Alex Stamos rose to fame as the chief security officer for Yahoo and then Facebook. But today he’s the director of Stanford’s Internet Observatory, where he’s immersed in teaching and researching safe tech — and understands better than most the threats that the U.S. is facing, particularly as we sail toward the next U.S. presidential election.
Last night, at a StrictlyVC event in San Francisco, he talked with New York Times cybersecurity correspondent Sheera Frenkel about a small number of these massively impactful issues, first by revisiting what happened during the 2016 president election, then catching up the audience on whether the country’s defenses have evolved since. (The short version: they haven’t. If there’s any good news at all, it’s that the federal and state governments are at least aware now there’s an issue, whereas they appeared largely blindsided by it the last time around.)
What worries Stamos most are “direct attacks on our election infrastructure” because there’s been so little to bolster it. In fact, a big theme of the interview was the growing inability of the public sector to protect Americans or U.S. democracy against actors who would do the country harm.
As it relates to election infrastructure specifically, Stamos used a hyperlocal example to underscore what the U.S. is dealing with right now. As he told Frenkel, “I live in San Mateo County. I’ve met the CIO of San Mateo County. Really nice guy. I’m sure he has a staff of very hard-working people. The idea that the CIO of San Mateo County has to stand up and protect himself against the [Russian military intelligence agency known as the] GRU or China’s Ministry of State Security or Iran’s Islamic Revolutionary Guard Corps or the Lazarus Group of North Korea . . . that’s frickin’ ridiculous. Like, we don’t ask the San Mateo County Sheriff’s Department to get ready to repel an invasion by the People’s Liberation Army, but we ask for the cyber equivalent in the United States.”
Put into perspective, San Mateo County is one of about 10,000 local governments in the United States that are involved in elections, said Stamos. “Nobody else in the world runs their elections this way.”
In fact, in nearly every conceivable way, “responsibilities that were once clearly public sector responsibilities are now private sector responsibilities,” he told Frenkel during a later part of their discussion. He would know, having seen it first-hand.
“When I was the chief security officer at Facebook,” he told the audience, “I had a child safety team. We probably put more bad guys away than almost any law enforcement agency outside of the FBI or [Homeland Security Investigations unit] in the child safety realm. Like, there’s no local police department in the United States that put away more child predators than the Facebook child safety team. That is a crazy stat.”
Facebook also has a counter-terrorism team — which not everyone realizes — and which has become in many ways the country’s first responder, he suggested. Indeed, Stamos said that “there are several terrorist attacks that you’ve never heard of because they didn’t happen because we caught them. Now, there’s some local law enforcement agency that took credit for it, but it was actually our team that found it and turned it over to them with a bow on it.”
Americans might shrug off this continuing shift in who is tackling what, but they do it at their peril, suggested Stamos — who managed to keep the crowd laughing, even as he painted a bleak picture. As he noted, the big tech “companies are exercising this power without any kind of democratic oversight.” Consider, he said, that “[Facebook’s] authorization is the terms of service that people click through and never read when they join Facebook or Instagram. That’s a bizarre set of rules to be bound by when you have such incredible power.”
Another huge blind spot, said Stamos, is the apparent inability — as well as the collective lack of determination required — of the public and the increasingly powerful private sector to coordinate their work. Here, he offered another broad example to make it accessible. “Say you had an organized group in the United States that’s running a bunch of Facebook ads, but their money is coming from bitcoin from St. Petersburg,” said Stamos. “That is completely invisible to Facebook. That is perhaps visible to the FBI . . . but they don’t have access to that actual content [on FB]. And figuring out a way for these two groups to work with each other without massively violating the privacy of everybody on the platform turns out to be super hard.”
Yet it’s worse than even that sounds, he continued. The reason: there’s no decision-tree in part because the issue has grown so unmanageable that no one wants to own what goes awry. “There’s effectively nobody in charge of this right now, which is one of the scariest things we’re facing as a country. Almost nobody is in defense of cyber, and certainly nobody is in charge of the big picture, [meaning] how do we defend against election [interference] both from a cybersecurity perspective and a disinformation perspective.”
Stamos even jokingly referred to “pockets of people in the U.S. government who are effectively hiding from the White House and trying very, very hard” to escape its attention, given the daunting job they’d be tasked with figuring out. Except, all kidding aside, with no one at the helm and “no real cross-agency process, there’s really nobody in charge,” said Stamos.
That means the “tech companies are effectively the coordinating body for this. And that’s actually really screwed up.”