This article features Government Accountability Project’s Senior Counsel and director of its Democracy Protection Initiative, Dana Gold, and was originally published here.
Security workers who want to come forward about wrongdoings risk retaliation and fear not making a difference. Should society do more to support them?
In August 2022, Twitter’s former head of security, Peiter “Mudge” Zatko, filed an 84-page whistleblower complaint with the US Securities and Exchange Commission in which he claimed the company misled the public on issues like bots and spam, had low security standards, and withheld critical information about breaches from its board, allegations which Twitter denied. As a person who built their life by exposing flaws in software, Mudge claimed he was “ethically bound” to go public, because he felt Twitter neglected to correct these flaws, according to an interview with The Washington Post.
Blowing the whistle was not a decision he made lightly, and many experts who come forward on cybersecurity issues face similar dilemmas. Most of them initially try to voice their concerns internally, only turning to external avenues if they feel they are not heard.
Once a person decides to flag wrongdoings, they are aware they might face severe consequences. The current mechanisms for lawful disclosure “are difficult, [and] they come with a lot of repercussions,” Zatko tells CSO. It is why he believes some of the aspects surrounding whistleblowing “need to be readdressed.”
Employees who come forward have fears, the main ones being “fear of retaliation and fear of futility — that speaking up won’t make a difference,” says Dana Gold, senior counsel at Government Accountability Project and director of its Democracy Protection Initiative. Workers in the tech and cybersecurity spaces need to be better shielded against retaliation, she says. “Strong whistleblower protection laws and pathways for disclosures are critical to the point of being non-negotiable to responsible private and public governance. We need whistleblowers to be able to come forward — they are not only the best defense against critical threats, but they may sometimes be the only defense we have.”
How governments can support whistleblowers
Legislation around the protection of whistleblowers has somewhat improved around the world in the past decades, but changes still need to be made to make it easier for techies to report issues without fearing consequences. “At least in the United States, there needs to be better protections dedicated to tech workers,” Gold says. “Congress has been so slow and unable to regulate the tech sector. Despite multiple oversight hearings to address problems in the tech industry, tech workers remain vulnerable without stand-alone whistleblower protections.”
With cybersecurity becoming increasingly embedded into our lives, encouraging whistleblowers who flag tech-related issues is “vital to national security,” as Gold puts it. Nations must do two things, she says. Firstly, they have to make sure that infosec employees working in the public sector are taken seriously when they want to report wrongdoings. This means having multiple pathways for them and creating an environment where they feel safe to come forward.
Sue Bergamo, CISO at BTE Partners, LLC, agrees. “Governments should have a whistleblower program with clear instructions on how to disclose information, then offer the resources to enable procedures to encourage employees to come forward and guarantee a safe reporting environment,” she says.
Secondly, nations need to upgrade their legislation to include strong anti-retaliation protections for tech workers, making it unlawful for various entities to engage in reprisal. This includes job-related pressure, harassment, doxing, blacklisting, and retaliatory investigations.
The US, for example, has no federal laws designed to protect employees who blow the whistle on cybersecurity issues. However, anti-retaliation stipulations are broad enough to include such cases. For instance, some laws that push back against punishing corporate whistleblowers and people who reveal misdeeds with federal funds can also apply to tech whistleblowers. Additionally, in 2021, the US Department of Justice’s (DOJ’s) Civil Cyber-Fraud Initiative paved the way for using the False Claims Act to address government contractors and grant recipients that submit false claims misrepresenting compliance with cybersecurity standards.
According to the non-profit Empower Oversight, certain acts can be applicable to whistleblowers who report on tech-related issues:
- The False Claims Act safeguards employees who blow the whistle on government fraud.
- The Sarbanes-Oxley Act shields employees who reveal fraud and securities violations in publicly traded firms.
- The Dodd-Frank Act defends employees reporting securities violations to the Securities and Exchange Commission (SEC).
- The Financial Institutions Reform, Recovery, and Enforcement Act covers employees disclosing legal infringements at banks and similar depository institutions.
- The Energy Reorganization Act ensures protection for nuclear industry employees against violations of related laws or regulations.
- The Whistleblower Protection Act upholds protections for federal government employees reporting legal violations, significant threats to public health or safety, or gross mismanagement, waste, or abuse.
- The National Defense Authorization Act protects employees who reveal gross mismanagement, waste, abuse, or violations of laws or regulations relating to federal contracts.
The European Union has also made progress in the effort to protect whistleblowers. Member states were asked to transpose EU Directive 2019/1937 into their legal framework, and the countries that did not (Czechia, Germany, Estonia, Spain, Italy, Luxembourg, Hungary, and Poland) were referred to the Court of Justice in February this year. The directive asked EU members to provide increased protection to whistleblowers in both the public and private sectors, which included creating a robust system of protection against retaliation.
However, the advancements made on the legislative front need to be matched by similar progress in corporate practices.
What organizations could do to reduce whistleblower risks
Corporate whistleblowers have a lot at stake when they decide to report issues. They could be labeled troublemakers or lose their security clearance, both of which could limit their employment opportunities and affect their financial security. They could also face legal consequences if the information they disclose is sensitive or classified.
Many of the headaches could be prevented if organizations address whistleblowers’ concerns internally, before they escalate, creating a positive and supportive environment for those who want to signal wrongdoings.
The first priority for organizations should be to establish a clear policy for employees who want to flag issues. “This involves developing and implementing comprehensive and easily accessible procedures,” according to Empower Oversight.
Employees need to be assured that their identities will remain confidential throughout the entire internal reporting process, if this is something they want. Beyond confidentiality, providing options for anonymous reporting of cybersecurity issues is absolutely crucial to encourage them to talk. Kolja Weber, CEO of FlokiNET, who has assisted whistleblowers in the past, says organizations should go the extra mile to protect their employees’ identity. “Anonymity is always the best way to ensure whistleblowers stay safe and feel encouraged to come forward,” he says.
Whistleblowers should be given multiple reporting options
Ideally, organizations should offer multiple paths for reporting problems. Whistleblowers could, for instance, talk to their supervisors, call an anonymous hotline, address a designated ombudsman, or even notify a specialized office that has access to leadership. A system that offers plenty of options gives employees flexibility based on their comfort level and the nature of the issue. If organizations offer several avenues for reporting issues, they can increase the likelihood that employees will come forward.
To further increase the chances that they will come forward, employees can be offered regular training sessions in which they are informed about the importance of speaking up on cybersecurity issues, the ways to report wrongdoing, and the protection mechanisms they could access. Moreover, leadership should explain that it has zero tolerance for retaliation. “Swift action should be taken if any instances of retaliation come to light,” according to Empower Oversight.
The message leadership should convey is that issues are taken seriously and that C-level executives are open to conversation if the situation requires it. As Renee Guttmann, founder and principal of Cisohive and former CISO of companies like Coca-Cola, Time Warner, and Campbell, points out, “a process for escalating issues to executive leadership and the Board [should be in place] if there is a belief that issues are not being appropriately addressed through their chain of command.”
At each step, employees should be assured that the problem they disclose will be investigated thoroughly and that enough resources will be poured into that. The entire process should be transparent, with both the person who reported the issue and the organization being kept informed of the progress.
All these measures can be beneficial in the long run, and organizations that implement them should be able to address problems internally, preventing them from escalating. Many companies are slowly understanding the true importance of the process. “It takes time, but I think it’s happening, companies stop stigmatizing employees who blew the whistle,” says Delphine Halgand-Mishra, founding executive director at The Signals Network, a non-profit that provides support to whistleblowers and journalists. The organization created the legal section of the Tech Worker Handbook, which explains legal concerns and issues tech workers might have before, during, and after deciding to speak out.
Cybersecurity whistleblowers can be essential for democracy
Peiter “Mudge” Zatko and Anika Collier Navaroli, who reported security, privacy, and disinformation issues related to Twitter, were “vital whistleblowers,” Gold says. “Their willingness to testify about the role of social media in facilitating unprecedented threats to democracy was courageous and vital.”
Both had to navigate a series of challenges after they blew the whistle, but their decision to come forward was a calculated one. “There’s a sentence I heard many whistleblowers say: ‘I was hoping someone else would do it, and nobody did,’” said Halgand-Mishra. “I also hear them say: ‘I just couldn’t face my own conscience.’ They know they are getting in trouble, but there’s no other way.”
The Signals Network’s founding executive director believes both governments and the private sector should do more to foster an open culture and protect whistleblowers because they are part of any “vibrant democracy.” According to Halgand-Mishra, “Whistleblowers should be embraced by society; they should be celebrated.”