Interview With Joe Sullivan CSO Of Facebook.com
Today, Facebook is one of the most popular websites in the whole world, especially in the Middle East. It is one of the best-known examples of the new phenomenon of “social networks”, where users voluntarily share information and their personal histories, with stories and regular updates on their daily lives, along with photos of family and friends, their connections, and more. With so much personal information shared in social networks, and so many data breaches in the news, the privacy of Facebook has become a real concern. Facebook.com is also credited with playing a main role in the Arabic Revolutions in the last few months. The increased use and impact of Facebook amongst the general population has prompted entities such as the Egyptian Army and other government agencies to create official pages on Facebook.
That’s why it was mandatory for the Security Kaizen team to conduct this interview with the Chief Security Officer of Facebook.com, Mr. Joe Sullivan, and try to learn more details about Facebook security. Moataz Salah, Security Kaizen Editor, met with Joe and asked him the following questions.
Can you please introduce yourself to Security Kaizen readers?
I’m Joe Sullivan, the Chief Security Officer at Facebook. I manage a few of the teams at Facebook focused on making sure that people who use Facebook have a safe and positive experience.
Prior to joining Facebook in 2008, I spent 6 years working in a number of different security and legal roles at PayPal and eBay. Before that I worked for the US Department of Justice for 8 years. I was very lucky to have the chance to be the first federal prosecutor in a US Attorney’s office dedicated full-time to fighting high-tech crime. I was privileged to work on many high-profile Internet cases, ranging from the digital evidence aspects of the 9/11 investigation to child predator, computer intrusion, and economic espionage cases. I was also a founding member of the Computer Hacking and Intellectual Property Unit, a special unit based in Silicon Valley dedicated exclusively to high-tech crime prosecution.
Can you give us an overview of the Security Teams in Facebook, the role of every team and the average number of employees per team?
We have over 30 people on the Security Team, but that really understates the number of people working on Security at the company. Facebook has engineering, risk, compliance and operations teams outside of Security that are also 100% dedicated to security and safety. Together there are hundreds of us focused on the area. Within the Security Team, we divide up into functional groups such as product security, investigations, information security practices, and law enforcement relations.
What kind of daily activities do you handle?
Facebook Security has a wide range of duties ranging from keeping our physical environment and electronic data safe to helping maintain the integrity of the site. We work internally to develop and promote high product security standards, partner externally to promote safe internet practices, and coordinate internal investigations with outside law enforcement agencies to help bring consequences to those responsible for spam, fraud and other abuse.
What is the most challenging incident you have faced recently?
Our biggest challenges come when we have to disprove negatives. There are so many security “experts” writing about Facebook that we are constantly responding to claimed vulnerabilities that turn out to be theoretical at best. Just in the last month there were two stories that received global media coverage where, if you had read the headlines, you would assume that major security breaches had happened. In fact, in neither case had a security vulnerability led to harm to a single person. We also deal with really unique challenges that require speed and creativity.
The situation in Tunisia (when ISPs started inserting code into our login page) stands out in my mind, because it was something we had not seen before but were able to roll out a complete incident response plan (including launching coding changes on our site) in under five days.
Do different governments including the US government ask for your help in certain Cyber Crime cases? Examples?
Someone on my team talks to a government official from somewhere in the world almost every day of the week—and that should be no surprise. These interactions range from the typical sharing of cyber crime trends, to participation on investigations, to dialogue about content standards, to responding to requests for user records. We try to foster positive dialogue so that we understand government concerns while always maintaining our commitment to respecting the privacy and security rights of our users.
What was your action plan during the recent situations in the Middle East when some countries blocked Facebook?
Our primary focus throughout this time was on maintaining account security and integrity. We cannot counter a decision to shut down internet access altogether or block access to our site, but we can focus on preventing unauthorized access to accounts.
To avoid future similar incidents, what kind of updates did you have to your contingency plan?
We continue to focus on measures to give people more control over the security of their account. We launched opt-in HTTPS and hope to make HTTPS the default soon. We now offer Login Notification, Login Approvals (a form of two-factor authentication), Social Verification, One-Time Passwords and Remote Session Control to give all our users the tools to safeguard their accounts. To complement these user-facing tools, we constantly iterate on our technical systems, which consist of multiple proprietary programs that classify malicious actions, roadblock compromised accounts, scan URLs and maintain the integrity of the site.
Did you notice attacks to specific protesters’ profiles or specific groups during this period either from the old Egyptian government or the Tunisian government?
One silver lining on all of this has been that the same tools we rolled out years ago to prevent Phishing and other types of account takeovers work equally well in combating other types of attempts to compromise accounts. But out of respect for the privacy of each user, we have not publicly discussed specific cases.
Do you think governments have the right to cut the Internet connections and what do you think the response of US citizens would be in such a case?
Through our growth as a service used by hundreds of millions of people in every country in the world, we have shown the power of the Internet as an indispensable tool for communication. To the extent we believe communication and access to information are fundamental to a just society, we should always be concerned when access is denied.