
Strengthening the Link Between Cybersecurity and Law Enforcement Requests: Q&A with Yahoo CISO Sean Zadig

Sean Zadig is the Chief Information Security Officer for tech giant Yahoo. He brings to the role a significant amount of experience investigating cybercrime, including as a Special Agent in the Office of the Inspector General at NASA. His unique blend of corporate cybersecurity leadership and law enforcement experience gives him a distinctive point of view on the intersection of SecOps and the expanding risks around law enforcement data requests.


Q: How did your experience with cyber investigations influence how you lead security at Yahoo?

When I started at Yahoo, working on cyber defense, I suggested to our then-CISO that we look at child safety online. As an email provider, that was important to Yahoo. My prior experience at Google and NASA also contributed to my interest in this area. When we did that and shared what we were seeing and learning, there was broad agreement within the company that it should be part of our focus as the security team.

Today, my team works on a broad scope of security issues - spam, phishing, financial fraud, account takeover, etc. - but also user safety, child exploitation, child sex trafficking, threats of harm, harassment, and so on. It runs the gamut of what you might see on a large email provider like ours. We want to protect our customers from this harmful stuff and prevent our products from being used to harm anyone.


Q: Do most CISOs see the law enforcement response process as an active attack vector? Generally speaking, is it on their radar?

No, I don’t think many CISOs are closely tracking this attack vector, but they should be. Whether an adversary can technically exploit a company’s infrastructure through a technical vulnerability or social engineer their way in by impersonating law enforcement to obtain data - the outcome is the same. And because companies are legally obligated to respond to legitimate law enforcement requests, bad actors try to use that same infrastructure for their purposes. Adversaries have successfully attacked the legal requests function, exploiting even some of the world’s largest, best-resourced companies, so it needs to be a higher priority for everyone.

Often, these functions (security and law enforcement response) sit in different areas of an organization, so even when there is awareness of the risk by CISOs, it’s not always at the top of their minds or their highest priority.


Q: True. SecOps and LERT teams are typically separate. How can they work together to reach successful outcomes?

We have a law enforcement response team at Yahoo, which is part of the legal organization. Our Trust and Safety team conducts day-to-day content moderation and escalations. They are also part of the legal team. They are not part of my infosec team, but we work closely together because we recognize a lot of overlap in what we do. 

Folks who work in this space - especially when we're talking about child safety - all want to get the mission accomplished. So, there's a lot of understanding and collaboration. When new folks come in, we take them through an educational process about the work we do and why it’s essential. 


Q: Responding to law enforcement requests can be complex and highly confidential, so it’s often a bit isolating. How did you address that at Yahoo?

I realized that people are doing really tough work, sometimes looking at the worst situations and doing their best to protect people. Yet once that part was done, there was never any follow-up or closure. So, I built a program we call “reporting outcomes” that involves all relevant stakeholders sharing the results of investigations whenever we can. When we get a positive outcome, like a child being rescued, and we prevent a dangerous situation from escalating, we share that information with our cross-functional team - which includes security, legal counsel, LERT, trust & safety, product engineering, and company executives. We also highlight who contributed to the outcome and how. It makes people feel like they are part of something larger and that their work really matters.

The security industry often clings to a “secret squirrel” mentality, but you have to share these success stories to raise awareness of the very real impact it is having. It also benefits the security team because business leaders know what we’re doing and why, which can help when we have other resource requests.


Q: Yahoo is in the process of deploying Kodex. Why did you choose their platform rather than build tools internally for your law enforcement response process?

Even at a large company like Yahoo, resources are limited. Sometimes, bringing in a partner like Kodex with experience building and scaling specialized tools makes sense. And because Kodex also has deep experience in law enforcement and already has other companies on its platform, I benefit from the shared knowledge of risks across the board. 

For example, if a company using Kodex gets a fake law enforcement request and the same attacker tries to target another company, Kodex can stop it. Without that connecting layer, we’d be in a vacuum. Other than picking up the phone and notifying other companies, there is no way to share that information without a platform like Kodex. The verification capabilities and the ability to customize the intake process are also important. We get a lot of requests for data we don’t even have. So, being able to narrow requests upfront and ensure law enforcement is submitting them correctly and in compliance with legal requirements eliminates the back and forth between law enforcement and our team, which saves us time and money. More importantly, this also protects the privacy of our users by appropriately limiting the scope of what otherwise would be overbroad requests. These are all pluses for my team, and I’m excited to have Kodex on board.


Q: Yet, all law enforcement data requests come from one government agency or another. Having worked in the public sector, what are your thoughts on if the government can provide a solution rather than a private technology company?

From my vantage point, it has to come out of the private sector because there’s this little thing called the Constitution and the 4th Amendment. As a private company, we legally cannot act as an agent of a government. So, all the things we’ve talked about - fighting child abuse, fraud, and so on - we do them because we want to protect our platform and our users. Not because we are trying to catch criminals. That’s not a bad outcome, but my team is not law enforcement. 

If law enforcement or a government agency made a system that interfaces with us and our data, we would have a tough time saying we’re not working on behalf of the government. At the same time, we also feel an intense obligation to protect our users' privacy. So, we want to be able to limit data requests to only what the law allows and not more. Kodex helps with that by preventing overly broad requests. Sometimes, the impression on the law enforcement side (and I know because I was there) is that companies can just hand over whatever you ask for, which isn’t true. So, everyone benefits from a solution that streamlines and clearly defines the request process for each company, and you end up with a more tightly-scoped request.


Q: When you look back at your experience in the public sector fighting cybercrime through your current lens as a CISO, how have things changed?

It used to be that when law enforcement requests came into companies, it was for a cybercrime case, and there just weren’t that many. Now, it doesn’t matter what the crime is - drugs, guns, financial fraud, etc. - everything has a digital component. So, the number of requests that come into a business has dramatically increased, and each one needs to be carefully reviewed. At the same time, there has been a proliferation of companies that collect and store consumer data - it’s not just Google, Facebook, or Yahoo; it’s everywhere.

For some of these companies that are smaller and don’t have the resources or background to correctly respond to legal requests for data, that is a growing challenge. Yahoo is more mature in how we interact with law enforcement requests, and we understand what is appropriate and what isn’t. But a lot of companies are not in that position. For less mature companies that are receiving their first law enforcement requests - or just launched a new feature like video or chat that attracts significant attention from law enforcement - and are freaking out, solving that alone in a vacuum is challenging and expensive. A solution like Kodex can help protect their data from people impersonating law enforcement.

