Meta says it applies the concepts of “adversarial design” to build systems with the assumption that attackers will try to exploit them, rather than ignoring the reality of these risks and being caught off guard. 

“You’re living in an adversarial space and you expect the bad guys to keep exploiting, and one way to tackle this is whenever you build a system, you roll it out slowly and you watch carefully for how it gets exploited, and then you rapidly build systems to protect it,” Gleicher says. “But all of that is reactive, and you want to be careful about being purely reactive. ‘Threat ideation’ is a system we’ve built that relies on a combination of strategic foresight, tabletop exercises, red teaming, blue teaming, purple teaming techniques to take a new product that we’re considering, an event that’s coming up, a policy, and put people both inside the company and outside in the shoes of the bad guys and the shoes of the good guys to see what they’re going to do.”

Using some of the same signal analysis methodology, Meta plans to roll out more nuanced warnings to users of Facebook Messenger and Instagram, automatically redirect suspicious links to spam when they may lead to targeted phishing attacks or malware, and expand alerts when a user communicates with a new account that may be an imposter posing as someone the target user knows and trusts.

It’s difficult to bring all of these components together without accidentally blocking legitimate content or locking people out, but Meta says it remains motivated to find the balance. And hey, at the end of the day, helping more users get back into their accounts is good for user retention and, therefore, good for business.

“When bad actors compromise email, those are things that are outside of our direct control, and it’s not necessarily a compromise targeted at Meta assets,” Gleicher says. “But we have a lot of users, which means we have a really important, wide-ranging responsibility.”

As always, the best protections for all of your online accounts are strong, unique passwords, a password manager to keep track of them all, and two-factor authentication enabled on every account that offers it.
