Facebook's security chief on a post-Snowden 'silver lining'

People are thinking more about security and that's a good thing, says Joe Sullivan, who also touted the company's encryption policies during a press briefing at headquarters.

Richard Nieva, former senior reporter. Richard Nieva was a senior reporter for CNET News, focusing on Google and Yahoo. He previously worked for PandoDaily and Fortune Magazine, and his writing has appeared in The New York Times, on CNNMoney.com and on CJR.org.

Facebook Chief Security Officer Joe Sullivan in 2011. (James Martin/CNET)
MENLO PARK, Calif. -- Edward Snowden's disclosures haven't changed much about security for one of the biggest Internet companies in the world.

"We haven't fundamentally changed the way we do things," said Joe Sullivan, Facebook's chief security officer.

It's just that issues of security and privacy have been front and center since Snowden, a former NSA contractor, leaked a trove of documents to the press last year, he said. Sullivan, who spoke to a group of reporters at Facebook headquarters here, seemed pensive when discussing the new post-Snowden reality.

He was hesitant to give any opinion on the leaker. "I'm not in a position to pass judgement," he said. The biggest change, he said, was the attention to the topic. "I think about it a lot. Has this been a good thing or a bad thing, these last nine months? It's hard to deal with stops and spurts when a story comes out," he said. "[But] a world where people care about security, that's the silver lining."

There have been many of those stories since Snowden's disclosures, but one in particular is sure to have hit home for Sullivan. Last week, The Intercept reported on an NSA program called Turbine, an automated system the NSA uses to hack into millions of computers. Likely most egregious for Facebook was the claim that the NSA had even posed as a Facebook server to gain access to targets' computers.

While not referring to the program directly, Facebook Chief Executive Officer Mark Zuckerberg wrote on his Facebook timeline the next day that he had spoken with President Obama to vent his grievances over the US government's spying tactics. "I've called President Obama to express my frustration over the damage the government is creating for all of our future," Zuckerberg wrote. "Unfortunately, it seems like it will take a very long time for true full reform."

Sullivan's approach has been to try to keep a level head when those stories come out. "One of the things I've tried to do is make sure we're not too alarmist -- show people in the company, this is what we were working on two years ago."

Sullivan was quick to point out all of the work the company had done on encryption before the blockbuster NSA leaks. For example, he said that the company encrypts data traveling between its data centers. He couldn't pinpoint the exact time of the implementation, but said the process began "before 2013." The practice is especially relevant after media reports last October that said government agencies had been intercepting data center traffic in transit at Yahoo and Google.

He also mentioned that the company began work on implementing secure browsing, or HTTPS, in 2009, and made the feature opt-in for users in 2011. By 2013, the company had every user on the secure connection. He also said the company uses "perfect forward secrecy," which limits the damage if an SSL key is later compromised.

Sullivan also said that security issues aren't relegated to just one team, but spread out to the entire company, making sure every team is thinking about them. He mentioned a month-long security exercise played out every year during October, called Hacktober. During the exercise, the security team tries to hack Facebook while the rest of the employees try to catch them. Employees who succeed are awarded a hack-o-lantern T-shirt. He said that, since the company first started Hacktober three years ago, the shirts had become a badge of honor.

He also talked about the security environment in the tech industry and the work that the companies do together to improve security. "I think it's fair to say that companies don't compete on security in Silicon Valley," he said. "It's 100 percent cooperation."

Like other companies in Silicon Valley, Facebook has also sought security help from outside the company. Facebook has a bug bounty program, soliciting help from hackers and paying them to find security vulnerabilities. Sullivan said the company has paid out $2 million since it first launched the program two years ago. It has also hired three people through their work with the program, from three different continents, speaking three different languages.

The important thing, he said, is to make sure products are able to adapt to new security standards, whenever they pop up in the future. "If you're thoughtful about planning ahead, you're not just slapping on security in the end," he said.