Why we’re committing $10 billion to advance cybersecurity

We welcomed the opportunity to participate in President Biden’s White House Cyber Security Meeting today, and appreciated the chance to share our recommendations to advance this important agenda. The meeting comes at a timely moment, as widespread cyberattacks continue to exploit vulnerabilities targeting people, organizations, and governments around the world.

That’s why today, we are announcing that we will invest $10 billion over the next five years to strengthen cybersecurity, including expanding zero-trust programs, helping secure the software supply chain, and enhancing open-source security. We are also pledging, through the Google Career Certificate program, to train 100,000 Americans in fields like IT Support and Data Analytics, learning in-demand skills including data privacy and security. 

Governments and businesses are at a watershed moment in addressing cybersecurity. Cyber attacks are increasingly endangering valuable data and critical infrastructure. While we welcome increased measures to reinforce cybersecurity, governments and companies are both facing key challenges: 

First, organizations continue to depend on vulnerable legacy infrastructure and software, rather than adopting modern IT and security practices. Too many governments still rely on legacy vendor contracts that limit competition and choice, inflate costs, and create privacy and security risks. 

Second, nation-state actors, cybercriminals and other malicious actors continue to target weaknesses in software supply chains and many vendors don’t have the tools or expertise to stop them. 

Third, countries simply don’t have enough people trained to anticipate and deal with these threats. 

For the past two decades, Google has made security the cornerstone of our product strategy. We don’t just plug security holes, we work to eliminate entire classes of threats for consumers and businesses whose work depends on our services. By making all of our products secure by default, we keep more users safe than anyone else in the world — blocking malware, phishing attempts, spam messages, and potential cyber attacks. We’ve published over 160 academic research papers on computer security, privacy, and abuse prevention, and we warn other software companies of weaknesses in their systems. And dedicated teams like our Threat Analysis Group work to counter government-backed hacking and attacks against Google and our users, making the internet safer for everyone.

Extending the zero-trust security model 

We’re one of the pioneers in zero-trust computing, in which no person, device, or network enjoys inherent trust.  Trust that allows access to information must be earned.  We’ve learned a lot about both the power and the challenges of running this model at scale. 

Implemented properly, zero-trust computing provides the highest level of security for organizations.  We support the White House effort to deploy this model across the federal government. 

As government and industry work together to develop and implement zero-trust solutions for employee access to corporate assets, we also need to apply the approach to production environments. This is necessary to address events like Solarwinds, where attackers used access to the production environment to compromise dozens of outside entities. The U.S. government can encourage adoption by expanding zero-trust guidelines and reference architecture language in the Executive Order implementation process to include production environments, which in addition to application segmentation substantially improves an organization’s defense in depth strategy. 

Securing the software supply chain 

Following the Solarwinds attack, the software world gained a deeper understanding of the real risks and ramifications of supply chain attacks. Today, the vast majority of modern software development makes use of open source software, including software incorporated in many aspects of critical infrastructure and national security systems. Despite this, there is no formal requirement or standard for maintaining the security of that software. Most of the work that is done to enhance the security of open source software, including fixing known vulnerabilities, is done on an ad hoc basis. 

That’s why we worked with the Open Source Security Foundation (OpenSSF) to develop and release Supply-chain Levels for Software Artifacts (SLSA or “salsa”), a proven framework for securing the software supply chain. In our view, wide support for and adoption of the SLSA framework will raise the security bar for the entire software ecosystem. 

To further advance our work and the broader community’s work in this space, we committed to invest in the expansion of the application of the SLSA framework to protect the key components of open-source software widely used by many organizations. We also pledged to provide $100 million to support third-party foundations, like OpenSSF, that manage open source security priorities and help fix vulnerabilities.

Strengthening the digital security skills of the American workforce

Robust cybersecurity ultimately depends on having the people to implement it. That includes people with digital skills capable of designing and executing cybersecurity solutions, as well as promoting awareness of cybersecurity risks and protocols among the broader population. In short, we need more and better computer security education and training.  

Over the next three years, we're pledging to help 100,000 Americans earn Google Career Certificates in fields like IT Support and Data Analytics to learn in-demand skills including data privacy and security. The certificates are industry-recognized and supported credentials that equip Americans with the skills they need to get high-paying, high-growth jobs. To date, more than half of our graduates have come from backgrounds underserved in tech (Black, Latinx, veteran, or female). 46% of our graduates come from the lowest income tertile in the country. And the results are strong: 82% of our graduates report a positive career impact within six months of graduation. Additionally, we will train over 10 million Americans in digital skills from basic to advanced by 2023.

Leading the world in cybersecurity is critical to our national security. Today’s meeting at the White House was both an acknowledgment of the threats we face and a call to action to address them. It emphasized cybersecurity as a global imperative and encouraged new ways of thinking and partnering across government, industry and academia. We look forward to working with the Administration and others to define and drive a new era in cybersecurity. Our collective safety, economic growth, and future innovation depend on it.