UPDATED 14:26 EDT / SEPTEMBER 06 2023

SECURITY

Well-known security consultant ‘Mudge’ is once again on the move

The veteran hacker known as Mudge is once again on the move.

Mudge, the handle of Peiter Zatko (pictured, center), was head of security at Twitter before the company became X Corp. He is now a consultant to the U.S. Cybersecurity and Infrastructure Security Agency, the Washington Post reported yesterday.

Zatko has most recently consulted for security provider Rapid7 Inc. His last government job was from 2010 to 2013, when he was a program manager at DARPA, the Defense Department's research agency.

Twitter hired Zatko in November 2020 to clean up the beleaguered social media platform's security. He didn't last long: the company fired him in January 2022, citing "poor performance and ineffective leadership."

That stated reason seems suspicious, given his evident professionalism, depth of information security knowledge and sincerity. The firing had more to do with his take-no-prisoners attitude toward exposing Twitter's numerous poor security practices, some of which I blogged about back in August 2022.

His firing is also remarkable because the company was still months away from being acquired by Elon Musk, after which any semblance of an organized security posture dissolved into the ensuing chaos. Zatko subsequently filed a whistleblower complaint against the company with several federal agencies, including the SEC and FTC, and testified before the Senate Judiciary Committee in September 2022 about the problems he had tried to fix during his tenure.

That wasn't his first appearance on Capitol Hill. Another notable moment in his storied career came in May 1998, when he testified before a Senate committee as a member of the hacker collective L0pht Heavy Industries. L0pht later merged into the consultancy @stake, which Symantec acquired in 2004. The group returned to Capitol Hill in 2018 for a 20th-anniversary appearance, where this photo was taken, and reiterated that many of the problems they had raised in 1998 were still unresolved. I documented both appearances in a blog I wrote for IBM's Security Intelligence in 2018.

“I am honored to formally return to public service and work with CISA on the critical cybersecurity issues we face, including enabling secure-by-design principles to be accessible, measurable, and adopted by government and industry alike,” Zatko said in a written statement.

I find it interesting that he is focused on secure by design now that he is at CISA. The concept isn't new: it means developers build security into a product from the start and ship it secure by default, rather than leaving customers to bolt protections on afterward. Numerous companies have touted it, often directly after a major software supply chain attack exposed its absence.

Indeed, CISA also announced yesterday an initiative to encourage K-12 software vendors to pledge to support the concept. CISA also blogged about the concept about a month ago, saying that AI software should support security by design as a core business requirement.

The concept is also a key tenet of the National Cybersecurity Strategy Implementation Plan released in July. Having Mudge at CISA is a good thing, provided the agency can rise above its deficiencies and actually implement his suggestions, and provided Congress leaves the agency alone: earlier this summer CISA was in the crosshairs of the House Judiciary Committee, which claimed the agency was part of various conspiracies.

Photo: Internet Education Foundation/Flickr
