Facebook’s Stamos on protecting elections from hostile hackers (Q&A)
LAS VEGAS—Facebook wants you to know that it takes election hacking seriously. So seriously that it had its hacker-in-chief, Alex Stamos, kick off the 20th Black Hat computer security conference Wednesday morning with a keynote speech and blog post detailing company plans to help prevent hackers from again interfering with the country’s democratic processes.
And no, the social-networking giant’s chief security officer wasn’t talking about putting an end to so-called fake news.
“Fake news is a term that doesn’t mean anything anymore, and so we’re trying not to use it,” he said in an interview Tuesday with The Parallax. “Intentionally wrong stories” published as news, not opinion, are more driven by the economics of clickbait than anything else, he said.
Stamos is far more concerned with securing the computer infrastructure on which today’s campaigns and elections are so heavily dependent, including voter and donor databases, phones and computers, email archives, messaging apps, voting machines, and their connections to the Internet. These components often face online threats more severe than campaign and election IT staff are prepared to fight on their own.
Computer security experts across various organizations should work together to protect their democratic institutions, Stamos says. To that end, he co-authored a research paper Facebook published in April detailing targeted information operations in elections. He also helped facilitate Facebook’s initial $500,000 contribution toward the Defending Digital Democracy Project, announced earlier this month.
Through DDD, the Belfer Center for Science and International Affairs at the Harvard Kennedy School plans to “identify and recommend strategies, tools, and technology to protect democratic processes and systems from cyber and information attacks.” The project’s co-leaders come from Republican and Democratic political pedigrees, signaling bipartisan support.
In emailed statements to The Parallax, Robby Mook, Hillary Clinton’s 2016 campaign manager, and Matt Rhoades, Mitt Romney’s 2012 campaign manager, explained why they joined the project as Harvard fellows and co-leaders.
“This is a forward-looking and bipartisan effort to tackle a real problem,” Rhoades wrote. “It’s not about relitigating campaigns of the past—it’s about safeguarding our democracy in the future.”
For Stamos, securing the online and computer infrastructure of campaigns is a key battle of the 21st century.
“We have built monitoring to look for the kinds of behaviors we’re seeing in the U.S. election and then in the run-up to the French election, and put together warnings that we can give to people targeted in these operations so we can work collectively to defend the personal and the campaign accounts—the official accounts of those individuals,” Stamos says.
While he’s optimistic that the new project can have a positive impact, he acknowledges that the road ahead is long and challenging. What follows is an edited transcript of our conversation.
Q: What’s going to convince political parties to participate in the Defending Digital Democracy Project, especially when one of them might have benefited from hacking operations and information attacks?
I don’t think anyone actually benefits from external influence into democracies. Now that it’s clear that this kind of manipulation can happen, we’re going to see more of this kind of behavior in other contexts around the world, and from a variety of different threat actors.
So it’s important for us to get together in a bipartisan manner and to build defenses. In the United States, the parties have a big challenge. Next year, there will be 435 House races, 33 Senate races, and I believe 30-some gubernatorial races. Each race has at least two candidates. And each candidate sets up a campaign that lasts about a year.
A campaign typically requires building, then tearing down, a whole IT infrastructure, often involving volunteers. So building a campaign that can resist attacks from advanced threat actors can be extraordinarily difficult.
We need to create mechanisms by which companies that deal with these threat actors every day—including big tech companies and financial services—can assist campaigns in building secure infrastructures and sharing information about threats. When they observe attempted attacks, campaigns should be able to track them across the entire ecosystem and not just attempt to handle them on a standalone basis.
It sounds like such an effort would require a lot of people, both inside and outside Facebook.
We’ll have an ISAO (information sharing and analysis organization) with its own professional staff. It’ll likely require people inside different groups to think carefully about threats and participate in working groups. And so we’re going to provide the help we can, but what we really want to do is to create a community in which assistance can be provided. Hopefully we can have some economies of scale by solving these problems once and then deploying them multiple times in various places.
With the modern cloud and modern computing platforms, it’s not that hard to build much more securely. Use a good cloud email system, use limited computing systems like tablets and Chromebooks, and deploy two-factor authentication and universal two-factor tokens. You just need a reliable set of advice and some basic technology that can be stamped out over and over again.
Just getting the average consumer to use two-factor authentication has been a big challenge for the security industry. What’s the incentive for political parties in the U.S. and around the world to participate in the project?
It’s hard to think of a major political party worldwide that can’t think of a foreign adversary with an advanced threat actor under their control. So if you believe that your candidates might come under attack, then we’re going to try to build capabilities that can help you defend them.
Because of how the U.S. Constitution is structured, voting standards vary wildly from state to state. Some states don’t even do printed backups of their electronic voting records. What the project is proposing seems like a much bigger ask than something as basic as standardizing infrastructure.
We’ve had initial discussions with local and state election officials. In September, we’re bringing together a cross-section of those officials for a meeting at Facebook’s office in Washington, D.C. So far, there’s actually been a lot of interest.
There is this traditional split between the federal and state governments, where there’s resistance to the federal government having too much oversight of how state and local elections work. We have no power to impose any rules. We don’t have the ability to take over people’s infrastructure. But we can provide a neutral forum in which people can exchange best practices. And those of us on the tech side can try to provide assistance voluntarily.
I think there’s a lot of interest in that voluntary model versus a much more forceful model.
What snags has the project hit so far?
Well, this has never been done before in this industry. There are areas of past and current collaboration and cooperation between political parties, but not in the cybersecurity space.
That being said, other ISACs (information sharing and analysis centers) and ISAOs pull together fierce competitors. The national health ISAC has representatives of different parts of the health industry that have very difficult relationships with one another. And yet they can bring the chief information security officers of all the organizations together.
The financial-services industry, the national health industry, and other industrial controls provide great examples of companies that otherwise hate each other, from a competitive perspective, cooperating on cybersecurity. I believe that we’ll be able to push through and get the various campaigns and parties to work together.
Which events drove the project’s development?
As a country, we learned in the 2016 presidential election the importance of people’s personal computing environments to the geopolitical stage. Many people involved in the political sphere do not have a professional security team protecting their information. You saw this with the Podesta Gmail hack, as well as attacks on others’ personal devices and personal accounts. It’s important for the tech companies that provide these platforms to be part of the conversation of how to keep people safe.
Ensuring that the project can improve computer security in time for the 2018 elections sounds ambitious. How many people does the project need in its first year? And how do those hiring plans fit in with Facebook’s diversity goals?
Dozens of elections worldwide are at risk, so we are trying to triage and reach out to the parties and countries where we think there is the most possible benefit. We’re only in the beginning stages.
We’ll have to see how big this becomes. Generally, the most effective ISACs have professional staff, but they’re not extremely large. The goal is to facilitate coordination between existing capabilities inside of all these organizations, not just to build something on the outside. This is the first time this has ever been done in the democracy space, so it’s really hard to predict exactly what the staffing levels will look like at different levels.
Diversity of people and backgrounds of thought is absolutely critical in solving this problem. Our investigation of these issues, and our ability to react to it, has been greatly improved by the fact that we have a very diverse workforce. We have a team that includes people with international-relations backgrounds, with language skills, with foreign-policy experience.
Many people who did not take any technical classes in college, who have these interesting social-science backgrounds, learned the technical parts midcareer. Having that kind of diversity of people is supercritical to complex systems, including democratic institutions.
There are about 3 billion people on the planet who have Internet access. Facebook has a little over 2 billion users. If we want to build solutions that actually work for 2 billion people, we have to be focused on having a team that reflects those people.