Facebook’s CSO: the security industry needs to change

Every summer, suited and/or black-clad security geeks flock en masse to the sun-drenched surreality of Las Vegas for “Hacker Summer Camp”: a full week of various security and hacker conferences, the fanciest of which ($2,800 at the door) is called Black Hat. Today Facebook’s CSO Alex Stamos gave its keynote address. He began by calling the infosec community a “family” — then gave a speech which felt a little like an intervention.

He was exceedingly diplomatic about it. He never actually said that the infosec community has collectively spent long enough as a sullen, nihilistic teenager full of misguided angry contempt for the rest of the world, and it is past time for it to grow up, move out of its basement and finally begin to play well with others and develop at least a hint of compassion, empathy and humility. But that was certainly my takeaway[1].

This is especially important because, of course, information security matters. Data breaches. Email hacks. Vulnerabilities in critical infrastructure. Democracies threatened by political “information operations” and, at least conceivably, by compromised voting systems. Information security hits the headlines at least weekly, and both the rate and scale of newsworthy breaches are increasing. It turns out that our contemptuous nihilistic infosec teenager has a superpower on which the interconnected aspects of our entire society rely. Growing up isn’t just good for them, and their family — it’s important for everyone.

How does this teenagedom manifest itself today? Stamos — a well-known, longstanding privacy and security advocate, incidentally — summarized that nicely:

Most of all, he observed that the security community spends an enormous amount of time and effort ferreting out complicated, byzantine vulnerabilities, while all too often paying only lip service to what actually harms users. The vast majority of which is abuse — i.e. harm caused by using systems in technically correct ways, such as spamming, doxxing, DDoSing, dogpiling, etc. — and even the kinds of harm caused by what the industry currently thinks of as vulnerabilities are mostly caused by simple, straightforward problems, e.g. re-used passwords, unpatched systems, luring users into clicking attachments, rather than the cinematic Gibsonian notion of some hoodied hacker or organized nation-state team cutting their way through layers of online security using 0-day exploits.

He also called for greater empathy and diversity in the industry, and Facebook is putting its might where Stamos’s mouth is: almost half of Facebook’s security management/leadership team are women, and they’re working with CodePath to offer cybersecurity courses at six institutions — City College of New York, Hofstra University, Merritt College, Mississippi State University, California State University San Bernardino and Virginia Tech — which have a more diverse student body than the infosec industry (which admittedly isn’t hard).

“Security people aren’t brilliant, we aren’t smarter than everyone else … we aren’t going to bug-squash our way out of the current situation,” Stamos said. (It’s basically taken as written by everyone in the industry that the current situation is not a good one.) “I’d like us to put as much thought into how we eliminate entire classes of vulnerabilities as we do into spectacular demos on stage.” Here’s hoping the grown-up infosec community to come can do just that.


[1] Certainly accentuated by my own biases, of course, and perhaps by the fact that Black Hat itself is no longer a teenager — this is its 20th year.