
DevOps, Security Takeaways for CIOs from Twitter Whistleblower's Claim


Allegations from whistleblower “Mudge,” Twitter’s former head of cybersecurity, raise questions about observability, access rights, and the pressures on developers.
When news broke that Peiter “Mudge” Zatko, the former head of cybersecurity at Twitter, had become a whistleblower, alarm bells rang that may resonate with other enterprises.
Mudge, as Zatko is known among cybersecurity researchers, has credentials that extend back 30 years and include hacking think tanks and leading research projects at DARPA. He was let go from Twitter in January and has since made claims of lax oversight by his former employer regarding the security of information and data, and of unchecked access to sensitive areas of the company. Those accusations include assertions that foreign states, such as Russia and China, could take advantage of the alleged vulnerabilities.
As his disclosures continue to be vetted, other enterprises may want to examine their own processes and controls on permissions and access rights at a time when developers might be pushed to work fast.
An organization such as Twitter probably has guidelines for how to handle data that is the most critical and personally identifiable, says Kevin Novak, managing director of cybersecurity with Breakwater Solutions. Such policies might say access is provided on a “need-only” basis, he says, but Zatko’s concerns put Twitter in the spotlight, especially if more people than necessary have access to information they do not need. “They could influence that information, access that information, change processes about how it is used,” Novak says. “It’s just over-empowering.”
It can be hard for large enterprises to follow through on their own guidelines, he says, because of the time and effort involved and the need to balance the needs of the staff with those of management.
