Facebook chief security officer Joe Sullivan's job is all about keeping users safe. But, thanks to the revelations from former National Security Agency contractor Edward Snowden, that's increasingly meant focusing on keeping users' data from the prying eyes of governments, as well as the prying eyes of cybercriminals.
Sullivan joined the social media giant after stints at PayPal and eBay -- plus a few years working on cybercrimes as a federal prosecutor. The Switch talked to him after DefCon about how the NSA leaks have changed the security industry and helped fuel the user backlash to the Facebook Messenger app's permission requests. This interview has been lightly edited for length and clarity.
Andrea Peterson: One of the things I’ve been talking about with people is whether or not the NSA leaks from the past year are still casting a shadow over the relationship between the hacker and information security community and federal intelligence agencies. Do you think it is? And if so, do you think there is any way to mend that relationship?
Joe Sullivan: I never really appreciated the relationship, I guess, to a certain extent. Coming to Vegas for the security conferences was never focused on relationships with the government. It’s always been focused on coming to learn from the classes, learn from industry experts that are here, and do a little bit of recruiting and relationship-building. So it’s hard for me to comment on the relationship between government agencies and the community.
But I do think one thing the last year has shown is that there are no expectations that government agencies are helping secure our services. To a certain extent we’re trying to push security forward on our own -- and whether that’s the way it should be or not, I don’t know. We’ve made a lot of progress on security and continued growing our team. And when I think about what has come out over the last year, there’s a lot more public interest in security -- there’s a lot of passion in the security community.
If there’s a positive thing that’s come out, it might be attendance at the conference -- it felt like it was larger. We saw the last year as an opportunity to do some things like encrypt more, and this was a good week to get feedback on that.
For example, we realized there was an appetite for a security conversation outside the company, and we created a page called “Protect the Graph,” and really have cultivated a good audience of people. And we got a lot of good feedback on that page and the dialogue on things that we’ve put there.
For instance, we put out a paper a few months ago about STARTTLS and how we had implemented STARTTLS as a way of ensuring encryption for e-mails that we would send. And what we had found across the community in the past was that STARTTLS only works if both sides have implemented it, and so there was this perception that, “Well, no one has implemented it, so why should we bother?”
So we put out this paper showing that we’ve done a study and we can see that STARTTLS has been implemented, and so everyone should go implement it. Several people at the conference said to me that what you did with STARTTLS and nudging the industry forward was awesome -- now you can’t really say no one’s doing it so I’m not going to do it. Since we published our study in mid-May, the percentage of our outbound email that is now successfully encrypted with both Perfect Forward Secrecy and strict certificate validation jumped from 28% up to 95%.
There’s excitement for collaboration -- we released an open source security tool with Etsy a few months ago. And that’s what we were talking about last week -- how can we work with each other on more things. I think there’s hope in the industry, even coming out of the despair, if you will.
It does seem like the big result of the disclosures is that tech companies have banded together to say that they’re not comfortable with data demands that are made of them, and have had at least a more public adversarial relationship when it comes to government requests for user data. Can you comment on if and how you have seen the relationship between Facebook and intelligence agencies change as there has been more information that you've been able to share about that relationship?
I think it’s fair to say that any reform that has happened has come from company pressure -- whether it was litigation, where the companies did band together; whether it was transparency reporting, where it felt like transparency reporting had evolved from a particular company's practices to a spotlight on the government practices and thus there is more willingness across the industry to speak up; or whether it was the implementation of notice policies in response to legal process. We’ve all sort of evolved our practices.
Companies certainly have become more comfortable standing up and showing their commitment to the people who use their services. I think it’s not so much that companies have changed their practices, as there was more an opportunity for a dialogue than there once was.
It does seem like there’s also been a shift in how some consumers view companies' access to their information in the wake of the Snowden leaks. I’m sure you’re aware that there’s been a backlash against the permission requests in the standard Facebook Messenger app since it recently became needed to access that feature on mobile devices. But as I understand it, the Messenger app didn’t really ask for anything more than the standard Facebook app did, or many other apps do. Do you think consumers are just more willing to assume the worst now?
I think that the world has taught people to pay attention to security more -- and that’s a good thing. We want a world where we’re in partnership with the people who use our services to create the best security. We’ve tried over the years at Facebook to educate people on security and data protection -- whether it is not sharing your password, or being thoughtful about which applications you connect to through our platform, or using two-factor authentication. The world has become more sophisticated, and that’s a good thing.
I’m also interested in how you specifically became involved in the security space. You’re a former prosecutor with a legal background. Does that give you more insight into the policy proposals that have come out within the last year?
Personally, I feel my career has taken just an ideal path for me, in that I’ve found a passion in security that I didn’t know when I was choosing my career in high school. I love the intersection of law and technology, and as we see from conferences like DefCon, there are a large number of lawyers at a security conference. That’s because security and law are so interconnected, and I think it’s valuable to have that type of collaboration between the tech community, the security community, the legal community and the government and politics community. Technology has changed the world dramatically, especially when it comes to borders and security, and the more sophisticated we all are the better we will do.
Well, I know I’m running out my clock here and I think we’ve covered some great ground, but are there other things you want to touch on?
Yeah, I don’t think it’s naive to believe there is hope in security right now. I think there is hope because we’re seeing a lot of innovation right now. We’re seeing that the people who do innovation in and out of Silicon Valley are recognizing that there’s value in security, so there are a lot more start-ups to collaborate with, which is a good thing. There are a lot more companies that recognize the importance of hiring good people, so the field is more valued than ever.
Media, like you, are excited to talk about security and have found that there’s a consumer audience for complex technical security news. As you mentioned, people are reading the disclosures at the time they install applications. These are all good things for the future. There’s hope that, as people are becoming educated, the community is becoming more sophisticated.
I’m optimistic about the future of security, and I think that we as a company have been blessed in that we have been allowed and encouraged to invest heavily in security over time. And I think over the past year people have learned a lot more about that -- all the work we’ve done with encryption and perfect forward secrecy, HSTS, acquiring PrivateCore to help make our security and even traffic encryption better. There’s just a lot of positive stuff going on, and hopefully people don’t get worn down by the cadence of negative stories about security and see that there’s progress being made.
It definitely does seem like some things are changing -- even as the Snowden stories can be a little overwhelming. You may have heard about Alex Stamos’s [CISO at Yahoo] point at Black Hat about opposing a certain feeling of nihilism in the security space. But it does seem to have pushed more companies to be proactive on this front and also made people a lot more engaged...
I think it’s great that people are making a commitment to hiring and putting people like Alex in place. I’m excited to have peers like that because we can work together. We’re working on security, but one of the things that we’ve really found is that collaboration leads to better security. That’s what we’ve found over our bug bounty program over the years.
And willingness to talk about what’s going well and what’s not going well with security has helped us get better. A lot of companies have been afraid to do a bug bounty because you’re telling the world that you’re vulnerable on your own -- and we’ve paid out over $3 million to security researchers over the past few years through our program. That’s made us a lot better at security; it’s been a complement to the stuff we’ve been doing on our own.