Twitter: Head of Security Reportedly Fired; CISO to LeaveDecision Based on Assessment of How the Firm Was Being Led, Says Memo Quoted by NYT
Twitter has said it is firing Peiter Zatko, the network security expert it hired in November 2020 as head of security.
Changes in the composition of Twitter's security team followed "an assessment of how the organization was being led," according to a company memo shared with The New York Times.
Zatko, known by the handle "Mudge," gained fame as a member of the Cult of the Dead Cow ethical hacking collective in the 1990s and later moved to top cybersecurity research positions at the Defense Advanced Research and Projects Agency, aka DARPA, and Google.
Twitter CEO Parag Agrawal, who took over from Jack Dorsey in November, also announced that industry veteran Rinki Sethi, the chief information security officer, will be departing in the coming weeks. The company did not specify if the departure is voluntary.
Sethi in a tweet confirmed her departure and said, "It is with a heavy heart that I announce my impending departure from Twitter. Thanks to all of you that have reached out to check in with me, I appreciate all the kind words, thoughts and love being sent my way."
Neither Sethi nor Zatko responded to ISMG's request for a comment.
A Twitter spokesperson told Information Security Media Group: "I can confirm that Mudge Zatko is no longer at Twitter and Rinki Sethi will be departing Twitter in the coming weeks. As with matters of employment and privacy, we have no further details to share at this time."
The social media platform in a memo shared with the employees accessed by The New York Times reportedly said, "The changes followed an assessment of how the organization was being led and the impact on top-priority work."
Twitter's head of privacy engineering, Lea Kissner, will become the company's interim CISO, according to the report.
Reportedly, after assuming the CEO position, Agrawal reorganized the management staff and dismissed Dantley Davis, the chief design officer, and Michael Montano, the head of engineering.
In a previous filing with the Securities and Exchange Commission, Twitter said that Agrawal is restructuring the leadership team to drive increased accountability, speed and operational efficiency, and shifting to a general manager model for consumer, revenue and core technologies, which will be led by Kayvon Beykpour, Bruce Falck and Nick Caldwell, respectively.
"These GMs will lead all core teams across engineering, product management, design, and research. Lindsey Iannucci also joined the leadership team as chief of staff and vice president of operations to support Agrawal in strengthening operations across the leadership team, and the company. As part of these changes, Dantley Davis, design and research lead, will also be stepping down from his position at the company effective Dec. 31, 2021, and will remain an advisor through the end of the first quarter of 2022 to ensure an orderly transition," the filing said.
Zatko and Sethi joined Twitter in late 2020. Sethi was previously a vice president of data safety at IBM, vice president and CISO at Rubrik, and had undertaken various leadership roles in companies such as Palo Alto Network, Intuit and eBay.
Zatko was one of the first computer security researchers to gain a following for his hacking abilities and his understanding of cybersecurity. In one of his first papers in 1995, he described how a buffer overflow works and the threat this flaw posed to networks at the time (see: Twitter Hires Famed Hacker 'Mudge' as Security Head).
Later, Zatko joined the ethical hacking collective Cult of the Dead Cow and began speaking at events such as Def Con about a range of security issues. In 1998, he testified before a U.S. Senate hearing about internet vulnerabilities. Later, he briefed then-President Bill Clinton about the dangers of distributed denial-of-service and other nascent attacks, according to reports from the time.
In response to Mudge's alleged firing, Jake Williams, a former member of the National Security Agency's elite hacking team, tweeted, "I get that this is a meme (and a damn good one at that), but losing 'a strong security team' significantly downplays the years of damage Twitter has done to its security program."
I get that this is a meme (and a damn good one at that), but losing "a strong security team" significantly downplays the years of damage Twitter has done to its security program. https://t.co/IJpJEPYUap— Jake Williams (@MalwareJake) January 22, 2022
Williams tells ISMG: "Zatko and Sethi are two of the most sought-after security leaders in the entire cybersecurity industry. That any organization was ever lucky enough to have them at the same time was itself significant. To hear that they are both leaving the organization in what almost certainly are related circumstances should be concerning for anyone who is concerned with the security of the platform.
"It won't surprise me to learn that their departure is related to security concerns over Twitter's recent embrace of web3 technologies, as demonstrated by yesterday's release of the NFT integrations. I would assess that being charged with the security of the Twitter platform while engineering teams are integrating with web3 frameworks would lead to conflict with the remainder of the leadership team. Of course, there are likely many factors at play that we don't yet know about publicly."
Matthew Green, associate professor at Johns Hopkins University, says: "I don't know what's going on at Twitter. When CISOs leave social media companies unexpectedly, it can mean all sorts of unpleasant things."
I don't know what's going on at Twitter. When CISOs leave social media companies unexpectedly it can mean all sorts of unpleasant things. https://t.co/CbzlAvJy1K— Matthew Green (@matthew_d_green) January 21, 2022
Some Twitter users suggested that they might be leaving the company to join their former boss Jack Dorsey at his digital payments firm Block.
High-Profile Security Incidents
The appointment of Zatko followed several high-profile security incidents at Twitter that led to criticism of the company's security practices.
In July 2020, three suspects, including a Florida teenager, were charged in connection with hacking 130 high-profile Twitter accounts, including those of Bill Gates, Barak Obama and Joe Biden, to pull off a cryptocurrency scam (see: 3 Charged in Twitter Hack).
The hackers reportedly gained control of several high-profile Twitter accounts by using phone phishing and SIM-swapping techniques and sent fake messages to steal about $120,000 in bitcoins from victims. It's also believed that the suspects gained access to some Twitter account user data, including information stored in the Direct Message feature (see: Twitter Hack: Suspects Left Easy Trail for Investigators).