Twitter whistleblower alleges the company has reckless and negligent cybersecurity policies that pose a national security risk
New York CNN Business  — 

Twitter’s executives defended the company, and themselves, in a meeting with employees on Wednesday, one day after news broke that a former executive had blown the whistle on the company.

CEO Parag Agrawal opened the company-wide meeting by pushing back on claims made by Peiter “Mudge” Zatko, Twitter’s former head of security. Zatko’s whistleblower disclosure alleges Twitter’s security practices are so poor they pose a threat to national security and democracy, and claims some of the company’s executive team have tried to cover it up.

Agrawal said a “false narrative” has been created about the company, which “is currently challenging our integrity.” He added: “I know that that can be frustrating, and I know it can be challenging.”

Details of the call were shared with CNN by a Twitter employee. A Twitter spokesperson said the meeting was part of its regularly scheduled company-wide meetings, and had been planned before news of the disclosure reached Twitter.

Twitter has pushed back on Zatko’s allegations, which were first reported by CNN and The Washington Post. The company says Zatko’s whistleblower disclosure is “riddled with inconsistencies and inaccuracies and lacks important context.” It also says Zatko was fired for ineffective leadership and poor performance. (Zatko says he was fired in retaliation for internally sounding the alarm on Twitter’s security practices.)

In the meeting Wednesday, Sean Edgett, Twitter’s general counsel, said the company reached out to regulators and “various agencies around the world” when the company learned about the allegations being made by Zatko.

Senator Richard Blumenthal has called on the Federal Trade Commission to open an investigation into Zatko’s allegations. Twitter’s main regulator in Europe, the Irish Data Protection Commission, said it was seeking information from the company in light of the allegations.

Executives were asked if they were going to publicly address, point by point, the many allegations Zatko made about the company.

Rebecca Hahn, the company’s head of global communications, said in the meeting that there were a “number of reasons” why the company had not been able to do this yet – in a possible allusion to the ongoing legal battle between Twitter and its potential future owner Elon Musk.

Hahn, who said she joined the company just over a month ago, said she was inspired by the “level of ethics, passion, and care” throughout Twitter. She assured her colleagues about the company’s public response. “The truth will get out there,” she said. “We’re always on the right side of history on this.”

While Twitter executives did not address all of Zatko’s claims on the call, Chief Privacy Officer Damien Kieran said that some of the allegations were “just not accurate” and listed steps the company has taken to protect laptops and other infrastructure from hacking.

“The idea that the number of incidents that our detection and response team investigates is some indicator of bad or negative impact at Twitter is just false,” Kieran told employees.

However, the two sides appeared to be using different definitions of what constitutes a security incident. Zatko’s disclosure defined an incident as something “significant enough to trigger interruptions to work” and redirect personnel to determine the scope of the issue. Kieran’s definition appeared to be broader and relatively more benign, describing a security incident as any suspicious digital activity that Twitter’s security team investigates, including activity that doesn’t have any impact on the company’s computer networks or data.

CNN has requested comment from Twitter on the apparent discrepancy in definitions.

Twitter, Kieran also said, instituted greater security controls in the wake of the 2020 hack that compromised celebrity accounts, to the point that “same exact attack can’t happen.” Those security controls include requiring more employees to use “two-factor authentication,” or another layer of security when they log into computer applications.

“Whether or not that’s true, that doesn’t address the many other concerns and security vulnerabilities raised in the lawful disclosure,” John Tye, founder of Whistleblower Aid and Zatko’s lawyer, said in a statement to CNN.