Biz & IT —

Facebook is struggling to meet the burden of securing itself, security chief says

Chief Security Officer described security report as a “very painful process.”

Facebook Chief Security Officer Alex Stamos.
Enlarge / Facebook Chief Security Officer Alex Stamos.

Facebook is Struggling to live up to the responsibility it faces for adequately securing the vast amount of personal information it amasses, the social network's top security executive said in a leaked phone call with company employees.

"The threats that we are facing have increased significantly and the quality of the adversaries that we are facing," Facebook Chief Security Officer Alex Stamos said during a taped call, which was reported Thursday by ZDNet. "Both technically and from a cultural perspective, I don't feel like we have caught up with our responsibility."

He continued:

The way that I explain to [management] is that we have the threat profile of a Northrop Grumman or a Raytheon or another defense contractor, but we run our corporate network, for example, like a college campus, almost. We have made intentional decisions to give access to data and systems to engineers to make them "move fast," but that creates other issues for us.

Stamos also discussed a report on the state of Facebook's security posture and described it as a "very painful process." He said the report will be updated every six months and that the company's management team will be briefed on its contents.

Stamos told ZDNet reporter Zack Whittaker he used the words "college campus" as a figure of speech several times during an internal discussion to describe challenges that the company faces. "My team runs network security for the company, and of course we secure it thoroughly," Stamos said. The leaked comments were made during an internal talk with employees discussing the challenges Facebook had protecting its networks from the growing threat of nation-sponsored hackers.

In 2014, Russian intelligence agents orchestrated a hack on Yahoo that compromised 500 million user accounts, federal prosecutors have alleged. Google said in 2010 that it was on the receiving end of a highly targeted attack by Chinese hackers that was aimed at accessing the Gmail accounts of activists and stealing the company's intellectual property. Researchers have presented evidence strongly suggesting that dozens of other breaches on defense contractors, security companies, and others have also been carried out by state-sponsored attackers.

In a series of tweets Thursday, Stamos said a basic challenge Facebook and similar companies face stems from the freedom they give engineers to customize their environments and experiment with new tools and development processes.

"As a result, we can't architect our security the same way a defense contractor can, with limited computing options and no freedom," Stamos wrote. "Keeping the company secure while allowing the culture to blossom is a challenge, but a motivating one, I'm happy to accept. The 'college campus' wording is just a figure of speech to make the point."

The headline and first sentence of this post were updated in an attempt to better paraphrase Stamos's comment "Both technically and from a cultural perspective, I don't feel like we have caught up with our responsibility."

Channel Ars Technica