Facebook security chief's brutally honest leaked email reveals how distraught the company was about being used by the Russians



Alex Stamos, Facebook's outgoing chief security officer.

  • A leaked memo has cast more light on Facebook's discomfort at being thrust into the frontline of nation-state cyberwarfare.
  • Alex Stamos, Facebook's outgoing chief security officer, said having to be more transparent about state interference has been "uncomfortable," according to the email obtained by BuzzFeed.
  • Stamos said he deserves as much blame as anyone else for Facebook being slow to notice and stamp out Russian meddling in the 2016 presidential election.


Just days after Mark Zuckerberg came clean about Facebook's failings on Russian interference, a leaked memo has cast more light on the firm's discomfort at being thrust into the frontline of nation-state cyberwarfare.

In an interview with Recode, Zuckerberg said Facebook was "too slow" and "overly idealistic" about the social network's power for good to notice that the Kremlin was interfering in the 2016 presidential election.


Now, he said, Facebook has a playbook for "preventing these kind of disinformation campaigns." This has led to some difficult discussions at Facebook, according to a brutally honest leaked email sent by outgoing chief security officer Alex Stamos.

In the memo, obtained by BuzzFeed News, Stamos ruminated on tech companies being thrust "into the struggle between nation-states." He said: "We are moving into a world where the major platforms are going to be expected to provide our findings, attribution and data directly to the public, making us a visible participant in the battle between cyberwarfare titans."


This, Stamos wrote, has been an "uncomfortable transition" and he has not always agreed with the compromises Facebook has struck. "That being said, I believe my colleagues have all approached the process in good faith, and together we have sorted through legitimate equities that needed to be weighed," the CSO added.

Stamos, who leaves Facebook in August, didn't go into detail about the compromises he disagreed with, but did clear up one thing: The rumours that Chief Operating Officer Sheryl Sandberg told him not to investigate or disclose Russian activity. This was "absolutely not" the case, he said.

Stamos said he deserves "as much blame (or more) as any other exec at the company" for missing the Russian interference. In a personal note at the end of his email, he suggested that spending more time with his family was a big factor in his decision to quit.

"I have three children under twelve and I've come to the realization that I've spent 75% of my youngest child's life as the CISO of companies in battle with the Russian intelligence services. This isn't conducive to being a great parent," he added.

A Difficult Week


Alex Stamos, Friday, March 23, 2018

At noon on Monday, a NY Times reporter I have long known and respected gave me a ring.

"Alex, this will probably be the most difficult discussion we've ever had." She was right.

She told me that four anonymous sources had told her a variety of things that she was working into one story that would post later that day. I spent the next thirty minutes shooting down several completely false accusations and trying to prevent the true facts from being woven into a misleading narrative. I pointed out to her that, if true, her story would still be a scoop in several days and asked if she could give me and Facebook more time to work with them to tell an accurate tale of our challenging last couple of years.

About three hours later, with me frantically working with our comms team to get on-the-record quotes to the reporters, the first stub version of the story went out with a headline that implied that I had just quit Facebook out of anger. This led to thousands of tweets and hundreds of stories based upon the initial, incomplete report, as well as a tearful call from my mother who thought I had been fired. The original NY Times headlines and story were corrected several times, but despite our outreach to other outlets the initial framing calcified into conventional wisdom.


Some fact checking.

Did you quit? Look up, is my name greyed out? If not, then I'm still a Facebook employee (or our deprovisioning process really needs some work).

At some point, I will leave, and this answer will become a bit ironic, but it is absolutely untrue that I quit on Monday, and today I'm still trying to do my best by our users.

Have you had passionate discussions with other execs? Yes. Have we met?

Have those disagreements been about investigating or disclosing Russian activity? The world has changed from underneath us in many ways. One change has been the thrusting of private tech companies into the struggle between nation-states. Traditionally, the standard has been to report malicious activity by adversary nations to US law enforcement. We are moving into a world where the major platforms are going to be expected to provide our findings, attribution and data directly to the public, making us a visible participant in the battle between cyberwarfare titans.


This is an uncomfortable transition, and I have not always agreed with the compromises we have struck in the process. That being said, I believe my colleagues have all approached the process in good faith, and together we have sorted through legitimate equities that needed to be weighed.

Did Sheryl tell you not to investigate or disclose Russian activity? Absolutely not. I have rejected this claim, on-the-record, multiple times to multiple reporters and on Twitter. Unfortunately, we are living in a media moment where sometimes an anonymous accusation is printed over the on-record denial of a direct participant. The Times, to their credit, removed a paragraph that had been written before my on-record statement had been provided, which has become its own meta-controversy (/sound inception_trombone.mp3).

Was there a reorganization of the security team? Yes, here is my post announcing that in January.

Are you leaving in August because of this change? I initiated the discussion of changing the structure of the InfoSec team just before Thanksgiving 2017. This was due to my concerns that organizational issues impaired our election security work in 2016. While the outcome of this discussion was not one I proposed, at the time I committed myself to making the transition as smooth as possible and trying to set the new teams up for success. I am genuinely proud of the capable, diverse security teams we have built and I truly want my colleagues to continue to be successful in their vital work.

The re-org did, however, leave me with a challenge, in that it created a big mismatch between the responsibilities I felt carrying the Chief Security Officer title and the potential for big impact I could have from my redefined role. This conundrum was pretty obvious to many, and when people internally asked if I was leaving I rather openly told them that I was committed to staying through August. That was the truth; I had not made up my mind to leave, and I thought setting a date eight months in the future was responsible and reassuring about the stability of the team. Unfortunately, somebody leaked the fact in a manner meant to turn an eight-month commitment into a rage-quitting.


Are you leaving because of Cambridge Analytica? No, that makes no sense if you look at the calendar.

How are you feeling? Aww, how sweet, thanks for asking! I feel like shit.

I am extremely uncomfortable with the "heroic Alex" narrative the media is using to beat up on Facebook for many reasons:

1. It is undeserved. I was the Chief Security Officer during the 2016 election season, and I deserve as much blame (or more) as any other exec at the company.

2. It erases the work of the true heroes. If anybody deserves credit for the good things we did, it is the members of the threat intelligence team who first spotted and stopped Russian activity in 2016, and the huge cross-functional group who really studied and understood this problem in 2017. Just because I approve the expense reports of the first group and was part of the second does not give me any special virtue.


3. Heroes need villains. This narrative is popular not because people like me, but because it harms Facebook. At least one person seems to be trying specifically to hurt Sheryl by mixing in leaked facts with untrue allegations.

4. The media loves to build up heroes before tearing them down. We Greeks invented this narrative device, the fatal flaw, and I know that at least one person is pushing lies about me to journalists. Aside from this being hurtful on a personal scale, I realize that the more I'm narratively built up, the further the media eventually gets to pull me down (which they will also frame as bad for Facebook).

Most importantly, this narrative absolves us of the hard things we have to do to win back the world's trust. It would be really simple to believe that the outcomes of arguments between a handful of people got us to this point, but the truth is that we need to all own this. The problems the company is facing today are due to tens of thousands of small decisions made over the last decade within an incentive structure that was not predicated on our 2018 threat profile. While it has been disconcerting to hear anger and sadness in the voices of our colleagues this week, I also take heart in how widespread our desire has become to align ourselves in the new landscape. I saw this shift in many executives last year, as they clearly recognized the emerging imperatives to prioritize security, safety, integrity and trust over all else, but no number of all-hands or corporate goals was going to be able to turn this huge ship without a bottom-up change in culture.

So now we need to turn that angst into action. We need to change the metrics we measure and the goals we shoot for. We need to adjust PSC to reward not shipping when that is the wiser decision. We need to think adversarially in every process, product and engineering decision we make. We need to build a user experience that conveys honesty and respect, not one optimized to get people to click yes to giving us more access. We need to intentionally not collect data where possible, and to keep it only as long as we are using it to serve people. We need to find and stop adversaries who will be copying the playbook they saw in 2016. We need to listen to people (including internally) when they tell us a feature is creepy or point out a negative impact we are having in the world. We need to deprioritize short-term growth and revenue and to explain to Wall Street why that is ok. We need to be willing to pick sides when there are clear moral or humanitarian issues. And we need to be open, honest and transparent about challenges and what we are doing to fix them.

I have heard all of these changes discussed among executives over the last year, and I think we're in a place where such aims are realistic and achievable. If any company is up to these challenges, it's ours. I still can't believe how lucky I am to work with talented people.


Alex, blink twice if you are being held hostage as you write this. I wrote this post myself, and did not run it by anyone. I have to thank Schrep for pulling me aside, asking how I am and suggesting that I speak to the company from my heart, but he has not seen or endorsed this post.

Now what? Are you staying? I honestly don't know. My standard for any job has been whether I am being effective in my position, true to my beliefs, and present for my family. My fear is that stories like this one can become self-fulfilling, and my ability to represent the company publicly has been compromised by this cloud hanging over my head. To the last criteria, I have three children under twelve and I've come to the realization that I've spent 75% of my youngest child's life as the CISO of companies in battle with the Russian intelligence services. This isn't conducive to being a great parent.

If I do leave, I promise to be open and honest. Wherever I am, I am always available to anybody looking to discuss how to tackle these problems or who have thoughts on what I can do better. Thank you to everybody who has been kind to me, especially this week.
