Author Archives: Kent Walker

In Madrid, a pitch for “open security”

The following is adapted from remarks delivered by Kent Walker, President of Global Affairs, at the “Google Cybersecurity Summit: Protecting Europe's Digital Space” in Madrid on October 26, 2022.

Today’s cybersecurity discussion couldn’t be more timely.

Against a backdrop of rising geo-political tensions, we are seeing more and more efforts to undercut our shared security.

Cyber and information wars have become tools of the trade in attempts to exploit our vulnerabilities and destabilize our economies and our democracies.

It is no wonder that when the European Commission unveiled its plan for Europe’s digital transformation by 2030, it called security a fundamental right central to its vision.

So where do we begin the task of securing the digital world?

On the one hand, some would embrace data localization requirements, limits on market access, and even restrictions to accessing some cross-border services.

Essentially walled gardens and high fortresses. But we would suggest a different tack.

Though it sounds like a paradox, the best modern digital security actually comes through embracing openness.

That’s because in today’s mobile, hybrid environment, cybersecurity is a team sport. We are each only as strong as our weakest link. But when we work together, we spur innovation and advance best practices that benefit all.

I speak from some experience here, as Google’s services are attacked every day. And yet we keep more people safe than anyone else in the world. We do that by looking at security through a collective lens, leveraging open frameworks, and relying heavily on secure open-source software.

We hope to use what we have learned to help secure Europe’s “digital decade.”

To that end, we recently published a white paper with recommendations like investing in technology that’s secure by default; working with private and international partners on new areas of cooperation, and building security based on openness and interoperability.

These recommendations are based on first-hand experience. In 2009, Google was the victim of a major cybersecurity attack, code named Operation Aurora. We learned that transparency, coupled with security by design, was the best way to secure the digital ecosystem.

As we detail in our recently released docuseries, HACKING GOOGLE, Aurora changed everything. It spurred us to shift away from the old “perimeter defense” model of crunchy on the outside, chewy in the middle (with high outside walls but no interior defenses) to a zero-trust model in which all users, all devices, and all applications are continuously checked for security risks, and yet security comes easily and naturally for users.

After Aurora, we launched our Threat Analysis Group, or TAG, to spot, disclose, and attribute threats, whether they were coming from nation-state actors or commercial spyware and surveillance vendors. We also launched our Project Zero team to find and promptly disclose previously unknown zero-day vulnerabilities in our own and other companies’ software, raising the security bar for everyone.

It hasn’t always been comfortable work–but that kind of transparency is key to security. As the computer engineering saying goes, “with enough eyes, all bugs are shallow.”

Today, by adopting advanced security innovation and threat intelligence, we ensure vulnerabilities are fixed fast, before they can be widely exploited.

You can see our approach in action whenever TAG discloses a new threat. For example, in 2017, our Android operating system was the first mobile platform to warn users about NSO Group’s Pegasus spyware–“zero-click” malware designed to allow an attacker to compromise a smartphone without a user taking any action.

By sharing information early and widely, we raised awareness of this threat, helped victims understand if they were compromised, and promoted a greater focus on mitigations. Since then, TAG has continued to report on Pegasus and other commercial spyware tools, shining a light on this murky industry.

So when the war came in Ukraine, open security principles kept us one step ahead. Since the war began, we’ve sent thousands of warnings to users targeted by nation-state actors–another practice we pioneered after Aurora. We’ve succeeded in blocking the vast majority of the attacks. And we launched Project Shield, bringing not just journalists, but human rights organizations and even government websites in Ukraine under Google’s security umbrella against distributed denial of service attacks.

Because while it can be easy to DDOS small sites, it turns out that it’s pretty tough to DDOS Google.

We are all in on this collaborative approach to security. Currently, we are working with our team at VirusTotal to launch a new Google Safety Engineering Center in Málaga, Spain, which we hope will become a European hub for joint research on advanced threats.

In 2023, our newest Google Safety Engineering Center will be launching in Málaga.

Since we acquired VirusTotal in 2012, they have grown from a scrappy startup to become the world’s leading malware scanner and repository, what many call “the Google of cybersecurity tools.” VirusTotal enables people to search for malware against the millions of new samples submitted daily.

On top of that, when Google combined our existing security solutions with Mandiant’s cyber threat intelligence, we laid the groundwork to help public and private sector organizations in Europe anticipate, warn about, and mitigate threats.

What are the larger lessons for all of us as we work toward open security?

First, partnerships and agreements among democratic and rule-of-law societies are key. We need to set aside siloed approaches and embrace an ecosystem of innovation where security experts can share threats, evolve best practices, and adopt new technologies.

In support of that ecosystem, I’m pleased to announce that in 2023, we will be hosting a new Google for Startups Growth Academy for EU Cybersecurity, a growth program to help cybersecurity startups across Europe grow into success stories.

Second, interoperability and aligned security standards between technologies and among countries make compliance easier for businesses, innovators, and manufacturers of all sizes–which makes for more secure hardware and better software.

The third and final thing to keep in mind is that when we shift away from buggy legacy technology and perimeter defense models and toward modern infrastructure, we can accommodate today’s increasingly global, hybrid workforces, without sacrificing security.

Collective security requires not just walls, but bridges.

By adopting an approach built on open principles like security-by-default, zero-trust architecture, transparency, and principled partnerships, we can advance the frontiers of information security, letting all of us sleep better at night.

Supporting the EU and securing the digital space

Citizens, companies and governments across the European Union agree that everyone should be free to live their lives and use technology without fear that their information will be stolen or held ransom by cybercriminals or other malicious actors.

But with each passing week, cyber threats are growing more costly and more aggressive, undermining the trust essential to a vibrant, inclusive digital society. This is a moment that calls for international leadership, which is why it’s notable that the European Commission has featured security at the center of its vision for digital transformation.

Today, Google is publishing a set of recommendations and white paper supporting the Commission’s efforts, and we commit to extending our full capabilities to help secure Europe’s “digital decade”.

The need

We applaud the European Commission’s effort to meet this moment, and believe that companies should step up to do their part as well.

The stakes have never been clearer. Even before Russia’s invasion of Ukraine — a ground assault accompanied by an attack on Europe’s cyberspace — there were troubling signs that Europe’s democratic values were being challenged by authoritarian governments.

I spoke about the importance of these values recently at the Copenhagen Democracy Summit. Democracies provide fertile ground for advances in science and technology. Technology owes its success to the conditions — openness, pluralism, free exchange — that democracy creates, enabling inventors to take risks and pursue new avenues for inquiry and collective innovation. So it’s no surprise that Ukraine’s tech sector thrived in recent years under the flag of a free European democracy.

But how can technology, in turn, contribute to the defense of Europe’s digital space? We have been reflecting on lessons we learned the hard way more than a decade ago, and how we used them to create a next-generation security infrastructure.

In the months ahead, we plan to share our experience in proactive digital defense with leaders in Europe. We are keenly aware of our responsibility to support the work of Europe’s democratic governments and institutions on economic progress, national security, and defense of the public square.

Google’s role

Our white paper recommends several areas where the European Union can make progress in securing Europe’s digital space, including:

  • Open security: Driving European resilience through “open security,” on the principle that openness and interoperability encourage scrutiny, threat sharing, and rapid adoption of best practices and new technologies.
  • Security by default: Promoting systemic investments in digital transformation, zero-trust architectures, and operating systems and devices that are secure by default, helping organizations overcome an overreliance on outdated and hard-to-patch technology infrastructures and devices that lie open to risks of espionage and extortion.
  • Partnership: Engaging partners by facilitating public-private threat information exchanges and briefings involving EU policymakers and technical experts — and by increasing dialogue to explore new areas of cooperation, such as applying artificial intelligence to improve security.
  • Encryption: Prioritizing strong encryption as a superior means of protecting sensitive data compared to data localization requirements, which can have the unintended effect of actually undermining security and resilience.

These recommendations reflect both our decades of security expertise and our deep interest in the EU’s digital defense. Some of our leading security initiatives, and top security researchers, are based in Europe.

At the Google Safety Engineering Centers (GSEC) in Munich and Dublin, Google engineers don’t just talk about digital safety, they build it. And they do so on Europe’s distinctive strengths: respected technical universities, many thousands of Google employees, and top expertise in fields including privacy and computer science.

VirusTotal, a Google team that began as a small Málaga-based startup in 2004 and grew into a European champion before its acquisition by Google in 2012, helps millions in the public sector, commerce and research to understand malware and cybersecurity trends. In 2023, VirusTotal will open a brand new headquarters in the heart of Andalusia’s tech hub.

And, as we announced last week, Mandiant, one of the world’s premier cybersecurity teams, has now joined Google — bringing with it hundreds of industry-leading European experts in the field of threat intelligence and incident response.

These teams and others like them will ensure we’re countering tomorrow’s challenges with tomorrow’s tools. And our commitment to Europe’s digital security will be accompanied by a commitment to collaboration — building on the kind of innovation that has always made democracies stronger than their adversaries.

Transparency in the Shadowy World of Cyberattacks

The following is adapted from remarks delivered by Kent Walker, President of Global Affairs, at the International Conference on Cyber Security 2022 on July 19, 2022.

Thank you for the chance to be a part of this important conversation about cybersecurity.

At Google we’re proud to say that we keep more people safe online than anyone else in the world. But that wasn’t always the case.

So let me start by telling you a story about how we got it wrong, and two things we all can learn from that experience. My dad always told me that it was cheapest to learn from the other guy’s mistake. So let me tell you about one of ours.

As some of you may recall, in late 2009, Google was the victim of a major cybersecurity attack, code named Operation Aurora.

We’ve long had some of the most attacked websites in the world. But Aurora was something special.

Aurora was an attack attributed to the Chinese government, a significant security incident that resulted in the theft of intellectual property from Google.

But Aurora wasn’t just any security incident. And it wasn’t just against Google.

As part of our investigation we discovered that several other high-profile companies were similarly targeted. Other companies either hadn’t discovered the attacks, or hadn’t wanted to disclose them. When I was a federal prosecutor specializing in technology crimes, one of the biggest challenges we encountered was getting companies to go public or even come to the authorities.

So we felt it was important to talk about the attack–to tell the world about its impact, the methods of the hackers, and the sectors at risk.

We worked with the US Government to share threat vectors and vulnerabilities.

And we didn’t stop there: After Aurora, we launched an entire team called Project Zero to find and promptly disclose previously undiscovered, zero-day vulnerabilities in our own and other companies’ software, raising the security bar for everyone.

And today, Google’s Threat Analysis Group, or TAG, works to counter a range of persistent threats from government-backed attackers to commercial surveillance vendors to criminal operators. TAG does regular public disclosures of foreign state actor attacks, including doing the difficult work of attribution.

Without giving too much away, I can also tell you that, working with our team at VirusTotal (now called Chronicle), we have some projects in the works that will help us raise awareness of vulnerabilities from around the world. And we’re very excited about our upcoming partnership with Mandiant, one of the world’s premier security teams, to broaden and deepen this work.

So I’d say that the first lasting lesson from the Aurora attack is the need to weave openness and transparency into the fabric of a cybersecurity response. It’s not always comfortable work–we’ve had to have some tough conversations with partners and with our own teams along the way–but it’s necessary to move the industry forward and ensure bugs are getting fixed fast, before they can be exploited in the wild.

In the ensuing years, we’ve developed principles to ensure we can share learnings about vulnerabilities, cyber attacks (such as attacks on elections), and disinformation campaigns responsibly, transparently, and helpfully with the public, with our partners, and with law enforcement.

And the US government has in turn stood up its own process to facilitate more information sharing with industry partners in order to expedite patches that safeguard us all.

But the value of transparency isn’t the only reason I bring up the Aurora story.

Aurora not only taught us the need to embrace transparency, it also taught us a second, and even more important lesson: What works and what doesn’t when it comes to security architecture.

It’s possible to over-index on info sharing alone.

Focusing on the fundamentals of software security is in some ways more important to raise all of us above the level of insecurity we see today.

We curate and use threat intelligence to protect billions of users–and have been doing so for some time. But you need more than intelligence, and you need more than security products–you need secure products.

Security has to be built in, not just bolted on.

Aurora showed us that we (and many in the industry) were doing cybersecurity wrong.

Security back then was often “crunchy on the outside, chewy in the middle.” Great for candy bars, not so great for preventing attacks. We were building high walls to keep bad actors out, but if they got past those walls, they had wide internal access.

The attack helped us recognize that our approach needed to change–that we needed to double down on security by design.

We needed a future-oriented network, one that reflected the openness, flexibility, and interoperability of the internet, and the way people and organizations were already increasingly working.

In short, we knew that we had to redesign security for the Cloud.

So we launched an internal initiative called BeyondCorp, which pioneered the concept of zero trust and defense in depth and allowed every employee to work from untrusted networks without the use of a VPN. Today, organizations around the world are taking this same approach, shifting access controls from the network perimeter to the individual and the data.

If you fast forward to today’s hybrid-cloud environment, zero trust is a must.

At the core of zero trust is the idea that security doesn’t have a defined border. It travels with the user and the data. For example, as the Administration pushes for multi-factor authentication for government systems, we’re automatically enrolling users in two-step verification to confirm it’s really them with a tap on their phone when they sign into our products.

Practically, this means that employees can work from anywhere in the world, accessing the most sensitive internal services and data over the internet, without sacrificing security. It also means that if an attacker does happen to break through defenses, they don’t get carte-blanche to access internal data and services.

The most impactful thing a company, organization, or government can do to defend against cyber-attacks is to upgrade their legacy architecture.

Is it always easy? No, but when you consider that legacy architecture with its millions upon millions of lines of proprietary code, has thousands of bugs, each one a potential vulnerability, it’s worth it.

And beyond replacing existing plumbing, we need to be thinking about the next challenges, and deploying the latest tools.

In the same way the world is racing to upgrade encryption to deal with the threat of quantum decryption, we need to be investing in cutting-edge technologies that will help us keep ahead of increasingly sophisticated threats.

The good news is that cyber-security tools are evolving quickly, from artificial intelligence capabilities, to advanced cryptography, to quantum computing.

If today we talk about security by design, what comes next is security through innovation–security designed with AI and machine learning in mind–designed to counter bad actors using new tools to evade filters, break into encrypted communications, and generate customized phishing emails.

We’ve got some of the best AI work in the business, and we’re testing new approaches and using some of our leading-edge AI tools to detect malware and phishing at scale. AI allows us to see more threats faster, while reducing human error. AI, graph mining, and predictive analytics can dramatically improve our ability to identify and block phishing, malware, abusive apps, and code from malicious websites.

We look forward to sharing more of our findings so that organizations and governments can prepare. After all, this is no time for locking down learnings or successful techniques. Bad actors are not just on the lookout for ways to exploit your unknown vulnerabilities. As with Hafnium and SolarWinds, they are looking for the weak link in the security chain, letting them springboard from one attack to another. A vulnerability at one organization can do damage to entire industries and infrastructures.

Cybersecurity is a team sport, and we all need to get better together, building bridges not just within the security communities, but also between the national security community and academia and Silicon Valley.

Having started with one story, let me leave you with another—cybersecurity and Russia’s war in Ukraine.

A lot has changed in our approach since Aurora. And perhaps no example illustrates that shift more clearly than our response to the war in Ukraine.

Russia’s invasion sparked not just a military and economic war, but also a cyber war and an information war. In recent months, we have witnessed a growing number of threat actors–state actors and criminal networks–using the war as a lure in phishing and malware campaigns, embarking on espionage, and attempting to sow disinformation.

But this time, we were ready with a modern infrastructure and a process for monitoring and responding to threats as they happened.

We’ve sent thousands of warnings to users targeted by foreign-state actors–a practice we pioneered after Aurora. And in the vast majority of cases, we’ve blocked the attacks.

We launched Project Shield, bringing not just journalists, but vulnerable websites in Ukraine under Google’s security umbrella against DDOS attacks. While you can DDOS small sites, it turns out that it’s pretty tough to DDOS Google. We disrupted phishing campaigns from Ghostwriter, an actor attributed to Belarus. And we helped the Ukrainian government modernize its cyber infrastructure, helping fortify it against attack.

We are proud that we were the first company to receive the Ukrainian government’s special peace prize in recognition of these efforts.

But the work is far from done.

Even now, we’re seeing reports that the Kremlin could be planning to ratchet up attacks and coordinated disinformation campaigns across Eastern Europe and beyond in an attempt to divide and destabilize Western support for Ukraine. In fact, just today, our TAG team published a new report on activity from a threat group linked to Russia’s Federal Security Service, the FSB, and threat actors using phishing emails to target government and defense officials, politicians, NGOs, think tanks, and journalists.

And, looking beyond Russia and Ukraine, we see rising threats from Iran, China, and North Korea.

Google is a proud American company, committed to the defense of democracy and the safety and security of people around the world.

And we believe cybersecurity is one of the most important issues we face.

It’s why we invested $10 billion over the next five years to strengthen cybersecurity, including expanding zero-trust programs, helping secure the software supply chain, and enhancing open-source security.

It’s why we’ve just created a new division–Google Public Sector–focused on supporting work with the US government. And it’s why we are always open to new partnerships and projects with the public sector.

In recent years, we’ve worked with the FBI’s Foreign Influence Taskforce to identify and counter malign foreign influence operations targeting the U.S. We’ve worked with the NSA’s Cybersecurity Collaboration Center. And we’ve joined the Joint Cyber Defense Collaborative to help protect critical infrastructure and improve collective responses to incidents on a national scale.

Getting our whole digital economy on the front foot is essential. And there’s some encouraging progress. For example, we were glad to see last week’s Cyber Safety Review Board report deeply investigating the log4j vulnerability and making important recommendations about how to improve the ecosystem.

We need more of that.

Looking ahead, our collective ability to prevent cyber attacks will come, not only from transparency, but from a commitment to shoring up our defenses — moving away from legacy technology, modernizing infrastructure, and investing in cutting-edge tools to spot and stop tomorrow’s challenges.

We can’t beat tomorrow’s threats with yesterday’s tools. We need collective action to shore up our digital defenses. But by drawing on America’s collective abilities and advantages, we can achieve a higher level of collective security for all of us.

Thank you.

Source: The Keyword