Tag Archives: Safety & Security

Expanding testing for the Privacy Sandbox for the Web

Improving people's privacy, while giving businesses the tools they need to succeed online, is vital to the future of the open web. That's why we started the Privacy Sandbox initiative to collaborate with the ecosystem on developing privacy-preserving alternatives to third-party cookies and other forms of cross-site tracking. Over the past several months, we've released trial versions of a number of new Privacy Sandbox APIs in Chrome for developers to test.

Throughout this process, we’ve worked closely to refine our design proposals based on input from developers, publishers, marketers, and regulators via forums like the W3C, and earlier this year, we reached an agreement with the UK’s Competition and Markets Authority (CMA) on how we develop and release the Privacy Sandbox in Chrome worldwide.

The most consistent feedback we’ve received is the need for more time to evaluate and test the new Privacy Sandbox technologies before deprecating third-party cookies in Chrome. This feedback aligns with our commitment to the CMA to ensure that the Privacy Sandbox provides effective, privacy-preserving technologies and the industry has sufficient time to adopt these new solutions. This deliberate approach to transitioning from third-party cookies ensures that the web can continue to thrive, without relying on cross-site tracking identifiers or covert techniques like fingerprinting.

For these reasons, we are expanding the testing windows for the Privacy Sandbox APIs before we disable third-party cookies in Chrome.

Developers can already test these APIs today, and beginning in early August, the Privacy Sandbox trials will expand to millions of users globally, and we’ll gradually increase the trial population throughout the rest of the year and into 2023. Before users are added into the trials, they will be shown a prompt giving them the option to manage their participation. As the web community tests these APIs, we’ll continue to listen and respond to feedback.

By Q3 2023, we expect the Privacy Sandbox APIs to be launched and generally available in Chrome. As developers adopt these APIs, we now intend to begin phasing out third-party cookies in Chrome in the second half of 2024.

Updated Privacy Sandbox for Web timeline

The updated timeline will soon be available on privacysandbox.com.

We're grateful to be working with companies across the industry who are invested in developing privacy-first experiences on the web, and will be testing Privacy Sandbox in the coming months.

The Privacy Sandbox initiative is an ambitious undertaking for the entire industry, and we look forward to continuing to engage with the web community as testing expands.

Source: Google Chrome


Google’s efforts to identify and counter spyware

The following testimony was delivered to the U.S. House Intelligence Committee by Shane Huntley, Senior Director of Google’s Threat Analysis Group (TAG), on July 27, 2022.

Chairman Schiff, Ranking Member Turner, and esteemed Members of the Committee:

Thank you for the opportunity to appear before the Committee to discuss Google’s efforts to protect users from commercial spyware. We appreciate the Committee’s efforts to raise awareness about the commercial spyware industry that is thriving and growing, creating risks to Americans and Internet users across the globe.

Our expert teams

Google has been tracking the activities of commercial spyware vendors for years, and we have been taking critical steps to protect our users. We take the security of our users very seriously, and we have dedicated teams in place to protect against attacks from a wide range of sources. Our Threat Analysis Group, or TAG, is dedicated to protecting users from threats posed by state-sponsored malware attacks and other advanced persistent threats. TAG actively monitors threat actors and the evolution of their tactics and techniques. For example, TAG has been closely tracking and disrupting campaigns targeting individuals and organizations in Ukraine, and frequently publishes reports on Russian threat actors.

We use our research to continuously improve the safety and security of our products and share this intelligence with our industry peers. We also publicly release information about the operations we disrupt, which is available to our government partners and the general public. TAG tracks and proactively counters serious state-sponsored and financially motivated information cyber criminal activities, such as hacking and the use of spyware. And we don’t just plug security holes – we work to eliminate entire classes of threats for consumers and businesses whose work depends on the Internet. We are joined in this effort by many other security teams at Google, including Project Zero, our team of security researchers at Google who study zero-day vulnerabilities in the hardware and software systems that are depended upon by users around the world.

Our ongoing work

Google has a long track record combating commercial surveillance tools targeting our users. In 2017, Android – which is owned by Google – was the first mobile platform to warn users about NSO Group’s Pegasus spyware. At the time, our Android team released research about a newly discovered family of spyware related to Pegasus that was used in a targeted attack on a small number of Android devices. We observed fewer than three dozen installs of this spyware. We remediated the compromises for these users and implemented controls to protect all Android users.

NSO Group continues to pose risks across the Internet ecosystem. In 2019, we confronted the risks posed by NSO Group again, relying upon NSO Group’s marketing information suggesting that they had a 0-day exploit for Android. Google was able to identify the vulnerability in use and fix the exploit quickly. In December 2021, we released research about novel techniques used by NSO Group to compromise iMessage users. iPhone users could be compromised by receiving a malicious iMessage text, without ever needing to click a malicious link. Short of not using a device, there is no way to prevent exploitation by a zero-click exploit; it's a weapon against which there is no defense. Based on our research and findings, we assessed this to be one of the most technically sophisticated exploits we had ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states.

Although this Committee must be concerned with the exploits of NSO Group, it is not the only entity posing risks to our users. For example, TAG discovered campaigns targeting Armenian users which utilized zero-day vulnerabilities in Chrome and Internet Explorer. We assessed that a surveillance vendor packaged and sold these technologies. Reporting by CitizenLab linked this activity to Candiru, an Israeli spyware vendor. Other reporting from Microsoft has linked this spyware to the compromise of dozens of victims, including political dissidents, human rights activists, journalists, and academics.

Most recently, we reported in May on five zero-day vulnerabilities affecting Chrome and Android which were used to compromise Android users. We assess with high confidence that commercial surveillance company Cytrox packaged these vulnerabilities, and sold the hacking software to at least eight governments. Among other targets, this spyware was used to compromise journalists and opposition politicians. Our reporting is consistent with earlier analysis produced by CitizenLab and Meta.

TAG also recently released information on a segment of attackers we call “hack-for-hire” that focuses on compromising accounts and exfiltrating data as a service. In contrast to commercial surveillance vendors, who we generally observe selling a capability for the end user to operate, hack-for-hire firms conduct attacks themselves. They target a wide range of users and opportunistically take advantage of known security flaws when undertaking their campaigns. In June, we provided examples of the hack-for-hire ecosystem from India, Russia, and the United Arab Emirates.

The growth of commercial spyware vendors and hack-for-hire groups has necessitated growth in TAG to counter these threats. Where once we only needed substreams to focus on threat actors such as China, Russia, and North Korea, TAG now has a dedicated analysis subteam dedicated to commercial vendors and operators.

Risks posed by commercial spyware are increasing

Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments. These vendors operate with deep technical expertise to develop and operationalize exploits. We believe its use is growing, fueled by demand from governments.

Seven of the nine zero-day vulnerabilities our Threat Analysis Group discovered in 2021 were originally developed by commercial providers and sold to and used by state-sponsored actors. TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to state-sponsored actors.

This industry appears to be thriving. In fact, there was recently a large industry conference in Europe, sponsored by many of the commercial spyware vendors we track. This trend should be concerning to the United States and all citizens. These vendors are enabling the proliferation of dangerous hacking tools, arming nation state actors that would not otherwise be able to develop these capabilities in-house. While use of surveillance technologies may be legal under national or international laws, they are found to be used by some state actors for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers, and opposition party politicians.

We have also observed proliferation risk from nation state actors attempting to gain access to the exploits of these vendors. Last year, TAG identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations. The actors behind this campaign, which we attributed to a government-backed entity based in North Korea, have employed a number of means to target researchers.

In addition to these concerns, there are other reasons why this industry presents a risk more broadly across the Internet. While vulnerability research is an important contributor to online safety when that research is used to improve the security of products, vendors stockpiling zero-day vulnerabilities in secret can pose a severe risk to the Internet when the vendor itself gets compromised. This has happened to multiple spyware vendors over the past ten years, raising the specter that their stockpiles can be released publicly without warning.

The proliferation of commercial hacking tools is a threat to national security, making the Internet less safe and undermining the trust on which a vibrant, inclusive digital society depends. This is why when Google discovers these activities, we not only take steps to protect users, but also disclose that information publicly to raise awareness and help the entire ecosystem, in line with our historical commitment to openness and democratic values.

Google’s work to protect users

Across all Google products, we incorporate industry-leading security features and protections to keep our users safe. On Search, Google’s Safe Browsing is an industry-leading service to identify unsafe websites across the web and notify users and website owners of potential harm. Google Safe Browsing helps protect over four billion devices every day by showing warnings to users when they attempt to navigate to unsafe sites or download harmful files. Safe Browsing also notifies webmasters when their websites are compromised by malicious actors and helps them diagnose and resolve the problem so that their visitors stay safer.

On Gmail, we recommend certain Gmail security precautions to prevent spoofing, phishing, and spam. Spoofers may send forged messages using an organization’s real name or domain to subvert authentication measures. We use email authentication to protect against email spoofing, which is when email content is changed to make the message appear from someone or somewhere other than the actual source. And we offer other advanced phishing and malware protection to administrators to better protect their users. By default, Gmail displays warnings and moves untrustworthy emails to the user’s spam folder. However, administrators can also use advanced security settings to enhance their users’ protection against suspicious attachments and scripts from untrusted senders.

For Android, through its entire development lifecycle, we subject the products to a rigorous security program. The Android security process begins early in the development lifecycle, and each major feature of the platform is reviewed by engineering and security resources. We ensure appropriate controls are built into the architecture of the system. During the development stage, Android-created and open source components are subject to vigorous security reviews. For users, Android provides safety and control over how apps and third parties can access the data from their devices. For example, users are provided visibility into the permissions requested by each app, and they are able to control those permissions.

We have also built additional tools to prevent successful attacks on devices that run Android once those devices are in users’ hands. For example, Google Play Protect, our built-in malware protection for Android, continuously scans devices for potentially harmful applications.

Although our security precautions are robust, security issues can still occur, which is why we created a comprehensive security response process to respond to incidents. Google manages a vulnerability rewards program (VRP), rewarding researchers millions of dollars for their contributions in securing our devices and platforms. We also provide research grants to security researchers to help fund and support the research community. This is all part of a larger strategy to keep Google products and users, as well as the Internet at large more secure. Project Zero is also a critical component of this strategy, pushing transparency and more timely patching of vulnerabilities.

Finally, we also offer the leading tools to protect important civil society actors such as journalists, human rights workers, opposition party politicians, and campaign organizations – in other words, the users who are frequently targeted by surveillance tools. Google developed Project Shield, a free protection against distributed denial of service (DDoS) attacks, to protect news media and human rights organization websites. We recently expanded eligibility to protect Ukraine government organizations, and we are currently protecting over 200 Ukraine websites today. To protect high risk user accounts, we offer the Advanced Protection Program (APP), which is our highest form of account security. APP has a strong track record protecting users – since the program’s inception, there are no documented cases of an account compromise via phishing.

Whole of Society response necessary to tackle spyware

We believe it is time for government, industry and civil society to come together to change the incentive structure which has allowed these technologies to spread in secret. The first step is to understand the scope of the problem. We appreciate the Committee’s focus on this issue, and recommend the U.S. Intelligence Community prioritize identifying and analyzing threats from foreign commercial spyware providers as being on par with other major advanced threat actors. The U.S. should also consider ways to foster greater transparency in the marketplace, including setting heightened transparency requirements for the domestic surveillance industry. The U.S. could also set an example to other governments by reviewing and disclosing its own historical use of these tools.

We welcome recent steps taken by the government in applying sanctions to the NSO Group and Candiru, and we believe other governments should consider expanding these restrictions. Additionally, the U.S. government should consider a full ban on Federal procurement of commercial spyware technologies and contemplate imposing further sanctions to limit spyware vendors’ ability to operate in the U.S. and receive U.S. investment. The harms from this industry are amply evident by this point, and we believe they outweigh any benefit to continued use.

Finally, we urge the United States to lead a diplomatic effort to work with the governments of the countries who harbor problematic vendors, as well as those who employ these tools, to build support for measures that limit harms caused by this industry. Any one government’s ability to meaningfully impact this market is limited; only through a concerted international effort can this serious risk to online safety be mitigated.

Google is investing heavily as a company and as an industry to counter serious threats to our users. In the modern world, we must be able to trust the devices we use every day and ensure that foreign adversaries do not have access to sophisticated exploits. While we continue to fight these threats on a technical level, the providers of these capabilities operate openly in democratic countries. Google is committed to leading the industry in detecting and disrupting these threats.

I thank the Committee for this attention on this critical issue.

Google’s efforts to identify and counter spyware

The following testimony was delivered to the U.S. House Intelligence Committeeby Shane Huntley, Senior Director of Google’s Threat Analysis Group (TAG) on July 27, 2022.

Chairman Schiff, Ranking Member Turner, and esteemed Members of the Committee:

Thank you for the opportunity to appear before the Committee to discuss Google’s efforts to protect users from commercial spyware. We appreciate the Committee’s efforts to raise awareness about the commercial spyware industry that is thriving and growing, creating risks to Americans and Internet users across the globe.

Our expert teams

Google has been tracking the activities of commercial spyware vendors for years, and we have been taking critical steps to protect our users. We take the security of our users very seriously, and we have dedicated teams in place to protect against attacks from a wide range of sources. Our Threat Analysis Group, or TAG, is dedicated to protecting users from threats posed by state-sponsored malware attacks and other advanced persistent threats. TAG actively monitors threat actors and the evolution of their tactics and techniques. For example, TAG has been closely tracking and disrupting campaigns targeting individuals and organizations in Ukraine, and frequently publishes reports on Russian threat actors.

We use our research to continuously improve the safety and security of our products and share this intelligence with our industry peers. We also publicly release information about the operations we disrupt, which is available to our government partners and the general public. TAG tracks and proactively counters serious state-sponsored and financially motivated information cyber criminal activities, such as hacking and the use of spyware. And we don’t just plug security holes – we work to eliminate entire classes of threats for consumers and businesses whose work depends on the Internet. We are joined in this effort by many other security teams at Google, including Project Zero, our team of security researchers at Google who study zero-day vulnerabilities in the hardware and software systems that are depended upon by users around the world.

Our ongoing work

Google has a long track record combating commercial surveillance tools targeting our users. In 2017, Android – which is owned by Google – was the first mobile platform to warn users about NSO Group’s Pegasus spyware. At the time, our Android team released research about a newly discovered family of spyware related to Pegasus that was used in a targeted attack on a small number of Android devices. We observed fewer than three dozen installs of this spyware. We remediated the compromises for these users and implemented controls to protect all Android users.

NSO Group continues to pose risks across the Internet ecosystem. In 2019, we confronted the risks posed by NSO Group again, relying upon NSO Groups’s marketing information suggesting that they had a 0-day exploit for Android. Google was able to identify the vulnerability in use and fix the exploit quickly. In December 2021, we released research about novel techniques used by NSO Group to compromise iMessage users. iPhone users could be compromised by receiving a malicious iMessage text, without ever needing to click a malicious link. Short of not using a device, there is no way to prevent exploitation by a zero-click exploit; it's a weapon against which there is no defense. Based on our research and findings, we assessed this to be one of the most technically sophisticated exploits we had ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states.

Although this Committee must be concerned with the exploits of NSO Group, it is not the only entity posing risks to our users. For example, TAG discovered campaigns targeting Armenian users which utilized zero-day vulnerabilities in Chrome and Internet Explorer. We assessed that a surveillance vendor packaged and sold these technologies. Reporting by CitizenLab linked this activity to Candiru, an Israeli spyware vendor. Other reporting from Microsoft has linked this spyware to the compromise of dozens of victims, including political dissidents, human rights activists, journalists, and academics.

Most recently, we reported in May on five zero-day vulnerabilities affecting Chrome and Android which were used to compromise Android users. We assess with high confidence that commercial surveillance company Cytrox packaged these vulnerabilities, and sold the hacking software to at least eight governments. Among other targets, this spyware was used to compromise journalists and opposition politicians. Our reporting is consistent with earlier analysis produced by CitizenLab and Meta.

TAG also recently released information on a segment of attackers we call “hack-for-hire” that focuses on compromising accounts and exfiltrating data as a service. In contrast to commercial surveillance vendors, who we generally observe selling a capability for the end user to operate, hack-for-hire firms conduct attacks themselves. They target a wide range of users and opportunistically take advantage of known security flaws when undertaking their campaigns. In June, we provided examples of the hack-for-hire ecosystem from India, Russia, and the United Arab Emirates.

The growth of commercial spyware vendors and hack-for-hire groups has necessitated growth in TAG to counter these threats. Where once we only needed substreams to focus on threat actors such as China, Russia, and North Korea, TAG now has a dedicated analysis subteam dedicated to commercial vendors and operators.

Risks posed by commercial spyware are increasing

Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments. These vendors operate with deep technical expertise to develop and operationalize exploits. We believe its use is growing, fueled by demand from governments.

Seven of the nine zero-day vulnerabilities our Threat Analysis Group discovered in 2021 were originally developed by commercial providers and sold to and used by state-sponsored actors. TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to state-sponsored actors.

This industry appears to be thriving. In fact, there was recently a large industry conference in Europe, sponsored by many of the commercial spyware vendors we track. This trend should be concerning to the United States and all citizens. These vendors are enabling the proliferation of dangerous hacking tools, arming nation state actors that would not otherwise be able to develop these capabilities in-house. While use of surveillance technologies may be legal under national or international laws, they are found to be used by some state actors for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers, and opposition party politicians.

We have also observed proliferation risk from nation state actors attempting to gain access to the exploits of these vendors. Last year, TAG identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations. The actors behind this campaign, which we attributed to a government-backed entity based in North Korea, have employed a number of means to target researchers.

In addition to these concerns, there are other reasons why this industry presents a risk more broadly across the Internet. While vulnerability research is an important contributor to online safety when that research is used to improve the security of products, vendors stockpiling zero-day vulnerabilities in secret can pose a severe risk to the Internet when the vendor itself gets compromised. This has happened to multiple spyware vendors over the past ten years, raising the specter that their stockpiles can be released publicly without warning.

The proliferation of commercial hacking tools is a threat to national security, making the Internet less safe and undermining the trust on which a vibrant, inclusive digital society depends. This is why when Google discovers these activities, we not only take steps to protect users, but also disclose that information publicly to raise awareness and help the entire ecosystem, in line with our historical commitment to openness and democratic values.

Google’s work to protect users

Across all Google products, we incorporate industry-leading security features and protections to keep our users safe. On Search, Google’s Safe Browsing is an industry-leading service to identify unsafe websites across the web and notify users and website owners of potential harm. Google Safe Browsing helps protect over four billion devices every day by showing warnings to users when they attempt to navigate to unsafe sites or download harmful files. Safe Browsing also notifies webmasters when their websites are compromised by malicious actors and helps them diagnose and resolve the problem so that their visitors stay safer.

On Gmail, we recommend certain Gmail security precautions to prevent spoofing, phishing, and spam. Spoofers may send forged messages using an organization’s real name or domain to subvert authentication measures. We use email authentication to protect against email spoofing, which is when email content is changed to make the message appear from someone or somewhere other than the actual source. And we offer other advanced phishing and malware protection to administrators to better protect their users. By default, Gmail displays warnings and moves untrustworthy emails to the user’s spam folder. However administrators can also use advanced security settings to enhance their users’ protection against suspicious attachments and scripts from untrusted senders.

For Android, through its entire development lifecycle, we subject the products to a rigorous security program. The Android security process begins early in the development lifecycle, and each major feature of the platform is reviewed by engineering and security resources. We ensure appropriate controls are built into the architecture of the system. During the development stage, Android-created and open source components are subject to vigorous security reviews For users, Android provides safety and control over how apps and third parties can access the data from their devices. For example, users are provided visibility into the permissions requested by each app, and they are able to control those permissions.

We have also built additional tools to prevent successful attacks on devices that run Android once those devices are in users’ hands. For example, Google Play Protect, our built-in malware protection for Android, continuously scans devices for potentially harmful applications.

Although our security precautions are robust, security issues can still occur, which is why we created a comprehensive security response process to respond to incidents. Google manages a vulnerability rewards program (VRP), rewarding researchers millions of dollars for their contributions in securing our devices and platforms. We also provide research grants to security researchers to help fund and support the research community. This is all part of a larger strategy to keep Google products and users, as well as the Internet at large more secure. Project Zero is also a critical component of this strategy, pushing transparency and more timely patching of vulnerabilities.

Finally, we also offer the leading tools to protect important civil society actors such as journalists, human rights workers, opposition party politicians, and campaign organizations – in other words, the users who are frequently targeted by surveillance tools. Google developed Project Shield, a free protection against distributed denial of service (DDoS) attacks, to protect news media and human rights organization websites. We recently expanded eligibility to protect Ukraine government organizations, and we are currently protecting over 200 Ukraine websites today. To protect high risk user accounts, we offer the Advanced Protection Program (APP), which is our highest form of account security. APP has a strong track record protecting users – since the program’s inception, there are no documented cases of an account compromise via phishing.

Whole of Society response necessary to tackle spyware

We believe it is time for government, industry and civil society to come together to change the incentive structure which has allowed these technologies to spread in secret. The first step is to understand the scope of the problem. We appreciate the Committee’s focus on this issue, and recommend the U.S. Intelligence Community prioritize identifying and analyzing threats from foreign commercial spyware providers as being on par with other major advanced threat actors. The U.S. should also consider ways to foster greater transparency in the marketplace, including setting heightened transparency requirements for the domestic surveillance industry. The U.S. could also set an example to other governments by reviewing and disclosing its own historical use of these tools.

We welcome recent steps taken by the government in applying sanctions to the NSO Group and Candiru, and we believe other governments should consider expanding these restrictions. Additionally, the U.S. government should consider a full ban on Federal procurement of commercial spyware technologies and contemplate imposing further sanctions to limit spyware vendors’ ability to operate in the U.S. and receive U.S. investment. The harms from this industry are amply evident by this point, and we believe they outweigh any benefit to continued use.

Finally, we urge the United States to lead a diplomatic effort to work with the governments of the countries who harbor problematic vendors, as well as those who employ these tools, to build support for measures that limit harms caused by this industry. Any one government’s ability to meaningfully impact this market is limited; only through a concerted international effort can this serious risk to online safety be mitigated.

Google is investing heavily as a company and as an industry to counter serious threats to our users. In the modern world, we must be able to trust the devices we use every day and ensure that foreign adversaries do not have access to sophisticated exploits. While we continue to fight these threats on a technical level, the providers of these capabilities operate openly in democratic countries. Google is committed to leading the industry in detecting and disrupting these threats.

I thank the Committee for its attention to this critical issue.

Transparency in the Shadowy World of Cyberattacks

The following is adapted from remarks delivered by Kent Walker, President of Global Affairs, at the International Conference on Cyber Security 2022 on July 19, 2022.

Thank you for the chance to be a part of this important conversation about cybersecurity.

At Google we’re proud to say that we keep more people safe online than anyone else in the world. But that wasn’t always the case.

So let me start by telling you a story about how we got it wrong, and two things we all can learn from that experience. My dad always told me that it was cheapest to learn from the other guy’s mistake. So let me tell you about one of ours.

As some of you may recall, in late 2009, Google was the victim of a major cybersecurity attack, code named Operation Aurora.

We’ve long had some of the most attacked websites in the world. But Aurora was something special.

Aurora was an attack attributed to the Chinese government, a significant security incident that resulted in the theft of intellectual property from Google.

But Aurora wasn’t just any security incident. And it wasn’t just against Google.

As part of our investigation we discovered that several other high-profile companies were similarly targeted. Other companies either hadn’t discovered the attacks, or hadn’t wanted to disclose them. When I was a federal prosecutor specializing in technology crimes, one of the biggest challenges we encountered was getting companies to go public or even come to the authorities.

So we felt it was important to talk about the attack–to tell the world about its impact, the methods of the hackers, and the sectors at risk.

We worked with the US Government to share threat vectors and vulnerabilities.

And we didn’t stop there: After Aurora, we launched an entire team called Project Zero to find and promptly disclose previously undiscovered, zero-day vulnerabilities in our own and other companies’ software, raising the security bar for everyone.

And today, Google’s Threat Analysis Group, or TAG, works to counter a range of persistent threats from government-backed attackers to commercial surveillance vendors to criminal operators. TAG does regular public disclosures of foreign state actor attacks, including doing the difficult work of attribution.

Without giving too much away, I can also tell you that, working with our team at VirusTotal (now called Chronicle), we have some projects in the works that will help us raise awareness of vulnerabilities from around the world. And we’re very excited about our upcoming partnership with Mandiant, one of the world’s premier security teams, to broaden and deepen this work.

So I’d say that the first lasting lesson from the Aurora attack is the need to weave openness and transparency into the fabric of a cybersecurity response. It’s not always comfortable work–we’ve had to have some tough conversations with partners and with our own teams along the way–but it’s necessary to move the industry forward and ensure bugs are getting fixed fast, before they can be exploited in the wild.

In the ensuing years, we’ve developed principles to ensure we can share learnings about vulnerabilities, cyber attacks (such as attacks on elections), and disinformation campaigns responsibly, transparently, and helpfully with the public, with our partners, and with law enforcement.

And the US government has in turn stood up its own process to facilitate more information sharing with industry partners in order to expedite patches that safeguard us all.

But the value of transparency isn’t the only reason I bring up the Aurora story.

Aurora not only taught us the need to embrace transparency, it also taught us a second, and even more important lesson: What works and what doesn’t when it comes to security architecture.

It’s possible to over-index on info sharing alone.

Focusing on the fundamentals of software security is in some ways more important to raise all of us above the level of insecurity we see today.

We curate and use threat intelligence to protect billions of users–and have been doing so for some time. But you need more than intelligence, and you need more than security products–you need secure products.

Security has to be built in, not just bolted on.

Aurora showed us that we (and many in the industry) were doing cybersecurity wrong.

Security back then was often “crunchy on the outside, chewy in the middle.” Great for candy bars, not so great for preventing attacks. We were building high walls to keep bad actors out, but if they got past those walls, they had wide internal access.

The attack helped us recognize that our approach needed to change–that we needed to double down on security by design.

We needed a future-oriented network, one that reflected the openness, flexibility, and interoperability of the internet, and the way people and organizations were already increasingly working.

In short, we knew that we had to redesign security for the Cloud.

So we launched an internal initiative called BeyondCorp, which pioneered the concept of zero trust and defense in depth and allowed every employee to work from untrusted networks without the use of a VPN. Today, organizations around the world are taking this same approach, shifting access controls from the network perimeter to the individual and the data.

If you fast forward to today’s hybrid-cloud environment, zero trust is a must.

At the core of zero trust is the idea that security doesn’t have a defined border. It travels with the user and the data. For example, as the Administration pushes for multi-factor authentication for government systems, we’re automatically enrolling users in two-step verification to confirm it’s really them with a tap on their phone when they sign into our products.

Practically, this means that employees can work from anywhere in the world, accessing the most sensitive internal services and data over the internet, without sacrificing security. It also means that if an attacker does happen to break through defenses, they don’t get carte-blanche to access internal data and services.

The most impactful thing a company, organization, or government can do to defend against cyber-attacks is to upgrade their legacy architecture.

Is it always easy? No, but when you consider that legacy architecture, with its millions upon millions of lines of proprietary code, has thousands of bugs, each one a potential vulnerability, it’s worth it.

And beyond replacing existing plumbing, we need to be thinking about the next challenges, and deploying the latest tools.

In the same way the world is racing to upgrade encryption to deal with the threat of quantum decryption, we need to be investing in cutting-edge technologies that will help us keep ahead of increasingly sophisticated threats.

The good news is that cyber-security tools are evolving quickly, from artificial intelligence capabilities, to advanced cryptography, to quantum computing.

If today we talk about security by design, what comes next is security through innovation–security designed with AI and machine learning in mind–designed to counter bad actors using new tools to evade filters, break into encrypted communications, and generate customized phishing emails.

We’ve got some of the best AI work in the business, and we’re testing new approaches and using some of our leading-edge AI tools to detect malware and phishing at scale. AI allows us to see more threats faster, while reducing human error. AI, graph mining, and predictive analytics can dramatically improve our ability to identify and block phishing, malware, abusive apps, and code from malicious websites.

We look forward to sharing more of our findings so that organizations and governments can prepare. After all, this is no time for locking down learnings or successful techniques. Bad actors are not just on the lookout for ways to exploit your unknown vulnerabilities. As with Hafnium and SolarWinds, they are looking for the weak link in the security chain, letting them springboard from one attack to another. A vulnerability at one organization can do damage to entire industries and infrastructures.

Cybersecurity is a team sport, and we all need to get better together, building bridges not just within the security communities, but also between the national security community and academia and Silicon Valley.


Having started with one story, let me leave you with another—cybersecurity and Russia’s war in Ukraine.

A lot has changed in our approach since Aurora. And perhaps no example illustrates that shift more clearly than our response to the war in Ukraine.

Russia’s invasion sparked, not just a military and economic war, but also a cyber war and an information war. In recent months, we have witnessed a growing number of threat actors–state actors and criminal networks–using the war as a lure in phishing and malware campaigns, embarking on espionage, and attempting to sow disinformation.

But this time, we were ready with a modern infrastructure and a process for monitoring and responding to threats as they happened.

We’ve sent thousands of warnings to users targeted by foreign-state actors–a practice we pioneered after Aurora. And in the vast majority of cases, we’ve blocked the attacks.

We launched Project Shield, bringing not just journalists, but vulnerable websites in Ukraine under Google’s security umbrella against DDoS attacks. While you can DDoS small sites, it turns out that it’s pretty tough to DDoS Google. We disrupted phishing campaigns from Ghostwriter, an actor attributed to Belarus. And we helped the Ukrainian government modernize its cyber infrastructure, helping fortify it against attack.

We are proud that we were the first company to receive the Ukrainian government’s special peace prize in recognition of these efforts.

But the work is far from done.

Even now, we’re seeing reports that the Kremlin could be planning to ratchet up attacks and coordinated disinformation campaigns across Eastern Europe and beyond in an attempt to divide and destabilize Western support for Ukraine. In fact, just today, our TAG team published a new report on activity from a threat group linked to Russia’s Federal Security Service, the FSB, and threat actors using phishing emails to target government and defense officials, politicians, NGOs, think tanks, and journalists.

And, looking beyond Russia and Ukraine, we see rising threats from Iran, China, and North Korea.

Google is a proud American company, committed to the defense of democracy and the safety and security of people around the world.

And we believe cybersecurity is one of the most important issues we face.

It’s why we’re investing $10 billion over the next five years to strengthen cybersecurity, including expanding zero-trust programs, helping secure the software supply chain, and enhancing open-source security.

It’s why we’ve just created a new division–Google Public Sector–focused on supporting work with the US government. And it’s why we are always open to new partnerships and projects with the public sector.

In recent years, we’ve worked with the FBI’s Foreign Influence Task Force to identify and counter malign foreign influence operations targeting the U.S. We’ve worked with the NSA’s Cybersecurity Collaboration Center. And we’ve joined the Joint Cyber Defense Collaborative to help protect critical infrastructure and improve collective responses to incidents on a national scale.

Getting our whole digital economy on the front foot is essential. And there’s some encouraging progress. For example, we were glad to see last week’s Cyber Safety Review Board report deeply investigating the log4j vulnerability and making important recommendations about how to improve the ecosystem.

We need more of that.

Looking ahead, our collective ability to prevent cyber attacks will come, not only from transparency, but from a commitment to shoring up our defenses — moving away from legacy technology, modernizing infrastructure, and investing in cutting-edge tools to spot and stop tomorrow’s challenges.

We can’t beat tomorrow’s threats with yesterday’s tools. We need collective action to shore up our digital defenses. But by drawing on America’s collective abilities and advantages, we can achieve a higher level of collective security for all of us.

Thank you.

Source: The Keyword


Continued cyber activity in Eastern Europe observed by TAG

Google’s Threat Analysis Group (TAG) continues to closely monitor the cybersecurity environment in Eastern Europe with regard to the war in Ukraine. Many Russian government cyber assets have remained focused on Ukraine and related issues since the invasion began, while Russian APT activity outside of Ukraine largely remains the same. TAG continues to disrupt campaigns from multiple sets of Russian government-backed attackers, some of which are detailed in our previous updates.

Similarly, observed Russian disinformation efforts are also focused on the war in Ukraine, and TAG has disrupted coordinated influence operations from several actors, including the Internet Research Agency and a Russian consulting firm, as detailed in the TAG Bulletin. Most of these coordinated influence operations are Russian-language efforts aimed at ensuring domestic support in Russia for the war.

Here is a deeper look at some campaign activity TAG has observed since our last update:

Turla, a group publicly attributed to Russia’s Federal Security Service (FSB), recently hosted Android apps on a domain spoofing the Ukrainian Azov Regiment. This is the first known instance of Turla distributing Android-related malware. The apps were not distributed through the Google Play Store, but hosted on a domain controlled by the actor and disseminated via links on third party messaging services. We believe there was no major impact on Android users and that the number of installs was miniscule.

The app is distributed under the guise of performing Denial of Service (DoS) attacks against a set of Russian websites. However, the 'DoS' consists only of a single GET request to the target website, not enough to be effective. The list of target websites for the app can be seen in the CyberChef recipe here.


Turla website disseminating fake DoS Android Apps.

During our investigation into the Turla CyberAzov apps, we identified another Android app, first seen in the wild in March 2022, that also claimed to conduct DoS attacks against Russian websites. In this case, the Android app name was stopwar.apk (com.ddos.stopwar) and it was distributed from the website stopwar.pro. This app is quite different from the Turla apps described above and was written by a different developer. It also downloads a list of targets from an external site, but unlike the Turla apps, it continually sends requests to the target websites until it is stopped by the user.


Pro-Ukrainian website used for disseminating StopWar.apk.

Based on our analysis, we believe that the StopWar app was developed by pro-Ukrainian developers and served as the model on which Turla actors based their fake CyberAzov DoS app.

The Follina vulnerability (CVE-2022-30190), first disclosed in late May, received significant usage from both APT and cybercrime groups throughout June after it was patched by Microsoft. Follina is a remote code execution (RCE) vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT).

Consistent with CERT-UA reporting, TAG observed multiple Russian GRU actors - APT28 and Sandworm - conduct campaigns exploiting the Follina vulnerability. The Sandworm campaign used compromised government accounts to send links to Microsoft Office documents hosted on compromised domains, primarily targeting media organizations in Ukraine.

TAG has also observed an increasing number of financially motivated actors targeting Ukraine. One recent campaign from a group tracked by CERT-UA as UAC-0098 delivered malicious documents with the Follina exploit in password-protected archives, impersonating the State Tax Service of Ukraine. We assess this actor is a former initial access broker for ransomware operations who previously worked with the Conti ransomware group distributing the IcedID banking trojan, based on overlaps in infrastructure, tools used in previous campaigns, and a unique cryptor.
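The Follina lure documents described above relied on an Office document relationship that fetches remote content, which in turn invoked the ms-msdt: protocol handler (a publicly known characteristic of CVE-2022-30190, not spelled out on this page). The Python triage below is an added example for this archive, not TAG's or CERT-UA's tooling: it inspects a .docx for those two traits so a responder can flag a document extracted from one of the password-protected archives before anyone opens it. The sample documents, the hostname and all helper names are constructed for this example.

```python
"""Static triage of a .docx for the traits of CVE-2022-30190 (Follina) lures:
a relationship that makes Office fetch remote content, and the ms-msdt:
protocol handler in the package or in the fetched content.
Added example; sample documents and hostnames below are constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Relationship types that normally point at parts inside the package. A remote
# http(s) target with TargetMode="External" on one of these is how Follina
# lures pulled their second stage from a web server.
REMOTE_FETCH_TYPES = ("/attachedTemplate", "/oleObject")

# Protocol handler abused by CVE-2022-30190, matched case-insensitively.
MSDT_SCHEME = re.compile(r"ms-msdt:", re.IGNORECASE)


def external_fetch_relationships(docx_bytes):
    """Return (rels_part, relationship_kind, target) for every relationship
    that makes Office fetch a template or OLE object over http(s)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                rel_type = rel.get("Type", "")
                target = rel.get("Target", "")
                if (rel.get("TargetMode") == "External"
                        and rel_type.endswith(REMOTE_FETCH_TYPES)
                        and target.lower().startswith(("http://", "https://"))):
                    hits.append((name, rel_type.rsplit("/", 1)[-1], target))
    return hits


def msdt_references(text):
    """Count ms-msdt: scheme occurrences in text, e.g. HTML retrieved from the
    remote target of a flagged relationship (the chain's second stage)."""
    return len(MSDT_SCHEME.findall(text))


def triage(docx_bytes):
    """'clean', 'suspicious' (remote fetch or scheme alone) or 'malicious'
    (remote fetch and ms-msdt: both present inside the package)."""
    rels = external_fetch_relationships(docx_bytes)
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        in_package = sum(msdt_references(zf.read(n).decode("utf-8", "ignore"))
                         for n in zf.namelist())
    if rels and in_package:
        verdict = "malicious"
    elif rels or in_package:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "remote_fetches": rels, "msdt_hits": in_package}


def build_sample_docx(ole_target=None):
    """Build a minimal .docx in memory (constructed test input). With ole_target
    set, add the external oleObject relationship seen in Follina lures;
    otherwise every relationship points at an internal part."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">',
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>']
    if ole_target:
        rels.append('<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
                    f'Target="{ole_target}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/styles.xml", '<w:styles xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample_docx())["verdict"])                                  # clean
    print(triage(build_sample_docx("http://lure.example.invalid/t.html")))         # suspicious
```

A document whose only red flag is the remote fetch is reported as suspicious rather than malicious because the payload lives on the server; fetch the target in a sandbox and run `msdt_references` over the response to confirm the second stage.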

Ghostwriter/UNC1151, a threat actor attributed to Belarus, has remained active targeting accounts of webmail and social media networks of Polish users. They continue to use the 'Browser in the Browser' phishing technique that TAG first observed and described in March. An example of this technique, used to target Facebook users, can be seen in the screenshot below.


An example of this technique used to target Facebook users

COLDRIVER, a Russia-based threat actor sometimes referred to as Callisto, continues to send credential phishing emails to targets including government and defense officials, politicians, NGOs and think tanks, and journalists. In addition to including phishing links directly in the email, the attackers also link to PDFs and/or DOCs, hosted on Google Drive and Microsoft OneDrive, that contain a link to an attacker-controlled phishing domain. In at least one case, unrelated to Ukraine, they have leaked information from a compromised account.

These phishing domains have been blocked through Google Safe Browsing – a service that identifies unsafe websites across the web and notifies users and website owners of potential harm.


Example of a recent COLDRIVER phishing lure

Recently observed COLDRIVER indicators:

In another campaign tracked by CERT-UA as UAC-0056 we observed compromised email addresses of a Regional Prosecutor’s office of Ukraine leveraged to send malicious Microsoft Excel documents with VBA macros delivering Cobalt Strike. In just two days, the volume observed and categorized as spam by Gmail exceeded 4,500 emails. Email contents vary from COVID-19 vaccine policy to the humanitarian crisis in Ukraine.

Source: The Keyword


Protecting people’s privacy on health topics

Protecting our users’ privacy and securing their data is core to Google’s work. That’s why we design products to help people keep their personal information private, safe, and secure — with easy-to-use tools and built-in protections.

Privacy matters to people — especially around topics such as their health. Given that these issues apply to healthcare providers, telecommunications companies, banks, tech platforms, and many more, we know privacy protections cannot be solely up to individual companies or states acting individually. That’s why we’ve long advocated for a comprehensive and nationwide U.S. privacy law that guarantees protections for everyone, and we’re pleased to see recent progress in Congress.

But we haven’t waited for a law to take action. We understand that people rely on Google to keep their personal data secure. We’ve long been committed to this work, and today we're sharing additional steps we're taking to protect user privacy around health issues.

Protecting user privacy

We offer a variety of easy-to-use privacy tools and settings that put people in control of their data. This is particularly important to people around health topics, which is why our data policies include a number of restrictions. In addition, we have protections around:

  • Location History: Location History is a Google account setting that is off by default, and for those that turn it on, we provide simple controls like auto-delete so users can easily delete parts, or all, of their data at any time. Some of the places people visit — including medical facilities like counseling centers, domestic violence shelters, abortion clinics, fertility centers, addiction treatment facilities, weight loss clinics, cosmetic surgery clinics, and others — can be particularly personal. Today, we’re announcing that if our systems identify that someone has visited one of these places, we will delete these entries from Location History soon after they visit. This change will take effect in the coming weeks.
  • User Data on Apps: Google Play has strict protocols to protect user privacy — including policies that prohibit developers from selling personal and sensitive user data and a requirement that they handle that data securely and only for purposes directly related to operating the app. To further promote transparency and control for users, we also recently introduced Play’s new data safety section that developers use to give people more information about how apps collect, share, and secure their data. For Google Fit and Fitbit, we give users settings and tools to easily access and control their personal data, including the option to change and delete personal information, at any time. For example, Fitbit users who have chosen to track their menstrual cycles in the app can currently delete menstruation logs one at a time, and we will be rolling out updates that let users delete multiple logs at once.
  • Law Enforcement Demands for User Data: Google has a long track record of pushing back on overly broad demands from law enforcement, including objecting to some demands entirely. We take into account the privacy and security expectations of people using our products, and we notify people when we comply with government demands, unless we’re prohibited from doing so or lives are at stake — such as in an emergency situation. In fact, we were the first major company to regularly share the number and types of government demands we receive in a Transparency Report. We remain committed to protecting our users against improper government demands for data, and we will continue to oppose demands that are overly broad or otherwise legally objectionable. We also will continue to support bipartisan legislation, such as the NDO Fairness Act recently passed by the House of Representatives, to reduce secrecy and increase transparency around government data demands.

We’re committed to delivering robust privacy protections for people who use our products, and we will continue to look for new ways to strengthen and improve these protections. We support Congressional efforts to reach bipartisan agreement on nationwide privacy protections that move the burden of privacy off individuals and establish good data practices across the board. In the meantime, we will continue our focus on securing our products and protecting the privacy of our users around the world.


Staying safe online with our updated Google Password Manager

Strong, unique passwords are key to helping keep your personal information secure online. That's why Google Password Manager can help you create, remember and autofill passwords on your computer or phone: on the web in Chrome, and in your favorite Android and iOS apps.

Today we've started rolling out a number of updates that help make the experience easier to use, with even stronger protections built in.

A consistent look and feel, across web and apps

We're always grateful for feedback, and many of you have shared that managing passwords between Chrome and Android has been confusing at times: "It's the same info in both places, so why does it look so different?" With this release, we're rolling out a simplified and unified management experience that's the same in Chrome and Android settings. If you have multiple passwords for the same sites or apps, we’ll automatically group them. And for your convenience, you can create a shortcut on your Android home screen to access your passwords with a single tap.


You can now add a shortcut to Google Password Manager to your Android homescreen.

More powerful password protections

Google Password Manager can create unique, strong passwords for you across platforms, and helps ensure your passwords aren’t compromised as you browse the web. We’re constantly working to expand these capabilities, which is why we’re giving you the ability to generate passwords for your iOS apps when you set Chrome as your autofill provider.


You can now create strong passwords on your computer or mobile, on any operating system.

Chrome can automatically check your passwords when you enter them into a site, but you can have an added layer of confidence by checking them in bulk with Password Checkup. We’ll now flag not only compromised credentials, but also weak and re-used passwords on Android. If Google warns you about a password, you can now fix it without hassle with our automated password change feature on Android.


For your peace of mind, Password Checkup on Android can flag compromised, weak and reused passwords.

To help protect even more people, we’re expanding our compromised password warnings to all Chrome users on Android, Chrome OS, iOS, Windows, MacOS and Linux.

Simplified access and password management

Google built its password manager to stay out of your way — letting you save passwords when you log in, filling them when you need them and ensuring they aren’t compromised. However, you might want to add your passwords to the app directly, too. That's why, due to popular demand, we're adding this functionality to Google Password Manager on all platforms.


Adding your passwords directly is now possible on all platforms.

In 2020, we announced Touch-to-Fill to help you fill your passwords in a convenient and recognizable way. We’re now bringing Touch-to-Login to Chrome on Android to make logging in even quicker by allowing you to securely log in to sites directly from the overlay at the bottom of your screen.


Touch-to-Login signs you in directly from a recognizable overlay.

Many of these features were developed at the Google Safety Engineering Center (GSEC), a hub of privacy and security experts based in Munich, so Guten Tag from the team! Of course, our efforts to create a safer web are a truly global effort – from our early work on 2-step verification, to our future investments in technologies like passkeys – and these updates that we are rolling out over the next months are an important part of that work.

Renewing our commitment to Brazil

New technology advancements during the pandemic have reshaped the way we connect, work and run businesses around the world. Today, we gathered Googlers, journalists, business leaders, civil society representatives and public figures for our Google for Brazil event in São Paulo to demonstrate how we’ll contribute to Brazil’s continued digital transformation.

The event happened on the heels of the IX Summit of the Americas, where our CEO Sundar Pichai announced a five-year, $1.2 billion commitment to Latin America. Here’s how that will unfold in Brazil:

Reinforcing Brazil as an innovation hub

In January, we announced our goal to increase our engineering workforce in the country. At today’s event, we shared our plans to open a new multidisciplinary engineering center in São Paulo. Located on the São Paulo University campus, the new center will be part of the IPT Open Experience, a program created by the Technological Research Institute (IPT) of the State of São Paulo to promote innovation.

A 3D render of the new multidisciplinary engineering center in São Paulo

The Google São Paulo Engineering Center, which should be complete at the end of 2024, will accommodate up to 400 Googlers from various technical areas. Initially, this new hub will host Google engineers working on areas like privacy, security and safety. They will join teams focused on delivering simple user protection and controls to help people stay safe online.

This important work happens both inside and outside of Google. So in partnership with our Google Safety Engineering Center (GSEC), we're launching a dedicated outreach program for content responsibility in Brazil — engaging with tech experts, educators, regulators and key opinion formers to discuss our approach to content responsibility and online safety, and provide more transparency into our work.

Using technology in service of recovery

Being online is essential for any business to grow, and even more so to recover from the pandemic. According to our most recent Economic Impact Report from consulting firm AlphaBeta, thousands of businesses, nonprofits, publishers, creators and developers relied on Google Search, Google Ads, Google AdSense, Google Play and YouTube to generate US$19.4 billion in economic impact in Brazil in 2021.

When it comes to selling products or services in physical stores, it's important for businesses to keep their online information up to date. We’re continuing to experiment with Duplex, our AI technology for natural voice conversations, to call Brazilian businesses and update their hours in their business profile on Maps. All calls are conducted respecting local privacy laws.

Another way to help people in times of recovery is to connect them with the information they need. According to the latest report by research network Rede Penssan, hunger affects more than 33 million Brazilians today. So we partnered with Ação Cidadania to make it easier for Brazilians to find reliable information about soup kitchens and food banks on Search and Maps, with 1,000 currently pinned across the country.

Brazilians can now find soup kitchens and food banks on Search and Maps

Supporting digital inclusion

Since 2017, we’ve invested over 1.6 billion reais to strengthen our technical infrastructure in Brazil, including our subsea cables and cloud region in São Paulo. All these projects aim to improve the quality of digital services for Brazilians and support the growth of our Cloud business. And as our employee base grows, our local Cloud team will move to a new office in São Paulo city in 2023.

To help people and entrepreneurs make the most of this infrastructure, we need to equip them with knowledge and skills. This is especially important for job seekers, as Brazil currently has 11.9 million unemployed people. Today, we announced a commitment to provide 500,000 Google Career Certificate scholarships over the next four years. This year, we’ll offer 30,000 of them in partnership with Centro de Integração Empresa-Escola (CIEE), helping Brazilians get access to jobs in high-growth fields like data analysis and UX design. We’ve also expanded Capacita+, our educational content hub for cloud computing.

A video of Patricia Alves talking about her professional journey

This builds on the work Google.org and the InterAmerican Development Bank have been supporting since 2019 with JA Brazil to bring Google Career Certificates to over 2,000 young Brazilians across the country. Additionally, we recently renewed our commitment with Instituto Rede Mulher Empreendedora (RME) through a new $2 million Google.org grant to train 200,000 women all over the country on entrepreneurship, with a focus on Northern Brazil. This complements our new Google for Startups scholarship program in partnership with Instituto Vamo Que Vamo to train 200 young Black people, mostly women, in software development.

Promoting a more sustainable planet

Each day, more people ask themselves what they can do to help protect our planet from environmental threats like climate change. Many of these questions start in Google Search. So in partnership with the United Nations, we’ve released an information panel that appears above results for climate change-related queries. In addition to sharing basic facts about the topic, the panel also offers tips for living a more sustainable life.

As a technology company, we can also help others use digital solutions to increase the scale and impact of their work. Through a $500,000 Google.org commitment ($250,000 in cash grants and $250,000 in Ad Grants), we’ll support The Nature Conservancy (TNC) to develop solutions to protect biodiversity in the Amazon rainforest.

Reaffirming our mission

Our Google for Brazil event was a special moment to demonstrate our long-term commitment to the country and celebrate Brazil's unique contributions to the world. In fact, to cap off the day, we revealed a new Google Arts & Culture collection dedicated to Gilberto Gil, one of Brazil's best-known musicians. It's the platform’s first large retrospective dedicated to a living artist, unpacking Gil’s life, career and influences on Brazilian and global culture in the month of his 80th birthday.

Through all of these initiatives, we are reaffirming our mission to help Brazilians use technology to build a more inclusive, innovative, sustainable, democratic and equitable future.

Google at the Copenhagen Democracy Summit

The following is adapted from remarks delivered by Kent Walker, President of Global Affairs, at the Copenhagen Democracy Summit on June 10, 2022.

On February 24, the world watched in horror as Russia invaded Ukraine. While the tension had been building for weeks, that didn’t make the invasion any less shocking.

Tanks once again rumbled through European streets, and the world held its breath. People wondered whether this marked a return to the law of the jungle — a return to machtpolitik over cooperation in solving shared problems.

And we were reminded once again that democratic progress is not inevitable; that democracy and the rules-based international order are by no means guaranteed.

Even before the invasion of Ukraine, there had been worrying signs that democracy was under assault.

Freedom House found that the defining features of democracy — free expression and open debate, free association, and the rule of law — have retreated in nearly fifty countries.

I’d like to speak today about the debt technology owes democracy, and how technology can work with democracy to repay that debt.

But first, let’s talk about why that partnership is so critically important.

Democracy has always been fertile soil for innovation and basic research.

Inventors flourish when they can exchange ideas, take risks, test hypotheses, and explore new avenues for inquiry and collective innovation.

Democratic values of openness and pluralism allow cooperation and scientific inquiry to flourish.

It would be hard to argue that the advances made possible by democratic innovation — advances that have doubled life expectancies and lifted billions of people out of poverty — would have been possible under any other system of government.

But technology can also benefit democracy itself, by proving that democracies can deliver for citizens, expanding choice and raising living standards.

Future generations of technology will help us combat climate change, pioneer personalized medicine, and improve agricultural productivity.

But even beyond improving living standards — delivering on the substantive promises of democracy — technology and innovation can also be a force for democratic procedural legitimacy: Supporting democratic institutions, increasing transparency and accountability in governance, and protecting and promoting human rights.

When developed and used responsibly, technology can foster the essential exchange of ideas and broaden civic engagement in the democratic process.

After all, democracies need at least three elements to flourish:

  • A robust public square, where people can express ideas openly;
  • An active and vibrant press; and
  • Free and fair elections that create accountability, letting citizens check and balance power.

While there is no question that the misuse and abuse of technology has created challenges in each of these areas — from within and without — conversations over the last few months, with defense leaders in Munich, business leaders in Davos, and security experts in Eastern Europe, have made it clear that we need the responsible use of technology to support these essential elements.

So, first, how can technology defend the public square, safeguarding speech and debate?

Tech can promote and protect the marketplace of ideas by playing both offense and defense: Facilitating free and open discourse while combating disinformation.

The early days of Silicon Valley fostered a faith that more communication would be better for the world. And in many ways it has been, connecting people in remarkable new ways.

That said, we have come to recognize abuses of our platforms, harmful efforts to spread malicious or patently false information. We have responded by removing content that violates our policies; raising authoritative voices at critical times; rewarding trusted creators; and reducing borderline content.

That requires tough calls — millions of them every day. And we’re working on ways to provide more transparency into this critical process.

The latest and most dramatic chapter in the battle against disinformation came with the invasion of Ukraine where we all are witnessing not just a military and economic war, but also a cyber war and an information war.

An extraordinary situation called for an extraordinary response.

YouTube took the unprecedented step of globally blocking disinformation channels like RT and Sputnik, removing more than 8,000 channels and more than 70,000 videos for violating our content policies – content that minimized the war’s toll or spread harmful lies about what was happening on the ground. Meanwhile Google Search, Google News, and YouTube are some of the last independent sources of news about the war that remain available in Russia.

On the cybersecurity front, when we saw a spike of distributed denial-of-service (DDoS) attacks on Ukrainian websites, we protected access to information and kept sites online by bringing publishers and government websites under Google's security umbrella, Project Shield.

As a result of these efforts, we were proud to be the first company to receive the Ukrainian government’s special "peace prize,” showing how important tech’s role can be when the stakes are high.

Which brings me to the second cornerstone of a functioning democracy: A free and vibrant press, and how technology can help it adapt to a digital world.

Google was founded with the mission of organizing the world’s information and making it universally accessible and useful. Over the years our ad networks have provided billions of dollars to news publishers, and we have sponsored programs like the Google News Initiative, partnering with publishers to create innovative tools and approaches to reporting.

Of course, technology has had a significant impact on newspaper business models, unbundling different categories and making news more competitive and more freely available.

But technology will also be the key to the evolution of news business models for a digital era. As Herbert Simon said fifty years ago, a wealth of information creates a poverty of attention.

That means a growing role for editors and publishers, curators and analysts, who can help us all allocate our limited attention wisely.

It means there’s a growing need for us to support content creators and a thriving global press.

Third, technology has a vital role to play when it comes to the integrity of our elections.

At Google, we've long created tools and resources to make it easier for people to vote. Our services connect voters with up-to-date, authoritative information about polling locations, remote voting, and election times.

During election cycles, campaigns face increased security threats.

Our teams equip campaigns and election workers with best-in-class security tools. We collaborate with partners in Europe to give political campaigns access to free Titan Security Keys — the strongest form of two-factor authentication.

That’s part of our Advanced Protection Program, which protects high-risk individuals – election officials, campaigns, journalists, and human rights activists – with access to high-visibility and sensitive information.

Finally, our Threat Analysis Group works to thwart cyber attacks, monitoring and exposing espionage, hacks, and phishing campaigns and taking steps to disrupt the threats. In recent months, we stopped coordinated attacks by government-backed actors from China, Iran, North Korea and Russia. And we stopped attempts by various unattributed groups to sow disinformation.

Our role is clear — we help protect people and prevent future attacks by identifying bad actors and sharing relevant information.

These are all examples of ways tech is helping today — across the public square, the free press, and elections themselves. But defending democracy and the rules-based international order is a task that requires tech, civil society, and governments to work together.

An Edelman survey found that people often think of governments and NGOs as well intentioned but ineffective; and often think of companies as effective but maybe not always well intentioned. But when the two worked together, they went to the upper right-hand quadrant — both well intentioned and effective.

It’s why we support The Copenhagen Pledge on Tech for Democracy and similar multilateral commitments by governments, organizations, industry, and civil society to make technology work for democracy and human rights.

Democracy is at a watershed moment. There’s a risk that democracies turn inward, focusing strictly on domestic challenges rather than defending the liberal democratic international order.

Tech, too, is at a crossroads — with a risk that concerns about abuses of technology obscure its many benefits.

In 1996, John Perry Barlow, a lyricist for the Grateful Dead, wrote "A Declaration of Independence of Cyberspace” arguing that the internet was beyond any government’s laws.

Well, perhaps it's now time for a “Declaration of Interdependence of Cyberspace.”

Our growing technological connections have become so important to our daily lives that technologists need to work ever more closely with governments on new and agile rules to promote progress, national security, and the defense of the public square.

International frameworks — from the UN to the WTO to the OECD — can be useful starting places as we work to promote international alignment. And only governments can drive this crucial work.

We need governments committed to open, democratic processes to step up and work together to reaffirm international norms of access to information and the free and open exchange of ideas.

At Google, we’re eager to roll up our sleeves and help.

We leave the politics to the politicians, but that doesn’t mean we leave it to others to defend the public square. Nor does it mean we dismiss the experience and ideas of government leaders in the cause of protecting democracy.

We hear the summons to defend democracy’s essential components – the open exchange of views, an independent press, and free and fair elections.

In moments of uncertainty and crisis, responsible tech companies feel a duty to do what our engineers do best: Unlock solutions to the most pressing problems.

We undertake that task with appreciation that those solutions will be – must be – the product of collaboration, building on the kind of collective innovation that has always made democracies stronger than their adversaries.