As we close out this year, we’re sharing a number of updates on our work to protect people around the world against various threats — from run-of-the-mill hacking to commercial spyware to covert influence operations. We’ll also review some top-of-mind threats we’ve seen throughout 2022, and what we expect going into 2023.
This year, our focus has been bringing different teams and functions together to break down silos that are very typical for our industry, and enable stronger efficiency and knowledge-sharing between teams to protect both people and businesses. One example of this is our work to protect businesses from advertising fraud, which often starts with a personal account of a Facebook Page admin getting compromised. To combat this, we work across many teams: from security engineers who architect our authentication mechanisms, to threat intelligence teams who track threat actors, to integrity teams who use machine learning to detect abusive accounts and content, to the support teams who help remediate the issue.
Security is a highly adversarial space where we are constantly thinking about how our products, our policies and our enforcement may get abused. We have to keep evolving our defenses and processes in response to malicious actors trying to work around them. The stronger our defenses become, the more threat actors try to exploit even the smallest gaps in enforcement and expand their targeting across different services. This means that our industry must continue collaborating through information-sharing with each other and security researchers to raise the bar across the board. Here are the areas where we’ve had particular impact:
This year marked a major milestone in our enforcement against covert influence operations — we’ve now disrupted more than 200 networks worldwide since 2017 for violating our Coordinated Inauthentic Behavior (CIB) policy. See our detailed recap.
These deceptive networks came from 68 countries and operated in at least 42 languages. Most of them targeted people in their home countries, and only around one-third aimed solely at audiences outside of their own countries, engaging in foreign interference.
The United States was the most targeted country by global CIB operations, with Ukraine and the United Kingdom following thereafter. Russia was the most frequent geographic source of CIB networks, followed by Iran and Mexico. Influence operations that originated in Russia most often targeted Ukraine, then African countries and followed by the US.
Looking ahead: As larger tech platforms continue to catch these operations sooner, we expect threat actors to keep targeting smaller, less-resourced services. Information-sharing among researchers, industry and government will be all the more critical to help expose these networks.
We just published our second threat report, which provides insights into the growing threat posed by the global surveillance-for-hire industry which indiscriminately targets people — including journalists, activists and political opposition — to collect intelligence, manipulate and compromise their devices and accounts across the internet.
Latest threat research: This year, we’ve taken down global spyware entities, including in China, Russia, Israel, the United States and India, who targeted people in almost 200 countries and territories. This industry exponentially increases the supply of threat actors by providing powerful surveillance capabilities to its clients against people who typically have no way of knowing they are being targeted. See our detailed threat report on the spyware industry.
Looking ahead: In 2023, we expect this industry to continue targeting people wherever they are on the internet. Because surveillance-for-hire services cast their net so wide, no single company can tackle this alone. We strongly believe that we need a concerted regulatory response by democratic governments, as well as continued action by industry and focus from civil society. To help inform our collective defenses, we’ve published a set of recommendations for a broad whole-of-society response.
We know that account security is top-of-mind for many people, so we’re sharing an update on the actions we’re taking to protect people’s accounts:
Top compromise drivers: Our research shows that people are twice as likely to recover their Facebook account if their contact points — like the email address or phone number they have in their settings — are up to date, so we can reach them when they need help. However, people lose access to email addresses or switch phone numbers — a challenge that is recognized across our industry. We’ve also seen threat actors target people’s contact points to gain broader access to other online accounts connected to their email. In fact, when looking at compromised Facebook accounts, we found that one in four began with a person’s contact point being taken over. To help prevent and mitigate this, we’ve rolled out new security features and support options this year. See our detailed recap.
Expanding user support: While our scaled account recovery tools aim at supporting the majority of account access issues, we know that there are groups of people that could benefit from additional, human-driven support. This year, we’ve carefully grown a small test of a live chat support feature on Facebook, and we’re beginning to see positive results. For example, during the month of October we offered our live chat support option to more than a million people in nine countries, and we’re planning to expand this test to more than 30 countries around the world.
Looking ahead: In 2023, expect us to double down to address these threats in three areas:
We’ll share our progress and learnings to help accelerate industry collaboration in this area.
Expanding our Bug Bounty program: Our Bug Bounty program continued to play an important role this year in enabling collaboration between our internal and external researchers to find and fix bugs across our apps. This year, we’ve rewarded about 750 bug bounty reports by the security research community, and we paid out more than $2 million in bounty awards — bringing our total to more than $16 million since 2011.
Finding and reporting security bugs: To help strengthen the security of the broader internet, our Red Team has found vulnerabilities and reported them to maintainers of open source libraries and industry peers, including Schneider Electric, Airspan and MITRE so they can patch them and protect their users.
Looking ahead: We’re making updates to our Bug Bounty program, which include finding new ways to work with external researchers to help secure our virtual reality and mixed reality metaverse technology. We’re also setting new payout guidelines with bounty amounts that range as high as $300K, making our program one of the highest-paying in the industry. See more details about our updates.