This story has been going on for a few days but has now reached “must comment on it” critical mass. The Facebook thing.
You know what I’m talking about if you follow the security news. If you don’t? Well, first of all, good for you. But that said, FYI, I’m talking about a recent news story in ZDNet about comments that Alex Stamos, their CISO, made in a meeting about how Facebook should be run more like a defense contractor instead of a “college campus”.
Yes, you heard that right. This is a story about something somebody said once in a meeting. It even contains “leaked audio.”
Since then, the story has gone viral… here’s CNBC covering it for example. Tellingly though, it’s mostly politically-aligned outlets that are covering it most heavily. For example, here’s Breitbart covering it and Slate covering it. You wonder what kind of story crosses the political divide in this country? This one.
The security community has reacted… and to get a sense of the flavor of that response, check out this piece on Helpnet, which lays out why security journalists shouldn’t “eat their own”. My opinion? It doesn’t really matter all that much because my point isn’t about that (though I’ll get there eventually), but for full disclosure purposes here it is. 1) I think Alex is a good guy. I’ve come across him at events and such and he seems like a pragmatic, workmanlike, empirically-driven person who sincerely cares about security. If that sounds like “damning with faint praise” to you, read it again — I contend it’s the highest compliment you can pay to someone in this industry. 2) I think ZDNet is a reasonable publication. I’ve worked with them in the past. This story didn’t grab my attention at first, but it’s not the kind of thing I usually read. I didn’t read it in full until the blowback started.
Anyway, the story itself is interesting (to some I guess) in a “he said, she said” “middle school gossip” sort of way, but that’s not the reason I’m devoting 30 minutes of my life to writing about it. Instead, it’s because there’s something else going on here. There’s a “bigger thing” that has nothing to do with the security community, what Alex did or didn’t say in some meeting, ZDNet, journalism, or the nuances of this particular story. I think that “bigger thing” is important and I have yet to see it discussed head on.
What’s that bigger thing? It’s why this story has legs in the first place. Because it shouldn’t. Here, I can prove it to you. Say, for the sake of argument, that I told you that a former employer (say, I don’t know, a large eastern-US securities broker/dealer) was run like a Turkish prison. What if I told you that an unnamed government contractor I might have worked at was run like a “frat house”? Is any of that newsworthy? No, right? Because “who cares”, right? That sense of apathy you felt as I said those things? That’s the correct response.
Instead, the reason this story is interesting to people is their unstated but very real expectations. Meaning, the reason people are interested in this story is because they have, at some level, an expectation of Facebook’s security obligations. The expectations include how Facebook should be run and the gravity with which they steward the data they hold. It’s not hard to see why. First, Facebook contains the most intimate details of people’s lives. I don’t use it that way (because ick) – but most people do. There’s an expectation at work – namely, that Facebook treats information with gravity – that they take it seriously and recognize it as important. The implication that they might not (which is after all the subtext of this story) is therefore a big deal.
But it’s bigger than even just this. I know it because the theory about Facebook maybe “tending to openness” isn’t exactly new. Have you seen The Social Network? Have you read any business book about Facebook? Like, ever? That they are “open” isn’t news.
Here’s what’s different now though. We now know that Facebook, along with other social media, was a primary instrument in Russia’s attack on the 2016 US election… in fact, I think Russia’s use of social media generally (and Facebook specifically) was the “cyber atomic bomb” that Kremlin adviser Andrey Krutskikh called out two years ago. Coming as it does only shortly after the full extent of social media’s role in that effort was made known, I think there is a further expectation on Facebook. That expectation is that they have an obligation to actively prevent that. The expectation is now calcified and therefore, to people out in the aether, Facebook being “run like a college campus” is the wrong thing.
I think this is actually the key and most salient point. In fact, I think it’s why Alex said what he did about why they needed to be run like a defense contractor in the first place. Why “defense contractor” and not, for example, “bank”? It’s possible he just picked that as an example of places that take security seriously. But I don’t really think that’s the case. Instead, I think he chose his language with precision. Because the one thing that defense contractors have in common is that nation states want to get in. It’s both a very different level of adversary and a different kind of stakes. And he’s right. So, as to the subject matter of the story? The short answer is “props to Alex” for recognizing this and pushing for cultural change to cut it off at the pass. He’s on the money, and that’s why this is, if it’s anything, a positive story about Alex.
The point more generally though is that there is an underlying expectation at work about how Facebook should treat security. If I were Facebook – or, in fact, any other social media company – I’d be paying attention to this. Why? Because of where this is likely to go next. If, in fact, the expectation is that social media companies – or companies more generally – have an obligation for how they handle data, how they conduct themselves security-wise, and how they defend against nation states… well, it’s not a long leap from that to codifying these expectations legislatively. Something tells me the world would change if that happens.