Author Archives: Kent Walker

In Madrid, a pitch for “open security”

The following is adapted from remarks delivered by Kent Walker, President of Global Affairs, at the “Google Cybersecurity Summit: Protecting Europe's Digital Space” in Madridon October 26, 2022.

Kent Walker is on a platform stage addressing a room full of people

Today’s cybersecurity discussion couldn’t be more timely.

Against a backdrop of rising geo-political tensions, we are seeing more and more efforts to undercut our shared security.

Cyber and information wars have become tools of the trade in attempts to exploit our vulnerabilities and destabilize our economies and our democracies.

It is no wonder that when the European Commission unveiled its plan for Europe’s digital transformation by 2030, it called security a fundamental right central to its vision.

So where do we begin the task of securing the digital world?

On the one hand, some would embrace data localization requirements, limits on market access, and even restrictions to accessing some cross-border services.

Essentially walled gardens and high fortresses. But we would suggest a different tack.

Though it sounds like a paradox, the best modern digital security actually comes through embracing openness.

Though it sounds like a paradox, the best modern digital security actually comes through embracing openness. Kent Walker

That’s because in today’s mobile, hybrid environment, cybersecurity is a team sport. We are each only as strong as our weakest link. But when we work together, we spur innovation and advance best practices that benefit all.

I speak from some experience here, as Google’s services are attacked every day. And yet we keep more people safe than anyone else in the world. We do that by looking at security through a collective lens, leveraging open frameworks, and relying heavily on secure open-source software.

We hope to use what we have learned to help secure Europe’s “digital decade.”

To that end, we recently published a white paper with recommendations like investing in technology that’s secure by default; working with private and international partners on new areas of cooperation, and building security based on openness and interoperability.

These recommendations are based on first-hand experience. In 2009, Google was the victim of a major cybersecurity attack, code named Operation Aurora. We learned that transparency, coupled with security by design, was the best way to secure the digital ecosystem.

As we detail in our recently released docuseries, HACKING GOOGLE, Aurora changed everything. It spurred us to shift away from the old “perimeter defense” model of crunchy on the outside, chewy in the middle (with high outside walls but no interior defenses) to a zero-trust model in which all users, all devices, and all applications are continuously checked for security risks, and yet security comes easily and naturally for users.

After Aurora, we launched our Threat Analysis Group, or TAG, to spot, disclose, and attribute threats, whether they were coming from nation-state actors or commercial spyware and surveillance vendors. We also launched our Project Zero team to find and promptly disclose previously unknown zero-day vulnerabilities in our own and other companies’ software, raising the security bar for everyone.

It hasn’t always been comfortable work–but that kind of transparency is key to security. As the computer engineering saying goes, “with enough eyes, all bugs are shallow.”

Today, by adopting advanced security innovation and threat intelligence, we ensure vulnerabilities are fixed fast, before they can be widely exploited.

You can see our approach in action whenever TAG discloses a new threat. For example, in 2017, our Android operating system was the first mobile platform to warn users about NSO Group’s Pegasus spyware–“zero-click” malware designed to allow an attacker to compromise a smartphone without a user taking any action.

By sharing information early and widely, we raised awareness of this threat, helped victims understand if they were compromised, and promoted a greater focus on mitigations. Since then, TAG has continued to report on Pegasus and other commercial spyware tools, shining a light on this murky industry.

So when the war came in Ukraine, open security principles kept us one step ahead. Since the war began, we’ve sent thousands of warnings to users targeted by nation-state actors–another practice we pioneered after Aurora. We’ve succeeded in blocking the vast majority of the attacks. And we launched Project Shield, bringing not just journalists, but human rights organizations and even government websites in Ukraine under Google’s security umbrella against distributed denial of service attacks.

Because while it can be easy to DDOS small sites, it turns out that it’s pretty tough to DDOS Google.

We are all in on this collaborative approach to security. Currently, we are working with our team at VirusTotal to launch a new Google Safety Engineering Center in Málaga, Spain, which we hope will become a European hub for joint research on advanced threats.

Image of the exterior of a tall building on a tree-lined city street

In 2023, our newest Google Safety Engineering Center will be launching in Málaga.

Since we acquired VirusTotal in 2012, they have grown from a scrappy startup to become the world’s leading malware scanner and repository, what many call “the Google of cybersecurity tools.” VirusTotal enables people to search for malware against the millions of new samples submitted daily.

On top of that, when Google combined our existing security solutions with Mandiant’s cyber threat intelligence, we laid the groundwork to help public and private sector organizations in Europe anticipate, warn about, and mitigate threats.

What are the larger lessons for all of us as we work toward open security?

First, partnerships and agreements among democratic and rule-of-law societies are key. We need to set aside siloed approaches and embrace an ecosystem of innovation where security experts can share threats, evolve best practices, and adopt new technologies.

In support of that ecosystem, I’m pleased to announce that in 2023, we will be hosting a new Google for Startups Growth Academy for EU Cybersecurity, a growth program to help cybersecurity startups across Europe grow into success stories.

Second, interoperability and aligned security standards between technologies and among countries makes compliance easier for businesses, innovators, and manufacturers of all sizes–which makes for more secure hardware and better software.

The third and final thing to keep in mind is that when we shift away from buggy legacy technology and perimeter defense models and toward modern infrastructure, we can accommodate today’s increasingly global, hybrid workforces, without sacrificing security.

Collective security requires not just walls, but bridges.

By adopting an approach built on open principles like security-by-default, zero-trust architecture, transparency, and principled partnerships, we can advance the frontiers of information security, letting all of us sleep better at night.

Supporting the EU and securing the digital space

Citizens, companies and governments across the European Union agree that everyone should be free to live their lives and use technology without fear that their information will be stolen or held ransom by cybercriminals or other malicious actors.

But with each passing week, cyber threats are growing more costly and more aggressive, undermining the trust essential to a vibrant, inclusive digital society. This is a moment that calls for international leadership, which is why it’s notable that the European Commission has featured security at the center of its vision for digital transformation.

Today, Google is publishing a set of recommendations and white paper supporting the Commission’s efforts, and we commit to extending our full capabilities to help secure Europe’s “digital decade”.

The need

We applaud the European Commission’s effort to meet this moment, and believe that companies should step up to do their part as well.

The stakes have never been clearer. Even before Russia’s invasion of Ukraine — a ground assault accompanied by an attack on Europe’s cyberspace — there were troubling signs that Europe’s democratic values were being challenged by authoritarian governments.

I spoke about the importance of these values recently at the Copenhagen Democracy Summit. Democracies provide fertile ground for advances in science and technology. Technology owes its success to the conditions — openness, pluralism, free exchange — that democracy creates, enabling inventors to take risks and pursue new avenues for inquiry and collective innovation. So it’s no surprise that Ukraine’s tech sector thrived in recent years under the flag of a free European democracy.

But how can technology, in turn, contribute to the defense of Europe’s digital space? We have been reflecting on lessons we learned the hard way more than a decade ago, and how we used them to create a next-generation security infrastructure.

In the months ahead, we plan to share our experience in proactive digital defense with leaders in Europe. We are keenly aware of our responsibility to support the work of Europe’s democratic governments and institutions on economic progress, national security, and defense of the public square.

Google’s role

Our white paper recommends several areas where the European Union can make progress in securing Europe’s digital space, including:

  • Open security: Driving European resilience through “open security,” on the principle that openness and interoperability encourage scrutiny, threat sharing, and rapid adoption of best practices and new technologies.
  • Security by default: Promoting systemic investments in digital transformation, zero-trust architectures, and operating systems and devices that are secure by default, helping organizations overcome an overreliance on outdated and hard-to-patch technology infrastructures and devices that lie open to risks of espionage and extortion.
  • Partnership: Engaging partners by facilitating public-private threat information exchanges and briefings involving EU policymakers and technical experts — and by increasing dialogue to explore new areas of cooperation, such as applying artificial intelligence to improve security.
  • Encryption: Prioritizing strong encryption as superior means of protecting sensitive data compared to data localization requirements, which can have the unintended effect of actually undermining security and resilience.

These recommendations reflect both our decades of security expertise and our deep interest in the EU’s digital defense. Some of our leading security initiatives, and top security researchers, are based in Europe.

At the Google Safety Engineering Centers (GSEC) in Munich and Dublin, Google engineers don’t just talk about digital safety, they build it. And they do so on Europe’s distinctive strengths: respected technical universities, many thousands of Google employees, and top expertise in fields including privacy and computer science.

VirusTotal, a Google team that began as a small Málaga-based startup in 2004 and grew into a European champion before its acquisition by Google in 2012, helps millions in the public sector, commerce and research to understand malware and cybersecurity trends. In 2023, VirusTotal will open a brand new headquarters in the heart of Andalusia’s tech hub.

And, as we announced last week, Mandiant, one of the world’s premier cybersecurity teams, has now joined Google — bringing with it hundreds of industry-leading European experts in the field of threat intelligence and incident response.

These teams and others like them will ensure we’re countering tomorrow’s challenges with tomorrow’s tools. And our commitment to Europe’s digital security will be accompanied by a commitment to collaboration — building on the kind of innovation that has always made democracies stronger than their adversaries.

Transparency in the Shadowy World of Cyberattacks

The following is adapted from remarks delivered by Kent Walker, President of Global Affairs, at the International Conference on Cyber Security 2022on July 19, 2022.

Thank you for the chance to be a part of this important conversation about cybersecurity.

At Google we’re proud to say that we keep more people safe online than anyone else in the world. But that wasn’t always the case.

So let me start by telling you a story about how we got it wrong, and two things we all can learn from that experience. My dad always told me that it was cheapest to learn from the other guy’s mistake. So let me tell you about one of ours.

As some of you may recall, in late 2009, Google was the victim of a major cybersecurity attack, code named Operation Aurora.

We’ve long had some of the most attacked websites in the world. But Aurora was something special.

Aurora was an attack attributed to the Chinese government, a significant security incident that resulted in the theft of intellectual property from Google.

But Aurora wasn’t just any security incident. And it wasn’t just against Google.

As part of our investigation we discovered that several other high-profile companies were similarly targeted. Other companies either hadn’t discovered the attacks, or hadn’t wanted to disclose them. When I was a federal prosecutor specializing in technology crimes, one of the biggest challenges we encountered was getting companies to go public or even come to the authorities.

So we felt it was important to talk about the attack–to tell the world about its impact, the methods of the hackers, and the sectors at risk.

We worked with the US Government to share threat vectors and vulnerabilities.

And we didn’t stop there: After Aurora, we launched an entire team called Project Zero to find and promptly disclose previously undiscovered, zero-day vulnerabilities in our own and other companies’ software, raising the security bar for everyone.

And today, Google’s Threat Analysis Group, or TAG, works to counter a range of persistent threats from government-backed attackers to commercial surveillance vendors to criminal operators. TAG does regular public disclosures of foreign state actor attacks, including doing the difficult work of attribution.

Without giving too much away, I can also tell you that, working with our team at VirusTotal (now called Chronicle), we have some projects in the works that will help us raise awareness of vulnerabilities from around the world. And we’re very excited about our upcoming partnership with Mandiant, one of the world’s premier security teams, to broaden and deepen this work.

So I’d say that the first lasting lesson from the Aurora attack is the need to weave openness and transparency into the fabric of a cybersecurity response. It’s not always comfortable work–we’ve had to have some tough conversations with partners and with our own teams along the way–but it’s necessary to move the industry forward and ensure bugs are getting fixed fast, before they can be exploited in the wild.

In the ensuing years, we’ve developed principles to ensure we can share learnings about vulnerabilities, cyber attacks (such as attacks on elections), and disinformation campaigns responsibly, transparently, and helpfully with the public, with our partners, and with law enforcement.

And the US government has in turn stood up its own process to facilitate more information sharing with industry partners in order to expedite patches that safeguard us all.

But the value of transparency isn’t the only reason I bring up the Aurora story.

Aurora not only taught us the need to embrace transparency, it also taught us a second, and even more important lesson: What works and what doesn’t when it comes to security architecture.

It’s possible to over-index on info sharing alone.

Focusing on the fundamentals of software security is in some ways more important to raise all of us above the level of insecurity we see today.

We curate and use threat intelligence to protect billions of users–and have been doing so for some time. But you need more than intelligence, and you need more than security products–you need secure products.

Security has to be built in, not just bolted on.

Aurora showed us that we (and many in the industry) were doing cybersecurity wrong.

Security back then was often “crunchy on the outside, chewy in the middle.” Great for candy bars, not so great for preventing attacks. We were building high walls to keep bad actors out, but if they got past those walls, they had wide internal access.

The attack helped us recognize that our approach needed to change–that we needed to double down on security by design.

We needed a future-oriented network, one that reflected the openness, flexibility, and interoperability of the internet, and the way people and organizations were already increasingly working.

In short, we knew that we had to redesign security for the Cloud.

So we launched an internal initiative called BeyondCorp, which pioneered the concept of zero trust and defense in depth and allowed every employee to work from untrusted networks without the use of a VPN. Today, organizations around the world are taking this same approach, shifting access controls from the network perimeter to the individual and the data.

If you fast forward to today’s hybrid-cloud environment, zero trust is a must.

At the core of zero trust is the idea that security doesn’t have a defined border. It travels with the user and the data. For example, as the Administration pushes for multi-factor authentication for government systems, we’re automatically enrolling users in two-step verification to confirm it’s really them with a tap on their phone when they sign into our products.

Practically, this means that employees can work from anywhere in the world, accessing the most sensitive internal services and data over the internet, without sacrificing security. It also means that if an attacker does happen to break through defenses, they don’t get carte-blanche to access internal data and services.

The most impactful thing a company, organization, or government can do to defend against cyber-attacks is to upgrade their legacy architecture.

Is it always easy? No, but when you consider that legacy architecture with its millions upon millions of lines of proprietary code, has thousands of bugs, each one a potential vulnerability, it’s worth it.

And beyond replacing existing plumbing, we need to be thinking about the next challenges, and deploying the latest tools.

In the same way the world is racing to upgrade encryption to deal with the threat of quantum decryption, we need to be investing in cutting-edge technologies that will help us keep ahead of increasingly sophisticated threats.

The good news is that cyber-security tools are evolving quickly, from artificial intelligence capabilities, to advanced cryptography, to quantum computing.

If today we talk about security by design, what comes next is security through innovation–security designed with AI and machine learning in mind–designed to counter bad actors using new tools to evade filters, break into encrypted communications, and generate customized phishing emails.

We’ve got some of the best AI work in the business, and we’re testing new approaches and using some of our leading-edge AI tools to detect malware and phishing at scale. AI allows us to see more threats faster, while reducing human error. AI, graph mining, and predictive analytics can dramatically improve our ability to identify and block phishing, malware, abusive apps, and code from malicious websites.

We look forward to sharing more of our findings so that organizations and governments can prepare. After all, this is no time for locking down learnings or successful techniques. Bad actors are not just on the lookout for ways to exploit your unknown vulnerabilities. As with Hafnium and SolarWinds, they are looking for the weak link in the security chain, letting them springboard from one attack to another. A vulnerability at one organization can do damage to entire industries and infrastructures.

Cybersecurity is a team sport, and we all need to get better together, building bridges not just within the security communities, but also between the national security community and academia and Silicon Valley.

Kent Walker speaking on stage

Having started with one story, let me leave you with another—cybersecurity and Russia’s war in Ukraine.

A lot has changed in our approach since Aurora. And perhaps no example illustrates that shift more clearly than our response to the war in Ukraine.

Russia’s invasion sparked, not just a military and economic war, but also a cyber war and an information war. In recent months, we have witnessed a growing number of threat actors– state actors and criminal networks–using the war as a lure in phishing and malware campaigns, embarking on espionage, and attempting to sow disinformation.

But this time, we were ready with a modern infrastructure and a process for monitoring and responding to threats as they happened.

We’ve sent thousands of warnings to users targeted by foreign-state actors–a practice we pioneered after Aurora. And in the vast majority of cases, we’ve blocked the attacks.

We launched Project Shield, bringing not just journalists, but vulnerable websites in Ukraine under Google’s security umbrella against DDOS attacks. While you can DDOS small sites, it turns out that it’s pretty tough to DDOS Google. We disrupted phishing campaigns from Ghostwriter, an actor attributed to Belarus. And we helped the Ukrainian government modernize its cyber infrastructure, helping fortify it against attack.

We are proud that we were the first company to receive the Ukrainian government’s special peace prize in recognition of these efforts.

But the work is far from done.

Even now, we’re seeing reports that the Kremlin could be planning to ratchet up attacks and coordinated disinformation campaigns across Eastern Europe and beyond in an attempt to divide and destabilize Western support for Ukraine. In fact, just today, our TAG team published a new report on activity from a threat group linked to Russia’s Federal Security Service, the FSB, and threat actors using phishing emails to target government and defense officials, politicians, NGOs, think tanks, and journalists.

And, looking beyond Russia and Ukraine, we see rising threats from Iran, China, and North Korea.

Google is a proud American company, committed to the defense of democracy and the safety and security of people around the world.

And we believe cybersecurity is one of the most important issues we face.

It’s why we invested $10 billion over the next five years to strengthen cybersecurity, including expanding zero-trust programs, helping secure the software supply chain, and enhancing open-source security.

It’s why we’ve just created a new division–Google Public Sector–focused on supporting work with the US government. And it’s why we are always open to new partnerships and projects with the public sector.

In recent years, we’ve worked with the FBI’s Foreign Influence Taskforce to identify and counter align foreign influence operations targeting the U.S. We’ve worked with the NSA’s Cybersecurity Collaboration Center. And we’ve joined the Joint Cyber Defense Collaborative to help protect critical infrastructure and improve collective responses to incidents on a national scale.

Getting our whole digital economy on the front foot is essential. And there’s some encouraging progress. For example, we were glad to see last week’s Cyber Safety Review Board report deeply investigating the log4j vulnerability and making important recommendations about how to improve the ecosystem.

We need more of that.

Looking ahead, our collective ability to prevent cyber attacks will come, not only from transparency, but from a commitment to shoring up our defenses — moving away from legacy technology, modernizing infrastructure, and investing in cutting-edge tools to spot and stop tomorrow’s challenges.

We can’t beat tomorrow’s threats with yesterday’s tools. We need collective action to shore up our digital defenses. But by drawing on America’s collective abilities and advantages, we can achieve a higher level of collective security for all of us.

Thank you.

Source: The Keyword


It’s time for more transparency around government data demands

As our lives continue to become more digitized, laws governing government access to personal information need to evolve to protect both public safety and civil liberties.

America’s Stored Communications Act, passed in 1986 (before the internet became a part of daily life), sets the rules governing government demands to providers to disclose information about their users. One of those rules lets the government seek orders to prevent providers like Google from telling users about demands for data. These so-called Non-Disclosure Orders (NDOs) or “gag orders” have become commonplace.

We’re seeing NDOs issued for an increasing number of court orders, warrants, and subpoenas from U.S. authorities. That means that providers can’t notify users until long after compliance, if ever. And that people don’t have the opportunity to go to court to contest disclosure orders.

We’ve seen NDOs issued in cases where the user is already aware of the investigation, and even of the legal demand itself. Similarly, we’ve seen NDOs issued covering legal requests for the data of well-established reputable organizations, even though notifying the organization is highly unlikely to do harm. And we’ve seen some NDOs that might have been initially justified lasting years beyond the investigation, in some cases indefinitely.

It’s time to reform this practice, requiring more robust review before gag orders are issued.

We commend the bipartisan House passage of the NDO Fairness Act, a bill sponsored by Chairman Nadler and Representative Fitzgerald that would make much-needed improvements to the Stored Communications Act. This reform will ensure that gag orders are issued only where warranted and for reasonable periods.

This position is nothing new for us. We’ve long advocated for transparency for both our users and the public. We were the first major company to publish a Transparency Report on government requests for user data and co-founded both the Global Network Initiative and the Reform Government Surveillance coalition. We’ve long supported surveillance reform, including the Email Privacy Act, and legislation to allow providers to be more open about national security requests. We also contest inappropriate gag orders, going to court where necessary (with one case leading the U.S. Department of Justice to pledge to stop using court orders to get journalists’ information in leak investigations). We've also built industry-leading products to give business customers transparency and control over who has access to their data.

Transparency for government data demands is an important check-and-balance, and we urge both the House and Senate to advance this practical protection for Americans in the digital age.

Google at the Copenhagen Democracy Summit

The following is adapted from remarks delivered by Kent Walker, President of Global Affairs, at the Copenhagen Democracy Summit on June 10, 2022.

On February 24, the world watched in horror as Russia invaded Ukraine. While the tension had been building for weeks, that didn’t make the invasion any less shocking.

Tanks once again rumbled through European streets, and the world held its breath. People wondered whether this marked a return to the law of the jungle — a return to machtpolitik over cooperation in solving shared problems.

And we were reminded once again that democratic progress is not inevitable; that democracy and the rules-based international order are by no means guaranteed.

Even before the invasion of Ukraine, there had been worrying signs that democracy was under assault.

Freedom House found that the defining features of democracy — free expression and open debate, free association, and the rule of law — have retreated in nearly fifty countries.

I’d like to speak today about the debt technology owes democracy, and how technology can work with democracy to repay that debt.

But first, let’s talk about why that partnership is so critically important.

Democracy has always been fertile soil for innovation and basic research.

Inventors flourish when they can exchange ideas, take risks, test hypotheses, and explore new avenues for inquiry and collective innovation.

Democratic values of openness and pluralism allow cooperation and scientific inquiry to flourish.

It would be hard to argue that the advances made possible by democratic innovation — advances that have doubled life expectancies and lifted billions of people out of poverty — would have been possible under any other system of government.

But technology can also benefit democracy itself, by proving that democracies can deliver for citizens, expanding choice and raising living standards.

Future generations of technology will help us combat climate change, pioneer personalized medicine, and improve agricultural productivity.

But even beyond improving living standards — delivering on the substantive promises of democracy — technology and innovation can also be a force for democratic procedural legitimacy: Supporting democratic institutions, increasing transparency and accountability in governance, and protecting and promoting human rights.

When developed and used responsibly, technology can foster the essential exchange of ideas and broaden civic engagement in the democratic process.

After all, democracies need at least three elements to flourish:

  • A robust public square, where people can express ideas openly;
  • An active and vibrant press; and
  • Free and fair elections that create accountability, letting citizens check and balance power.

While there is no question that the misuse and abuse of technology has created challenges in each of these areas — from within and without — conversations over the last few months, with defense leaders in Munich, business leaders in Davos, and security experts in Eastern Europe, have made it clear that we need the responsible use of technology to support these essential elements.

So, first, how can technology defend the public square, safeguarding speech and debate?

Tech can promote and protect the marketplace of ideas by playing both offense and defense: Facilitating free and open discourse while combating disinformation.

The early days of Silicon Valley fostered a faith that more communication would be better for the world. And in many ways it has been, connecting people in remarkable new ways.

That said, we have come to recognize abuses of our platforms, harmful efforts to spread malicious or patently false information. We have responded by removing content that violates our policies; raising authoritative voices at critical times; rewarding trusted creators; and reducing borderline content.

That requires tough calls — millions of them every day. And we’re working on ways to provide more transparency into this critical process.

The latest and most dramatic chapter in the battle against disinformation came with the invasion of Ukraine where we all are witnessing not just a military and economic war, but also a cyber war and an information war.

An extraordinary situation called for an extraordinary response.

YouTube took the unprecedented step of globally blocking disinformation channels like RT and Sputnik, removing more than 8,000 channels and more than 70,000 videos for violating our content policies – content that minimized the war’s toll or spread harmful lies about what was happening on the ground. Meanwhile Google Search, Google News, and YouTube are some of the last independent sources of news about the war that remain available in Russia.

On the cybersecurity front, when we saw a spike of distributed denial-of-service (DDoS) attacks on Ukrainian websites, we protected access to information and kept sites online by bringing publishers and government websites under Google's security umbrella, Project Shield.

As a result of these efforts, we were proud to be the first company to receive the Ukrainian government’s special "peace prize,” showing how important tech’s role can be when the stakes are high.

Which brings me to the second cornerstone of a functioning democracy: A free and vibrant pressand how technology can help it adapt to a digital world.

Google was founded with the mission of organizing the world’s information and making it universally accessible and useful. Over the years our ad networks have provided billions of dollars to news publishers, and we have sponsored programs like the Google News Initiative, partnering with publishers to create innovative tools and approaches to reporting.

Of course, technology has had a significant impact on newspaper business models, unbundling different categories and making news more competitive and more freely available.

But technology will also be the key to the evolution of news business models for a digital era. As Herbert Simon said fifty years ago, a wealth of information creates a poverty of attention.

That means a growing role for editors and publishers, curators and analysts, who can help us all allocate our limited attention wisely.

It means there’s a growing need for us to support content creators and a thriving global press.

Third, technology has a vital role to play when it comes to the integrity of our elections.

At Google, we've long created tools and resources to make it easier for people to vote. Our services connect voters with up-to-date, authoritative information about polling locations, remote voting, and election times.

During election cycles, campaigns face increased security threats.

Our teams equip campaigns and election workers with best-in-class security tools. We collaborate with partners in Europe to give political campaigns access to free Titan Security Keys — the strongest form of two-factor authentication.

That’s part of our Advanced Protection Program, which protects high-risk individuals – election officials, campaigns, journalists, and human rights activists – with access to high-visibility and sensitive information.

Finally, our Threat Analysis Group works to thwart cyber attacks, monitoring and exposing espionage, hacks, and phishing campaigns and taking steps to disrupt the threats. In recent months, we stopped coordinated attacks by government-backed actors from China, Iran, North Korea and Russia. And we stopped attempts by various unattributed groups to sow disinformation.

Our role is clear — we help protect people and prevent future attacks by identifying bad actors and sharing relevant information.

These are all examples of ways tech is helping today — across the public square, the free press, and elections themselves. But defending democracy and the rules-based international order is a task that requires tech, civil society, and governments to work together.

An Edelman survey found that people often think of governments and NGOs as well intentioned but ineffective; and often think of companies as effective but maybe not always well intentioned. But when the two worked together, they went to the upper right-hand quadrant — both well intentioned and effective.

It’s why we support The Copenhagen Pledge on Tech for Democracy and similar multilateral commitments by governments, organizations, industry, and civil society to make technology work for democracy and human rights.

Democracy is at a watershed moment. There’s a risk that democracies turn inward, focusing strictly on domestic challenges rather than defending the liberal democratic international order.

Tech, too, is at a crossroads — with a risk that concerns about abuses of technology obscure its many benefits.

In 1996, John Perry Barlow, a lyricist for the Grateful Dead, wrote "A Declaration of Independence of Cyberspace” arguing that the internet was beyond any government’s laws.

Well, perhaps it's now time for a “Declaration of Interdependence of Cyberspace.”

Our growing technological connections have become so important to our daily lives that technologists need to work ever more closely with governments on new and agile rules to promote progress, national security, and the defense of the public square.

International frameworks — from the UN to the WTO to the OECD — can be useful starting places as we work to promote international alignment. And only governments can drive this crucial work.

We need governments committed to open, democratic processes to step up and work together to reaffirm international norms of access to information and the free and open exchange of ideas.

At Google, we’re eager to roll up our sleeves and help.

We leave the politics to the politicians, but that doesn’t mean we leave it to others to defend the public square. Nor does it mean we dismiss the experience and ideas of government leaders in the cause of protecting democracy.

We hear the summons to defend democracy’s essential components – the open exchange of views, an independent press, and free and fair elections.

In moments of uncertainty and crisis, responsible tech companies feel a duty to do what our engineers do best: Unlock solutions to the most pressing problems.

We undertake that task with appreciation that those solutions will be – must be – the product of collaboration, building on the kind of collective innovation that has always made democracies stronger than their adversaries.

Connecting more Americans to in-demand digital skills

America’s employers are starting to look at the world differently as they look for talent to fill their growing needs. Many businesses are moving beyond narrowly defined degree requirements. They’re seeking employees who may have acquired skills through alternative routes, which may include career experiences and targeted training programs.

Since only 36% of American adults have four-year college degrees, requiring that piece of paper automatically screens out 70% of rural workers, almost 70% of African-American workers and 80% of Latino workers.

When employers hire for relevant skills, rather than screening for degrees, we get access to a talent pool that is qualified, ready to work, and significantly more diverse. But for employers to hire people with the requisite skills, people must have successful avenues to acquire those skills.

Today in the U.S., the reported number of unemployed people is 5.9 million. That number grows dramatically when we include people who are underemployed, are earning low wages or have stopped looking for work. At the same time, there are more than 11 million unfilled jobs, many open because employers say that they can’t find the people with the requisite skills.

By all indications, this is a skills gap problem that’s only going to get worse. By some estimates, 80% of “middle-skill” U.S. jobs now require digital skills. And the World Economic Forum estimates that up to 50% of workers will need to add new skills to keep up with the requirements of in-demand careers.

Fortunately, innovative initiatives are equipping people to gain relevant expertise. Since 2017, Google and Goodwill have partnered to bring digital skills to local communities and help people get good jobs that don’t require a degree.

Which brings us to some news we're sharing today: Google.org is announcing a $14 million reinvestment in the Goodwill Digital Career Accelerator. This includes grants and in-kind support to help Goodwill continue to provide digital training pathways and support job placement for people seeking jobs.

Google’s expanded support includes $7 million in Google.org grants and $7 million in donated Search ads, which will help Goodwill reach more than 200,000 people across the U.S. and Canada with digital skills and career training so they gain economic mobility. The funds support infrastructure development and expansion like tracking systems for hiring and training that will improve the reach and effectiveness of Goodwill’s services at the local level. Finally, through the Google.org Fellowship, ten Google employees are working full-time pro bono to help Goodwill better reach job seekers online so they can connect with local Goodwill career coaches and work toward brighter futures.

With support from Google.org, Goodwill has helped more than a million people gain digital awareness and new digital skills, and placed more than 300,000 overlooked job seekers in digital economy jobs.

There have been some valuable lessons learned along the way:

  1. Meet learners where they are. Many people don’t know that Goodwill places more people in jobs than any other non-government, nonprofit in America. Over the years, Goodwill teams have found access is one of the biggest barriers for people who want to gain digital skills. Goodwill makes training readily available and convenient at Goodwill locations within communities across the U.S. and Canada. More than 70% of the U.S. population lives within a 20-mile radius of a Goodwill mission services location.
  2. Remove barriers to learning with enhanced support. There are dozens of reasons why people might drop out of a learning program or not sign up in the first place. Living stipends, connectivity support, transportation credits, career navigators and other resources make it possible for people to participate in and complete training so that they can earn career certificates.
  3. Commit to creating pathways to upward mobility. Digital skilling must lead to real jobs with opportunities for growth. Close employer relationships are essential to connect graduates with hands-on internships, apprenticeships, and other learn-and-earn options. An example is Kara Isreal Gooch, a Google Career Certificate graduate who landed a job at Accenture with help from Goodwill and our consortium of employers who have agreed to consider Google Career Certificate graduates for jobs.

Through collaborations like the one between Goodwill and Google, we’re learning what works and what doesn’t. By aligning the right resources, we can build the systems and capacity needed to close the digital skills gap and connect Americans with the skills and support they need to compete in the 21st century economy. In every community, we need talent equipped and participating in our rapidly changing labor market.

Interested in learning more about ongoing initiatives to promote workforce development and connect job seekers with careers and resources? Join Goodwill’s Steve Preston, Google’s Kent Walker and experts from across the labor field today at the Rising Together Action Summit. The live-streamed event kicks off with a fireside chat at 10am EST/ 7am PST.

The urgent necessity of enacting a national privacy law

The following is adapted from remarks delivered by Kent Walker, President of Global Affairs, at Beyond the Basics: The Many Pillars of U.S. Privacy Law, an event hosted by R Street Institute at The National Press Club in Washington, DC. Google also published an accompanying white paperon Responsible Data Practices.

Information is all around us. Americans sometimes take it for granted, but from the moment we walk out our front doors, information powers everything we do.

After a two-years-and-counting pandemic, when people have taken to tech at an unprecedented pace, they’re more aware of both the possibilities and the privacy challenges.

They may have even heard about the shadowy world of data brokers who buy and sell information to actors they’ve never heard of, for purposes that they can’t see or control, in ways that may risk their privacy and security.

And they may have a greater appreciation for the need for consistency across the country — not a patchwork of 50 different state laws, but a law that organizations and people can rely on as they go about their daily lives

There is a range of views when it comes to technology and technology regulation. But when it comes to national privacy regulation, there is a clear consensus: Americans want it.

A Pew Research poll found that 75 percent of people support government regulation of consumer data.

And the absence of a comprehensive federal privacy law has left a vacuum that states are trying to fill by scrambling to pass their own, often inconsistent, laws — a trend that actually risks fragmenting consumer protections.

People are counting on all of us to address this issue — and fast. The good news is that after many years of discussion, today, there seems to be a growing consensus on this. We are starting to see interest from both parties, from many different constituencies. They are coming together on how to do this well.

President Biden in his State of the Union address highlighted the importance of privacy, and there are growing reports that Congress is making progress toward comprehensive privacy legislation. We’ve long supported that goal, and we welcome the forward movement.

When data is misused, when consumers find their trust is misplaced, it hurts not just the whole digital ecosystem, but the potential for future innovation.

And let me be clear: We at Google get it, and we’ve rethought and adapted our own approaches to product development to promote privacy and security.

For example, because digital services should keep your information for only as long as you find it helpful, we introduced auto-delete controls to let you easily delete your location history, web history, and YouTube history.

Try to do that with any other business that holds data about you.

We were the first platform to make it easy for people to download or transfer personal data when they want to switch to other services.

And today, we keep more people safe online than anyone else in the world — because if it’s not secure, it’s not private.

To set new standards for responsible data use, we’ve also done what we do best – built new technological solutions, investing in privacy-preserving technologies.

Privacy-preserving technologies don’t just promote privacy by design, they achieve privacy through innovation. They help us minimize the collection of identifying data. They reduce the risk of data being misused — without undermining the tremendous value that people get from information services.

As an example, at the start of COVID, we had an unprecedented partnership with Apple to develop Exposure Notifications, helping public health authorities supplement contact-tracing. Our North Star had to be designing a system with privacy protections baked in. So we worked with public health officials, privacy experts, regulators, used our most advanced technology to keep data safe, and established strict guidelines – all of which built public trust and adoption, saving thousands of lives.

Now we’ve got a complex business, and we haven’t always gotten everything right, but we’ve learned from those experiences, and we know what’s possible when private industry and regulators work together.

Of course it’s not enough for some organizations to operate responsibly — we need a law that establishes consistent rules and reins in bad actors.

So how do we do that? What’s the best path forward?

We're not focused on pie-in-the-sky proposals like creating an entirely new agency to regulate all the different uses of digital tools. We don’t want snappy soundbites; we want sound solutions.

The reality is that all companies are becoming digital companies, each with the potential to create new technologies and use information in new ways. We need consistent rules across the economy, and across the country.

Instead of chasing theoretical approaches, we want to support the practical, real-world privacy work already being done by Congress.

Current legislative privacy proposals like the ones put forward by Senators Cantwell and Wicker reflect important areas of agreement on the practical points that matter to people. And we hope they will work closely with Chairman Pallone and Ranking Member McMorris Rodgers to move legislation through the committees expeditiously.

We can build on the work that has already happened in this space, like proposals put forward by Senators Cortez Masto and Fischer and Representatives Stevens and Gonzalez to promote privacy-preserving technologies.

With the right leadership from the White House and leadership in Congress, we can get this done – this year.

So what are the sticking points? Issues like when and how consumers can file suit? The scope of FTC rulemaking? How federal and state laws will work together?

Those issues are debated in some form nearly every time Congress passes new business regulations, including the sectoral privacy laws Congress has already passed. So, none of this is new or unresolvable. With the right working group and some reasonable compromises, these points can be reconciled.

In fact, those conversations are already happening. Of course there has been no shortage of positions when it comes to privacy, ranging from ideas of notice and choice to proposals around new duties of care or loyalty.

One possible finesse would be a responsible data approach that works in practice, across a growing digital economy.

For example, we could start by giving consumers reasonable baseline assurances around transparency and control.

And we could build on that, by requiring responsible data practices — like privacy reviews and data minimization — that could be easy to implement and promote shared processes for protecting people’s data. Norms around good development processes could improve privacy practices for everyone.

But the time to act is now.

A U.S. privacy law would align us all on the privacy measures that people want and promote confidence in U.S. companies and our digital ecosystem.

It would increase trust in U.S. leadership, as we promote cross-border data flows and compatible, pro-privacy, pro-innovation rules around the world.

It would give everyone much-needed clarity and consistency so that organizations spend less time trying to navigate inconsistent rules and more time preventing harm and responsibly innovating – the kind of work that yields research breakthroughs and a stronger U.S. economy.

There’s no question that getting it done will take thoughtful compromises. Compromises by different groups in Congress. Compromises by advocates. And compromises by companies, including Google, who are used to doing business in certain ways. But that’s what we need to get this done.

Whatever final legislation comes out of the negotiations won’t be perfect, and it won’t address every concern. But we urge both businesses and advocates not to make the perfect the enemy of the good. Or of better, more consistent protections for all Americans.

In closing, I’ll say this: Google is an engineering company — and we look at problems from an engineering perspective. When we spot an issue with our services, we make fixing it a priority, and we often move engineers from other projects to help.

This is that all-hands-on-deck moment for privacy.

The vast majority of Americans want a federal privacy law. In fact, we’ve never seen such broad-based, bipartisan consensus about the need for that law.

It’s a moment for Congress to come together, on a bipartisan basis, and deliver for the American people.

Lawmakers and regulators face an important challenge, and an important opportunity. We pledge our support for that effort, and we hope that a broad cross-section of stakeholders will join together in support of their work.

Helping Ukraine

The Russian invasion of Ukraine is both a tragedy and a humanitarian disaster in the making. The international community’s response to this war continues to evolve and governments are imposing new sanctions and restrictions.

Our teams are working around the clock to support people in Ukraine through our products, defend against cybersecurity threats, surface high-quality, reliable information and ensure the safety and security of our colleagues and their families in the region.

Here are a few of the actions we’re taking.

Providing support from Google.org

Together, Google.org and Google employees are contributing $15 million in donations and in-kind support to aid relief efforts in Ukraine, including $5 million so far from our employee matching campaign and $5 million in direct grants. We’re also contributing $5 million in advertising credits to help trusted humanitarian and intergovernmental organizations connect people to important sources of aid and resettlement information.

A woman in a Red Cross uniform puts bedding in a pile on the floor

According to the Polish Red Cross, since Thursday last week over 300,000 people have arrived in Poland. (photo credit: Red Cross)

Updating Search and Maps in Ukraine

We've launched an SOS alert on Search across Ukraine. When people search for refugee and evacuation information, they will see an alert pointing them to United Nations resources for refugees and asylum seekers. We’re working with expert organizations to source helpful humanitarian information as the situation unfolds.

And after consulting with multiple sources on the ground, including local authorities, we’ve temporarily disabled some live Google Maps features in Ukraine, including the traffic layer and information about how busy places are, to help protect the safety of local communities and their citizens. We’ve also added information on refugee and migrant centers in neighboring countries.

Expanding security protections

Our security teams are on call 24/7. Russia-backed hacking and influence operations are not new to us; we’ve been taking action against them for years. Over the past 12 months alone, we’ve issued hundreds of government-backed attack warnings to people in Ukraine using products like Gmail. We’ve been particularly vigilant during the invasion and our products will continue to automatically detect and block suspicious activity.

While we have not seen meaningful changes in the levels of malicious activity in this region overall, our Threat Analysis Group (TAG) has seen threat actors refocus their efforts on Ukrainian targets. For example, we’ve seen the attackers behind the GhostWriter threat group targeting Ukrainian government and military officials. We blocked these attempts and have not seen any compromise of Google accounts as a result of this campaign.

We also automatically increased Google account security protections (including more frequent authentication challenges) for people in the region and will continue to do so as cyber threats evolve. Our Advanced Protection Program — which delivers Google’s highest level of security — is currently protecting the accounts of hundreds of high-risk users in Ukraine. And “Project Shield,” a service providing free unlimited protection against Distributed Denial of Service attacks, is already protecting over 100 Ukrainian websites, including local news services.

Promoting information quality

In this extraordinary crisis we are taking extraordinary measures to stop the spread of misinformation and disrupt disinformation campaigns online.

Beginning today, we’re blocking YouTube channels connected to RT and Sputnik across Europe. This builds on our indefinite pause of monetization of Russian state-funded media across our platforms, meaning media outlets such as RT are not allowed to monetize their content or advertise on our platforms.

We have also significantly limited recommendations globally for a number of Russian state-funded media outlets across our platforms. And in the past few days, YouTube has removed hundreds of channels and thousands of videos for violating its Community Guidelines, including a number of channels engaging in coordinated deceptive practices.

Of course we are working to not just reduce the reach of unreliable information, but also to make reliable and trustworthy information readily available. Our systems are built to prioritize the most authoritative information in moments of crisis and rapidly-changing news. When people around the world search for topics related to the war in Ukraine on Search or YouTube, our systems prominently surface information, videos and other key context from authoritative news sources.

Helping our colleagues in Ukraine

We remain extremely concerned for the safety and wellbeing of our Ukrainian team and their families. Our local Security and People Operations teams have been working since January to provide help, including physical security support, paid leave, assistance options and reimbursement for housing, travel and food for anyone forced to leave their homes.

Operating our services in Russia

We are committed to complying with all sanctions requirements and we continue to monitor the latest guidance. As individuals, regions and institutions like banks are sanctioned, products like Google Pay may become unavailable in certain countries.

Most of our services (like Search, Maps and YouTube) currently remain available in Russia, continuing to provide access to global information and perspectives.

We will continue to monitor the situation and take additional actions as needed – and we join the international community in expressing sincere hope for a return to a peaceful and sovereign Ukraine.

Google at the Munich Security Conference

Since its inception in 1963, the Munich Security Conference has been a vital venue for policymakers, experts and transatlantic leaders tackling the most pressing security issues of the day. Today, against the backdrop of an ongoing pandemic, geopolitical tensions, and increasingly sophisticated cyber attacks, the stakes for these discussions feel particularly high — with many participants perceiving this as a time of heightened risk.

Google’s mission statement has always been to “organize the world’s information and make it universally accessible and useful.” We provide tools that make people more informed, more connected, more productive — and more secure. That’s why I’m traveling to Munich this week and joining conversations about promoting and protecting the public square.

Fighting misinformation online and safeguarding elections

In the last few years, we’ve seen a marked uptick in online disinformation campaigns, attempts to influence democratic elections, and cyber attacks on democracies' critical infrastructure.

Google and YouTube have specialized teams of intelligence and security experts who work around the clock and around the world to thwart these threats and protect the people using our products. When it comes to the content we host on YouTube, our “4R’s” approach includes not just Removing violative content and Reducing the spread of borderline content, but also Raising up authoritative content, and Rewarding trusted creators. And we continuously assess our approach and look at changes we can make to promote thoughtful engagement.

During election cycles, we equip campaigns with best-in-class security features and protect their operations from attack. We work to help voters find high-quality, authoritative election information directly in our products. We employ teams who monitor elections from India to Europe to the United States. We use advanced technology to detect coordinated disinformation networks. And we work with partners like Defending Digital Campaigns and organizations in Europe to give political campaigns access to free Titan Security Keys — the strongest form of two-factor authentication — as well as the International Foundation for Electoral Systems to develop global security programming, protecting those who work to safeguard human rights.

Advancing cybersecurity and moving towards collective standards

When it comes to cybersecurity, we have first-hand, real-world experience. Our systems stop attacks every single day, including attacks from sophisticated nation state actors. But it wasn’t always that way. In the past, when our defenses weren’t strong enough, we rebuilt our entire security infrastructure, sometimes inventing new technologies when state-of-the-art simply wouldn’t do. We know that “high walls” are not enough to stop bad actors, and we’ve learned to use “defense in depth” — creating access controls throughout our services and using multi-factor authentication as part of a zero-trust security approach, in which every node has to authenticate itself. As a result, today we keep more people safe online than any other company in the world.

Image of Google security statistics

We design our products to go beyond “security by design” to provide security by default. When that’s not enough, we invent new ways to keep our users more secure.

In Munich, I will be urging policymakers to work together on establishing collective security standards including those that move democratic governments toward secure cloud services and zero-trust architecture.

In the last fifty years, democratic governments helped advance some of the world’s most important innovations — including the Internet, microchips, computers, global positioning systems, and revolutionary vaccines against COVID. In the next fifty, I’m optimistic about the ability of science and advanced technology to help solve some of the world’s biggest challenges, like climate change, health care, and global development. To do that, we need to partner with governments and civil societies to rebuild trust and confidence in our institutions. Realizing the promise of tomorrow requires protecting the public square today.