First, I am a whistleblower and have worked in cybersecurity. More on these below.
While I am glad Peiter “Mudge” Zatko came forward, I would like to dig a bit deeper into what might have occurred here. My apprehension and questioning of the circumstances focuses on the time Mudge allowed to transpire before coming forward, what his actual or primary motivation was to do so and the actual risk to him for doing so.
In his testimony Mudge stated he was aware of severe issues as soon as he became employed at Twitter. He stated he realized they were 10 years behind right away. As a matter of fact, Twitter settled with the FTC in 2011, and paid a $150M fine in May of 2022, for privacy issues between 2013 and 2019. The issues included a hack and an associated FBI investigation. The privacy issues were caused by the data and privileged account and identity access management lapses Mudge raised at the hearing. Which occurred almost two years after he started at Twitter. This is where the time concern comes into play. Press reports from November 2020 detail Mudge was aware of the hacking and the FBI probe into them. I could not find an article stating he was aware of the FTC issues but given the hack, his connections in the industry and FTC press reports at the time, I think it is safe to assume he was aware. These issues involve the same core data and privileged account and identity access management issues Mudge came forward about. That means they were not significantly addressed on his watch for at least 1.5 years.
Now let’s give him the benefit of the doubt. He didn’t find out about the issues until day one at Twitter and the issues were minimized. Nonetheless, he knew more than enough to perform an immediate triage and to start work on long-term plans. Let’s say he did that and was shot down on all or most of it. Why did he sit on this for over a year? Some folks have said these things can take time. Triage of a situation this bad can immediately be lessened through process, especially minimizing the amount of folks with access. And being CISO he had direct access to the CEO and board so there are no management layer hoops to jump through there. Beyond that, even if he was duped into believing his longer-term plans were supported and leadership approved of his project and funding plans, that would have become obvious when they started to execute them in a couple months. This now brings me to posit a scenario.
Mudge testified that he was recently informed one of Twitter’s employees was working with a foreign government. He was already aware that this was a year after the CEO suggestion they might allow Russia to surveil the system based on its dislike of what was being tweeted posted about its impending war with Ukraine was ultimately rejected. Mudge is also very aware of what the government’s capabilities are. He likely realized they already knew what was really going on. Or worst case, were requesting help to do so. Given this, what if Mudge drew the line to avoid being linked to what was occurring? He gave Twitter an ultimatum, they missed the deadline and he went public. Meaning, had that event no occurred, he would still be sitting on the issues. Why didn’t he come forward far earlier?
The final issue is risk. Mudge has exemplary credentials, is highly sought after, is compensated extremely well and now has $7M more from Twitter. What actual issues or hardship does he face if he is telling the whole truth and he did not enable the things he railed against? Setting aside the $7M, what was the downside of coming forth earlier given Twitter’s wretched situation?
Now regarding my background and the potential for being a Monday morning QB here. First, the easier part. I worked in cybersecurity in and for DoD and the commercial sector. The commercial sector work focused on Privileged Account Management. That is where access to systems, data etc is controlled, monitored, prevented etc. During my time in doing that it became very obvious most organizations could care less about cybersecurity. They prefer to not expose skeletons, force the masses to adopt new habits or spend the money and time doing their due diligence. And this includes government organizations, healthcare companies etc. If there is not law stating specific things must be done a certain way, they don’t do them. And when they do, they do the bare minimum. Given this Twitter’s situation, combined with their growing so fast, is no surprise.
Regarding whistleblowing. I was a post 9/11 DHS/Coast Guard/DoD whistleblower. I raised significant safety and security issues on the massive Coast Guard/DHS upgrade program called Deepwater. Issues that would impact most of the fleet of ships, boats, and aircraft. Made worse by the government creating a “Lead Systems Integrator” (LSI) process to help accelerate the program. That created a lead contractor who acted on behalf of the government. They we chartered with converting the mission requirements from the Coast Guard into technical requirements then not only doing the work to satisfy them but writing the tests, approving them and then self-certifying they passed. Without the usual government representatives performing those final tests. Worst of all the LSI of Lockheed Martin and Northrop Grumman called Integrated Coast Guard Systems (ICGS) hired themselves to do the work.
This endeavor cost me my career, I filed for bankruptcy, and moved my family several times. (The bankruptcy stemmed from the contractors convincing the judge I owed them fees for a lost appeal due to Eric Lipton of the New York Times screwing me, and some poor investment choices. Sums that were a fraction of the $7M here.) I first discovered the issues in 2003. I went public in 2006 by being the first person to use YouTube as a whistleblower. The gap in time is due to my having to jump through many organizational layers and waiting for a series of investigations to conclude. To include three internal ethics investigations, the CEO, board of directors, James Comey and a DHS IG investigation that was being stonewalled by the Commandant of the Coast Guard. (Yes, the person I was trying to help.) And none of the issues I raised had not made it into the fleet yet. (Had they, I would accelerate my activities ahead of that.) My efforts resulted in my being the lead witness in a congressional hearing, a law written to stop lead system integrators from hiring themselves, being on 60 Minutes, receiving the Barus Ethics Award, being in the movie “War on Whistleblowers”, in the book on the ordeal called “Complex Contracting” and in several books on ethics. So, the point being, I am anything but an ill-experienced Monday morning QB here. I would not have put up with Twitter’s issues for a fraction of a year.
My name is Michael DeKort — I am Navy veteran (ASW C4ISR) and a former system engineer, engineering, and program manager for Lockheed Martin. I worked in aircraft simulation, the software engineering manager for all of NORAD, a software project manager on an Aegis Weapon System baseline, and a C4ISR systems engineer for DoD/DHS, the US State Department (counter-terrorism) and in cybersecurity. As well as a Senior Advisory Technical Project Manager for FTI to the Army AI Task Force at CMU NREC (National Robotics Engineering Center)
Presented the IEEE Barus Ethics Award for Post 9/11 DoD/DHS Whistleblowing Efforts