Kent Walker (Google President, Global Affairs) reflects on a year of dramatic changes in geopolitics and technology at MSC.
Google announces new commitments and support for Ukraine
Location information lets us offer you a more helpful experience when you use our products. From Google Maps’ driving directions that show you how to avoid traffic, to Google Search surfacing local restaurants and letting you know how busy they are, location information helps connect experiences across Google to what’s most relevant and useful.
Over the past few years, we’ve introduced more transparency and tools to help you manage your data and minimize the data we collect. That’s why we:
These are just some ways that we have worked to provide more choice and transparency. Consistent with those improvements, we settled an investigation with 40 U.S. state attorneys general based on outdated product policies that we changed years ago. As well as a financial settlement, we will be making updates in the coming months to provide even greater controls and transparency over location data. The updates include:
Today’s settlement is another step along the path of giving more meaningful choices and minimizing data collection while providing more helpful services.
Open source software — code that is made freely available to the public to use or modify — is the foundation of the modern internet. It’s given us a world that is more innovative and more accessible. Yet the very openness that makes the digital world accessible to everyone, also leaves it uniquely vulnerable to security threats and cyber attacks.
At Google, we’ve been working to solve this paradox for years — and have arrived at the conclusion that modern digital security actually can come through embracing openness. We protect more people online than anyone, and we recently announced a $10 billion investment in making the internet safer and more secure. But with the dramatic rise of state-sponsored cyber attacks and malicious actors online, it’s clear that we not only need stronger public-private partnerships — but dynamic policy frameworks to shore up security for everyone.
That’s why we welcome efforts by the U.S. Government to advance open source software security, such as the Securing Open Source Software Act introduced in the Senate last month. This bipartisan bill proposes the creation of a framework to guide the federal government in their use of open source software. The proposed legislation reflects a helpful focus on security and cyber risk mitigation to respond to a recent spike in malicious cyber activity against the software supply chain.
We are glad to see a continued emphasis on the importance of open source software security from the U.S. Government, and we hope that both public and private organizations will follow their lead to promote improved cybersecurity for the ecosystem at large.
The world of open source software development allows collaboration and rapid innovation by sharing solutions freely. This community, built on openness and sharing, contributes an enormous amount of code to a majority of the applications we use today.
However, despite the benefits of this openness, the unprecedented scale of recent attacks has emphasized gaps in infrastructure and tooling and the need for improved transparency into the security practices and attributes of open source projects. Seemingly simple questions about the open source supply chain are still difficult to answer:
Answering these questions requires specialized technical skills and capabilities, and given the primarily volunteer-driven nature of the open source community, we cannot expect open source developers to shoulder the full burden of advancing software security on their own.
Through our work with multiple industry collaborators, Google has helped create free tools, services and best practices to make it easier for the open source community to develop and distribute software securely, while providing consumers with information about the security of the software they use.
We envision a more secure future where the burden of security is shared, and there is increased trust in and resilience of the open source software ecosystem. To get there, we need freely available, automated solutions that make developer’s lives easier, such as:
We’re currently working to make these solutions a reality, at scale, with little to no additional work for developers.
We hope that the framework that will emerge due to U.S. Government efforts drives further investments in open source communities by both the public and private sectors. We’re already seeing the impact of the $100M Google pledged to non-profit organizations and software foundations like the Open Source Security Foundation to support open source creators.
This pledge backs efforts like our “open source maintenance crew,” a team of developers who spend 100 percent of their time directly enabling critical open source projects to adopt key security improvements. It also supports our Linux Kernel team, which continues to drive efforts to eliminate entire classes of bugs from open source code, including paving the way for greater memory safety using the Rust language.
We encourage other major consumers of open source to follow this lead and directly invest both funds and developer time in securing open source projects and ecosystems. Furthermore, we call on other major consumers of open source, both public and private, to implement similar policies around safe open source usage as well.
Securing open source software is a shared responsibility, and we look forward to continued collaboration on this urgent, critical problem.
The following is adapted from remarks delivered by Kent Walker, President of Global Affairs, at the “Google Cybersecurity Summit: Protecting Europe's Digital Space” in Madridon October 26, 2022.
Today’s cybersecurity discussion couldn’t be more timely.
Against a backdrop of rising geo-political tensions, we are seeing more and more efforts to undercut our shared security.
Cyber and information wars have become tools of the trade in attempts to exploit our vulnerabilities and destabilize our economies and our democracies.
It is no wonder that when the European Commission unveiled its plan for Europe’s digital transformation by 2030, it called security a fundamental right central to its vision.
So where do we begin the task of securing the digital world?
On the one hand, some would embrace data localization requirements, limits on market access, and even restrictions to accessing some cross-border services.
Essentially walled gardens and high fortresses. But we would suggest a different tack.
Though it sounds like a paradox, the best modern digital security actually comes through embracing openness.
Though it sounds like a paradox, the best modern digital security actually comes through embracing openness.
That’s because in today’s mobile, hybrid environment, cybersecurity is a team sport. We are each only as strong as our weakest link. But when we work together, we spur innovation and advance best practices that benefit all.
I speak from some experience here, as Google’s services are attacked every day. And yet we keep more people safe than anyone else in the world. We do that by looking at security through a collective lens, leveraging open frameworks, and relying heavily on secure open-source software.
We hope to use what we have learned to help secure Europe’s “digital decade.”
To that end, we recently published a white paper with recommendations like investing in technology that’s secure by default; working with private and international partners on new areas of cooperation, and building security based on openness and interoperability.
These recommendations are based on first-hand experience. In 2009, Google was the victim of a major cybersecurity attack, code named Operation Aurora. We learned that transparency, coupled with security by design, was the best way to secure the digital ecosystem.
As we detail in our recently released docuseries, HACKING GOOGLE, Aurora changed everything. It spurred us to shift away from the old “perimeter defense” model of crunchy on the outside, chewy in the middle (with high outside walls but no interior defenses) to a zero-trust model in which all users, all devices, and all applications are continuously checked for security risks, and yet security comes easily and naturally for users.
After Aurora, we launched our Threat Analysis Group, or TAG, to spot, disclose, and attribute threats, whether they were coming from nation-state actors or commercial spyware and surveillance vendors. We also launched our Project Zero team to find and promptly disclose previously unknown zero-day vulnerabilities in our own and other companies’ software, raising the security bar for everyone.
It hasn’t always been comfortable work–but that kind of transparency is key to security. As the computer engineering saying goes, “with enough eyes, all bugs are shallow.”
Today, by adopting advanced security innovation and threat intelligence, we ensure vulnerabilities are fixed fast, before they can be widely exploited.
You can see our approach in action whenever TAG discloses a new threat. For example, in 2017, our Android operating system was the first mobile platform to warn users about NSO Group’s Pegasus spyware–“zero-click” malware designed to allow an attacker to compromise a smartphone without a user taking any action.
By sharing information early and widely, we raised awareness of this threat, helped victims understand if they were compromised, and promoted a greater focus on mitigations. Since then, TAG has continued to report on Pegasus and other commercial spyware tools, shining a light on this murky industry.
So when the war came in Ukraine, open security principles kept us one step ahead. Since the war began, we’ve sent thousands of warnings to users targeted by nation-state actors–another practice we pioneered after Aurora. We’ve succeeded in blocking the vast majority of the attacks. And we launched Project Shield, bringing not just journalists, but human rights organizations and even government websites in Ukraine under Google’s security umbrella against distributed denial of service attacks.
Because while it can be easy to DDOS small sites, it turns out that it’s pretty tough to DDOS Google.
We are all in on this collaborative approach to security. Currently, we are working with our team at VirusTotal to launch a new Google Safety Engineering Center in Málaga, Spain, which we hope will become a European hub for joint research on advanced threats.
In 2023, our newest Google Safety Engineering Center will be launching in Málaga.
Since we acquired VirusTotal in 2012, they have grown from a scrappy startup to become the world’s leading malware scanner and repository, what many call “the Google of cybersecurity tools.” VirusTotal enables people to search for malware against the millions of new samples submitted daily.
On top of that, when Google combined our existing security solutions with Mandiant’s cyber threat intelligence, we laid the groundwork to help public and private sector organizations in Europe anticipate, warn about, and mitigate threats.
What are the larger lessons for all of us as we work toward open security?
First, partnerships and agreements among democratic and rule-of-law societies are key. We need to set aside siloed approaches and embrace an ecosystem of innovation where security experts can share threats, evolve best practices, and adopt new technologies.
In support of that ecosystem, I’m pleased to announce that in 2023, we will be hosting a new Google for Startups Growth Academy for EU Cybersecurity, a growth program to help cybersecurity startups across Europe grow into success stories.
Second, interoperability and aligned security standards between technologies and among countries makes compliance easier for businesses, innovators, and manufacturers of all sizes–which makes for more secure hardware and better software.
The third and final thing to keep in mind is that when we shift away from buggy legacy technology and perimeter defense models and toward modern infrastructure, we can accommodate today’s increasingly global, hybrid workforces, without sacrificing security.
Collective security requires not just walls, but bridges.
By adopting an approach built on open principles like security-by-default, zero-trust architecture, transparency, and principled partnerships, we can advance the frontiers of information security, letting all of us sleep better at night.
The World Trade Organization recently predicted global trade growth will slow sharply next year, and the World Bank believes that declining growth rates will undermine efforts to reduce poverty. Meanwhile, inflation, high energy prices and fiscal pressures are in focus for policymakers everywhere.
Against this gloomy backdrop, one area that remains a source of optimism is the potential for digital transformation to jumpstart economic growth and create new opportunities — particularly for micro-, small- and medium-sized enterprises (MSMEs) who often are most vulnerable to economic downturns. As more people and businesses come online, particularly in emerging markets, the internet continues to create new opportunities for businesses to export and grow.
A report that we’re launching today gives us a sense of the scale of the opportunity, estimating that the right investments in digital transformation can boost the exports of six Latin American countries up to $140 billion annually, by 2030 – a four-fold increase over current levels.
Today’s report builds on our 2020 Digital Sprinters framework, which offered a blueprint for how emerging economies can accelerate their digital transformation with investments in four key areas:
To assess the potential for Latin America, we commissioned new research to better understand digital exports and their potential to impact six economies in the region. The results are noteworthy. Overall, researchers projected digital exports to contribute more than 2% of GDP for Argentina, Brazil, Chile, Colombia, Mexico and Uruguay by 2030, or approximately $140 billion per year – an increase from the current $34 billion, or 0.8% of GDP.
The research identifies three ways in which the digitization is changing trade in Latin America:
Leveraging digitization for exports is already taking place today. For example, Doris Canseco opened a traditional flower shop in Mexico, but the limited local market led her to move online. Using Google Ads to get the word out about her business, Flores de Oaxaca's customers in Europe, the United States and Canada, among other places. The business doubled in size and today online sales account for between 60 and 85 percent of its total revenue.
Similarly, Germán Garmendia was born in the small town of Copiapó, in the Atacama desert in Chile. A shy and quiet child, his mother signed him up for drama classes. A few years later, Germán started posting videos online. Today, he is one of the world’s most popular YouTubers, with more than 43 million subscribers on HolaSoyGerman and 46 million on JuegaGerman, and has used the platform to break into other fields.
Doris’ and Germán’s stories reflect a broader trend in Latin America and beyond, where digital tools are democratizing access to the global economy and creating new opportunities that didn’t exist a generation ago. The new report suggests that governments, together with the private sector and civil society, should adopt policies and invest to reinforce this trend.
The report looked at how policymakers can unlock export opportunities in a way that is inclusive and sustainable. Based on prior experience across Latin America, they identified 11 recommendations across five areas, which are aligned with the Digital Sprinters framework: — (1) lead from the top, (2) build physical capital, (3) develop human capital, (4) enhance competitiveness, and (5) enable technology usage. While progress and priorities vary among countries, the most common recommendations involve boosting digital infrastructure, digital skilling, digital security and policies that promote trade.
The report estimates that Google's digital products enabled 13% of the export growth across these economies in 2021. We are proud of this contribution and look forward to supporting future growth. We’re also committed to supporting entrepreneurship and skills development across the region.
When we opened our Google for Startups campus in Brazil in 2016, there were no “unicorns” — startups valued at $1 billion or more – in the region. Today, there are 35, including 13 that have been part of our Google for Startups programs. Many of these startups develop digital exports, provide their services across borders, and help traditional small businesses to grow. With investment, resources and training from Google, we have supported more than 450 startups in the region. These startups have gone on to raise more than $9 billion in investments while creating 25,000 jobs.
We’re also supporting digital skills—like cross-border marketing online — which are key to unlocking opportunities for entrepreneurs. Through our Grow with Google program and Google.org grantees, we’ve trained nearly eight million people across Latin America in digital skills since 2017. To build on this momentum, we’ve recently announced that we’ll provide Google Career Certificate scholarships to train one million more people in Latin America — opening paths to well-paying jobs in high-growth fields.
At a time of global macroeconomic uncertainty, it is more important than ever to double down on digitally-led trade growth . We hope this research we are releasing today sheds further light on the opportunities and policies needed to achieve them —and helps communities and policymakers in Latin America as they seek to harness digital transformation to become Digital Sprinters.