Russell Wasendorf allegedly stole over $215 million from his customers and falsified bank statements to cover it up. Bernie Madoff was arrested for losing $50 billion while running ponzi schemes. Jeffrey Skilling was initially sentenced to 24 years in prison and fined $45 million for recording projected future profits as actual profits.

Is the Facebook CSO becoming the new Enron CFO story?

After all, the CSO in question is known for declaring projected future plans as actual security features. When he joined Yahoo to take his first ever job as CSO (also breached catastrophically during his short time there) he pre-announced end-to-end encryption was coming. He never delivered and instead quietly quit to take another shot at being CSO…at Facebook.

It’s serious food for thought when reading about the historic breaches of Facebook that began around the time he joined and continued for years under his watch. It’s been said he’s only giving lip service to users’ best interests (given his failed Yahoo delivery) and more recently it’s been said adversaries to the US targeted him as a “coin operated” asset (given his public hostility to US government).

At this point it will be interesting to see if standing idly for so long and allowing mounting harms to customers, personally profiting from damages done, will lead to any kind of penalty akin to Skilling’s.

Today, given what we know… I think we understand that we need to take a broader view of our responsibility,” [CEO] said.

“That we’re not just building tools, but that we need to take full responsibility for the outcomes of how people use those tools as well.”

[…]

Facebook has now blocked the facility.

“It is reasonable to expect that if you had that [default] setting turned on, that in the last several years someone has probably accessed your public information in this way,” Mr Zuckerberg said.

The last several years represent the tenure of the CSO in question. “Today, given what we know?” That responsibility was no secret before he joined, and it should not have taken so many years to come to the realization that a CSO is meant to stop harm instead of profiting from it. So the question becomes what is next for the man whose first and only two attempts at being a CSO have ended in the largest breaches in history.

I’m putting two opinion pieces by the esteemed Michael Adams together and getting an odd result.

While reflecting on “detailed analysis that is being conducted at USCYBERCOM, across agencies and at events like the Cyber Command legal conference”, Michael opines that the US has taken no position on whether it would come to the aid of a victim, or side with an aggressor, when confronted with cyberattack.

The U.S. asserts that extant international law, to include International Humanitarian Law (IHL) applies to cyberspace, but it has yet to offer definitive guidance on what cyberattacks, short of those causing obvious large scale kinetic destruction, constitute a prohibited use of force or invoke the LOAC. While the Tallinn Manual 2.0 may be the most comprehensive treatise on the applicability of international law to cyberspace thus far, it was developed without the official participation of, and has not been sanctioned by, States. The U.S. Government, for example, has taken no official position on the views set forth in the Manual.

Meanwhile, an earlier opine tells us taking action with fire-and-forget remote missiles hitting a far away target while not trying to “use the law as a shield”…deserves something akin to his respect:

…from the perspective of a lawyer who has advised the highest levels of military and civilian officials on literally thousands of military operations, there is something to be said for a client that refuses to use the law as a shield for inaction and that willingly acknowledges that other factors weighed most heavily on his or her decisions.

Maybe I’m reading too much into the theme across work here, but I get a sense if the aggressor is far enough removed from accountability, let alone retaliation, then long-distance attack wouldn’t bring an urge to bother with any shields including the law. This surely is the attraction to “swivel-chair” aggressors of using missiles and keyboards. Perception of their inaction in a lawyer’s eye is erased simply by pushing a button even when a chance of success is as remote as their targets.