Facebook's security chief talks encryption plan

Summary: For Facebook, ensuring the security of its users worldwide starts with improving the security culture and dialogue within the company itself.


MENLO PARK, CALIF.---Facebook has built its business upon the sharing of content between people worldwide, but protecting that data is a gargantuan responsibility -- one that demands an increasing amount of transparency.

Facebook's chief security officer Joe Sullivan sat down for a whiteboard session at the social network's Silicon Valley headquarters on Tuesday morning, providing a deep dive about the company's security strategy.
 
That strategy, Sullivan explained, starts with the security knowledge and culture within Facebook offices.
 
"You can't expect security to be perfect," Sullivan asserted, arguing that security is in a constant state of improvement. 
 
A decade ago, Sullivan suspected that most people online were "incapable" of securing themselves, reiterating that it is impossible to build a security model that is 100 percent secure if Internet users don't take the proper precautions to protect themselves. 
 
These days, Sullivan observed positively that security has changed from something people don't really want to do to something people are excited about -- starting with internal hacks and dummy phishing emails used as learning lessons within the Menlo Park, Calif.-based company itself.
 
One simple rule that could go a long way is the requirement that every Facebook employee turn on Login Approvals, which adds a second authentication factor to keep others from logging into their accounts.
 
When looking at some of the more recent high-profile cyber attacks, notably those conducted by the Syrian Electronic Army going after media outlets and corporations, Sullivan posited there has always been a personal and social component to the attacks. 
 
For Facebook, he continued, that means engaging every single employee at the company. 
 
"Some companies will have a single security team that sits in the corner," Sullivan quipped, noting that Facebook has at least four different primary teams covering technical security, security infrastructure, site integrity, and safety. 
 
Two of these teams report directly to Sullivan, which he acknowledged provides him with the useful perspective of managing the front-end legal process in the wake of the National Security Agency revelations starting last June. 
 
Facebook was one of the nine tech companies tapped by the federal agency's secret data mining program PRISM, which was initially revealed through classified documents leaked by former government contractor Edward Snowden. 
 
Facebook CEO Mark Zuckerberg, along with other tech titans, has repeatedly attempted to distance the company from the NSA, lambasting the federal government at large for infringing upon privacy expectations.
 
Nevertheless, Sullivan maintained a calm outlook, noting that part of his job is not to set off any unnecessary alarms. He added that anyone who focuses on security is not likely surprised by the things we have seen. 
 
"Security people, we're paranoid," Sullivan quipped. "But when you actually see concrete evidence of implementation, that moves it from paranoia to professional security advice."
 
Encryption has been a buzzword in the security field even before the NSA firestorm began, and it was the topic du jour at Tuesday's whiteboard session with the media.
 
But Sullivan stipulated that encryption isn't something to be taken lightly just because it is a hot topic, outlining that it breaks down to two questions that need to be addressed first: what encryption are you doing, and how do you implement it?
 
Estimating that a third of Facebook's user base at the time turned it on shortly after launch, Sullivan admitted he was amazed, remarking that the proactiveness demonstrated people actually care about security and understand the difference encryption can make.
 
Sullivan also pointed toward Conceal, Facebook's open source storage encryption scheme consisting of a set of APIs for Android. Apps can use Conceal for encrypting data and large files stored in public locations, such as SD cards.
 
Mobile is a huge priority for Facebook, reinforced by each quarterly earnings report as the major revenue source for the social media brand going forward. Thus, securing data on this channel will continue to be a spot to watch.
 
Hinting at Facebook's constant campaign around open source, Sullivan argued that companies need to implement encryption in a way that evolves as standards evolve.

When asked if he thinks Snowden's actions were therefore warranted for fostering a dialogue about transparency, Sullivan laughed but remained tight-lipped, noting he wouldn't pass judgment while clarifying that he does welcome these discussions.

Sullivan concluded, "A world where people care more about security and things like encryption, then that's the silver lining on this."
