Alex Stamos is a Hoover fellow and adjunct professor at Stanford University. He served as the chief security officer at Facebook until August.
Yup, Sheryl Sandberg yelled at me.
It was the day after I briefed Facebook’s Board of Directors on an unprecedented and troubling finding on our platform. Combing through billions of accounts, my colleagues and I had discovered a web of fake personae that we could confidently tie to Russia. I told the board the difficult truth: I had no confidence that we’d found out everything the Russians were up to, and it was quite possible that things would get worse before we built the teams and invented the technology necessary to stop it. Sandberg — as reported in this past week’s New York Times investigation — felt blindsided by this. (She later apologized.)
At the time, technology companies were so enamored with the utility of our own products and so focused on sophisticated attacks from U.S. adversaries such as Russia and China that we overlooked less advanced but still effective propaganda operations. After the election, and having provided our detailed findings to the FBI and special counsel Robert S. Mueller III, Facebook stuck to a public-communications strategy of minimization and denial. It was finally jettisoned in early 2018, but the damage to trust has been massive and will take years to repair. To be clear, no one at the company ever told me not to examine Russian activity, nor did anyone attempt to lie about our findings, but Facebook should have responded to these threats much earlier and handled disclosure in a more transparent manner.
Yet Facebook’s shortcomings do not stand alone. The massive U.S. intelligence community failed to provide actionable intelligence on Russia’s information-warfare goals and capabilities before the election and offered a dearth of assistance afterward. Technology companies can build tools and teams to look inward on their products, but they will never have true geostrategic insight or ability to penetrate hostile countries. This relationship has greatly improved in 2018, mostly due to the initiative of hard-working intelligence professionals. Our elected officials, however, can claim little credit. Lawmakers’ public grandstanding at investigative hearings stands in stark contrast to their failure to establish facts, effectively oversee the executive branch and provide for the common defense.
We must also remember that in the summer of 2016, every major media outlet rewarded the hackers of the Russian Main Intelligence Directorate (GRU) with thousands of collective stories drawn from the stolen emails of prominent Democrats. The sad truth is that blocking Russian propaganda would have required Facebook to ban stories from the New York Times, the Wall Street Journal and cable news — not to mention this very paper. Since the election of Donald Trump, print and television news organizations have staffed up and provided a critical service to Americans, but they have never adequately grappled with their culpability in empowering Russia’s election interference.
It is time for us to come together to protect our society from future information operations. While it appears Russia and other U.S. adversaries sat out the 2018 midterms, our good fortune is unlikely to extend through a contentious Democratic presidential primary season and raucous 2020 election.
First, Congress needs to codify standards around political advertising. The current rules restricting the use of powerful online advertising platforms have been adopted voluntarily and by only a handful of companies. Congress needs to update Nixon-era laws to require transparency and limit the ability of all players, including legitimate domestic actors, to micro-target tiny segments of the population with divisive political narratives. It would be great to see Facebook, Google and Twitter propose helpful additions to legislation instead of quietly opposing it.
Second, we need to draw a thoughtful line between the responsibilities of government and the large technology companies. The latter group will always need to act in a quasi-governmental manner, making judgments on political speech and operating teams in parallel to the U.S. intelligence community, but we need more clarity on how these companies make decisions and what powers we want to reserve to our duly elected government. Many areas of cybersecurity demand cooperation between government and corporations, and our allies in France and Germany provide models of how competent defensive cybersecurity responsibility can be built in a democracy.
While many of the individual reporters I have spoken to are now warier of manipulation, it is unclear whether the U.S. media would handle the strategic release of stolen emails any differently today. This might be a fundamental vulnerability in the free press, but it would be reassuring to see leading newsrooms publish their standards on how they might cover newsworthy data leaks without amplifying the messages of the United States’ enemies.
Finally, U.S. citizens must adjust to a media environment in which several dozen gatekeepers no longer control what is newsworthy. While the platforms that bring hundreds of new media outlets to your phone need to improve protections against abuse, in a free society we will always be vulnerable to the injection of narratives from the enemies of democracy, both foreign and domestic. The last line of defense will always be citizens who are willing to question what they see and hear, even when it means questioning our own beliefs.