The following is adapted from a meeting held on July 19, 2022 by Kent Walker, President of Global Affairs2022cyber securityat international conferencesspeech.
Thank you for the opportunity to participate in this important conversation about cybersecurity.
At Google, we're proud to say we keep more people safe online than anyone else in the world. But this is not always the case.
So let me start by telling you a story about how we got it wrong, and two things we can all learn from that experience. My dad always told me that it’s cheapest to learn from other people’s mistakes. So let me tell you about one of ours.
Some of you may remember that in late 2009, Google was the victim of a major cybersecurity attack, codenamed Operation Aurora.
We have long had some of the most attacked websites in the world. But Aurora is special.
Aurora was an attack initiated by the Chinese government and was a major security incident that resulted in the theft of Google’s intellectual property.
But Aurora isn't just any security incident. This isn't just about Google.
As part of our investigation, we discovered that several other high-profile companies had been subject to similar attacks. Other companies either didn't discover the attacks or didn't want to disclose them. When I was a federal prosecutor specializing in technology crimes, one of the biggest challenges we encountered was getting companies to go public or even get help from the authorities.
So we think it's important to talk about this attack - to tell the world about its impact,hackerapproach and the sectors at risk.
We work with the U.S. government to share threat vectors and vulnerabilities.
We didn't stop there: After Aurora, we launched an entire team called Project Zero to discover and promptly disclose previously undiscovered zero-day vulnerabilities in our own and other companies' software, raising the bar for everyone's security .
Today, Google's Threat Analysis Group (TAG) works to address a range of persistent threats, from government-backed attackers to commercial surveillance vendors to criminals. TAG regularly publicly discloses attacks by foreign attackers, including undertaking difficult attribution efforts.
So I would say the first lasting lesson from the Aurora attack is the need to embed openness and transparency into the fabric of cybersecurity responses. It’s not always comfortable work – we’ve had to have some tough conversations with partners and our own teams along the way – but it’s necessary to move the industry forward and ensure bugs are fixed quickly before they can Use them in the wild.
Over the following years we developed some principles to ensure that we couldResponsibly, transparently and helpfullyShare information about vulnerabilities with the public, our partners and law enforcement,Network attacks(such as attacks on elections) and knowledge of disinformation campaigns.
In turn, the U.S. government has established its own processes to facilitate greater information sharing with industry partners to expedite patches that protect us all.
But the value of transparency isn't the only reason I brought up Aurora's story.
Aurora not only taught us the need to embrace transparency, but also taught us a second, even more important lesson: what works and what doesn’t when it comes to security architecture.
Over-indexing of information sharing alone is possible.
In some ways, focusing on the fundamentals of software security is even more important to moving us all above the levels of insecurity we see today.
We curate and use threat intelligence to protect billions of users—and have been doing so for some time. But you need more than intelligence, and you need more than just security products—you need security products.
Security must be built in, not just fixed.
Aurora shows us that we (and many in the industry) are doing it wrong when it comes to cybersecurity.
Safety back then was usually "crispy on the outside, chewy in the middle." Great for candy bars, but not so good for preventing attacks. We're building high walls to keep bad actors out, but if they get past those walls, they have wide inside access.
This attack helped us realize that our approach needed to change—we needed to double down on security by design.
We need a future-proof network that reflects the openness, flexibility and interoperability of the Internet and the way people and organizations already increasingly work.
In short, we knew we had to redesign security for the cloud.
So we launched an internal program called BeyondCorp, which pioneered the concepts of zero trust and defense in depth and allowed every employee to work on untrusted networks without using a VPN. Today, organizations around the world are taking the same approach, moving access control from the network perimeter to individuals and data.
If you fast forward to today’s hybrid cloud environments, zero trust is a must.
At the heart of Zero Trust is the idea that security has no clear boundaries. It travels with users and data. For example, as governments push for multi-factor authentication for government systems, we automatically enroll users in two-step verification to confirm it's really them with a tap on their phone when they log into our products.
In practical terms, this means employees can work from anywhere in the world, accessing the most sensitive internal services and data over the Internet without sacrificing security. This also means that if an attacker happens to breach the defenses, they will not have full access to internal data and services.
The most impactful thing a company, organization, or government can do to defend against cyberattacks is to upgrade their legacy architecture.
Is it always easy? No, but it's worth it when you consider that legacy architectures with millions of lines of proprietary code have thousands of bugs, each a potential vulnerability.
In addition to replacing existing pipes, We also need to think about the next challenge and deploy the latest tools.
Just as the world races to upgrade encryption to counter the threat of quantum decryption, we need to invest in cutting-edge technology to help us stay ahead of increasingly sophisticated threats.
The good news is that cybersecurity tools are rapidly evolving, from artificial intelligence capabilities to advanced cryptography to quantum computing.
If today we talk about security by design, then next is security through innovation – designing with security in mind with AI and machine learning – aiming to use new tools to fight bad actors in order to evade filtering servers, hack into encrypted communications and generate customized phishing emails.
We have some of the best AI work in the industry, and we're testing new methods and using some of our leading AI tools to detect malware and phishing at scale. Artificial intelligence enables us to detect more threats faster while reducing human error. Artificial intelligence, graph mining, and predictive analytics can significantly improve our ability to identify and block phishing, malware, abusive applications, and malicious website code.
We look forward to sharing more of our findings so organizations and governments can be prepared. After all, now is not the time to lock down learning or success techniques. Bad actors aren’t just looking for ways to exploit your unknown vulnerabilities. Like Hafnium and SolarWinds, they are looking for weak links in the security chain that allow them to jump from one attack to another. A breach in one organization can cause damage to entire industries and infrastructure.
Cybersecurity is a team sport and we all need to get better together, building bridges not only within the security community but also between the national security community and academia and Silicon Valley.
Starting with one story, let me tell you another one – cybersecurity and Russia’s war in Ukraine.
Our approach has changed a lot since Aurora. Perhaps there is no better example of this shift than our response to the war in Ukraine.
Russia's invasion triggered not only a military and economic war, but also a cyber war and information war. In recent months, we have witnessed an increasing number of threat actors—state actors and criminal networks—using warfare as bait for phishing and malware campaigns, engaging in espionage, and attempting to spread disinformation.
But this time, we have modern infrastructure and processes in place to monitor and respond to threats as they occur.
We've sent thousands of warnings to users targeted by foreign actors—a practice we pioneered after Aurora. In the vast majority of cases, we have blocked the attacks.
We launched Project Shield to bring not only journalists but also vulnerable websites in Ukraine under Google's security umbrella to protect against DDOS attacks. While you can DDOS a small website, DDOSing Google has proven to be very difficult. We disrupted a phishing campaign by Ghostwriter, an actor from Belarus. We also helped the Ukrainian government modernize its cyber infrastructure and help strengthen its ability to withstand attacks.
We are proud that we are the first company to receive a Special Peace Award from the Government of Ukraine in recognition of these efforts.
But the work is far from complete.
Even now, we are seeing reports that the Kremlin may be planning to step up attacks and coordinate disinformation campaigns in Eastern Europe and beyond in an attempt to divide and undermine Western support for Ukraine. In fact, just today, our TAG team released a new report on the activity of a threat group associated with the Russian Federal Security Service, FSB, and threat actors using phishing emails to target government and defense officials, Politicians, NGOs, think tanks and journalists.
And, looking beyond Russia and Ukraine, we see increasing threats from Iran, China and North Korea.
Google is a proud American company committed to defending democracy and the safety and security of people around the world.
We believe cybersecurity is one of the most important issues we face.
That’s why we’re investing $10 billion over the next five years to strengthen cybersecurity, including expanding zero trust initiatives, helping to protect the software supply chain, and enhancing open source security.
That’s why we just created a new division—Google Public Sector—focused on supporting work with the U.S. government. That is why we are always open to new partnerships and projects with the public sector.
In recent years, we have worked with the FBI's Foreign Influence Task Force to identify and counter foreign influence operations targeting the United States. We work with the NSA's Cybersecurity Collaboration Center. We have joined the Joint Cyber Defense Collaborative to help protect critical infrastructure and improve our collective response to incidents across the country.
Keeping our entire digital economy on the leading edge is critical. And some encouraging progress has been made. For example, we were pleased to see last week's Cybersecurity Review Board report delve into log4j vulnerabilities and make important recommendations on how to improve the ecosystem.
We need more.
Going forward, our collective ability to prevent cyberattacks will come not only from transparency, but also from a commitment to strengthening our defenses—moving away from legacy technologies, modernizing infrastructure, and investing in cutting-edge tools to detect and thwart future challenges.
We cannot defeat tomorrow's threats with yesterday's tools. We need collective action to strengthen our digital defences. But by leveraging America’s collective capabilities and strengths, we can achieve a higher level of collective security for all of us.
Thank you.
Original article by batsom, if reproduced, please credit: https://cncso.com/en/google-security-considerations-after-apt-attack-html