Six weeks into the job, Facebook chief security officer Alex Stamos has begun to settle into his new post securing the Internet for the 1.5 billion people who use the world’s biggest social network each month.
Stamos presented a glimpse of his strategic vision for the site—and the wider web—while seated at a table in a hotel suite overlooking the Las Vegas strip at this year’s Def Con hacker conference. (As part of a bootcamp introduction to the company, he spent a couple of hours the night before debugging lines of JavaScript.) Now captain of Zuckerberg’s guard, he revealed why he decided to join the tech giant and he identified his top three priorities at the company (though it’s still early).
Stamos recently left Yahoo (YHOO) where he served as chief information security officer and spearheaded an initiative in collaboration with Google (GOOG) to build an end-to-end email encryption tool for email services. Earlier this year, he notoriously tussled with U.S. National Security Agency director Michael Rogers over the question of whether law enforcement should have access to people’s private communications, a debate now raging between Washington D.C. and Silicon Valley.
Here is a peek at Stamos’ mission. The following are his words, edited for length and clarity.
On joining Facebook: Ambition and adversaries
There are two quality judgements that made me want to come to Facebook (FB).
One was that the individuals on the security team who I’ve interacted with through previous jobs are incredibly skilled and nice—people you want to work with—but very ambitious.
Two, the adversaries that Facebook faces are really good at their jobs. There’s a benefit to having good adversaries. It sharpens the mind and gives you an opportunity to address problems that would be, in other companies, just like, ‘Oh that’s too crazy ever to turn into a problem.’ For us, we assume that that’s not crazy. When you play at our level you have to start thinking about the Internet of things and embedded systems and all that other stuff.
Priority No. 1: Fighting the good fight
I’ve come up with three areas that I’m going to be focusing on for the coming months that I think are going to be interesting opportunities for us. The first is: The team has done an incredibly good job of building defenses for the highest level of adversary, and I want to continue that.
So, my first goal is continuing down the road of building solutions that help us stand up against the best financed adversaries. It’s something that we seem to have done really well at. But you can never finish. It’s a chess game. It’s not like building a house or a bridge where eventually it’s over. This is the kind of thing that you have to continuously do to get better at.
Priority No. 2: Connecting the world, securely
Facebook’s corporate goal is to build a more open and connected world. My team’s job is to build a more open and connected world—comma—securely, which is implied by that but is not necessarily a part of it. You can connect people and do so in a way that makes them less safe, and we have to be very careful that we don’t do that.
One of the biggest areas of ambition right now is our Internet.org project, which as you guys have read about, is the goal to bring the Internet to the two-thirds of the world that don’t have it, more quickly than they otherwise would. In doing so we face a totally different set of problems and we have to solve a whole new set of problems we’ve never had to solve before.
When we talk about bringing Internet access to people who have never had it before, we’re not talking about sexy bugs like. We’re talking about security flaws that have been known about for years—fundamental flaws like phones not supporting modern versions of cryptography.
This is an area that I’m really excited about because these are problems that we don’t have to address with our ‘1% security problems’—in dealing with the richest, most resourced consumers, and our enterprise problems. I like to think about how the rest of the world lives: Can we bend the curve not just on Internet access but on keeping those folks safe?
Priority No. 3: Strengthening neighbors
The third area we’re going to really focus on is uplifting the security of the entire Internet industry. Because we have the gift of having very good adversaries and of having the resources to fight them, the issues that we see today will trickle down and become everybody’s issues in six months to a year.
The things you guys are going to learn about at Def Con today—you know, often people are like, ‘Oh, well, in a year this is going to be a big deal for everybody’—well, it’s quite possible what you’re learning about at Def Con today was a problem for us six months ago. You’re only, by definition, seeing the people who do open research and who want to make the world better by talking about it publicly. There’s nothing that you’re learning about at Def Con that could not have been found by private teams that have different motives. And those are the kinds of folks that we have to deal with.
Putting those priorities in action
One facet of that area is ThreatExchange, which is our open, free threat information sharing platform. Right now there are over 80 companies that are active on ThreatExchange, such as Yahoo, Pinterest, Twitter (TWTR), Microsoft (MSFT), Dropbox.
These are all companies that upload data when they find a security incident. Maybe they find a new piece of malware on a corporate laptop and then they’ll analyze it and they’ll add to ThreatExchange. Then folks on ThreatExchange who subscribe to them automatically pull that data down and check their own systems.
We’ve stopped countless attacks by finding one company that has faced a certain vulnerability or piece of malware and then spread that herd immunity out to the rest of the companies much more quickly than the bad guys can pivot and break into multiple companies.
Ask and you shall receive
The other project that we’re trying to use to help other people is osquery [“OH-ESS-query”], an open source toolkit that you can put on your corporate or production host. We run it on many, many servers on our corporate and production systems. A bunch of other companies do that, too. Slack and Yelp (YELP) have both deployed it and they’re using it.
Osquery allows you to ask questions of your huge fleet of computers and get answers very quickly. That sounds like something simple. It turns out to be very complex. Once you have that ability, then you have a very powerful tool for not just looking for security events but for troubleshooting performance issues, troubleshooting crashes. At Facebook, osquery is written and provided by the security team, but it’s used by engineers all over the company to troubleshoot issues.
Osquery is just part of the stack of tools we’ve built to protect against really advanced threats. We’re looking to see which other tools for us to open up and contribute to other people.
So far, it has been a fun six weeks and we’ll have a lot to talk about in the future. It’s nice to be a part of a company that’s ambitious and trying to do things that nobody else has done. And it’s also fun to be part of a security team that’s trying to enable those things and not just say no.
In the future—when you talk about drones and other kinds of flying things and lasers and stuff like that—that makes security a little more challenging. Though it’s kind of fun to feel like I’m a character in a William Gibson novel when we talk about stuff like that.