John Brennan is nervous, and it’s impossible to blame the former CIA director for feeling that way.
Days after revelations of sweeping security vulnerabilities at Facebook (FB) and Google (GOOG, GOOGL), Brennan offered no confidence that we’ve discovered all of yesterday’s bad news about social-network security and can move on to preventing tomorrow’s.
“I don’t think we’ve turned a corner yet, from the standpoint of remediation or prevention,” he said in an interview Wednesday morning.
Brennan, who led the Central Intelligence Agency from 2013 to 2017 after spending four years as President Obama’s homeland-security adviser, lent only this faint endorsement: “I think we may have turned a corner from the standpoint of cognizance and awareness and humility.”
Why so glum? As Brennan sees it, first these tech giants overlooked widespread exploitation of their networks by foreign actors before trying to brush off early reports of this interference. And their recent revelations of a series of privacy vulnerabilities have left him uneasy over what we haven’t heard about next.
Has Big Tech learned enough yet?
Earlier that morning, Brennan had said in a keynote at the Intersection 2018 conference (hosted by the Irvine, Calif., security firm SecureAuth) that he was confident that the government had learned enough from the 9/11 terrorist attacks to be able to stop the next such attempt.
But in the interview, he was not so optimistic about our exposure to the kind of election interference that ran rampant throughout the 2016 election—“the intrusions into servers and collecting e-mails and then pushing them out to WikiLeaks, and getting into different types of voting systems and taking stock of voter registration rolls,” as he recounted.
While he said defenders at various levels of government are now working to counter future attempts by Russian or other hackers to explore voting systems, he wouldn’t give as much credit to private industry.
“I think there has been now some greater humility on the part of some of the social media platforms where they now understand that their platforms were exploited by the Russians—despite their statements early on,” he said.
In a speech Thursday at an event hosted by the Open Markets Institute, a group vying to curb the power of tech giants, Sen. Mark Warner (D-Va.) mocked that defensive mindset: “Certain extraordinarily prominent CEOs—whom I won’t call out directly right now—I still remember famously made comments like ‘oh my gosh, if any politicians think Facebook could be misused, they just don’t get it’.”
Brennan still fears that the likes of Facebook, Google and Twitter (TWTR) have yet to do enough to stop disinformation campaigns. “There still is ample opportunity for actors, whether they be domestic or foreign, to ply their trade in that social media environment,” he said Wednesday.
The very next day, Facebook announced that it had evicted 800-plus U.S.-based accounts and pages that had “consistently broken our rules against spam and coordinated inauthentic behavior.” It also shut 66-plus accounts and profiles run by a Russian firm called SocialDataHub for scraping people’s information against Facebook’s rules.
Respect means having to say you’re sorry
That Thursday news dump was only part of a streak of awkward timing by Facebook and Google that left the two firms looking somewhere between dense and emotionally tone-deaf.
A week and a half before my conversation with Brennan, Facebook had reported a breach of 50 million accounts rooted in the “View As” privacy feature that lets you check how other Facebook users can see your profile. And two days before, Google had said its discovery of a Google+ vulnerability exposing half a million or so accounts would require closing the consumer side of that struggling network.
Brennan expressed zero interest in buying either gadget, adding that he doesn’t own an Amazon (AMZN) Echo either.
“I have a fair amount of humility when it comes to my technical understanding and knowledge,” he said. “I’m not going to incorporate into my technical, digital life things that I am not comfortable with.”
Finally, two days after our interview, Facebook offered what it appeared to think was good news: It reported that 30 million accounts had been compromised by the “View As” exploit, not the 50 million initially feared.
But for 14 million of those users, things were much worse. Product management vice president Guy Rosen wrote that the attackers saw not just basic profile data but such details as “relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.”
The Facebook post didn’t say this explicitly, but exposure of that much data risks not only profound personal embarrassment but also the compromise of knowledge-based account-recovery questions at other services: hometown, birthdate, education and work history are exactly the personal-history answers that only you are supposed to know.
The other thing missing from that Facebook post as well as Google’s security announcement: the words “sorry,” “apologize,” or any variation thereof.
Maybe it’s even too soon to give these companies credit for humility.