The U.S. government’s cybersecurity agency CISA on Monday confirmed the addition of Peiter ‘Mudge’ Zatko to its roster of prominent voices preaching the gospel of security-by-design and secure-by-default development principles.
Zatko, most recently the CISO at Twitter who blew the whistle on the social media giant’s security shortcomings, is joining the agency in a part-time capacity to work on the “security and resilience by design” pillar of the Biden administration’s National Cybersecurity Strategy.
A statement from CISA boss Jen Easterly confirmed Mudge’s addition as Senior Technical Advisor to work on shaping a culture of security-by-design everywhere.
“Mudge joins us in a part-time capacity to help us collaboratively shape a culture of security by design that is foundational to every security team, every C-suite, and every board room in the country,” Easterly said. Zatko’s hiring was first reported by the Washington Post.
Zatko is a well-known hacker from the L0pht and Cult of the Dead Cow (cDc) collectives who is credited with some of the earliest published research on buffer overflow vulnerabilities. He previously served as a DARPA program manager, where he created the Cyber Fast Track program that funded short-term research by independent hackers and hackerspaces.
Zatko served as Twitter’s head of security from late 2020 until his dismissal in January 2022, and later filed a whistleblower complaint with U.S. regulators and Congress describing “extreme, egregious deficiencies” in Twitter’s handling of user information and multiple violations of SEC and FTC regulations.
In addition to Zatko, CISA recently hired former Yahoo CISO Bob Lord and researcher Jack Cable to evangelize the security-by-design pillar of the National Cybersecurity Strategy and CISA’s own Strategic Plan.
The CISA security-by-design plan calls for technology manufacturers to make Secure-by-Design and Secure-by-Default the focal points of product design and development processes.
“Secure-by-design means that technology products are built in a way that reasonably protects against malicious cyber actors successfully gaining access to devices, data, and connected infrastructure,” according to the CISA document. “Software manufacturers should perform a risk assessment to identify and enumerate prevalent cyber threats to critical systems, and then include protections in product blueprints that account for the evolving cyber threat landscape.”
In addition, CISA is pushing a “Secure-by-Default” principle: products should ship resilient against prevalent exploitation techniques out of the box, with security features such as multi-factor authentication and logging enabled as the baseline configuration rather than sold as add-ons.
“These products protect against the most prevalent threats and vulnerabilities without end-users having to take additional steps to secure them. Secure-by-Default products are designed to make customers acutely aware that when they deviate from safe defaults, they are increasing the likelihood of compromise unless they implement additional compensating controls,” the agency said.