Egregious Misconduct Lawsuit For 2014 Yahoo Security Management

It was the 10th of March 2014, the bugles were blaring. A red carpet was unrolled.

Who was this man of mystery coming into view? He came with no prior CSO experience, let alone large operation skills. Suddenly out of nowhere, front and center of Yahoo’s own financial news site was the answer:

Watch out, Google. The rumors are true. Yahoo has officially stepped up its security A-game. It’s called Alex Stamos.

Yahoo announced yesterday that it hired the world-renowned cybersecurity expert and vocal NSA critic to command its team of “Paranoids” in bulletproofing all of its platforms and products from threats that will surely come.

The headline-grabbing hire is widely being viewed as Yahoo’s attempt to restore its reputation for trustworthiness in the fallout of a recent rash of ad-related malware attacks that jeopardized millions of its users’ identifying data.

Watch out, Google? Vocal NSA critic? These seem like battles on two fronts. Is there anyone he doesn’t have a beef with?

Never have I seen a CSO hire being celebrated as a threat to organizations they most certainly will have to work with, even if there are disagreements. Surely that starts the role off with headwinds that reduce his effectiveness. The whole tone of the PR piece seems ignorant of what a CSO is and does.

Let’s take a closer look here. The article, after bizarrely casting shade at Google’s security team, gave a quick run-down that revealed a lack of relevant experience:

Before coming aboard at Yahoo, Stamos served as chief technology officer of Artemis, a leading San Francisco-based Internet security firm that specializes in .secure Top-Level Domain security (TLD), over the last year and 10 months, according to his LinkedIn profile. Prior to his stint at Artemis, he co-founded iSEC Partners “with good friends.” Artemis’s parent company NCC Group acquired the pioneering security firm in late 2010.

Before launching iSEC Partners, Stamos held a two-year post as a managing security architect at @stake, Inc., a digital security company that helped corporations secure their critical infrastructure and applications. Symantec acquired @stake, Inc. in late 2004. Stamos also worked as a senior security engineer for nearly two years at LoudCloud, a software company now called Opsware that operates out of the same city Yahoo calls home base.

Leading what?

Artemis was a leader? I don’t see how anyone could claim that. Note that “according to his LinkedIn profile” is used to qualify because there wasn’t any other source of that kind of nonsense.

Ok, so think back to 2014. Here’s a guy within an unknown “company”, which never achieved solid customer base or a real product, claiming to be an industry leader as CTO. The leap into a CSO role at Yahoo, fighting against BOTH the government (NSA) and non-government (Google)…sounded fishy then, and sounds fishy now. Who wanted him in so badly they’d ignore the lack of quals?

Let’s be clear, since Artemis never was independent of NCC, we’re talking about a guy with a CTO title on a small team and that abruptly folded. This is not a stepping-stone into a large publicly traded operations management. And his record before doesn’t help either, with some security research and consulting in three small teams, with no large organizational/management experience anywhere.

The lack of experience matters not only for the obvious reason of being qualified to do the work, it also begs a question of what is reasonable to expect in terms of conduct (and chances of misconduct). Risk management is the bedrock of a CSO role. In 2014 Yahoo was hiring someone who hadn’t been in that hot seat ever in his career. Lacking a track record in responding to incidents, events and breaches from an operations management position, and yet he was getting a lot of unusual fanfare from his new employer.

More to the point, he had been billing himself as the best person to lead Yahoo, and didn’t seem to mind getting himself framed as someone to make them bulletproof even for future threats. That’s crazy PR talk.

It was the “we’re going to build a wall and make Mexico pay for it” campaign of the infosec industry.

Fast forward to January 23, 2019 and look at the hundreds of millions of dollars in losses from security leadership failures:

According to the S.E.C., “In late 2014, Yahoo had learned of a massive breach of its user database that resulted in the theft, unauthorized access or acquisition of hundreds of millions of its user’s personal data.” The agency further alleged that “Yahoo senior management and relevant legal staff did not properly assess the scope, business impact or legal implications of the breach” and “did not share information regarding the breach with Yahoo’s auditors or outside counsel.”

Yahoo didn’t disclose the breach until September 2016, when it was negotiating the sale of its internet business to Verizon. Although the transaction was completed, the acquisition price was lowered by $350 million to $4.48 billion.

Guess what happened in between 2014 when this man started his first-ever CSO role and 2016? No, I’m not talking about the $2 million he handed out in “bounties” to his friends in the security research industry. They of course to this day are very happy about what he did for them.

No, I’m not talking about his pre-announcement of encrypted end-to-end email as a product feature he would bring to customers, before he even had a team hired to work on it, and failing to deliver.

Following up on a promise it made during last summer’s Black Hat, Yahoo on Sunday said it’s on track to deliver end-to-end encryption for its email…”Just a few years ago, e2e encryption was not widely discussed, nor widely understood. Today, our users are much more conscious of the need to stay secure online,” Stamos wrote on Yahoo’s Tumblr.

That kind of awareness is what Heartland boasted about in 2009. Had Stamos been a CSO before, he might have known e2e was widely discussed.

In fact, a more sensible thing would have been for him to say people have talked for too long about e2e, basically everyone can understand it, now someone needs to deliver on their promise in order to earn trust. RedPhone and TextSecure (precursors to Signal) were launched in 2010, incidentally (no pun intended).

It almost seemed like he was trying from the start of his role as an officer to juice the stock price with giant pre-announcements, using user awareness being a goal, allowing hazy engineering delivery requirements to slide around.

During Stamos’s career, Yahoo pledged to offer a fully encrypted email service and moved to add encryption to more of its websites. It’s vague what his departure means for those efforts…

It means nothing he promised was delivered. The same thing with Artemis too. He left both so abruptly, his direct reports weren’t aware, people working on his team allegedly found out day of his departure.

Instead of making Yahoo bulletproof, as his PR would have had everyone believe on the way in, he ran for self-cover when shots rang out. I’d love to be wrong about this, beg of you to prove me wrong, but I see facts where Artemis and Yahoo followed the same pattern:

Unable to fly his plane, a pilot stands up and waves at his own staff he’s leaving behind, leaps with a golden parachute.

More than a few Paranoids told me they weren’t pleased to hear such a neophyte CSO after he fumbled management of privacy protections was going to the notoriously anti-privacy company Facebook. His words:

I had a wonderful time at Yahoo and learned that the Yahoo Paranoids truly live up to their legend. Their commitment, brilliance, drive and pioneering spirit made it a pleasure to roll up our sleeves and get to work.

Here’s what that translated into almost immediately:

Facebook allowed Microsoft’s Bing search engine to see the names of virtually all Facebook users’ friends without consent, the records show, and gave Netflix and Spotify the ability to read Facebook users’ private messages.

The social network permitted Amazon to obtain users’ names and contact information through their friends, and it let Yahoo view streams of friends’ posts as recently as this summer, despite public statements that it had stopped that type of sharing years earlier.

Facebook has been reeling from a series of privacy scandals, set off by revelations in March that a political consulting firm, Cambridge Analytica, improperly used Facebook data to build tools that aided President Trump’s 2016 campaign. Acknowledging that it had breached users’ trust…

Integrity tools were seriously lacking, despite growing evidence of problems and alerts going off everywhere. Facebook’s CSO apparently was allowing huge breaches of customers and his boss was forced by external reporting to describe his role as a failure.

In 2017, ProPublica reporters (two of whom are now at The Markup) found that advertisers could target people who were interested in terms like “Jew hater,” and “History of ‘why jews ruin the world.'” In both cases, Facebook removed the ad categories in question. In response to the ProPublica findings, Facebook COO Sheryl Sandberg wrote in a 2017 post that the option to target customers based on the categories in question was “totally inappropriate and a fail on our part.” It appears Facebook has maintained a “pseudoscience” ad category group for several years.

What’s most interesting about such a massive disaster under the CSO is really the style and type of PR moves. He used them again as he picked up his new role, talking about how he’s the one who can make the data safe at his second CSO job. He hadn’t delivered measurable risk reduction in his first job, yet someone wanted him at Facebook and he had boastful press. Who again?

Did anyone think Yahoo really was playing its “security A-game” when the head of security couldn’t put together enough executive presence to get anyone, literally a single peer, to do the right thing? If a public company is breached at this level, and a CSO can’t move the dial on disclosure, in what sense are they actually performing the job?

This man who ran wordy PR campaigns about “bulletproofing all of its platforms and products from threats that will surely come” turned out to be all hat and no cattle hiding under the mountain of cash he was getting paid and paying others.

In that sense, shareholders and customers are right to be angry about the performance of management. Such high-boasts and failure to deliver should not be taken lightly by regulators.

Sure, if someone takes a CSO role and fumbles it there generally should be accountability. In this case, however, we’re talking about a person who regularly ran high-profile self-promotional events promising future safety above and beyond others. It even seemed harmful to the reputation of the prior CSO, the way PR was used to describe the transition to him as a superior leader. He put himself in a much different situation than any other CSO we see in the industry.

The op-ed in the NYT puts it rather bluntly:

…director and officer liability for cybersecurity oversight is entering new and potentially perilous territory. That is especially so in cases like Yahoo’s, in which shareholders allege egregious misconduct at the highest levels of an organization.

Our security industry soon may be entering a post-Stamos era, where we could build guidelines to prevent someone of his boastful nature from taking a role they are unable to conduct. I’ve heard meetings have been underway for a while, and maybe even standards being drafted.

The 2014 CSO breach management at Yahoo alone was staggeringly awful, destroying trust in the brand. That was when disclosure should have happened. Instead he quietly left and went on to do it all again at his next job. That’s the real case, since there isn’t any related prior work to reference, just a repeat disaster performance.

I’ve seen very few people in security run press using such boastful praise heaped on themselves for an operations job that benefits most from a low profile. It makes little sense. And he did it twice, his only two attempts to be a CSO.

What really gets me, however, is running that kind of “I bring more influence than everyone else” PR story, then claiming the opposite after a breach, he didn’t have the ability to influence, as threats flowed through his celebrated fingers.

Update April 23, 2020: added additional integrity breach details under the CSO, including one that has been ongoing until now.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.