By David Ingram

SAN FRANCISCO — Ever since Facebook disclosed last year that Russian operatives had covertly run a disinformation campaign on its network, tech companies have pledged to work together to root out examples of government-sponsored information warfare.

In one episode this summer, it didn’t work that way.

Facebook and Google disclosed in August that they had spent two months investigating a network of accounts they found were tied to Iranian state media. The companies took down the accounts, pages and groups, which numbered in the hundreds and pushed divisive political messages in the U.S., Britain and elsewhere.

Other tech companies were behind on the news. On services including Twitter, Reddit and Pinterest, researchers found posts similar to what Facebook and Google reported, but those companies didn’t have the luxury of a two-month head start.

The difference, according to interviews with people at those companies and in the industry, was that Facebook and Google were clients of a cybersecurity company named FireEye, which found some of the accounts and tipped them off.

The divide between threat-intelligence haves and have-nots has caused some grumbling in Silicon Valley. An executive at one tech company said it was “frustrating” not to receive a warning about a significant threat when FireEye, Facebook and Google knew about it for months. The executive, speaking on condition of anonymity so as not to jeopardize professional relationships, said it would be better if companies collaborated.

The episode illustrates how little-known security firms originally built to detect computer viruses and respond to hacking attempts are now taking on a growing role in the hunt for disinformation on social media at a time when tech companies are trying to work together to address foreign influence campaigns.

Haves and have nots

FireEye is just one of many threat intelligence firms offering similar services, making it a challenge for tech companies that may not want to pay a variety of companies to keep on the lookout for disinformation campaigns.

The annual cost of threat intelligence services generally varies from $50,000 to $250,000, according to the research firm Forrester. Sometimes it is sold as a supplement to other services, and some clients have special projects that can push the cost higher, Josh Zelonis, Forrester senior analyst, said.

Companies generally try to avoid overlap in security vendors, so if they’ve already hired one that does research into, for example, threats on the internet’s dark web, they are unlikely to hire another with seemingly similar capabilities.

“Any organization is generally going to prefer a single-vendor solution,” Zelonis said.

A FireEye information analyst works in front of a screen showing a near real-time map tracking cyber threats at the FireEye office in Milpitas, California, in 2014. Beck Diefenbach / Reuters file

FireEye, which is based in the San Francisco Bay Area and employs around 3,000 people, declined to disclose how much it charges for its threat-intelligence services, but said it is aware of the frustrations of non-clients.

Sandra Joyce, FireEye’s vice president for global intelligence operations, said that the company was testing a new product for smaller clients to buy “expertise on demand,” a potentially more affordable option for companies that do not have the security budget of Facebook or Google.

Too big to surveil

Tech companies like Facebook and Google are relying on FireEye and other vendors in part because they grew so quickly over the past decade that they did not anticipate how people might misuse their services — or they did not act on warnings. Facebook CEO Mark Zuckerberg told Congress in April that the company hadn’t taken “a broad enough view of our responsibility.”

Siva Vaidhyanathan, a professor of media studies at the University of Virginia, said that companies like FireEye have an advantage because they focus on hiring people with language and cultural expertise in contrast to Silicon Valley’s approach of trying to solve problems with large-scale software.

The headquarters of FireEye in Milpitas, California. Kris Tripplaar / Sipa USA

“They seem to be two steps ahead of Facebook,” he said. “You’d think that Facebook, one of the highest capitalized companies in the world, would have enough people in-house imagining all the worst scenarios, but Facebook has a habit of outsourcing some of its most important work.”

Facebook said in a blog post that it has contracts with “various” cybersecurity research firms and academic institutions. “We’ll often turn to these groups when we suspect a threat from a certain actor or region,” the social network said. “At other times, these groups identify suspicious activity on their own, without guidance from us.”

FireEye said it has an advantage because it can see threats across industries, not just against one company, and its analysts speak more than 30 languages.

The company does make some threat intelligence public. After tech firms beginning with Facebook disclosed their takedowns of accounts they linked to Iran, FireEye posted a 38-page report on its website, detailing its work.

“When we put something out publicly like this, it’s certainly to warn and equip the security community, but also the public,” Joyce said.

In the spotlight

Facebook and Google, in their public statements about the takedowns, shared credit with FireEye, fueling a publicity bonanza for the firm. Joyce said FireEye had “definitely seen a pick-up” in its intelligence business since August, though she declined to say by how much. FireEye isn’t profitable due to slowing growth in other services it offers. It reported a net loss of $304 million last year.

FireEye said its employees have drawn on experience looking into “hacktivists” — ideologically driven hackers such as the group Anonymous whose tactics, the company said, foreshadowed what Russians did in the United States during the 2016 presidential election when they disseminated stolen emails through online personas such as DC Leaks.

Besides Facebook and Google, FireEye serves an array of clients with services often unrelated to information warfare, such as investigating breaches. The Defense Department and the Securities and Exchange Commission are clients. Bloomberg Businessweek reported in 2014 that the CIA had been a client, and one of FireEye’s early investors was In-Q-Tel, an investment firm whose partners include the CIA and other intelligence agencies.

FireEye’s work and the broader rise of private intelligence services have caused concern among some privacy advocates, who say these companies could turn their methods on domestic American subjects, quelling dissent on behalf of powerful clients while escaping strict oversight.

“There’s no accountability there, except to the company and its shareholders,” said Cooper Quintin, a senior staff technologist at the Electronic Frontier Foundation.

FireEye said its focus is the subterfuge carried out by governments, not local protests.

“We specialize in identifying inauthentic accounts and online behavior, tied to nation-states, that is intended to surreptitiously manipulate target audiences for geopolitical purposes,” the company said in a statement.