By Kent Walker
Nation-state actors, cybercriminals, and other malicious actors are always looking for the weak link in the security chain, a vulnerability they can use to springboard from one attack to another. SolarWinds was a case study–a cyberattack that didn’t just target one organization, but entire industries and infrastructure. And of course Russia's war in Ukraine raises its own slate of concerns for the future as we watch not just a military and economic war, but also a cyber war and an information war.
Against this backdrop, I sat down at the Aspen Security Forum this week with New York Times national security correspondent David Sanger, former congresswoman and CEO of the Woodrow Wilson International Center Jane Harman, and former Undersecretary of Defense Michèle Flournoy to discuss how we can build bridges between the private and public sector to organize a more robust defense for the organizations of open societies.
The question at the top of everyone’s minds at Aspen was, “Are the private and public sectors partnering in the right ways to protect against the rising tide of threats to innovation and the digital ecosystem?”
It’s a good question, but as we discussed at Aspen, it doesn’t go far enough. We’re seeing a threat landscape that will test our digital infrastructure. The more the threats evolve, the more we need partnerships between the private and public sector–real and effective efforts to share threat information in ways that safeguard individual privacy while benefiting the entire digital ecosystem.
But the next wave of cybersecurity threats will take more than just partnerships and sharing threat information alone. As we see increasingly sophisticated attacks from bad actors using new tools to evade filters, break into encrypted communications, and generate customized phishing emails, the need for investment in leading-edge technologies becomes clear.
The last thing anyone wants is to be caught off guard.
We learned that lesson in late 2009 when Google was the victim of a major cybersecurity attack, code named Operation Aurora.
Attributed to the Chinese government, Aurora was a significant security incident that resulted in the theft of intellectual property from Google. Aurora showed us that we (and many in the industry) were doing cybersecurity wrong. We had built high walls to keep bad actors out, but if they got past those walls, they had wide internal access.
It was an eye-opening experience, and it led Google to be among the first to recognize that that approach needed to change–that we had to adopt security by design.
Having security that’s built in, not just bolted on will be key to building a secure digital ecosystem in the years ahead.
We’ve come a long way since Aurora and today, Google keeps more people safe online than anyone else in the world. That’s because in the aftermath of Aurora, we redesigned our approach to security in a way that was built with the Cloud in mind, pioneering the concept of zero trust and defense in depth.
Was this process of re-architecting our infrastructure expensive? Yes. Was it time-consuming? Absolutely.
But at the end of the day, it was necessary.
It was a hard lesson, but we hope the national security community will take it to heart. Because as my fellow panelist Michèle Flournoy pointed out, the public sector’s ability to take full advantage of our innovation ecosystem will determine whether or not America maintains its edge and deters future attacks.
With cybercriminals always on the lookout for the weak link in the security chain, it’s up to each of us–private and public sector alike–not to be that weak link.
Asymmetrical attacks against our growing digital infrastructure are increasing. We can’t let insufficient cooperation or innovation weaken our collective defense. Yesterday’s tools won’t be enough to stop tomorrow’s threats.
It’s why we’ve just created a new division–Google Public Sector–focused on supporting work with the U.S. government. And why we are always open to new partnerships and projects with the public sector.
In recent years, we’ve worked with the FBI’s Foreign Influence Taskforce to identify and counter align foreign influence operations targeting the U.S. We’ve worked with the NSA’s Cybersecurity Collaboration Center. And we’ve joined the Joint Cyber Defense Collaborative to help shore up defenses, protect critical infrastructure, and improve collective response to incidents on a national scale.
And, even beyond cyber-security, we need to be alert to information warfare. The invasion of Ukraine offers a timely case study. We’re working to defend the public square, sharing information about abuses we’re seeing on our platforms and efforts to spread false and harmful information. We’ve not just removed content that violates our policies and reduced borderline content, but also raised authoritative voices and rewarded high-quality creators.
YouTube even took the unprecedented step of globally blocking disinformation channels like RT and Sputnik, taking down more than 8,000 channels and more than 70,000 videos for violating our content policies–content that minimized the war’s toll or spread harmful lies about what was happening on the ground.
Protecting global cybersecurity and a free and open public square relies on governments, businesses, and individuals working together. By focusing on the fundamentals like investing in modern infrastructure and working together to share threat information responsibly and transparently, we can mount a real and effective defense against the attacks of today and the threats of tomorrow.