Author Archives: Kent Walker

Transparency in the Shadowy World of Cyberattacks

The following is adapted from remarks delivered by Kent Walker, President of Global Affairs, at the International Conference on Cyber Security 2022 on July 19, 2022.

Thank you for the chance to be a part of this important conversation about cybersecurity.

At Google we’re proud to say that we keep more people safe online than anyone else in the world. But that wasn’t always the case.

So let me start by telling you a story about how we got it wrong, and two things we all can learn from that experience. My dad always told me that it was cheapest to learn from the other guy’s mistake. So let me tell you about one of ours.

As some of you may recall, in late 2009, Google was the victim of a major cybersecurity attack, code named Operation Aurora.

We’ve long had some of the most attacked websites in the world. But Aurora was something special.

Aurora was an attack attributed to the Chinese government, a significant security incident that resulted in the theft of intellectual property from Google.

But Aurora wasn’t just any security incident. And it wasn’t just against Google.

As part of our investigation we discovered that several other high-profile companies were similarly targeted. Other companies either hadn’t discovered the attacks, or hadn’t wanted to disclose them. When I was a federal prosecutor specializing in technology crimes, one of the biggest challenges we encountered was getting companies to go public or even come to the authorities.

So we felt it was important to talk about the attack–to tell the world about its impact, the methods of the hackers, and the sectors at risk.

We worked with the US Government to share threat vectors and vulnerabilities.

And we didn’t stop there: After Aurora, we launched an entire team called Project Zero to find and promptly disclose previously undiscovered, zero-day vulnerabilities in our own and other companies’ software, raising the security bar for everyone.

And today, Google’s Threat Analysis Group, or TAG, works to counter a range of persistent threats from government-backed attackers to commercial surveillance vendors to criminal operators. TAG does regular public disclosures of foreign state actor attacks, including doing the difficult work of attribution.

Without giving too much away, I can also tell you that, working with our team at VirusTotal (now called Chronicle), we have some projects in the works that will help us raise awareness of vulnerabilities from around the world. And we’re very excited about our upcoming partnership with Mandiant, one of the world’s premier security teams, to broaden and deepen this work.

So I’d say that the first lasting lesson from the Aurora attack is the need to weave openness and transparency into the fabric of a cybersecurity response. It’s not always comfortable work–we’ve had to have some tough conversations with partners and with our own teams along the way–but it’s necessary to move the industry forward and ensure bugs are getting fixed fast, before they can be exploited in the wild.

In the ensuing years, we’ve developed principles to ensure we can share learnings about vulnerabilities, cyber attacks (such as attacks on elections), and disinformation campaigns responsibly, transparently, and helpfully with the public, with our partners, and with law enforcement.

And the US government has in turn stood up its own process to facilitate more information sharing with industry partners in order to expedite patches that safeguard us all.

But the value of transparency isn’t the only reason I bring up the Aurora story.

Aurora not only taught us the need to embrace transparency, it also taught us a second, and even more important lesson: What works and what doesn’t when it comes to security architecture.

It’s possible to over-index on info sharing alone.

Focusing on the fundamentals of software security is in some ways more important to raise all of us above the level of insecurity we see today.

We curate and use threat intelligence to protect billions of users–and have been doing so for some time. But you need more than intelligence, and you need more than security products–you need secure products.

Security has to be built in, not just bolted on.

Aurora showed us that we (and many in the industry) were doing cybersecurity wrong.

Security back then was often “crunchy on the outside, chewy in the middle.” Great for candy bars, not so great for preventing attacks. We were building high walls to keep bad actors out, but if they got past those walls, they had wide internal access.

The attack helped us recognize that our approach needed to change–that we needed to double down on security by design.

We needed a future-oriented network, one that reflected the openness, flexibility, and interoperability of the internet, and the way people and organizations were already increasingly working.

In short, we knew that we had to redesign security for the Cloud.

So we launched an internal initiative called BeyondCorp, which pioneered the concept of zero trust and defense in depth and allowed every employee to work from untrusted networks without the use of a VPN. Today, organizations around the world are taking this same approach, shifting access controls from the network perimeter to the individual and the data.

If you fast forward to today’s hybrid-cloud environment, zero trust is a must.

At the core of zero trust is the idea that security doesn’t have a defined border. It travels with the user and the data. For example, as the Administration pushes for multi-factor authentication for government systems, we’re automatically enrolling users in two-step verification to confirm it’s really them with a tap on their phone when they sign into our products.

Practically, this means that employees can work from anywhere in the world, accessing the most sensitive internal services and data over the internet, without sacrificing security. It also means that if an attacker does happen to break through defenses, they don’t get carte-blanche to access internal data and services.

The most impactful thing a company, organization, or government can do to defend against cyber-attacks is to upgrade their legacy architecture.

Is it always easy? No, but when you consider that legacy architecture, with its millions upon millions of lines of proprietary code, has thousands of bugs, each one a potential vulnerability, it’s worth it.

And beyond replacing existing plumbing, we need to be thinking about the next challenges, and deploying the latest tools.

In the same way the world is racing to upgrade encryption to deal with the threat of quantum decryption, we need to be investing in cutting-edge technologies that will help us keep ahead of increasingly sophisticated threats.

The good news is that cyber-security tools are evolving quickly, from artificial intelligence capabilities, to advanced cryptography, to quantum computing.

If today we talk about security by design, what comes next is security through innovation–security designed with AI and machine learning in mind–designed to counter bad actors using new tools to evade filters, break into encrypted communications, and generate customized phishing emails.

We’ve got some of the best AI work in the business, and we’re testing new approaches and using some of our leading-edge AI tools to detect malware and phishing at scale. AI allows us to see more threats faster, while reducing human error. AI, graph mining, and predictive analytics can dramatically improve our ability to identify and block phishing, malware, abusive apps, and code from malicious websites.

We look forward to sharing more of our findings so that organizations and governments can prepare. After all, this is no time for locking down learnings or successful techniques. Bad actors are not just on the lookout for ways to exploit your unknown vulnerabilities. As with Hafnium and SolarWinds, they are looking for the weak link in the security chain, letting them springboard from one attack to another. A vulnerability at one organization can do damage to entire industries and infrastructures.

Cybersecurity is a team sport, and we all need to get better together, building bridges not just within the security communities, but also between the national security community and academia and Silicon Valley.

Having started with one story, let me leave you with another—cybersecurity and Russia’s war in Ukraine.

A lot has changed in our approach since Aurora. And perhaps no example illustrates that shift more clearly than our response to the war in Ukraine.

Russia’s invasion sparked, not just a military and economic war, but also a cyber war and an information war. In recent months, we have witnessed a growing number of threat actors–state actors and criminal networks–using the war as a lure in phishing and malware campaigns, embarking on espionage, and attempting to sow disinformation.

But this time, we were ready with a modern infrastructure and a process for monitoring and responding to threats as they happened.

We’ve sent thousands of warnings to users targeted by foreign-state actors–a practice we pioneered after Aurora. And in the vast majority of cases, we’ve blocked the attacks.

We launched Project Shield, bringing not just journalists, but vulnerable websites in Ukraine under Google’s security umbrella against DDOS attacks. While you can DDOS small sites, it turns out that it’s pretty tough to DDOS Google. We disrupted phishing campaigns from Ghostwriter, an actor attributed to Belarus. And we helped the Ukrainian government modernize its cyber infrastructure, helping fortify it against attack.

We are proud that we were the first company to receive the Ukrainian government’s special peace prize in recognition of these efforts.

But the work is far from done.

Even now, we’re seeing reports that the Kremlin could be planning to ratchet up attacks and coordinated disinformation campaigns across Eastern Europe and beyond in an attempt to divide and destabilize Western support for Ukraine. In fact, just today, our TAG team published a new report on activity from a threat group linked to Russia’s Federal Security Service, the FSB, and threat actors using phishing emails to target government and defense officials, politicians, NGOs, think tanks, and journalists.

And, looking beyond Russia and Ukraine, we see rising threats from Iran, China, and North Korea.

Google is a proud American company, committed to the defense of democracy and the safety and security of people around the world.

And we believe cybersecurity is one of the most important issues we face.

It’s why we invested $10 billion over the next five years to strengthen cybersecurity, including expanding zero-trust programs, helping secure the software supply chain, and enhancing open-source security.

It’s why we’ve just created a new division–Google Public Sector–focused on supporting work with the US government. And it’s why we are always open to new partnerships and projects with the public sector.

In recent years, we’ve worked with the FBI’s Foreign Influence Taskforce to identify and counter foreign influence operations targeting the U.S. We’ve worked with the NSA’s Cybersecurity Collaboration Center. And we’ve joined the Joint Cyber Defense Collaborative to help protect critical infrastructure and improve collective responses to incidents on a national scale.

Getting our whole digital economy on the front foot is essential. And there’s some encouraging progress. For example, we were glad to see last week’s Cyber Safety Review Board report deeply investigating the log4j vulnerability and making important recommendations about how to improve the ecosystem.

We need more of that.

Looking ahead, our collective ability to prevent cyber attacks will come, not only from transparency, but from a commitment to shoring up our defenses — moving away from legacy technology, modernizing infrastructure, and investing in cutting-edge tools to spot and stop tomorrow’s challenges.

We can’t beat tomorrow’s threats with yesterday’s tools. We need collective action to shore up our digital defenses. But by drawing on America’s collective abilities and advantages, we can achieve a higher level of collective security for all of us.

Thank you.

Source: The Keyword


It’s time for more transparency around government data demands

As our lives continue to become more digitized, laws governing government access to personal information need to evolve to protect both public safety and civil liberties.

America’s Stored Communications Act, passed in 1986 (before the internet became a part of daily life), sets the rules governing government demands to providers to disclose information about their users. One of those rules lets the government seek orders to prevent providers like Google from telling users about demands for data. These so-called Non-Disclosure Orders (NDOs) or “gag orders” have become commonplace.

We’re seeing NDOs issued for an increasing number of court orders, warrants, and subpoenas from U.S. authorities. That means that providers can’t notify users until long after compliance, if ever. And that people don’t have the opportunity to go to court to contest disclosure orders.

We’ve seen NDOs issued in cases where the user is already aware of the investigation, and even of the legal demand itself. Similarly, we’ve seen NDOs issued covering legal requests for the data of well-established reputable organizations, even though notifying the organization is highly unlikely to do harm. And we’ve seen some NDOs that might have been initially justified lasting years beyond the investigation, in some cases indefinitely.

It’s time to reform this practice, requiring more robust review before gag orders are issued.

We commend the bipartisan House passage of the NDO Fairness Act, a bill sponsored by Chairman Nadler and Representative Fitzgerald that would make much-needed improvements to the Stored Communications Act. This reform will ensure that gag orders are issued only where warranted and for reasonable periods.

This position is nothing new for us. We’ve long advocated for transparency for both our users and the public. We were the first major company to publish a Transparency Report on government requests for user data and co-founded both the Global Network Initiative and the Reform Government Surveillance coalition. We’ve long supported surveillance reform, including the Email Privacy Act, and legislation to allow providers to be more open about national security requests. We also contest inappropriate gag orders, going to court where necessary (with one case leading the U.S. Department of Justice to pledge to stop using court orders to get journalists’ information in leak investigations). We've also built industry-leading products to give business customers transparency and control over who has access to their data.

Transparency for government data demands is an important check-and-balance, and we urge both the House and Senate to advance this practical protection for Americans in the digital age.

Google at the Copenhagen Democracy Summit

The following is adapted from remarks delivered by Kent Walker, President of Global Affairs, at the Copenhagen Democracy Summit on June 10, 2022.

On February 24, the world watched in horror as Russia invaded Ukraine. While the tension had been building for weeks, that didn’t make the invasion any less shocking.

Tanks once again rumbled through European streets, and the world held its breath. People wondered whether this marked a return to the law of the jungle — a return to machtpolitik over cooperation in solving shared problems.

And we were reminded once again that democratic progress is not inevitable; that democracy and the rules-based international order are by no means guaranteed.

Even before the invasion of Ukraine, there had been worrying signs that democracy was under assault.

Freedom House found that the defining features of democracy — free expression and open debate, free association, and the rule of law — have retreated in nearly fifty countries.

I’d like to speak today about the debt technology owes democracy, and how technology can work with democracy to repay that debt.

But first, let’s talk about why that partnership is so critically important.

Democracy has always been fertile soil for innovation and basic research.

Inventors flourish when they can exchange ideas, take risks, test hypotheses, and explore new avenues for inquiry and collective innovation.

Democratic values of openness and pluralism allow cooperation and scientific inquiry to flourish.

It would be hard to argue that the advances made possible by democratic innovation — advances that have doubled life expectancies and lifted billions of people out of poverty — would have been possible under any other system of government.

But technology can also benefit democracy itself, by proving that democracies can deliver for citizens, expanding choice and raising living standards.

Future generations of technology will help us combat climate change, pioneer personalized medicine, and improve agricultural productivity.

But even beyond improving living standards — delivering on the substantive promises of democracy — technology and innovation can also be a force for democratic procedural legitimacy: Supporting democratic institutions, increasing transparency and accountability in governance, and protecting and promoting human rights.

When developed and used responsibly, technology can foster the essential exchange of ideas and broaden civic engagement in the democratic process.

After all, democracies need at least three elements to flourish:

  • A robust public square, where people can express ideas openly;
  • An active and vibrant press; and
  • Free and fair elections that create accountability, letting citizens check and balance power.

While there is no question that the misuse and abuse of technology has created challenges in each of these areas — from within and without — conversations over the last few months, with defense leaders in Munich, business leaders in Davos, and security experts in Eastern Europe, have made it clear that we need the responsible use of technology to support these essential elements.

So, first, how can technology defend the public square, safeguarding speech and debate?

Tech can promote and protect the marketplace of ideas by playing both offense and defense: Facilitating free and open discourse while combating disinformation.

The early days of Silicon Valley fostered a faith that more communication would be better for the world. And in many ways it has been, connecting people in remarkable new ways.

That said, we have come to recognize abuses of our platforms, harmful efforts to spread malicious or patently false information. We have responded by removing content that violates our policies; raising authoritative voices at critical times; rewarding trusted creators; and reducing borderline content.

That requires tough calls — millions of them every day. And we’re working on ways to provide more transparency into this critical process.

The latest and most dramatic chapter in the battle against disinformation came with the invasion of Ukraine where we all are witnessing not just a military and economic war, but also a cyber war and an information war.

An extraordinary situation called for an extraordinary response.

YouTube took the unprecedented step of globally blocking disinformation channels like RT and Sputnik, removing more than 8,000 channels and more than 70,000 videos for violating our content policies – content that minimized the war’s toll or spread harmful lies about what was happening on the ground. Meanwhile Google Search, Google News, and YouTube are some of the last independent sources of news about the war that remain available in Russia.

On the cybersecurity front, when we saw a spike of distributed denial-of-service (DDoS) attacks on Ukrainian websites, we protected access to information and kept sites online by bringing publishers and government websites under Google's security umbrella, Project Shield.

As a result of these efforts, we were proud to be the first company to receive the Ukrainian government’s special “peace prize,” showing how important tech’s role can be when the stakes are high.

Which brings me to the second cornerstone of a functioning democracy: A free and vibrant press, and how technology can help it adapt to a digital world.

Google was founded with the mission of organizing the world’s information and making it universally accessible and useful. Over the years our ad networks have provided billions of dollars to news publishers, and we have sponsored programs like the Google News Initiative, partnering with publishers to create innovative tools and approaches to reporting.

Of course, technology has had a significant impact on newspaper business models, unbundling different categories and making news more competitive and more freely available.

But technology will also be the key to the evolution of news business models for a digital era. As Herbert Simon said fifty years ago, a wealth of information creates a poverty of attention.

That means a growing role for editors and publishers, curators and analysts, who can help us all allocate our limited attention wisely.

It means there’s a growing need for us to support content creators and a thriving global press.

Third, technology has a vital role to play when it comes to the integrity of our elections.

At Google, we've long created tools and resources to make it easier for people to vote. Our services connect voters with up-to-date, authoritative information about polling locations, remote voting, and election times.

During election cycles, campaigns face increased security threats.

Our teams equip campaigns and election workers with best-in-class security tools. We collaborate with partners in Europe to give political campaigns access to free Titan Security Keys — the strongest form of two-factor authentication.

That’s part of our Advanced Protection Program, which protects high-risk individuals – election officials, campaigns, journalists, and human rights activists – with access to high-visibility and sensitive information.

Finally, our Threat Analysis Group works to thwart cyber attacks, monitoring and exposing espionage, hacks, and phishing campaigns and taking steps to disrupt the threats. In recent months, we stopped coordinated attacks by government-backed actors from China, Iran, North Korea and Russia. And we stopped attempts by various unattributed groups to sow disinformation.

Our role is clear — we help protect people and prevent future attacks by identifying bad actors and sharing relevant information.

These are all examples of ways tech is helping today — across the public square, the free press, and elections themselves. But defending democracy and the rules-based international order is a task that requires tech, civil society, and governments to work together.

An Edelman survey found that people often think of governments and NGOs as well intentioned but ineffective; and often think of companies as effective but maybe not always well intentioned. But when the two worked together, they went to the upper right-hand quadrant — both well intentioned and effective.

It’s why we support The Copenhagen Pledge on Tech for Democracy and similar multilateral commitments by governments, organizations, industry, and civil society to make technology work for democracy and human rights.

Democracy is at a watershed moment. There’s a risk that democracies turn inward, focusing strictly on domestic challenges rather than defending the liberal democratic international order.

Tech, too, is at a crossroads — with a risk that concerns about abuses of technology obscure its many benefits.

In 1996, John Perry Barlow, a lyricist for the Grateful Dead, wrote “A Declaration of Independence of Cyberspace” arguing that the internet was beyond any government’s laws.

Well, perhaps it's now time for a “Declaration of Interdependence of Cyberspace.”

Our growing technological connections have become so important to our daily lives that technologists need to work ever more closely with governments on new and agile rules to promote progress, national security, and the defense of the public square.

International frameworks — from the UN to the WTO to the OECD — can be useful starting places as we work to promote international alignment. And only governments can drive this crucial work.

We need governments committed to open, democratic processes to step up and work together to reaffirm international norms of access to information and the free and open exchange of ideas.

At Google, we’re eager to roll up our sleeves and help.

We leave the politics to the politicians, but that doesn’t mean we leave it to others to defend the public square. Nor does it mean we dismiss the experience and ideas of government leaders in the cause of protecting democracy.

We hear the summons to defend democracy’s essential components – the open exchange of views, an independent press, and free and fair elections.

In moments of uncertainty and crisis, responsible tech companies feel a duty to do what our engineers do best: Unlock solutions to the most pressing problems.

We undertake that task with appreciation that those solutions will be – must be – the product of collaboration, building on the kind of collective innovation that has always made democracies stronger than their adversaries.

Connecting more Americans to in-demand digital skills

America’s employers are starting to look at the world differently as they look for talent to fill their growing needs. Many businesses are moving beyond narrowly defined degree requirements. They’re seeking employees who may have acquired skills through alternative routes, which may include career experiences and targeted training programs.

Since only 36% of American adults have four-year college degrees, requiring that piece of paper automatically screens out 70% of rural workers, almost 70% of African-American workers and 80% of Latino workers.

When employers hire for relevant skills, rather than screening for degrees, we get access to a talent pool that is qualified, ready to work, and significantly more diverse. But for employers to hire people with the requisite skills, people must have successful avenues to acquire those skills.

Today in the U.S., the reported number of unemployed people is 5.9 million. That number grows dramatically when we include people who are underemployed, are earning low wages or have stopped looking for work. At the same time, there are more than 11 million unfilled jobs, many open because employers say that they can’t find the people with the requisite skills.

By all indications, this is a skills gap problem that’s only going to get worse. By some estimates, 80% of “middle-skill” U.S. jobs now require digital skills. And the World Economic Forum estimates that up to 50% of workers will need to add new skills to keep up with the requirements of in-demand careers.

Fortunately, innovative initiatives are equipping people to gain relevant expertise. Since 2017, Google and Goodwill have partnered to bring digital skills to local communities and help people get good jobs that don’t require a degree.

Which brings us to some news we're sharing today: Google.org is announcing a $14 million reinvestment in the Goodwill Digital Career Accelerator. This includes grants and in-kind support to help Goodwill continue to provide digital training pathways and support job placement for people seeking jobs.

Google’s expanded support includes $7 million in Google.org grants and $7 million in donated Search ads, which will help Goodwill reach more than 200,000 people across the U.S. and Canada with digital skills and career training so they gain economic mobility. The funds support infrastructure development and expansion like tracking systems for hiring and training that will improve the reach and effectiveness of Goodwill’s services at the local level. Finally, through the Google.org Fellowship, ten Google employees are working full-time pro bono to help Goodwill better reach job seekers online so they can connect with local Goodwill career coaches and work toward brighter futures.

With support from Google.org, Goodwill has helped more than a million people gain digital awareness and new digital skills, and placed more than 300,000 overlooked job seekers in digital economy jobs.

There have been some valuable lessons learned along the way:

  1. Meet learners where they are. Many people don’t know that Goodwill places more people in jobs than any other non-government, nonprofit in America. Over the years, Goodwill teams have found access is one of the biggest barriers for people who want to gain digital skills. Goodwill makes training readily available and convenient at Goodwill locations within communities across the U.S. and Canada. More than 70% of the U.S. population lives within a 20-mile radius of a Goodwill mission services location.
  2. Remove barriers to learning with enhanced support. There are dozens of reasons why people might drop out of a learning program or not sign up in the first place. Living stipends, connectivity support, transportation credits, career navigators and other resources make it possible for people to participate in and complete training so that they can earn career certificates.
  3. Commit to creating pathways to upward mobility. Digital skilling must lead to real jobs with opportunities for growth. Close employer relationships are essential to connect graduates with hands-on internships, apprenticeships, and other learn-and-earn options. An example is Kara Isreal Gooch, a Google Career Certificate graduate who landed a job at Accenture with help from Goodwill and our consortium of employers who have agreed to consider Google Career Certificate graduates for jobs.

Through collaborations like the one between Goodwill and Google, we’re learning what works and what doesn’t. By aligning the right resources, we can build the systems and capacity needed to close the digital skills gap and connect Americans with the skills and support they need to compete in the 21st century economy. In every community, we need talent equipped and participating in our rapidly changing labor market.

Interested in learning more about ongoing initiatives to promote workforce development and connect job seekers with careers and resources? Join Goodwill’s Steve Preston, Google’s Kent Walker and experts from across the labor field today at the Rising Together Action Summit. The live-streamed event kicks off with a fireside chat at 10am EST/ 7am PST.

The urgent necessity of enacting a national privacy law

The following is adapted from remarks delivered by Kent Walker, President of Global Affairs, at Beyond the Basics: The Many Pillars of U.S. Privacy Law, an event hosted by R Street Institute at The National Press Club in Washington, DC. Google also published an accompanying white paper on Responsible Data Practices.

Information is all around us. Americans sometimes take it for granted, but from the moment we walk out our front doors, information powers everything we do.

After a two-years-and-counting pandemic, when people have taken to tech at an unprecedented pace, they’re more aware of both the possibilities and the privacy challenges.

They may have even heard about the shadowy world of data brokers who buy and sell information to actors they’ve never heard of, for purposes that they can’t see or control, in ways that may risk their privacy and security.

And they may have a greater appreciation for the need for consistency across the country — not a patchwork of 50 different state laws, but a law that organizations and people can rely on as they go about their daily lives.

There is a range of views when it comes to technology and technology regulation. But when it comes to national privacy regulation, there is a clear consensus: Americans want it.

A Pew Research poll found that 75 percent of people support government regulation of consumer data.

And the absence of a comprehensive federal privacy law has left a vacuum that states are trying to fill by scrambling to pass their own, often inconsistent, laws — a trend that actually risks fragmenting consumer protections.

People are counting on all of us to address this issue — and fast. The good news is that after many years of discussion, today, there seems to be a growing consensus on this. We are starting to see interest from both parties, from many different constituencies. They are coming together on how to do this well.

President Biden in his State of the Union address highlighted the importance of privacy, and there are growing reports that Congress is making progress toward comprehensive privacy legislation. We’ve long supported that goal, and we welcome the forward movement.

When data is misused, when consumers find their trust is misplaced, it hurts not just the whole digital ecosystem, but the potential for future innovation.

And let me be clear: We at Google get it, and we’ve rethought and adapted our own approaches to product development to promote privacy and security.

For example, because digital services should keep your information for only as long as you find it helpful, we introduced auto-delete controls to let you easily delete your location history, web history, and YouTube history.

Try to do that with any other business that holds data about you.

We were the first platform to make it easy for people to download or transfer personal data when they want to switch to other services.

And today, we keep more people safe online than anyone else in the world — because if it’s not secure, it’s not private.

To set new standards for responsible data use, we’ve also done what we do best – built new technological solutions, investing in privacy-preserving technologies.

Privacy-preserving technologies don’t just promote privacy by design, they achieve privacy through innovation. They help us minimize the collection of identifying data. They reduce the risk of data being misused — without undermining the tremendous value that people get from information services.

As an example, at the start of COVID, we had an unprecedented partnership with Apple to develop Exposure Notifications, helping public health authorities supplement contact-tracing. Our North Star had to be designing a system with privacy protections baked in. So we worked with public health officials, privacy experts, regulators, used our most advanced technology to keep data safe, and established strict guidelines – all of which built public trust and adoption, saving thousands of lives.

Now we’ve got a complex business, and we haven’t always gotten everything right, but we’ve learned from those experiences, and we know what’s possible when private industry and regulators work together.

Of course it’s not enough for some organizations to operate responsibly — we need a law that establishes consistent rules and reins in bad actors.

So how do we do that? What’s the best path forward?

We're not focused on pie-in-the-sky proposals like creating an entirely new agency to regulate all the different uses of digital tools. We don’t want snappy soundbites; we want sound solutions.

The reality is that all companies are becoming digital companies, each with the potential to create new technologies and use information in new ways. We need consistent rules across the economy, and across the country.

Instead of chasing theoretical approaches, we want to support the practical, real-world privacy work already being done by Congress.

Current legislative privacy proposals like the ones put forward by Senators Cantwell and Wicker reflect important areas of agreement on the practical points that matter to people. And we hope they will work closely with Chairman Pallone and Ranking Member McMorris Rodgers to move legislation through the committees expeditiously.

We can build on the work that has already happened in this space, like proposals put forward by Senators Cortez Masto and Fischer and Representatives Stevens and Gonzalez to promote privacy-preserving technologies.

With the right leadership from the White House and leadership in Congress, we can get this done – this year.

So what are the sticking points? Issues like when and how consumers can file suit? The scope of FTC rulemaking? How federal and state laws will work together?

Those issues are debated in some form nearly every time Congress passes new business regulations, including the sectoral privacy laws Congress has already passed. So, none of this is new or unresolvable. With the right working group and some reasonable compromises, these points can be reconciled.

In fact, those conversations are already happening. Of course there has been no shortage of positions when it comes to privacy, ranging from ideas of notice and choice to proposals around new duties of care or loyalty.

One possible finesse would be a responsible data approach that works in practice, across a growing digital economy.

For example, we could start by giving consumers reasonable baseline assurances around transparency and control.

And we could build on that, by requiring responsible data practices — like privacy reviews and data minimization — that could be easy to implement and promote shared processes for protecting people’s data. Norms around good development processes could improve privacy practices for everyone.

But the time to act is now.

A U.S. privacy law would align us all on the privacy measures that people want and promote confidence in U.S. companies and our digital ecosystem.

It would increase trust in U.S. leadership, as we promote cross-border data flows and compatible, pro-privacy, pro-innovation rules around the world.

It would give everyone much-needed clarity and consistency so that organizations spend less time trying to navigate inconsistent rules and more time preventing harm and responsibly innovating – the kind of work that yields research breakthroughs and a stronger U.S. economy.

There’s no question that getting it done will take thoughtful compromises. Compromises by different groups in Congress. Compromises by advocates. And compromises by companies, including Google, who are used to doing business in certain ways. But that’s what we need to get this done.

Whatever final legislation comes out of the negotiations won’t be perfect, and it won’t address every concern. But we urge both businesses and advocates not to make the perfect the enemy of the good. Or of better, more consistent protections for all Americans.

In closing, I’ll say this: Google is an engineering company — and we look at problems from an engineering perspective. When we spot an issue with our services, we make fixing it a priority, and we often move engineers from other projects to help.

This is that all-hands-on-deck moment for privacy.

The vast majority of Americans want a federal privacy law. In fact, we’ve never seen such broad-based, bipartisan consensus about the need for that law.

It’s a moment for Congress to come together, on a bipartisan basis, and deliver for the American people.

Lawmakers and regulators face an important challenge, and an important opportunity. We pledge our support for that effort, and we hope that a broad cross-section of stakeholders will join together in support of their work.

Helping Ukraine

The Russian invasion of Ukraine is both a tragedy and a humanitarian disaster in the making. The international community’s response to this war continues to evolve and governments are imposing new sanctions and restrictions.

Our teams are working around the clock to support people in Ukraine through our products, defend against cybersecurity threats, surface high-quality, reliable information and ensure the safety and security of our colleagues and their families in the region.

Here are a few of the actions we’re taking.

Providing support from Google.org

Together, Google.org and Google employees are contributing $15 million in donations and in-kind support to aid relief efforts in Ukraine, including $5 million so far from our employee matching campaign and $5 million in direct grants. We’re also contributing $5 million in advertising credits to help trusted humanitarian and intergovernmental organizations connect people to important sources of aid and resettlement information.

According to the Polish Red Cross, since Thursday last week over 300,000 people have arrived in Poland. (photo credit: Red Cross)

Updating Search and Maps in Ukraine

We've launched an SOS alert on Search across Ukraine. When people search for refugee and evacuation information, they will see an alert pointing them to United Nations resources for refugees and asylum seekers. We’re working with expert organizations to source helpful humanitarian information as the situation unfolds.

And after consulting with multiple sources on the ground, including local authorities, we’ve temporarily disabled some live Google Maps features in Ukraine, including the traffic layer and information about how busy places are, to help protect the safety of local communities and their citizens. We’ve also added information on refugee and migrant centers in neighboring countries.

Expanding security protections

Our security teams are on call 24/7. Russia-backed hacking and influence operations are not new to us; we’ve been taking action against them for years. Over the past 12 months alone, we’ve issued hundreds of government-backed attack warnings to people in Ukraine using products like Gmail. We’ve been particularly vigilant during the invasion and our products will continue to automatically detect and block suspicious activity.

While we have not seen meaningful changes in the levels of malicious activity in this region overall, our Threat Analysis Group (TAG) has seen threat actors refocus their efforts on Ukrainian targets. For example, we’ve seen the attackers behind the GhostWriter threat group targeting Ukrainian government and military officials. We blocked these attempts and have not seen any compromise of Google accounts as a result of this campaign.

We also automatically increased Google account security protections (including more frequent authentication challenges) for people in the region and will continue to do so as cyber threats evolve. Our Advanced Protection Program — which delivers Google’s highest level of security — is currently protecting the accounts of hundreds of high-risk users in Ukraine. And “Project Shield,” a service providing free unlimited protection against Distributed Denial of Service attacks, is already protecting over 100 Ukrainian websites, including local news services.

Promoting information quality

In this extraordinary crisis we are taking extraordinary measures to stop the spread of misinformation and disrupt disinformation campaigns online.

Beginning today, we’re blocking YouTube channels connected to RT and Sputnik across Europe. This builds on our indefinite pause of monetization of Russian state-funded media across our platforms, meaning media outlets such as RT are not allowed to monetize their content or advertise on our platforms.

We have also significantly limited recommendations globally for a number of Russian state-funded media outlets across our platforms. And in the past few days, YouTube has removed hundreds of channels and thousands of videos for violating its Community Guidelines, including a number of channels engaging in coordinated deceptive practices.

Of course we are working to not just reduce the reach of unreliable information, but also to make reliable and trustworthy information readily available. Our systems are built to prioritize the most authoritative information in moments of crisis and rapidly-changing news. When people around the world search for topics related to the war in Ukraine on Search or YouTube, our systems prominently surface information, videos and other key context from authoritative news sources.

Helping our colleagues in Ukraine

We remain extremely concerned for the safety and wellbeing of our Ukrainian team and their families. Our local Security and People Operations teams have been working since January to provide help, including physical security support, paid leave, assistance options and reimbursement for housing, travel and food for anyone forced to leave their homes.

Operating our services in Russia

We are committed to complying with all sanctions requirements and we continue to monitor the latest guidance. As individuals, regions and institutions like banks are sanctioned, products like Google Pay may become unavailable in certain countries.

Most of our services (like Search, Maps and YouTube) currently remain available in Russia, continuing to provide access to global information and perspectives.

We will continue to monitor the situation and take additional actions as needed – and we join the international community in expressing sincere hope for a return to a peaceful and sovereign Ukraine.

Google at the Munich Security Conference

Since its inception in 1963, the Munich Security Conference has been a vital venue for policymakers, experts and transatlantic leaders tackling the most pressing security issues of the day. Today, against the backdrop of an ongoing pandemic, geopolitical tensions, and increasingly sophisticated cyber attacks, the stakes for these discussions feel particularly high — with many participants perceiving this as a time of heightened risk.

Google’s mission statement has always been to “organize the world’s information and make it universally accessible and useful.” We provide tools that make people more informed, more connected, more productive — and more secure. That’s why I’m traveling to Munich this week and joining conversations about promoting and protecting the public square.

Fighting misinformation online and safeguarding elections

In the last few years, we’ve seen a marked uptick in online disinformation campaigns, attempts to influence democratic elections, and cyber attacks on democracies' critical infrastructure.

Google and YouTube have specialized teams of intelligence and security experts who work around the clock and around the world to thwart these threats and protect the people using our products. When it comes to the content we host on YouTube, our “4R’s” approach includes not just Removing violative content and Reducing the spread of borderline content, but also Raising up authoritative content, and Rewarding trusted creators. And we continuously assess our approach and look at changes we can make to promote thoughtful engagement.

During election cycles, we equip campaigns with best-in-class security features and protect their operations from attack. We work to help voters find high-quality, authoritative election information directly in our products. We employ teams who monitor elections from India to Europe to the United States. We use advanced technology to detect coordinated disinformation networks. And we work with partners like Defending Digital Campaigns and organizations in Europe to give political campaigns access to free Titan Security Keys — the strongest form of two-factor authentication — as well as the International Foundation for Electoral Systems to develop global security programming, protecting those who work to safeguard human rights.

Advancing cybersecurity and moving towards collective standards

When it comes to cybersecurity, we have first-hand, real-world experience. Our systems stop attacks every single day, including attacks from sophisticated nation state actors. But it wasn’t always that way. In the past, when our defenses weren’t strong enough, we rebuilt our entire security infrastructure, sometimes inventing new technologies when state-of-the-art simply wouldn’t do. We know that “high walls” are not enough to stop bad actors, and we’ve learned to use “defense in depth” — creating access controls throughout our services and using multi-factor authentication as part of a zero-trust security approach, in which every node has to authenticate itself. As a result, today we keep more people safe online than any other company in the world.

We design our products to go beyond “security by design” to provide security by default. When that’s not enough, we invent new ways to keep our users more secure.

In Munich, I will be urging policymakers to work together on establishing collective security standards including those that move democratic governments toward secure cloud services and zero-trust architecture.

In the last fifty years, democratic governments helped advance some of the world’s most important innovations — including the Internet, microchips, computers, global positioning systems, and revolutionary vaccines against COVID. In the next fifty, I’m optimistic about the ability of science and advanced technology to help solve some of the world’s biggest challenges, like climate change, health care, and global development. To do that, we need to partner with governments and civil societies to rebuild trust and confidence in our institutions. Realizing the promise of tomorrow requires protecting the public square today.

It’s time for a new EU-US data transfer framework

If you rely on an open, global internet, you’ll want the European Union and the U.S. government to agree soon on a new data framework to keep the services you use up and running. People increasingly rely on data flows for everything from online shopping, travel, and shipping, to office collaboration, customer management, and security operations. The ability to share information underpins global economies and powers a range of services like high-value manufacturing, media, and information services. And over the next decade, these services will contribute hundreds of billions of euros to Europe’s economy alone.

But those data flows, that convenience, and those economic benefits are more and more at risk. Last week, Austria’s data protection authority ruled that a local web publisher’s implementation of Google Analytics did not provide an adequate level of protection, on the grounds that U.S. national security agencies have a theoretical ability to access user data. But Google has offered Analytics-related services to global businesses for more than 15 years and in all that time has never once received the type of demand the DPA speculated about. And we don't expect to receive one because such a demand would be unlikely to fall within the narrow scope of the relevant law.

The European Court of Justice’s July 2020 ruling did not impose an inflexible standard under which the mere possibility of exposure of data to another government required stopping the global movement of data. We are convinced that the extensive supplementary measures we offer to our customers ensure the practical and effective protection of data to any reasonable standard.

While this decision directly affects only one particular publisher and its specific circumstances, it may portend broader challenges. If a theoretical risk of data access were enough to block data flows, that would pose a risk for many publishers and small businesses who use the web, and highlight the lack of legal stability for international data flows facing the entire European and American business ecosystem.

“In 15 years of offering Analytics services, Google has never received the type of demand...speculated about” (Kent Walker)

Businesses in both Europe and the U.S. are looking to the European Commission and the U.S. Department of Commerce to quickly finalize a successor agreement to the Privacy Shield that will resolve these issues. Both companies and civil society have been supporting reforms based on an evidence-based approach. The stakes are too high — and international trade between Europe and the U.S. too important to the livelihoods of millions of people — to fail at finding a prompt solution to this imminent problem.

A durable framework — one that provides stability for companies offering valuable services in Europe — will help everyone, at a critical moment for our economies. A new framework will bolster the transatlantic relationship, ensure the stability of transatlantic commerce, help businesses of all sizes to participate in the global digital economy, and avoid potentially serious disruptions of supply chains and transatlantic trade. And it will assure continued protection of people’s right to privacy on both sides of the Atlantic.

We strongly support an accord, and have for many years supported reasonable rules governing government access to user data. We have long advocated for government transparency, lawful processes, and surveillance reform. We were the first major company to create a Transparency Report on government requests for user data, were founding members of the Global Network Initiative and the Reform Government Surveillance coalition, and support the OECD’s workstream on government access to data. At this juncture, we urge both governments to take a flexible and aligned approach to resolving this important issue.

As the governments finalize an agreement, we remain committed to upholding the highest standards of data protection in all our products, and are focused on meeting the needs of our customers as we wait for a revised agreement. But we urge quick action to restore a practical framework that both protects privacy and promotes prosperity.

The harmful consequences of Congress’s anti-tech bills

Every day, millions of Americans use online services like Google Search, Maps and Gmail to find new information and get things done. Research shows these free services provide thousands of dollars a year in value to the average American, and polls show that 90% of Americans like our products and services.

However, legislation being debated in the House and Senate could break these and other popular online services, making them less helpful and less secure, and damaging American competitiveness. We’re deeply concerned about these unintended consequences.

Antitrust law is about ensuring that companies are competing hard to build their best products for consumers. But the vague and sweeping provisions of these bills would break popular products that help consumers and small businesses, only to benefit a handful of companies who brought their pleas to Washington.

Some specifics:

Harming U.S. technological leadership

These bills would impose one set of rules on American companies while giving a pass to foreign companies. And they would give the Federal Trade Commission and other government agencies unprecedented power over the design of consumer products. All of this would be a dramatic reversal of the approach that has made the U.S. a global technology leader, and risks ceding America’s technology leadership and threatening our national security, as bipartisan national security experts have warned:

  • Americans might get worse, less relevant, and less helpful versions of products like Google Search and Maps (see below for some examples).
  • An “innovation by permission” requirement could force American technology companies to get approval from government bureaucrats before launching new features or even fixing problems, while foreign companies would be free to innovate. Foreign companies could also routinely access American technology as well as Americans' data.
  • Handicapping America’s technology leaders would threaten our leading sources of research and development spending — just as bipartisan voices in Congress are recognizing the need to increase American R&D investment to stay competitive in the global race for AI, quantum, and other advanced technologies.
  • That’s why national security experts from both parties have aligned in warning that current anti-tech bills could threaten America’s national security.

Degrading security and privacy

Google is able to protect billions of people around the world from cyberattacks because we bake security and privacy protections into our services. Every day, Gmail automatically blocks more than 100 million phishing attempts and Google Play Protect runs security scans on 100 billion installed apps around the world.

These bills could prevent us from securing our products by default, and would introduce new privacy risks for you. For instance:

  • The bills could hamper our ability to integrate automated security features if other companies offer similar features. For example, we might be prevented from automatically including our SafeBrowsing service and spam filters in Chrome and Gmail to block pop-ups, viruses, scams and malware.
  • Breaking apart the connections between Google tools could limit our ability to detect and protect you against security risks that use security signals across our products.
  • These bills may compel us to share the sensitive data you store with us with unknown companies in ways that could compromise your privacy.
  • And when you use Google Search or Google Play, we might have to give equal prominence to a raft of spammy and low-quality services.

Breaking features that help consumers and small businesses

When you come to Google Search, you want to get the most helpful results. But these bills could prohibit us from giving you integrated, high-quality results — even when you prefer them — just because some other company might offer competing answers. In short, we’d have to prefer results that help competitors even if they don’t help you.

  • If you search for a place or an address, we may not be able to show you directions from Google Maps in your results. As just one example, if you search for “vaccine near me,” we might not be able to show you a map of vaccine locations in your community.
  • When you have an urgent question — like “stroke symptoms” — Google Search could be barred from giving you immediate and clear information, and instead be required to direct you to a mix of low quality results.
  • When you search for local businesses, Google Search and Maps may be prohibited from highlighting information we gather about hours of operation, contact information, and reviews. That could hurt small businesses and local retailers, as well as their customers.
  • The bills would also harm small businesses if tools like Gmail, Calendar and Docs were not allowed to be integrated or work together seamlessly.

A boost for competitors, not consumers

While these bills might help the companies campaigning for them, including some of our major competitors, that would come at a cost to consumers and small businesses. Moreover, the bills wouldn’t curb practices by our competitors that actually harm consumers and customers (they seem to be intentionally gerrymandered to exclude many other major companies). For example, they don’t address the problem of companies forcing governments and small businesses to pay higher prices for enterprise software. And of course, the online services targeted by these bills have reduced prices; these bills say nothing about sectors where prices have actually been rising and contributing to inflation.

The wrong focus

There are important discussions taking place about the rules of the road for the modern economy. We believe that updating technology regulations in areas like privacy, AI, and protections for kids and families could provide real benefits. But breaking our products wouldn’t address any of these issues. Instead, it would eliminate helpful features, expose people to new privacy and security risks, and weaken America’s technological leadership. There’s a better way. Congress shouldn’t rush to judgment, and should instead take more time to consider the unintended consequences of these bills.

Making Open Source software safer and more secure

We welcomed the opportunity to participate in the White House Open Source Software Security Summit today, building on our work with the Administration to strengthen America’s collective cybersecurity through critical areas like open source software.

Industries and governments have been making strides to tackle the frequent security issues that plague legacy, proprietary software. The recent log4j open source software vulnerability shows that we need the same attention and commitment to safeguarding open source tools, which are just as critical.

Open source software code is available to the public, free for anyone to use, modify, or inspect. Because it is freely available, open source facilitates collaborative innovation and the development of new technologies to help solve shared problems. That’s why many aspects of critical infrastructure and national security systems incorporate it. But there’s no official resource allocation and few formal requirements or standards for maintaining the security of that critical code. In fact, most of the work to maintain and enhance the security of open source, including fixing known vulnerabilities, is done on an ad hoc, volunteer basis.

For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that “many eyes” were watching to detect and resolve problems. But in fact, while some projects do have many eyes on them, others have few or none at all.

At Google, we’ve been working to raise awareness of the state of open source security. We’ve invested millions in developing frameworks and new protective tools. We’ve also contributed financial resources to groups and individuals working on securing foundational open source projects like Linux. Just last year, as part of our $10 billion commitment to advancing cybersecurity, we pledged to expand the application of our Supply chain Levels for Software Artifacts (SLSA or “Salsa”) framework to protect key open source components. That includes $100 million to support independent organizations, like the Open Source Security Foundation (OpenSSF), that manage open source security priorities and help fix vulnerabilities.

But we know more work is needed across the ecosystem to create new models for maintaining and securing open source software. During today’s meeting, we shared a series of proposals for how to do this:

Identifying critical projects

We need a public-private partnership to identify a list of critical open source projects — with criticality determined based on the influence and importance of a project — to help prioritize and allocate resources for the most essential security assessments and improvements.

Longer term, we need new ways of identifying software that might pose a systemic risk — based on how it will be integrated into critical projects — so that we can anticipate the level of security required and provide appropriate resourcing.

Establishing security, maintenance & testing baselines

Growing reliance on open source means that it’s time for industry and government to come together to establish baseline standards for security, maintenance, provenance, and testing — to ensure national infrastructure and other important systems can rely on open source projects. These standards should be developed through a collaborative process, with an emphasis on frequent updates, continuous testing, and verified integrity.

Fortunately, the software community is off to a running start. Organizations like the OpenSSF are already working across industry to create these standards (including supporting efforts like our SLSA framework).

Increasing public and private support

Many leading companies and organizations don’t recognize how many parts of their critical infrastructure depend on open source. That’s why it’s essential that we see more public and private investment in keeping that ecosystem healthy and secure. In the discussion today, we proposed setting up an organization to serve as a marketplace for open source maintenance, matching volunteers from companies with the critical projects that most need support. Google stands ready to contribute resources to this effort.

Given the importance of digital infrastructure in our lives, it’s time to start thinking of it in the same way we do our physical infrastructure. Open source software is a connective tissue for much of the online world — it deserves the same focus and funding we give to our roads and bridges. Today’s meeting at the White House was both a recognition of the challenge and an important first step towards addressing it. We applaud the efforts of the National Security Council, the Office of the National Cyber Director, and DHS CISA in leading a concerted response to cybersecurity challenges and we look forward to continuing to do our part to support that work.