In late July, Facebook security chief Alex Stamos told employees in a conference call that the company isn’t doing enough to respond to growing cyber threats: in fact, with Facebook’s “move fast” mantra, the vault that stores the keys to a billion lives is (deliberately) run like a college campus but has the threat profile of a defense contractor, he said.
So that’s security worry No. 1.
Security worry No. 2 is that somebody on the call—a Facebook employee, one assumes—taped him and leaked the clip to ZDNet, which published it on Thursday.
Here are Stamos’ remarks from the call, which was concerned with the challenges of protecting Facebook’s networks from the growing threat of nation-sponsored hackers:
The threats that we are facing have increased significantly, and the quality of the adversaries that we are facing. Both technically and from a cultural perspective, I don’t feel like we have caught up with our responsibility.
The way that I explain to [management] is that we have the threat profile of a Northrop Grumman or a Raytheon or another defense contractor, but we run our corporate network, for example, like a college campus, almost.
We have made intentional decisions to give access to data and systems to engineers to make them ‘move fast,’ but that creates other issues for us.
As Ars Technica points out, nation states are suspected of being behind attacks against Google, Yahoo, defense contractors, security companies and more. In March, federal prosecutors indicted Russian intelligence agency officers for a 2014 hack on Yahoo that compromised 500 million user accounts, for example, while Google said in 2010 that it had lost intellectual property in a highly targeted attack coming from China.
That’s the kind of thing that Facebook, and everybody else online, is facing. And Facebook is being run like a campus. OK. We don’t know exactly what that means, but it doesn’t sound good. It sounds sloppy. It sounds like a high-risk environment.
But before we grab our torches and burn down the frat houses, let’s take a look at what Stamos had to say when he took to Twitter to clarify the remarks on Thursday:
I was asked for comment today wrt some leaked audio from when I was speaking to my security team at Facebook. 1/11
Here it is: I’ve said this before, internally, to describe one of the basic challenges security teams face at companies like ours 2/11
Tech companies are famous for providing freedom for engineers to customize their environments & experiment with new tools 3/11
And also frameworks & development processes. Allowing for this freedom helps creativity and productivity 4/11
We have to weigh that against the fact that we have become a potential target advanced threat actors. 5/11
As a result, we can’t architect our security the same way a defense contractor can, with limited computing options and no freedom. 6/11
Keeping the company secure while allowing the culture to blossom is a challenge, but a motivating one, I’m happy to accept. 7/11
The “college campus” wording is just a figure of speech to make the point; 8/11
My team runs network security for the company. Of course we secure it thoroughly. 9/11
It would not be correct to read my quote as a criticism of management not caring about security; they care a great deal. 10/11
It’s not a criticism of anybody, just a statement of why our team needs to be creative in how we protect our corporate network. 11/11
Some are sympathizing with Facebook. Software developer Molly McG: “…it’s actually an incredible analogy for the challenges you face and I love it … The college campus is a perfect metaphor for an environment where you can experiment while protected by institutional safeguards.”
“I don’t even see how this statement of reality is even remotely controversial” said April King, head of website security at Mozilla. “That freedom, despite its subsequent challenges, lets you attract the kind of tech talent that you simply couldn’t get at a large corporation.”
Fair enough. But we’re talking about personal information belonging to millions of people. Hiring whiz kids is great for churning out creative new ideas, but if that creativity comes at the expense of security, whose interests does it serve? Do we want surgeons to learn how to use a scalpel on a live patient?
Then again, as he explained, Stamos didn’t mean inexperienced, or foolhardy, when he referred to a “college campus.”
From the outside it looks like Facebook takes security very seriously: ever seen a Equifax- or Yahoo-level data breach from Facebook? No? Neither have we.
One of many examples of what Facebook does right can be found in the way it locks users in a closet if the company finds that they’ve reused their passwords on other sites that have been breached.
Another commendable practice: Facebook has been using secure browsing by default since July 2013. Plus, Facebook issues transparency reports to let us all know which governments are making plays for our data and how many times. On top of all that, it doesn’t balk at paying out decent bug bounties.
Plenty of other internet platforms are also doing those security-proactive things besides Facebook, but it’s still worth noting that clearly not every single Facebook security or development engineer is swinging from the ceiling fan.
Of course a company like Facebook only has to fail once for everything we’ve shared with it to be spilled.
Storing vast amounts of user data, moving fast and structuring themselves like a campus rather than a defence contractor are all deliberate decisions on Facebook’s part. Nobody obliged the company to do that, or shoulder the risks and responsibilities that go along with making it all work.
When it comes to Facebook securing its network, Naked Security’s Mark Stockley thinks that overall, it’s pretty impressive (though it’s certainly got a problem with at least one employee who felt that it’s OK to tape a confidential call and release it to a major tech publication).
On the other hand, regardless of Stamos trying to put his comments into the context of fostering creativity, the fact is that the top security guy at the company said “I don’t feel like we have caught up with our responsibility”. That’s why Mark said you could quote him on this one:
These are Facebook’s choices and the challenges it faces are real but self-imposed so I sympathize, but not enough to forgive it if they’re breached.
kentongsmith
This is the hypocrisy of the security community. We all talk about “making security work for the business” and “understanding what it takes for the business to be successful while still being secure”. Yet as soon as someone speaks honestly about what the impact of that actually is we’re all, “Oooo, that sounds irresponsible” and the “but if that’s the decision they’ve made…” comments.
I have a huge amount of respect for Alex Stamos and I think that’s a great analogy that more companies need to understand because I think we’re all headed there. People want access to data no matter where they are and what device they’re using, and they want it to be easy. What type of organizations have been doing that for years? Colleges. They’ve been dealing with BYOD since before vendors had even thought of the term. It’s really hard, and I’m sure with the threats Facebook is facing it’s extremely challenging. At least the person in charge of security understands the challenge and is willing to face it head on. We should be giving him props for that and holding him up as a leadership example.
Max
What exactly is the problem here? Facebook has an unorthodox company structure that can be challenging from a security perspective. So far, from what we can tell, they did a good job facing that challenge. And on top of that you have their top security guy being aware of the challenge and wanting to do more. Would it have been better if he had said “we already do plenty to keep us secure, no need to worry about anything” in this conference call?