Peiter Zatko

Opening Statement to the Senate Judiciary Committee on Alleged Twitter Cybersecurity Practices

delivered 13 September 2022, Dirksen Office Senate Building, Washington, D.C.


[AUTHENTICITY CERTIFIED: Text version below transcribed directly from audio]

Thank you very much, sir. Chairman Durbin, Ranking Member Grassley, Members of the Committee:

I appear before you today to answer questions about information I submitted in written disclosures about cybersecurity concerns I observed while working at Twitter. My name is Peiter Zatko, but I'm more often referred to by my online handle as "Mudge."

For 30 years my mission has been to make the world better by making it more secure. From November 2020 until January 2022, I was a member of Twitter's Executive Team. In my role, I was responsible for information security, privacy engineering, physical security, information technology, and Twitter global support. I'm here today because Twitter leadership is misleading the public, lawmakers, regulators, and even its own board of directors.

What I discovered when I joined Twitter was that this enormously influential company was over a decade behind industry security standards. The company's cybersecurity failures make it vulnerable to exploitation, causing real harm to real people. And when an influential media platform can be compromised by teenagers, thieves, and spies -- and the company repeatedly creates security problems on their own -- this is a big deal for all of us.

When I brought concrete evidence of these fundamental problems to the Executive Team and repeatedly sounded the alarm of the real risks associated with them -- and these were problems brought to me by the engineers and employees of the company themselves -- the executive team chose instead to mislead its board, shareholders, lawmakers, and the public instead of addressing them.

This leads to two obvious questions: Why did they do that? And what were the problems and vulnerabilities identified? And that's what I'm here to talk about.

So, first, why did they do that? To put it bluntly, Twitter leadership ignored -- ignored its engineers because key parts of leadership lacked the competency to understand the scope of the problem; but more importantly their executive incentives led them to prioritize profits over security. Upton Sinclair famously said, "It is difficult to get a man to understand something when his salary depends on his not understanding it."1 This mentality is exactly what I saw at the executive level at Twitter.

So, what are the problems I discovered? Two basic issues: First, they don't know what data they have, where it lives, or where it came from. And so, unsurprisingly, they can't protect it.

And this leads to the second problem -- which is the employees, then, have to have too much access to too much data and to too many systems. You can think of it this way -- which is, it doesn't matter who has keys if you don't have any locks on the doors. And this kind of vulnerability is not in the abstract. It's not far-fetched to say that an employee inside the company could take over the accounts of all of the senators in this room.

Given to the real harm -- Given the real harm to users in national security, I determined it was necessary to take on the personal and professional risk to myself and to my family of becoming a whistleblower. I did not make my whistleblower disclosures out of spite or to harm Twitter. Far from that, I continue to believe in the mission of the company and root for its success. But that success can only happen if the privacy and security of Twitter's users and the public are protected.

In accepting an executive position at Twitter, I made a personal commitment to Mr. Dorsey, the Board, the greater public, and myself that I would drive the changes needed at Twitter to protect the users, the platform, and democracy. That's what I'm continuing to do here today. I stand by the statements I made in my lawful disclosures, and I am here to answer any questions you may have about them.

Thank you.


1 Source: Sinclair, U. (1994). I, Candidate for Governor: And How I Got Licked (page 109). University of California Press.

See also: Written testimony submitted to the Senate Judiciary Committee by Mr. Zatko

Original Audio and Video Source: C-SPAN.org

Original Image (Digitally Enhanced Screenshot) Source: judiciary.senate.gov

Audio Note: AR-XE = American Rhetoric Extreme Enhancement

Video Note: Frame interpolated from 30fps to 60fps

Page Updated: 10/28/22

U.S. Copyright Status: Text, Audio, Video = Property of AmericanRhetoric.com. Image = Fair Use.

Copyright 2001-Present. American Rhetoric. HTML transcription by Michael E. Eidenmuller.