Technology
Alex Stamos reveals what Facebook thinks of Russian interference
-
A leaked memo has cast more light on Facebook’s
discomfort at being thrust into the frontline of nation-state
cyberwarfare. -
Alex Stamos, Facebook’s outgoing chief security
officer, said having to be more transparent about state
interference has been “uncomfortable,” according to the email
obtained by BuzzFeed. -
Stamos said he deserves as much blame as anyone else
for Facebook being slow to notice and stamp out Russian
meddling in the 2016 presidential election.
Just days after Mark Zuckerberg came clean about Facebook’s
failings on Russian interference, a leaked memo has cast more
light on the firm’s discomfort at being thrust into the frontline
of nation-state cyberwarfare.
In an interview with Recode,
Zuckerberg said Facebook was “too slow” and “overly idealistic”
about the social network’s power for good to notice that the
Kremlin was interfering in the 2016 presidential election.
Now, he said, Facebook has a playbook for “preventing these kind
of disinformation campaigns.” This has led to some difficult
discussions at Facebook, according to a brutally honest leaked email sent
by outgoing chief security officer Alex Stamos.
In the memo, obtained by BuzzFeed News,
Stamos ruminated on tech companies being thrust “into the
struggle between nation-states.” He said: “We are moving into a
world where the major platforms are going to be expected to
provide our findings, attribution and data directly to the
public, making us a visible participant in the battle between
cyberwarfare titans.”
This, Stamos wrote, has been an “uncomfortable transition” and he
has not always agreed with the compromises Facebook has struck.
“That being said, I believe my colleagues have all approached the
process in good faith, and together we have sorted through
legitimate equities that needed to be weighed,” the CSO added.
Stamos, who leaves Facebook in August,
didn’t go into detail about the compromises he disagreed with,
but did clear up one thing: The rumours that Chief Operating
Officer Sheryl Sandberg told him not to investigate or disclose
Russian activity. This was “absolutely not” the case, he said.
Stamos said he deserves “as much blame (or more) as any other
exec at the company” for the missing the Russian interference. In
a personal note at the end of his email, he suggested that
spending more time with his family was a big factor in his
decision to quit.
“I have three children under twelve and I’ve come to the
realization that I’ve spent 75% of my youngest child’s life as
the CISO of companies in battle with the Russian intelligence
services. This isn’t conducive to being a great parent,” he
added.
A Difficult Week
Alex Stamos, Friday, March 23, 2018
At noon on Monday, a NY Times reporter I have long known and
respected gave me a ring.
“Alex, this will probably be the most difficult discussion we’ve
ever had.” She was right.
She told me that four anonymous sources had told her a variety of
things that she was working into one story that would post later
that day. I spent the next thirty minutes shooting down several
completely false accusations and trying to prevent the true facts
from being woven into a misleading narrative. I pointed out to
her that, if true, her story would still be a scoop in several
days and asked if she could me and Facebook more time to work
with them to tell an accurate tale of our challenging last couple
of years.
About three hours later, with me frantically working with our
comms team to get on-the-record quotes to the reporters, the
first stub version of the story went out with a headline that
implied that I had just quit Facebook out of anger. This led to
thousands of tweets and hundreds of stories based upon the
initial, incomplete report, as well as a tearful call from my
mother who thought I had been fired. The original NY Times
headlines and story were corrected several times, but despite our
outreach to other outlets the initial framing calcified into
conventional wisdom.
Some fact checking.
Did you quit? Look up, is my name greyed out? If not, then I’m
still a Facebook employee (or our deprovisioning process really
needs some work).
At some point, I will leave, and this answer will become a bit
ironic, but it is absolutely untrue that I quit on Monday, and
today I’m still trying to do my best by our users.
Have you had passionate discussions with other execs? Yes. Have
we met?
Have those disagreements been about investigating or disclosing
Russian activity? The world has changed from underneath us in
many ways. One change has been the thrusting of private tech
companies into the struggle between nation-states. Traditionally,
the standard has been to report malicious activity by adversary
nations to US law enforcement. We are moving into a world where
the major platforms are going to be expected to provide our
findings, attribution and data directly to the public, making us
a visible participant in the battle between cyberwarfare titans.
This is an uncomfortable transition, and have not always agree
with the compromises we have struck in the process. That being
said, I believe my colleagues have all approached the process in
good faith, and together we have sorted through legitimate
equities that needed to be weighed.
Did Sheryl tell you not to investigate or disclose Russian
activity? Absolutely not. I have rejected this claim,
on-the-record, multiple times to multiple reporters and on
Twitter. Unfortunately, we are living in a media moment where
sometimes an anonymous accusation is printed over the on-record
denial of a direct participant. The Times, to their credit,
removed a paragraph that had been written before my on-record
statement had been provided, which has become its own
meta-controversy (/sound inception_trombone.mp3).
Was there a reorganization of the security team? Yes, here is my
post announcing that in January.
Are you leaving in August because of this change? I initiated the
discussion of changing the structure of the InfoSec team just
before Thanksgiving 2017. This was due to my concerns that
organizational issues impaired our election security work in
2016. While the outcome of this discussion was not one I
proposed, at the time I committed myself to making the transition
as smooth as possible and trying to set the new teams up for
success. I am genuinely proud of the capable, diverse security
teams we have built and I truly want my colleagues to continue to
be successful in their vital work.
The re-org, did, however, leave me with a challenge, in that it
created a big mismatch between the responsibilities I felt
carrying the Chief Security Officer title and the potential for
big impact I could have from my redefined role. This conundrum
was pretty obvious to many, and when people internally asked if I
was leaving I rather openly told them that I was committed to
staying through August. That was the truth; I had not made up my
mind to leave, and I thought setting a date eight months in the
future was responsible and reassuring about the stability of the
team. Unfortunately, somebody leaked the fact in a manner meant
to turn an eight-month commitment into a rage-quitting.
Are you leaving because of Cambridge Analytica? No, that makes no
sense if your look at the calendar.
How are you feeling? Aww, how sweet, thanks for asking! I feel
like shit.
I am extremely uncomfortable with the “heroic Alex” narrative the
media is using to beat up on Facebook for many reasons:
1. It is undeserved. I was the Chief Security Officer during the
2016 election season, and I deserve as much blame (or more) as
any other exec at the company.
2. It erases the work of the true heroes. If anybody deserves
credit for the good things we did, it is the members of the
threat intelligence team who first spotted and stopped Russian
activity in 2016, and the huge cross-functional group who really
studied and understood this problem in 2017. Just because I
approve the expense reports of the first group and was part of
the second does not give me any special virtue.
3. Heroes need villains. This narrative is popular not because
people like me, but because it harms Facebook. At least one
person seems to be trying specifically to hurt Sheryl by mixing
in leaked facts with untrue allegations.
4. The media loves to build up heroes before tearing them down.
We Greeks invented this narrative device, the fatal flaw, and I
know that at least one person is pushing lies about me to
journalists. Aside from this being hurtful on a personal scale, I
realize that the more I’m narratively built up, the further the
media eventually gets to pull me down (which they will also frame
as bad for Facebook).
Most importantly, this narrative absolves us of the hard things
we have to do to win back the world’s trust. It would be really
simple to believe that the outcomes of arguments between a
handful of people got us to this point, but the truth is that we
need to all own this. The problem the company is facing today are
due to tens of thousands of small decisions made over the last
decade within an incentive structure that was not predicated on
our 2018 threat profile. While it has been disconcerting to hear
anger and sadness in the voices of our colleagues this week, I
also take heart in how widespread our desire has become to align
ourselves in the new landscape. I saw this shift in many
executives last year, as they clearly recognized the emerging
imperatives to prioritize security, safety, integrity and trust
over all else, but no number of all-hands or corporate goals was
going to be able turn this huge ship without a bottom-up change
in culture.
So now we need to turn that angst into action. We need to change
the metrics we measure and the goals we shoot for. We need to
adjust PSC to reward not shipping when that is the wiser
decision. We need to think adversarially in every process,
product and engineering decision we make. We need to build a user
experience that conveys honesty and respect, not one optimized to
get people to click yes to giving us more access. We need to
intentionally not collect data where possible, and to keep it
only as long as we are using it to serve people. We need to find
and stop adversaries who will be copying the playbook they saw in
2016. We need to listen to people (including internally) when
they tell us a feature is creepy or point out a negative impact
we are having in the world. We need to deprioritze short-term
growth and revenue and to explain to Wall Street why that is ok.
We need to be willing to pick sides when there are clear moral or
humanitarian issues. And we need to be open, honest and
transparent about challenges and what we are doing to fix them.
I have heard all of these changes discussed among executives over
the last year, and I think we’re in a place where such aims are
realistic and achievable. If any company is up to these
challenges, it’s ours. I still can’t believe how lucky I am to
work with talented people.
Alex, blink twice if you are being held hostage as you write
this. I wrote this post myself, and did not run it by anyone. I
have to thank Schrep for pulling me aside, asking how I am and
suggesting that I speak to the company from my heart, but he has
not seen or endorsed this post.
Now what? Are you staying? I honestly don’t know. My standard for
any job has been whether I am being effective in my position,
true to my beliefs, and present for my family. My fear is that
stories like this one can become self-fulling, and my ability to
represent the company publicly has been compromised by this cloud
hanging over my head. To the last criteria, I have three children
under twelve and I’ve come to the realization that I’ve spent 75%
of my youngest child’s life as the CISO of companies in battle
with the Russian intelligence services. This isn’t conducive to
being a great parent.
If I do leave, I promise to be open and honest. Wherever I am, I
am always available to anybody looking to discuss how to tackle
these problems or who have thoughts on what I can do better.
Thank you to everybody who has been kind to me, especially this
week.
-
Entertainment7 days ago
Election 2024: The truth about voting machine security
-
Entertainment6 days ago
Teen AI companion: How to keep your child safe
-
Entertainment6 days ago
‘Wallace and Gromit: Vengeance Most Fowl’ review: A delightful romp with an anti-AI streak
-
Entertainment5 days ago
‘Dragon Age: The Veilguard’ review: BioWare made a good game again
-
Entertainment5 days ago
Polling 101: Weighting, probability panels, recall votes, and reaching people by mail
-
Entertainment4 days ago
‘Only Murders in the Building’ Season 4 ending explained: Who killed Sazz and why?
-
Entertainment4 days ago
5 Dyson Supersonic dupes worth the hype in 2024
-
Entertainment3 days ago
When will we have 2024 election results online?