In Madrid, a pitch for “open security”

The following is adapted from remarks delivered by Kent Walker, President of Global Affairs, at the “Google Cybersecurity Summit: Protecting Europe's Digital Space” in Madrid on October 26, 2022.

Today’s cybersecurity discussion couldn’t be more timely.

Against a backdrop of rising geo-political tensions, we are seeing more and more efforts to undercut our shared security.

Cyber and information wars have become tools of the trade in attempts to exploit our vulnerabilities and destabilize our economies and our democracies.

It is no wonder that when the European Commission unveiled its plan for Europe’s digital transformation by 2030, it called security a fundamental right central to its vision.

So where do we begin the task of securing the digital world?

On the one hand, some would embrace data localization requirements, limits on market access, and even restrictions to accessing some cross-border services.

Essentially walled gardens and high fortresses. But we would suggest a different tack.

Though it sounds like a paradox, the best modern digital security actually comes through embracing openness.

That’s because in today’s mobile, hybrid environment, cybersecurity is a team sport. We are each only as strong as our weakest link. But when we work together, we spur innovation and advance best practices that benefit all.

I speak from some experience here, as Google’s services are attacked every day. And yet we keep more people safe than anyone else in the world. We do that by looking at security through a collective lens, leveraging open frameworks, and relying heavily on secure open-source software.

We hope to use what we have learned to help secure Europe’s “digital decade.”

To that end, we recently published a white paper with recommendations like investing in technology that’s secure by default; working with private and international partners on new areas of cooperation, and building security based on openness and interoperability.

These recommendations are based on first-hand experience. In 2009, Google was the victim of a major cybersecurity attack, code named Operation Aurora. We learned that transparency, coupled with security by design, was the best way to secure the digital ecosystem.

As we detail in our recently released docuseries, HACKING GOOGLE, Aurora changed everything. It spurred us to shift away from the old “perimeter defense” model of crunchy on the outside, chewy in the middle (with high outside walls but no interior defenses) to a zero-trust model in which all users, all devices, and all applications are continuously checked for security risks, and yet security comes easily and naturally for users.

After Aurora, we launched our Threat Analysis Group, or TAG, to spot, disclose, and attribute threats, whether they were coming from nation-state actors or commercial spyware and surveillance vendors. We also launched our Project Zero team to find and promptly disclose previously unknown zero-day vulnerabilities in our own and other companies’ software, raising the security bar for everyone.

It hasn’t always been comfortable work–but that kind of transparency is key to security. As the computer engineering saying goes, “with enough eyes, all bugs are shallow.”

Today, by adopting advanced security innovation and threat intelligence, we ensure vulnerabilities are fixed fast, before they can be widely exploited.

You can see our approach in action whenever TAG discloses a new threat. For example, in 2017, our Android operating system was the first mobile platform to warn users about NSO Group’s Pegasus spyware–“zero-click” malware designed to allow an attacker to compromise a smartphone without a user taking any action.

By sharing information early and widely, we raised awareness of this threat, helped victims understand if they were compromised, and promoted a greater focus on mitigations. Since then, TAG has continued to report on Pegasus and other commercial spyware tools, shining a light on this murky industry.

So when the war came in Ukraine, open security principles kept us one step ahead. Since the war began, we’ve sent thousands of warnings to users targeted by nation-state actors–another practice we pioneered after Aurora. We’ve succeeded in blocking the vast majority of the attacks. And we launched Project Shield, bringing not just journalists, but human rights organizations and even government websites in Ukraine under Google’s security umbrella against distributed denial of service attacks.

Because while it can be easy to DDOS small sites, it turns out that it’s pretty tough to DDOS Google.

We are all in on this collaborative approach to security. Currently, we are working with our team at VirusTotal to launch a new Google Safety Engineering Center in Málaga, Spain, which we hope will become a European hub for joint research on advanced threats.

Since we acquired VirusTotal in 2012, they have grown from a scrappy startup to become the world’s leading malware scanner and repository, what many call “the Google of cybersecurity tools.” VirusTotal enables people to search for malware against the millions of new samples submitted daily.

On top of that, when Google combined our existing security solutions with Mandiant’s cyber threat intelligence, we laid the groundwork to help public and private sector organizations in Europe anticipate, warn about, and mitigate threats.

What are the larger lessons for all of us as we work toward open security?

First, partnerships and agreements among democratic and rule-of-law societies are key. We need to set aside siloed approaches and embrace an ecosystem of innovation where security experts can share threats, evolve best practices, and adopt new technologies.

In support of that ecosystem, I’m pleased to announce that in 2023, we will be hosting a new Google for Startups Growth Academy for EU Cybersecurity, a growth program to help cybersecurity startups across Europe grow into success stories.

Second, interoperability and aligned security standards between technologies and among countries makes compliance easier for businesses, innovators, and manufacturers of all sizes–which makes for more secure hardware and better software.

The third and final thing to keep in mind is that when we shift away from buggy legacy technology and perimeter defense models and toward modern infrastructure, we can accommodate today’s increasingly global, hybrid workforces, without sacrificing security.

Collective security requires not just walls, but bridges.

By adopting an approach built on open principles like security-by-default, zero-trust architecture, transparency, and principled partnerships, we can advance the frontiers of information security, letting all of us sleep better at night.