Can Facebook's new hires take on troll farms and data privacy?
CEO Mark Zuckerberg promises the social network will hire 10,000 new security and content moderation employees this year. Can they make changes users want?
- 2022 Eddie Award for a single article in consumer technology
Facebook CEO Mark Zuckerberg prepares to testify before a combined hearing of the Senate judiciary and commerce committees on Tuesday. He reiterated his promise to hire 10,000 new cybersecurity and content review employees.
Facebook's plan to guard itself against misuse of its free service includes doubling the number of people working on cybersecurity and content moderation to 20,000 employees in 2018, no small feat since finding qualified tech workers is already difficult.
But cybersecurity and privacy experts say Facebook faces a bigger challenge: making sure all of those workers are actually focused on fixes to the problems that have put CEO Mark Zuckerberg and the world's largest social network at the center of multiple controversies. That includes concerns over user data privacy, fake news, hate speech and election tampering by foreign governments.
Facebook is already halfway to its hiring goal. On Monday, Zuckerberg revealed he's already hired 5,000 of those employees and hopes to bring on the other half by the end of the year. It's a huge investment -- one that's going help to increase Facebook's projected spending by up to $12.3 billion in 2018, to a potential total of more than $32.7 billion. (In 2017, it was just under $20.5 billion.)
Zuckerberg said the hit to Facebook's profitability is necessary to address concerns that bad actors in Russia had used Facebook to spread propaganda and misinformation during the 2016 US presidential election. Since then, the company has been dealing with another problem -- the Cambridge Analytica scandal, in which a political consultancy was able to gain access to data on as many as 87 million Facebook users.
While the hiring effort is focused on stemming misinformation, the controversy swirling around Facebook has quickly grown to include more fundamental questions, including whether Facebook is a trustworthy steward of all the user information it collects. The company, which had $41 billion in sales in 2017, makes its money by selling ads that are targeted to users based on what it knows about you. Zuckerberg, in Washington this week to answer legislators' questions about how that data is managed, has admitted that Facebook made mistakes and didn't have a good enough grasp on how developers and third-party apps were co-opting its platform.
"What it comes down to is, there's a perceived level of protection of user information that people are realizing didn't exist," said Eric Cole, a cybersecurity expert who advised the administration of President Barack Obama as part of the Commission on Cybersecurity for the 44th Presidency. What users want to know about the new hires -- and any of the proposed fixes -- is, "How would that have actually solved this problem?"
Facebook didn't respond to a request for comment, but Zuckerberg said in his prepared testimony, "I've directed our teams to invest so much in security -- on top of the other investments we're making -- that it will significantly impact our profitability going forward. But I want to be clear about what our priority is: protecting our community is more important than maximizing our profits."
An army of cybersecurity workers
First, the company has to find the employees. And if even half of those workers are focused full-time on cybersecurity, Facebook faces a Herculean task. That's because there's a shortage of job seekers with these skills in the workforce.
In a 2017 report on the state of the cybersecurity industry, experts from a consortium of security-oriented organizations projected the field will be short 1.8 million workers globally by 2022. Cole, who now trains people entering the field at the SANS Institute, said that 10,000 workers would represent a significant portion of the entire cybersecurity workforce.
"That's insanely high," Cole said. "They would have the biggest security department on planet Earth."
While cybersecurity workers can look into Russian manipulation on Facebook, Cole said that hacking experts wouldn't have stopped what happened with Cambridge Analytica. In that case, Facebook let third-party apps access the data of users who interacted with those apps, as well as the friends of all those users.
"This was clearly a policy and decision that was made by Facebook," Cole said. "That's the irony of all of this, that it really it had nothing to do with security."
Privacy, security or both?
But lumping in privacy questions with cybersecurity may make a certain amount of sense. For one thing, regular internet users tend to think of privacy and security as the same thing, said Lorrie Cranor, a professor at Carnegie Mellon University and director of the CyLab Usable Privacy and Security Laboratory.
"When we do research and we interview people about privacy, they very quickly start talking about security," Cranor said, adding that people are worried about data breaches and identity theft. "People think of it as a privacy violation."
Facebook is already taking tools typically employed to stop hackers and using them to improve user privacy. On Tuesday, the company launched a program that rewards cybersecurity experts for finding and reporting third-party apps that are accessing Facebook user data inappropriately.
Called a bug bounty, this kind of program normally focuses on finding software flaws that could let hackers breach apps and other systems. This new "data abuse bounty" is focused on making sure apps are following Facebook's privacy policies. Zuckerberg has said he'll cut off any developers who don't adhere to its policiies.
"That's a positive development," Cranor said. "If you have policies that you can't enforce, then they're not that helpful to people."
Retaining a workforce
If Facebook succeeds in hiring all 10,000 employees and has them trained exclusively on solving the problems the company now faces, there will be yet another challenge, Cole said. That's keeping everyone working at Facebook.
Cole said he often sees a company bring in cybersecurity employees who don't have the exact skill set they need and then train them for several months. That investment is good for the company, unless the employee takes his or her training somewhere else. That happens a lot.
"These folks are jumping around because there's such a high demand," Cole said.
If they stay, all the better for Facebook, Cole said. But the need for training means the benefit of the new hires won't instantly cure what ails the social media giant.
Even if all goes to plan, Cole said, "it's not an immediate fix."
The Smartest Stuff: Innovators are thinking up new ways to make you, and the things around you, smarter.
Special Reports: CNET's in-depth features in one place.