Facebook is struggling to live up to the responsibility it faces for adequately securing the vast amount of personal information it amasses, the social network’s top security executive said in a leaked phone call with company employees.
“The threats that we are facing have increased significantly and the quality of the adversaries that we are facing,” Facebook Chief Security Officer Alex Stamos said during a taped call, which was reported Thursday by ZDNet. “Both technically and from a cultural perspective, I don’t feel like we have caught up with our responsibility.”
“The way that I explain to management is that we have the threat profile of a Northrop Grumman or a Raytheon or another defense contractor, but we run our corporate network, for example, like a college campus, almost. We have made intentional decisions to give access to data and systems to engineers to make them ‘move fast,’ but that creates other issues for us.”
Stamos also discussed a report on the state of Facebook’s security posture and described it as a “very painful process.” He said the report will be updated every six months and that the company’s management team will be briefed on its contents.
Stamos told ZDNet reporter Zack Whittaker he used the words “college campus” as a figure of speech several times during an internal discussion to describe challenges that the company faces. “My team runs network security for the company, and of course we secure it thoroughly,” Stamos said. The leaked comments were made during an internal talk with employees discussing the challenges Facebook had protecting its networks from the growing threat of nation-sponsored hackers.
In 2014, Russian intelligence agents orchestrated a hack on Yahoo that compromised 500 million user accounts, federal prosecutors have alleged. Google said in 2010 that it was on the receiving end of a highly targeted attack by Chinese hackers that was aimed at accessing the Gmail accounts of activists and stealing the company’s intellectual property. Researchers have presented evidence strongly suggesting that dozens of other breaches on defense contractors, security companies, and others have also been carried out by state-sponsored attackers.
In a series of tweets Thursday, Stamos said a basic challenge Facebook and similar companies face stems from the freedom they give engineers to customize their environments and experiment with new tools and development processes.
“As a result, we can’t architect our security the same way a defense contractor can, with limited computing options and no freedom,” Stamos wrote. “Keeping the company secure while allowing the culture to blossom is a challenge, but a motivating one, I’m happy to accept.
The ‘college campus’ wording is just a figure of speech to make the point.”
The headline and first sentence of this post were updated in an attempt to better paraphrase Stamos’s comment “Both technically and from a cultural perspective, I don’t feel like we have caught up with our responsibility.”
A bill on the agenda for discussion in Tunisia’s parliament today could bolster impunity for security forces by granting them immunity from prosecution for unnecessary use of lethal force as well as potentially criminalizing criticism of police conduct, said Amnesty International today. The proposed law, known as the Repression of attacks against armed forces bill, would authorize security forces to use lethal force to protect property even when it is not strictly necessary to protect life, contrary to international standards. It would exempt security forces from criminal liability in such cases if the force used is deemed necessary and proportionate. The bill was first proposed by the government to parliament in April 2015 and was reintroduced at the demand of police unions.
“This bill is a dangerous step towards institutionalizing impunity in Tunisia’s security sector.
The fact that parliament is even considering this bill is a sign of the lack of political will on the part of the government to ensure accountability for abuses by the security services. The bill also flouts the country’s own constitution which guarantees the right to life, freedom of expression and access to information,” said Heba Morayef, Amnesty International’s North Africa Research Director.
Tunisian security forces have been targeted in the past but giving them freer rein to use lethal force and immunity from prosecution is not the way to address this challenge. The Tunisian parliament should reject this bill and focus on measures to end the impunity enjoyed by the security forces. Tunisian security forces have been targeted by armed groups in a series of attacks since 2015. Tunisia’s parliamentary committee on General Legislation is due to hold a hearing today with the Minister of Interior whose ministry drafted the bill. Later in the day, the committee will also meet with the security forces’ unions which have been advocating for the adoption of the bill.
The bill allows security forces to respond with lethal force to an attack on property that does not threaten lives or risk causing serious injury. Article 18 of the bill would exempt members of the security forces from criminal liability for injuring or killing anyone, including as a result of using lethal force to protect against attacks on homes, objects or vehicles, if the force used is deemed necessary and proportionate to the danger. This is contrary to the state’s obligation to respect and protect the right to life. Using lethal force solely to protect property would not be necessary and proportionate. The UN Basic Principles on the Use of Force and Firearms restrict the use of lethal force by law enforcement to situations where it is strictly necessary to protect life. These standards require that an independent authority assess whether the use of lethal force leading to a death or serious injury was necessary and proportionate.
In February 2017, Amnesty International published a report highlighting how violations committed by security forces in the context of the state of emergency, including torture and arbitrary arrests, are threatening the country’s path to reform. No security officers have been convicted for these violations so far.
“In Tunisia, abuses committed in the name of security almost always go unpunished. This has created an atmosphere of pervasive impunity, where security forces feel that they are above the law and need not fear prosecution,” said Heba Morayef.
Granting security forces legal immunity from prosecution through this bill will only embolden perpetrators of human rights violations.
In June, members of Tunisia’s infamous El Gorjeni anti-terrorism brigade complained to the parliamentary security and defence committee about the number of allegations of torture and other ill-treatment directed towards them, describing such allegations as a form of harassment. The bill also includes vague provisions that could criminalize legitimate criticism of the security forces including for human rights abuses. Article 12 of the bill criminalizes the denigration of police and other security forces with the aim of harming public order, making it punishable with a penalty of up to two years in prison and a fine of up to 10,000 dinars. Articles 5 and 6 of the bill provide for up to 10 years in prison and a 50,000 dinar fine for those who disclose or publish national security secrets.
This is defined as any information, data and documents related to national security, an overly broad definition which could be used to imprison those revealing information about human rights violations. No protection from prosecution is provided for whistleblowers or journalists. These provisions are inconsistent with Tunisia’s obligation to uphold freedom of expression and the public’s right to access information under international law and according to the country’s constitution.
During a review of its human rights record at the UN Human Rights Council in May, Tunisia received at least 10 recommendations relating to strengthening accountability for human rights violations by security forces.
By accepting these recommendations Tunisia has committed to take concrete steps to fight impunity.
“It is deeply disappointing to see that this bill, which fundamentally threatens the human rights gains Tunisia has made since 2011, back on the table,” said Heba Morayef.
Tunisia must abide by its commitments to uphold its human rights obligations by ensuring greater oversight of the security sector and taking concrete steps to address impunity once and for all.
Just under half of all British businesses were victim to at least one cyber security breach last year, according to a government report. The 2017 report, commissioned by the Department for Culture, Media and Sport, found that 46 per cent of all businesses discovered at least one cyber security breach in 2016, with the average cost to firms ranging between £1,570 and £19,600. It pointed out that larger firms tend to incur much more substantial costs from cyber security attacks, which it said could reflect the increased complexity of the breaches, or because they have more sophisticated systems that are harder to repair. The report, which is part of the government’s National Cyber Security Programme, warned that costs could come from the loss of customers, data or assets, handling customer complaints, and dishing out compensation, fines or legal fees. This comes after cyber experts warned that improvements to banks’ cyber systems could displace some of the threats onto other sectors, such as financial advice businesses.
According to the government survey, only a third of the 1,523 businesses questioned have a formal policy on cyber security in place. However, it found that small businesses were more likely to have installed cyber security systems than they were last year, with almost a quarter now having formal processes in place, up from 15 per cent in 2016. The study, which was conducted in January and February this year, said this aligns with the increasing importance these smaller businesses now attach to cyber security. A positive picture was also painted in terms of the speed with which businesses identify breaches, with 90 per cent of firms recognising an attack within 24 hours.
The report found that 60 per cent of the 350 financial firms questioned outsource their cyber security to specialist providers. Marcus Scott, chief operating officer at think tank the City UK, said cyber security is increasingly becoming one of the biggest challenges facing businesses. While the average cost of a breach is £20,000, this can rise into the millions, with the loss often ultimately borne by the financial sector. Earlier this year, the City UK set up a task force to help boost understanding of cyber risk and encourage firms to take action to tackle the problem, such as working on system recovery issues and sharing best practices across other businesses. It also recommended that cyber security be managed effectively by boards, echoing advice in the report about the need for oversight of security issues at a board level. Other recommendations from the City UK included making sure cyber risk is a part of the entire business strategy. The government report found there were more breaches reported by those firms taking action to protect themselves, which it suggested could indicate that they are better at identifying when their systems have been compromised.