Former Facebook security chief says it’s ‘too late’ to protect 2018 elections

Facebook’s recently departed security chief says US government inaction has ensured that the upcoming midterm elections will be vulnerable to hacking and online manipulation campaigns.

Alex Stamos — who left the company earlier this month — argued his case in an essay for Lawfare, saying it was “too late to protect the 2018 elections.” He’s responding to two pieces of news from yesterday: Microsoft seizing six domains apparently intended for Russian political phishing attacks, and Facebook deactivating 652 fake accounts and pages that were allegedly engaged in misinformation campaigns.

Stamos cites this as evidence that hackers from Russia (and now Iran) have not been deterred from election meddling, and he accuses the Obama administration, the Trump administration, and Congress of a “sclerotic response” to manipulation campaigns during the 2016 election. “If the United States continues down this path, it risks allowing its elections to become the World Cup of information warfare,” he writes.

His prescriptions for the 2020 US elections include promoting the Honest Ads Act, a bill that would mandate more transparency around online political ads, but with an amendment that would specify how influence campaigns could use huge voter databases for targeted ads. He also urges the US government to create a dedicated federal cybersecurity agency, as well as state-level security groups for preventing direct election-hacking — theoretically finding and fixing vulnerabilities like a recently revealed voting machine security hole.

The essay presents a counter-narrative to the widespread criticism that Facebook and other social media platforms have received for letting hackers manipulate their platforms. Stamos has been candid about the company’s security problems, and he reportedly upset some Facebook executives by pushing to reveal information about 2016 misinformation campaigns. Here, he writes that “social media platforms, including my former employer, made serious mistakes in 2016.” But he also focuses substantially on the government’s role in failing to prevent or punish attacks, as well as potential problems with other online ad companies that have “flown under the radar.”

Bob Lord, the Democratic National Committee’s chief security officer, made similar comments earlier today, after the DNC reported an attempted phishing attack to the FBI. “These threats are serious and that’s why it’s critical that we all work together, but we can’t do this alone,” Lord said. “We need the [Trump] administration to take more aggressive steps to protect our voting systems. It is their responsibility to protect our democracy from these types of attacks.”

Facebook’s security chief is leaving, and no one’s going to replace him

Facebook’s chief security officer, Alex Stamos, said today that he’ll be leaving the company later this month. The announcement comes just a day after Facebook — and to a large extent, Stamos — revealed that Facebook had discovered malicious actors who continue to use the platform to manipulate political discussions and organizing in the United States.

Stamos won’t be replaced after he leaves, meaning no one will hold the title of “chief security officer” at Facebook. All eyes are trained on the company to see how it will deal with major security concerns, including the use of fake accounts to manipulate politics and the Cambridge Analytica data scandal.

Rather than building out a dedicated security team, Facebook has dissolved it and is embedding security engineers within its other divisions. “We are not naming a new CSO, since earlier this year we embedded our security engineers, analysts, investigators, and other specialists in our product and engineering teams to better address the emerging security threats we face,” a Facebook spokesman said in an email. Facebook will “continue to evaluate what kind of structure works best” to protect users’ security, he said.

Stamos’ departure still seems to be a big loss, even apart from the symbolic title. Stamos was known for being one of the few executives at Facebook willing to engage with people outside the company about the service’s ongoing problems. He frequently interacted with reporters on Twitter about security issues, often in unusually candid terms.

Facebook hired Stamos in 2015. He had worked at Yahoo in a similar role before then, but resigned after discovering that the company had built a system to scan emails for the US government, according to Reuters.

Stamos’ last day will be on August 17th. He’ll be teaching and conducting research at Stanford after that. In a statement, Facebook COO Sheryl Sandberg said the company “look[s] forward to collaborating with him in his new role.” Stamos’ departure had been decided on last year, according to a New York Times report from March, but Facebook reportedly wanted to keep him on until August.

Facebook is clearly aware that losing its chief security officer and dissolving its dedicated security team, in the middle of all that’s going on, is not a great look. So, many of the company’s statements today are designed to address the obvious concerns that arise.

“We expect to be judged on what we do to protect people’s security, not whether we have someone with a certain title,” a spokesperson said. In another statement, Facebook said it is “investing heavily in security to address new types of threats” and that its new security structure has “helped us do more to keep people safe.”