Author Archives: Annette Kroeber-Riel

Advancing security across Central and Eastern Europe

Since the start of the war in Ukraine, our teams have been working around the clock to support the humanitarian effort, provide trustworthy information and promote cybersecurity.

We were humbled to receive a special Peace Prize award from Ukraine's President Zelenskyy at Davos last week and we remain committed to doing everything we can to support Ukraine and the broader region as it navigates these challenging times.

To build on our efforts, we are expanding our cybersecurity partnerships and investment in Central and Eastern Europe. Last month, a delegation of our top security engineers and leaders met with organizations and individuals in Czechia, Poland, Lithuania and Latvia. They trained high-risk groups, distributed security keys, engaged in technical discussions with government experts, and supported local businesses in shoring up their defenses.

Securing high-risk users

Throughout this war, there has been no shortage of news around targeted cyber attacks aimed at high profile individuals in this region. Our Threat Analysis Group has provided regular updates on this activity, and worked diligently to alert users, organizations and governments through our government-backed attacker warnings.

To help address these threats, our high-risk user team conducted workshops throughout the region for dozens of non-governmental organizations (NGOs), publishers and journalists, including groups and individuals sanctioned by the Kremlin. We distributed around 1,000 security keys - the strongest form of authentication - and trained over 30 high-risk user groups on account security. We also launched, in collaboration with Jigsaw, the Protect Your Democracy Toolkit, which provides free tools and expertise to democratic institutions and civil society.

We heard directly from high-risk organizations like the Casimir Pulaski Foundation, the International Center for Ukrainian Victory, NGOs supporting refugees and exiled activists, and leading publishers across Europe who told us just how critical Google's no-cost security tools, like the Advanced Protection Program and Project Shield, are to keeping them safe online. We are grateful for their valuable insights to inform future product development.

Our High-Risk team meets with NGO representatives at Google Prague

Shoring up cyber defenses

As companies and government agencies grapple with the ever-changing security landscape and the role that they find themselves in during this conflict, we wanted to showcase how Google’s enterprise security tools and advisory services can give them the confidence to pursue digital transformation on a secure foundation.

Our delegation of security experts included leaders from the Google Cybersecurity Action Team (GCAT). This team’s mission was to advise governments, critical infrastructure providers, enterprises, and small businesses on cloud security and IT modernization. We hosted round-table discussions with Chief Information Security Officers (CISOs) from around the region to learn about the challenges they face, and shared resources on how they can accelerate their response to threats, secure their open source software supply chains, and stay up-to-date with evolving regulations.

Google VP of Privacy, Safety & Security Royal Hansen meets with Polish minister Janusz Cieszyński at the CYBERSEC Forum in Katowice

Building stronger partnerships

While observers speculate about whether the war in Ukraine will lead to broader cyber escalation, government cybersecurity organizations in Central and Eastern Europe are contending with cyber conflict on a daily basis. That’s why Google experts regularly meet with national cyber emergency response teams (CERTs), cybersecurity agencies, and digital ministries to promote the exchange of knowledge and build partnerships to advance shared goals.

What we heard across the board was: we need to help our partners in the region address the shortage of cybersecurity skills and training; improve operational partnerships and information sharing; and promote better cyber hygiene for citizens. We are pleased to work with governments and industry to advance innovative solutions on all of these fronts. Deepening our partnerships in this region will not only protect our users, it will make the Internet safer for all.

Welcoming US-EU collaboration on cybersecurity

Armistice Day is a perennial reminder of the perils of unchecked escalation and the sacrifices of prior generations to protect peace and security. Multilateralism, born out of the 20th century’s conflicts, is just as relevant in a world of 21st-century threats. That’s particularly true for one of the most pressing multi-stakeholder challenges today: cybersecurity.

The internet itself is a multi-stakeholder system, and protecting citizens online requires cooperation among governments and businesses. For example, this week’s crackdown on ransomware operators by Europol and the U.S. Department of Justice, resulting in the arrests of two REvil operators, capped off an enforcement effort that spanned a year and as many as 17 nations. These actions, coming just ahead of the 20th anniversary of the Budapest Convention, highlight the value of cross-border cooperation in fighting cybercrime, as well as the importance of protecting individuals and their rights online.

Likewise, we applaud the news, announced by U.S. Vice President Kamala Harris in Paris, that the United States is expanding its efforts to advance international cooperation in cybersecurity, by joining the Paris Call for Trust and Security in Cyberspace — a voluntary commitment to work with the international community to advance cybersecurity and preserve the open, interoperable, secure, and reliable Internet.

Google was among the first signatories to the Paris Call in 2018 when it was initially advanced by the government of President Macron of France.

The Paris Call’s 9 principles are something we should all agree to, but it is past time to put them into action. Google has unique expertise supporting many of these principles. To name a few:

  • Defend electoral processes. Through our Advanced Protection Program (APP), we partner with organizations around the world to protect elected officials, campaign offices, and other high-risk users such as human rights workers and journalists. During the 2020 United States elections, APP was the go-to choice for 140 federal campaigns. Since the launch of APP, there have been zero identified instances of a successful targeted attack on an APP user.
  • Lifecycle Security. The SolarWinds attack underscored the real risks and ramifications of supply chain attacks. To improve our own security and support the broader community, we worked with the Open Source Security Foundation (OpenSSF) to develop and release Supply-chain Levels for Software Artifacts (SLSA or “salsa”), a proven framework for securing the software supply chain. We also pledged to provide $100 million to support third-party foundations, like OpenSSF, that manage open source security priorities and help fix vulnerabilities.
  • Cyber Hygiene. Advancing cyber hygiene is a simple way to reduce the majority of successful attacks. At our Google Safety Engineering Center (GSEC) in Munich and at Google security engineering hubs around the world, we are making it easier for our users to stay safe. For example, Google has been at the forefront of innovation in two-step verification (2SV) for years. And because we know the best way to keep our users safe is to turn on our security protections by default, we have started to automatically configure our users’ accounts into a more secure state. By the end of 2021, we plan to auto-enroll an additional 150 million Google users in 2SV and require 2 million YouTube creators to turn it on.

Though there is much we can do as a community, what we have learned in the wake of SolarWinds, Hafnium, and other attacks is that companies need to contribute more of their technology and expertise to solving these challenges. In that vein, we are doubling down to develop solutions to protect users, organizations, and society. Earlier this year, we announced that we will invest $10 billion over the next five years to keep users and customers safer, including expanding access to zero-trust security tools and offering free security skills training programs for workers in the U.S. and Europe.

Google keeps more people safe online than anyone else by putting security at the core of everything we do. We are committed to advancing community-driven, multi-stakeholder approaches to cybersecurity. We look forward to expanding our work with governments and the private sector to develop security technologies and standards that make us all safer.