Leaked: Facebook security boss says its corporate network is run "like a college campus"

The source of the recording said Facebook's senior management and executives were apathetic to matters of cybersecurity. Alex Stamos said he used one of the remarks "as a figure of speech."
Written by Zack Whittaker, Contributor

Facebook's security chief has told employees that the social media giant needs to improve its internal security practices to be more akin to a defense contractor, according to a leaked recording obtained by ZDNet.

Alex Stamos made the comments to employees at a late-July internal meeting where he argued that the company had not done enough to respond to the growing threats that the company faces, citing both technical challenges and cultural issues at the company.

"The threats that we are facing have increased significantly and the quality of the adversaries that we are facing," he said. "Both technically and from a cultural perspective I don't feel like we have caught up with our responsibility."

"The way that I explain to [management] is that we have the threat profile of a Northrop Grumman or a Raytheon or another defense contractor, but we run our corporate network, for example, like a college campus, almost," he said.

Read more: IT leader's guide to the threat of cyberwarfare | Cyberwar and the Future of Cybersecurity | Cybersecurity as big a challenge as counterterrorism, says spy chief

Stamos added: "We have made intentional decisions to give access to data and systems to engineers to make them 'move fast' but that creates other issues for us."

The security chief also said that the company had issued a report on where the company stands from a security perspective, in what he described as a "very painful process." He said the report will be updated every six months, when the management team are briefed on its contents.

The comments were part of an internal talk to employees during which he discussed the challenges Facebook had with keeping its networks secure, amid a growing danger of state-sponsored actors and advanced persistent threats, which in some cases have near-limitless resources.

For his part, Stamos, when reached, said that he had used the "college campus" line several times internally to describe challenges that the company faces, and used it as a figure of speech.

"My team runs network security for the company, and of course we secure it thoroughly," he said Thursday.

Stamos denied that the comments were a criticism of the company's management. "They care a great deal," he said. "It's not a criticism of anybody, just a statement of why our team needs to be creative in how we protect our corporate network."

"Tech companies are famous for providing freedom for engineers to customize their computing environments and to experiment with new tools, frameworks and development processes," he said. "Allowing for this freedom helps creativity and productivity, but we have to weigh that against the fact that we have become a potential target of advanced threat actors. As a result, we can't architect our security in the same way a defense contractor can, with extremely limited computing options and no freedom."

"Keeping the company secure while allowing the culture to blossom is a challenge, but a motivating one that I'm happy to accept," he said.

In fairness, Stamos isn't wrong. His frank comments are not uncommon in the infosec space. It's a common-held belief among many companies, large and small, that security isn't taken seriously or dismissed as unimportant compared to what a company sells.

Facebook also has more citizen data now than most governments, making the social network as much of a target today as defense contractors were ten years ago.

But while Facebook may not be storing plans for spy planes and autonomous drones, private citizen data is a commodity -- the social network has billions of people's data -- and nation states are hungry for it.

Stamos, a staunch security and privacy advocate, joined Facebook in June 2015 after a brief stint at Yahoo as chief information security officer. While Stamos had pushed to build out an offensive security "red team" and spearheaded privacy-focused features for Yahoo's customers, the company had reportedly taken "a back seat" on security during his tenure, largely attributed to then-chief executive Marissa Mayer's persistent clashes with Stamos over funding for security features and defense. Stamos left after a little more than a year in the job, reportedly after Mayer's decision to acquiesce to a top-secret classified order to scan emails of Yahoo customers, which the security team is said to have only discovered when it thought the company had been hacked.

The recording's source, who has intimate knowledge of Facebook's security systems and internal processes but did not want to be named, said that the threats that the company faces are "way above [Facebook's] ability to handle."

It was for that reason the recording was leaked -- to reveal an endemic apathy by Facebook executives -- Stamos not included -- who are too focused on making the company work rather than making the company secure.

While Stamos had internally pushed for stronger cybersecurity, policies, and processes, the source said, other senior executives were too busy lobbying lawmakers, and focusing on the company's vision and products -- citing its "move fast" strategy (which has since been partially retired) and not listening enough to the company's security professionals.

Although Facebook has seen its fair share of privacy scandals over the years, it hasn't yet fallen victim to a data breach like Yahoo, Equifax, LinkedIn and Myspace.

The source indicated that Facebook was likely on borrowed time. It's a "painful process to get security across to executives," the source told ZDNet.

Even though the company has so far escaped the "hacked" headlines, its platform is still open to abuse.

Tech companies, including Facebook, are feeling the heat after admitting that Russian adversaries had used the platform to buy ads to influence the 2016 election. Congress is currently investigating the role that Russia had in the election. Several other companies, including Google and Twitter, have also discovered their ads were bought by the Russians in the months running up to the election.

As adversaries get stronger and more capable, security experts argue that it's only a matter of time before even the bigger companies get hacked, and the odds are almost never in the defender's favor.

While companies need to defend against every hack and intrusion, the hackers only have to succeed once.

A Facebook spokesperson did not respond to a request for comment.

Additional context to this story was added after publication.

Editorial standards