{"id":633,"date":"2017-10-24T13:35:05","date_gmt":"2017-10-24T13:35:05","guid":{"rendered":"https:\/\/securitycurve.com\/?p=633"},"modified":"2017-10-24T13:35:05","modified_gmt":"2017-10-24T13:35:05","slug":"facebook_thing","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=633","title":{"rendered":"The Facebook thing"},"content":{"rendered":"

This story has been going on for a few days but has now reached “must comment on it” critical mass.\u00a0 The Facebook thing.<\/p>\n

You know what I’m talking about if you follow the security news. If you don’t? Well, first of all, good for you.\u00a0 But that said, FYI that I’m talking about a recent news story in ZDNet about comments that Alex Stamos, their CISO, made in a meeting<\/a> about how Facebook should be run more like a defense contractor instead of a “college campus”.<\/p>\n

Yes, you heard that right.\u00a0 This is a story about something somebody said once in a meeting.\u00a0 It even contains “leaked audio.”<\/p>\n

Since then, the story has gone viral…\u00a0 here’s CNBC covering it<\/a> for example.\u00a0 Tellingly though, it’s mostly politically-aligned outlets that are covering it most heavily.\u00a0 For example, here’s Breitbart covering it<\/a>\u00a0and Slate covering it<\/a>.\u00a0 You wonder what kind of story crosses the political divide in this country?\u00a0 This one.<\/p>\n

The security community has reacted… and to get an essence for the flavor of that response, check out this piece on Helpnet<\/a>, which lays out why security journalists shouldn’t “eat their own”.\u00a0 My opinion?\u00a0 It doesn’t really matter all that much because my point isn’t about that (though I’ll get there eventually), but for full disclosure purposes here it is.\u00a0 1) I think Alex is a good guy.\u00a0 I’ve come across him at events and stuff and he seems like a pragmatic, workmanlike, empirically-driven person who sincerely cares about security.\u00a0 If that sounds like “damning with faint praise” to you, read it again — I contend it’s the highest compliment you can pay to someone in this industry.\u00a0 2) I think ZDNet is a reasonable publication.\u00a0 I’ve worked with them in the past.\u00a0 This story didn’t grab my attention at first, but it’s not the kind of thing I usually read. I didn’t read it in full until the blowback started.<\/p>\n

Anyway, the story itself is interesting (to some I guess) in a “he said, she said” “middle school gossip” sort of way, but that’s not the reason I’m devoting 30 minutes of my life to writing about it.\u00a0 \u00a0Instead, it’s because there’s something else going on here.\u00a0 There’s a “bigger thing” that has nothing to do with the security community, what Alex did or didn’t say in some meeting, ZDNet, journalism, or the nuances of this particular story.\u00a0 I think that “bigger thing” is important and I have yet to see it discussed head on.<\/p>\n

What’s that bigger thing?\u00a0 It’s why this story has legs in the first place.\u00a0 Because it shouldn’t.\u00a0 Here, I can prove it to you.\u00a0 Say, for the sake of argument, that I told you that a former employer (say, I don’t know, a large eastern-US securities broker\/dealer) was run like a Turkish prison.\u00a0 What if I told you that an unnamed government contractor I might have worked at was run like a “frat house”?\u00a0 \u00a0Is any of that newsworthy?\u00a0 No, right?\u00a0 Because “who cares”, right?\u00a0 That sense of apathy you felt as I said those things?\u00a0 That’s the correct response.<\/p>\n

Instead, the reason this story is interesting to people is their unstated, but yet very real, expectations.\u00a0 Meaning, the reason people are interested in this story is because they have, at some level, an expectation of Facebook’s security obligations.\u00a0 The expectations include how Facebook should be run and the gravity with which they steward the data they hold.\u00a0 It’s not unreasonable to see why.\u00a0 First, Facebook contains the most intimate details of people’s lives.\u00a0 I don’t use it that way (because ick) — but most people do.\u00a0 There’s an expectation at work – namely, that Facebook treats information with gravity – that they take it seriously and recognize it as important.\u00a0 The implication that they might not (which is after all the subtext of this story) is therefore a big deal.<\/p>\n

But it’s bigger than even just this.\u00a0 I know it because the theory about Facebook maybe “tending to openness” isn’t exactly new.\u00a0 Have you seen The Social Network?\u00a0 Have you read any business book about Facebook?\u00a0 Like, ever?\u00a0 That they are “open” isn’t news.<\/p>\n

Here’s what’s different now though.\u00a0 We now know that Facebook, along with other social media, was a primary instrument in Russia’s attack on the 2016 US election… in fact, I think Russia’s use of social media generally (and Facebook specifically) was the “cyber atomic bomb” that Kremlin adviser\u00a0Andrey Krutskikh called out two years ago<\/a>.\u00a0 Coming as it does only shortly after the full extent of social media’s role in that effort was made known, I think there is a further expectation on Facebook.\u00a0 That expectation is that they have an obligation to actively prevent that.\u00a0 The expectation is now calcified and therefore, to people out in the aether, Facebook being “run like a college campus” is the wrong thing.<\/p>\n

I think this is actually the key and most salient point.\u00a0 In fact, I think it’s why Alex said what he did about why they needed to be run like a defense contractor in the first place.\u00a0 Why “defense contractor” and not, for example, “bank”?\u00a0 It’s possible he just picked that as an example of places that take security seriously.\u00a0 But I don’t really think that’s the case.\u00a0 Instead, I think he chose his language with precision.\u00a0 Because the one thing that defense contractors have in common is that nation states want to get in.\u00a0 It’s both a very different level of adversary and a different kind of stakes.\u00a0 \u00a0And he’s right<\/span>.\u00a0 So, as to the subject matter of the story?\u00a0 The short answer is “props to Alex” for recognizing this and pushing for cultural change to cut it off at the pass.\u00a0 He’s on the money, and that’s why this is, if its anything, a positive story about Alex.<\/p>\n

The point more generally though is that there is a underlying expectation at work about how Facebook should treat security.\u00a0 If I were Facebook – or, in fact, any other social media company – I’d be paying attention to this.\u00a0 Why?\u00a0 Because of where this is likely to go next.\u00a0 If, in fact, the expectation is that social media companies – or companies more generally – have an obligation for how they handle data, how they conduct themselves security-wise, and how they defend against nation states…\u00a0 well, it’s not a long leap from that to codifying these expectations legislatively.\u00a0 Something tells me the world would change if that happens.<\/p>\n","protected":false},"excerpt":{"rendered":"

This story has been going on for a few days but has now reached “must comment on it” critical mass.\u00a0 The Facebook thing. You know what I’m talking about if you follow the security news. If you don’t? Well, first of all, good for you.\u00a0 But that said, FYI that I’m talking about a recent […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[53],"class_list":["post-633","post","type-post","status-publish","format-standard","hentry","category-security","tag-facebook"],"_links":{"self":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/633","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=633"}],"version-history":[{"count":0,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/633\/revisions"}],"wp:attachment":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=633"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=633"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=633"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}