Tag Archives: Safety & Security

Google at the Munich Security Conference

Since its inception in 1963, the Munich Security Conference has been a vital venue for policymakers, experts and transatlantic leaders tackling the most pressing security issues of the day. Today, against the backdrop of an ongoing pandemic, geopolitical tensions, and increasingly sophisticated cyber attacks, the stakes for these discussions feel particularly high — with many participants perceiving this as a time of heightened risk.

Google’s mission statement has always been to “organize the world’s information and make it universally accessible and useful.” We provide tools that make people more informed, more connected, more productive — and more secure. That’s why I’m traveling to Munich this week and joining conversations about promoting and protecting the public square.

Fighting misinformation online and safeguarding elections

In the last few years, we’ve seen a marked uptick in online disinformation campaigns, attempts to influence democratic elections, and cyber attacks on democracies' critical infrastructure.

Google and YouTube have specialized teams of intelligence and security experts who work around the clock and around the world to thwart these threats and protect the people using our products. When it comes to the content we host on YouTube, our “4R’s” approach includes not just Removing violative content and Reducing the spread of borderline content, but also Raising up authoritative content, and Rewarding trusted creators. And we continuously assess our approach and look at changes we can make to promote thoughtful engagement.

During election cycles, we equip campaigns with best-in-class security features and protect their operations from attack. We work to help voters find high-quality, authoritative election information directly in our products. We employ teams who monitor elections from India to Europe to the United States. We use advanced technology to detect coordinated disinformation networks. And we work with partners like Defending Digital Campaigns and organizations in Europe to give political campaigns access to free Titan Security Keys — the strongest form of two-factor authentication — as well as the International Foundation for Electoral Systems to develop global security programming, protecting those who work to safeguard human rights.

Advancing cybersecurity and moving towards collective standards

When it comes to cybersecurity, we have first-hand, real-world experience. Our systems stop attacks every single day, including attacks from sophisticated nation state actors. But it wasn’t always that way. In the past, when our defenses weren’t strong enough, we rebuilt our entire security infrastructure, sometimes inventing new technologies when state-of-the-art simply wouldn’t do. We know that “high walls” are not enough to stop bad actors, and we’ve learned to use “defense in depth” — creating access controls throughout our services and using multi-factor authentication as part of a zero-trust security approach, in which every node has to authenticate itself. As a result, today we keep more people safe online than any other company in the world.

We design our products to go beyond “security by design” to provide security by default. When that’s not enough, we invent new ways to keep our users more secure.

In Munich, I will be urging policymakers to work together on establishing collective security standards including those that move democratic governments toward secure cloud services and zero-trust architecture.

In the last fifty years, democratic governments helped advance some of the world’s most important innovations — including the Internet, microchips, computers, global positioning systems, and revolutionary vaccines against COVID. In the next fifty, I’m optimistic about the ability of science and advanced technology to help solve some of the world’s biggest challenges, like climate change, health care, and global development. To do that, we need to partner with governments and civil societies to rebuild trust and confidence in our institutions. Realizing the promise of tomorrow requires protecting the public square today.

Introducing the Privacy Sandbox on Android

Mobile apps are a core part of our everyday lives. Currently over 90% of the apps on Google Play are free, providing access to valuable content and services to billions of users. Digital advertising plays a key role in making this possible. But in order to ensure a healthy app ecosystem — benefiting users, developers and businesses — the industry must continue to evolve how digital advertising works to improve user privacy. That’s why we originally developed advertising ID to give users more control. Last year we introduced improvements to these controls, but we believe it’s important to go further.

Today, we’re announcing a multi-year initiative to build the Privacy Sandbox on Android, with the goal of introducing new, more private advertising solutions. Specifically, these solutions will limit sharing of user data with third parties and operate without cross-app identifiers, including advertising ID. We’re also exploring technologies that reduce the potential for covert data collection, including safer ways for apps to integrate with advertising SDKs.

The Privacy Sandbox on Android builds on our existing efforts on the web, providing a clear path forward to improve user privacy without putting access to free content and services at risk.

Blunt approaches are proving ineffective

We realize that other platforms have taken a different approach to ads privacy, bluntly restricting existing technologies used by developers and advertisers. We believe that — without first providing a privacy-preserving alternative path — such approaches can be ineffective and lead to worse outcomes for user privacy and developer businesses.

Our goal with the Privacy Sandbox on Android is to develop effective and privacy enhancing advertising solutions, where users know their information is protected, and developers and businesses have the tools to succeed on mobile. While we design, build and test these new solutions, we plan to support existing ads platform features for at least two years, and we intend to provide substantial notice ahead of any future changes.

Working with the industry

Starting today, developers can review our initial design proposals and share feedback on the Android developer site. We plan to release developer previews over the course of the year, with a beta release by the end of the year. We'll provide regular updates on designs and timelines, and you can also sign up to receive updates.

We know this initiative needs input from across the industry in order to succeed. We’ve already heard from many partners about their interest in working together to improve ads privacy on Android, and invite more organizations to participate.

We’re also committed to working closely with regulators. We’ve offered public commitments for our Privacy Sandbox efforts on the web, including ensuring that we don’t give preferential treatment to Google's ads products or sites. We'll apply these principles to our Android work as well, and continue working with the U.K. Competition and Markets Authority, and others.

The Privacy Sandbox on Android is an important part of our mission to raise the bar for user privacy, while giving developers and businesses the tools they need to succeed on mobile. We look forward to working with the industry on this journey.

Connect confidently with Google Meet security features

Safer Internet Day is about coming together for a better, safer internet – and we at Google for Education are committed to working with schools and families to provide a safe online learning environment. Every day, Google keeps more people safe online than anyone else in the world with products that are secure by default, private by design and put you in control. And this promise extends to all that we build for you, school leaders.

Constant online protections for education

At Google for Education, we’re always looking for new ways to keep you safe. All of our products are private by design, which means they support compliance with the most rigorous data privacy standards — including FERPA, COPPA and GDPR — and are regularly audited by independent, third-party organizations. By making Google for Education products secure by default, we provide additional layers of protection, with ad-free learning experiences that help keep students safe from online threats and age-inappropriate content. And we put you in control, with a dashboard that gives you full visibility of your data and security, regular Google Security Checkups that help you maintain a secure account and additional security features in your security center to protect your school’s data and devices.

Our goal is to support and protect each member of your education community so they can focus on what matters most: teaching and learning.

Google Meet offers more moderation, control and integration

With our ongoing effort to provide a safer learning environment, we’ve been focusing on combating a prominent security pain point for many schools today: video meetings. We’re excited to share some recently announced enhanced security measures for Google Meet to help educators and students connect in a full class setting or one-on-one with fewer distractions and more privacy and security.

In-meeting moderation controls: To help educators engage with their students, we’ve added more ways to help moderate class meetings and eliminate unwanted intrusions or interruptions. With these new features hosts can:

  • Control who can use the chat and present features
  • Turn on or off audio and video of individuals or everyone in the main call and breakout rooms
  • Move participants from breakout rooms back to the main room
  • Share moderation controls with up to 25 co-hosts

Control and visibility: We know admins need more ways to protect their schools and more data and insights to drive comprehensive decision making, so we’ve rolled out additional admin features that allow them to:

  • Apply safety settings across their domain
  • End meetings for everyone and prevent people from rejoining
  • Get insights into how people are using Meet
  • Identify, triage and act upon any security breaches

Google Classroom integration: We’re making Meet and Classroom work even better together. The Google Meet integration with Classroom helps educators meet and work with their classes more easily and securely, allowing them to:

  • Access the Class Meet link from the stream to limit distribution to class members only, while making meeting links easier for teachers to manage and for students to find
  • Keep students in a waiting room until the teacher joins, and require uninvited guests to ask to join, to ensure a safer environment for class interaction
  • Have all designated co-teachers as co-hosts by default, so multiple teachers can help keep the class meeting on track and secure

Built-in security

In addition to these newly added moderation and security features, Google Meet runs on one of the world's most advanced security infrastructures for scalability and control. Meet adheres to IETF security standards for Datagram Transport Layer Security (DTLS) and Secure Real-time Transport Protocol (SRTP). In Meet, all data is encrypted in transit by default, whether meeting on a web browser, on the Android and iOS apps, or in meeting rooms with Google meeting room hardware. Meeting IDs are 10 characters long, with 25 characters in the set, making unauthorized access by guessing the ID extremely difficult.

We look forward to sharing more about our work to keep you safer with Google, including details on our new partnership with Khan Academy to develop free, online lessons that will help teach people how to stay safe online.

We remain committed to providing industry-leading privacy and security protections built into Google for Education products, which enable students and teachers to work better together by connecting safely and securely.

Making you safer with 2SV

Today’s cyber criminals don’t discriminate when it comes to who they target online. Everyone from politicians and celebrities to everyday citizens runs the risk of having their personal information stolen.

That’s why Google has made security the cornerstone of our product strategy. We don’t just plug security holes; we work to eliminate entire classes of threats for people who depend on our services. Today alone, billions of people around the world will use our products to help with things big and small – whether it's paying for coffee with Google Pay or teaching an online class full of students – and it’s our responsibility to keep your personal information safe and secure. We know that your Gmail is often the link to accessing your non-Google accounts, for banking, social media, shopping and more. That’s why the security of Gmail is fundamental to our work to keep you safe online.

By making all of our products secure by default, we keep more users safe than anyone else in the world — blocking malware, phishing attempts, spam messages, and cyber attacks.

Last year, we accelerated our journey to eliminating password threats by starting to auto-enroll users in 2-Step Verification (2SV), giving people an extra layer of protection when cyber criminals try to hack into their accounts, by requiring a second form of verification beyond the password. Since last year’s initiative, we’ve successfully auto-enabled 2SV for over 150 million people, and we've also required it for over 2 million of our YouTube creators. As a result of this effort, we have seen a 50% decrease in accounts being compromised among those users.

This decrease speaks volumes to how effective having a second form of verification can be in protecting your data and personal information. And while we’re proud of these initial results, and happy with the response we have received from our users and the community, we’re excited about other ongoing work we’re doing behind the scenes to make our users even safer.

Making sign-in safer and more convenient

Higher security doesn’t have to mean less convenience. We are actively working on technologies that provide a secure, seamless sign-in experience and eliminate reliance on passwords – as passwords are often involved in data breaches and phishing attempts, are hard to remember, and are a pain to constantly update.

As part of this work, we led the adoption of security keys — another form of verification that requires you to simply plug in and tap your key. We know security keys provide the highest degree of sign-in security possible; that’s why we built the capability right into Android phones and our Google Smart Lock app on Apple devices. Today, almost every mobile device around the world automatically supports this technology, likely including the phone in your pocket.

Keeping You Safe Today

Ultimately, we want all of our users to have the best security protections in place — by default — across their devices and accounts. While we automatically protect users from a range of evolving threats, there are just a couple of small things we recommend that users do to be even safer:

  • Take a Security Checkup, our quick step-by-step guide that gives you personalized and actionable recommendations that will instantly strengthen the security of your Google Account. It will also allow you to prepare your account for recovery, which is as simple as adding a phone number and a backup email to your account. Not only does this help us verify it's you if you forget your password, but it also makes it harder for a bad actor to gain access to your account.
  • Turn on 2SV (or we will!), as it makes all the difference in the event your password is compromised. Don’t just take our word for it; many in the private and public sectors are also rallying behind 2SV. In the U.S., the Biden Administration has taken a strong position on multi-factor authentication (MFA), signing an Executive Order requiring government agencies to implement MFA for the protection of government data. We are seeing governments around the world take similar approaches.
  • Utilize Google Password Manager, which is built directly into Chrome, Android and the Google App. Password Manager helps create strong passwords for all your online accounts without the need to remember them, checks if they’ve been involved in a breach and ensures you won’t fall victim to phishing attempts by verifying the authenticity of sign-in pages before logging you in. Even better, it’s convenient. Instead of typing passwords, especially on small mobile keyboards, you can simply press a button after the Password Manager fills in the password for you.

In 2022, we’ll continue our 2SV auto enrollments, make signing in even more seamless, and spread awareness on all of the ways we make every day safer with Google. Visit our Safety Center for more online safety resources.

Keeping you safe online with Google and beyond

Keeping you safer online is at the heart of everything we do. On Safer Internet Day, we’re sharing updates on this work and some significant new partnerships. We’re also announcing our strongest protections to date for high risk users and groups, and new enhanced browsing security for everyone.

Helping you learn how to stay safe online

We’re partnering with Khan Academy, a non-profit educational organization, to develop free, online lessons that will help teach people how to stay safe online. We’ll contribute $5 million so that Khan Academy can create accessible, easy to understand and actionable online safety content for its 18 million monthly users around the globe. Last year alone, searches for “how to stop identity theft" spiked over 110%, so we know people are looking for tips on how to protect themselves online. Our previous work in educating people about online safety has shown us the positive impact this can have. To expand our impact, we’re excited to be partnering with Khan Academy to make internet safety more accessible for everyone.

Keeping your information safe

We provide easy, simple-to-use tools like Security Checkup to give you actionable recommendations on how to strengthen the security of your Google Account. In 2021, people took more than 1.5 billion Security Checkups, and we hope to see that number grow in 2022. In 2021, we enrolled over 150 million people in two-step verification (2SV). As a result of this effort, we have seen a 50% decrease in accounts being compromised.

Today we are announcing:

  • More protection for high risk users: We are the first choice for high risk users like election workers, journalists, and human rights workers. Ahead of the upcoming 2022 U.S. midterm elections, we’re expanding our efforts to protect these high risk users. We’ve teamed up with organizations across the political spectrum to establish the Campaign Security Project, providing organizations with the tools to train candidates and campaign workers on how to stay safe online. Groups include the Veterans Campaign, Collective Future, Women’s Public Leadership Network, LGBTQ Victory Institute, Center for American Ideas, University of San Francisco, Emerge, Latino Victory and more. This will build on our ongoing work with Defending Digital Campaigns, USC Election Cybersecurity Initiative and Cybersecurity for State Leaders.

    Globally, we’re also working with organizations like the International Foundation for Electoral Systems (IFES) to help enhance the security of campaigns and affiliated high risk users. As always, we encourage all high risk users to enroll in our free Advanced Protection Program, which bundles the strongest Google Account security options together, and proactively protects against new and evolving threats.

  • Introducing Account Level Enhanced Safe Browsing: Coming next month, you will be able to opt in to Google’s account-level enhanced safe browsing feature - which provides our broadest security protection against threats you encounter on the web and against your Google Account. Soon you will be able to turn this setting on when you take a Security Checkup or manually in your account settings.

Putting you in control

You should have control over your data. That’s why we build tools like Privacy Checkup that put you in the driver’s seat with helpful reminders of what activity is being saved, which third-party apps have permission to access your data, and the option to adjust your settings accordingly with simple controls.

We’re also introducing new product features, and expanding current ones, to give you more control and keep you safe online:

  • Google Assistant: Building on our launch of Guest Mode, an easy way to control your privacy by saying "Hey Google, turn on Guest Mode," we're expanding this feature in 9 new languages in the coming months for global availability on Smart Displays and speakers, like Nest Hub Max and Nest Audio. While in Guest Mode, these devices won’t save your Assistant activity to your Google Account and won’t show personal results, like your calendar entries or contacts, until you exit the mode. This helps keep your personal information private while others are around your shared device. If you ask Assistant to interact with other apps and services, they might still save that activity or provide personalized results.
  • Google One: When we launched the VPN by Google One for Android, we wanted to give subscribers an extra layer of online protection and a safer connection, no matter what carrier you’re on. To bring protection to even more people, we are rolling out the VPN to iOS devices. Similar to Android, the VPN will be available to Google One members on Premium plans (2 TB and higher) through the Google One app on iOS.

  • Google Fi: If you have a Google Fi phone plan, soon you’ll have the option to start sharing your location with your family members when you’re on the go in real-time right from the Fi app — at no extra cost. Your family members can choose to share their location for a set period of time, until the setting is turned off, or not at all.

Safer Internet Day might come around once a year, but here at Google we want you to stay safe online every day. Visit our Safety Center to learn all the ways we’re making every day safer with Google.

Partnerships to build a safer internet in Asia Pacific

Over the past two years, millions of people throughout Asia-Pacific have started using the internet for the first time, lifting the region’s online population to more than 2.5 billion. This wave of digital adoption has created new opportunities, helping people communicate, find information, and access vital services like health and education. But it’s also reinforced the need for vigilance in the face of a growing range of threats to online safety and privacy. Google Search reflects people’s concerns, with trends showing that searches related to privacy and data breaches grew by more than 20% in 2021, across places as diverse as Australia, Hong Kong, India, Indonesia and Singapore.

This week, as we mark Safer Internet Day on February 8, we’re focused on the ways Google can help protect people in Asia-Pacific as they go about more of their lives and work online.

Our highest priority is to safeguard the Google tools that people use every day. We have hundreds of engineers and other experts, many based in Asia-Pacific, working to make sure that people’s accounts are secure and Google infrastructure is defended against intruders. These teams also develop simple tools — like Security Checkup and Privacy Checkup — which people can use to strengthen their security and privacy settings.

But we recognize that our responsibility for internet safety goes beyond our own tools and technology. Keeping people safe online is a shared challenge, not something that any one organization can do alone. One of the most powerful ways we can help protect people is by equipping them with the skills and knowledge to navigate the internet safely.

In Asia-Pacific, Google is supporting the work of organizations like the Sejiwa Foundation, which is dedicated to helping younger members of the community and their parents make safe decisions online. I was struck by the story of 24-year-old Indah from West Sulawesi, who came across a job vacancy that required her to fill out a form online with personal information. Drawing on the knowledge she’d learned through the Sejiwa Foundation’s "Tangkas Berinternet" program, Nazwa was able to take simple steps to identify that the request was a scam — preventing her from sharing her data and making suspicious purchases on behalf of the scammer.

“Tangkas Berinternet” is the Indonesian version of Be Internet Awesome, an internet safety initiative delivered by Google and our partners around the world, including the Sejiwa Foundation and the Indonesian government. It’s an example of the collaborative approach that’s needed to deepen online safety knowledge in communities that too often miss out on digital education — and we want to enable more partnerships like these.

This year, through Google.org — Google’s philanthropic arm — we’re supporting nonprofit organizations in Asia-Pacific with approximately $5 million in grant funding to raise awareness about security and media literacy and promote positive online habits among underserved communities. This builds on the more than $11 million that Google.org has committed to digital responsibility initiatives over the past five years. Organizations Google.org has supported include Maarif Institute — whose Tular Nalar program with MAFINDO and Love Frankie is helping educators and young people in Indonesia become more media-literate — and Internews in India, whose FactShala initiative with Data Leads is helping people evaluate online information critically.

With the new funding from Google.org, we aim to help nonprofits give more people in every part of the region access to such educational opportunities. Together with the investments we’ll continue making to safeguard our own tools and platforms, we hope these efforts will contribute to global progress towards a safer internet for everyone.

How Google puts you in control of your location data

You may have seen news about lawsuits brought against Google concerning how we handle location data. These suits mischaracterize and inaccurately describe the settings and controls we provide users over location data.

Today, a court in Arizona made a significant legal ruling against the Arizona Attorney General. The AG is somehow claiming this as a big victory but in reality, a judge rejected his central argument. Unfortunately, just before today’s decision, four other state attorneys general rushed to file similar lawsuits making similarly inaccurate and outdated claims.

We wanted to take this opportunity to set the record straight about the location settings we offer, and how you are in control of your location data.

All smartphones use location data — it’s integral to how they work. It’s collected and used by network operators, device makers, apps, websites and operating systems. For our part, location makes Google products work better for you — it’s what helps you navigate around a traffic jam, helps you find your phone when you’ve misplaced it, and lets you find a pizza shop in your neighborhood instead of suggesting one in a different state.

We recognize that you have a lot of decisions to make around the use of location data by various apps and services. That’s why we’ve worked hard over the past few years to build more control and transparency directly into our products to make location easy to understand and simple to manage:

  • Easy-to-use settings: We offer settings like Location History, which creates a timeline of where you have been, saved to your Google Account. You can delete this data or pause saving it at any time. Web & App Activity saves activity like the things you do on Google sites and apps, including associated info like location. Again, you can delete this data or pause saving it at any time.
  • Auto-delete by default: Two years ago, we updated our data retention practices — in addition to turning Location History and Web & App Activity off, you can choose to auto-delete them after a set period of time (3 months, 18 months or 36 months). (For new users, the default is to auto-delete them after 18 months.)
  • Transparency: You can instantly see your settings and manage them right from your favorite Google products — for example, on every search results page, we indicate the location information that was used to deliver results, and enable you to change your settings directly. And if you have Location History enabled, we send monthly and annual emails to remind you about places you’ve visited, along with easy access to your settings.
  • Maps Incognito mode: With Google Maps Incognito mode, the places you search for or navigate to in Google Maps won’t be saved to your Google Account.
  • Advertisers and apps: Location data helps you get relevant offers such as local pizza restaurants but we never sell your location data to advertisers — or to anyone. And from Android 10 onwards, you can choose to share your device’s location with third party apps only while they’re in use — or not at all.

As we design our products, we focus on three important principles: keeping your information safe, treating it responsibly, and putting you in control. We aim to strike a balance between offering granular customization for users who want to pick and choose between options and keeping our controls simple and easy to understand. We will continue to focus on providing simple, easy-to-understand privacy settings to our users, and will not be distracted from this work by meritless lawsuits that mischaracterize our efforts.

How Google protects your privacy and keeps you in control of your ad experience

Whether you’re managing your inbox, browsing the web, or interacting with ads, we know that your privacy is a top priority. That’s why this week, to celebrate Data Privacy Day, we’re highlighting how we keep you safe online – and reminding you of the controls available to you.

First, to keep your private information private, everything we build at Google is secure by default, private by design and keeps you in control. It's how we ensure that every day, you're Safer with Google.

Your Google Account is a one-stop-shop for your key privacy and security settings. You can control what activity gets saved to your account, download your data, or delete your activity at any time. We’ve also created tools like Dashboard and My Activity, which make it easy to view and control information saved in your Google Account.

To start using these controls, we recommend taking your Privacy Checkup, which helps you choose the settings that are right for you. You can also take a Security Checkup to check your Google Account security status and get personalized recommendations to strengthen your account protection. To learn more about our privacy tools and settings, you can visit our Safety Center.

You’re in control of your ad experience

Our commitment to privacy also applies to your ad experience. We follow a set of core principles about the data we use for ads. For example, we never sell your personal information and we don’t use the content you create, store, and share in apps like Drive, Gmail, and Photos for any ads purposes. It’s simply off limits. We also prohibit advertisers from using sensitive interest categories like personal hardships (including health conditions), identity and beliefs, and sexual interests to target ads.

We’ve also built easy-to-use controls for you in Ad Settings to help you tailor your ad experience by reviewing and updating information in your ads profile. You can even turn off ad personalization altogether.

At the same time, we’ve started rolling out new innovations on features like our “About this ad” menu to help you understand why an ad was shown, and which advertiser ran it. You can report an ad if you believe it violates one of our policies, see the ads a specific verified advertiser has run over the past 30 days, or mute ads or advertisers you aren’t interested in.

Finally, we’ve heard that sometimes there are certain ads you might not want to engage with at all. Currently, you can turn off sensitive ads related to alcohol or gambling on YouTube. We’ll continue to expand our sensitive ad categories soon so that you can choose the ad experience that’s right for you.

Giving you a better ad experience in 2022

This year, we’ll focus on strengthening protections for vulnerable groups, leading the industry towards a more privacy safe future, and delivering new ways to put you in control.

We’ve already made progress on delivering a safer experience to kids and teens online by expanding safeguards to prevent age-sensitive ad categories from being shown to teens, and we will block ad targeting based on the age, gender, or interests of people under 18.

We’re also collaborating with our industry to define the future of the privacy-safe internet together. Chrome is leading a collaborative effort to make the web private by default with Privacy Sandbox, which seeks to help transform digital marketing in a way that meets your privacy expectations.

Finally, we’ll continue to work on introducing exciting new ways to put you in control of your experiences with our products.

Making Open Source software safer and more secure

We welcomed the opportunity to participate in the White House Open Source Software Security Summit today, building on our work with the Administration to strengthen America’s collective cybersecurity through critical areas like open source software.

Industries and governments have been making strides to tackle the frequent security issues that plague legacy, proprietary software. The recent log4j open source software vulnerability shows that we need the same attention and commitment to safeguarding open source tools, which are just as critical.

Open source software code is available to the public, free for anyone to use, modify, or inspect. Because it is freely available, open source facilitates collaborative innovation and the development of new technologies to help solve shared problems. That’s why many aspects of critical infrastructure and national security systems incorporate it. But there’s no official resource allocation and few formal requirements or standards for maintaining the security of that critical code. In fact, most of the work to maintain and enhance the security of open source, including fixing known vulnerabilities, is done on an ad hoc, volunteer basis.

For too long, the software community has taken comfort in the belief that open source software is generally secure because of its transparency, and in the assumption that “many eyes” were watching to detect and resolve problems. But in fact, while some projects do have many eyes on them, others have few or none at all.

At Google, we’ve been working to raise awareness of the state of open source security. We’ve invested millions in developing frameworks and new protective tools. We’ve also contributed financial resources to groups and individuals working on securing foundational open source projects like Linux. Just last year, as part of our $10 billion commitment to advancing cybersecurity, we pledged to expand the application of our Supply-chain Levels for Software Artifacts (SLSA or “Salsa”) framework to protect key open source components. That includes $100 million to support independent organizations, like the Open Source Security Foundation (OpenSSF), that manage open source security priorities and help fix vulnerabilities.

But we know more work is needed across the ecosystem to create new models for maintaining and securing open source software. During today’s meeting, we shared a series of proposals for how to do this:

Identifying critical projects

We need a public-private partnership to identify a list of critical open source projects — with criticality determined based on the influence and importance of a project — to help prioritize and allocate resources for the most essential security assessments and improvements.

Longer term, we need new ways of identifying software that might pose a systemic risk — based on how it will be integrated into critical projects — so that we can anticipate the level of security required and provide appropriate resourcing.

Establishing security, maintenance & testing baselines

Growing reliance on open source means that it’s time for industry and government to come together to establish baseline standards for security, maintenance, provenance, and testing — to ensure national infrastructure and other important systems can rely on open source projects. These standards should be developed through a collaborative process, with an emphasis on frequent updates, continuous testing, and verified integrity.

Fortunately, the software community is off to a running start. Organizations like the OpenSSF are already working across industry to create these standards (including supporting efforts like our SLSA framework).

Increasing public and private support

Many leading companies and organizations don’t recognize how many parts of their critical infrastructure depend on open source. That’s why it’s essential that we see more public and private investment in keeping that ecosystem healthy and secure. In the discussion today, we proposed setting up an organization to serve as a marketplace for open source maintenance, matching volunteers from companies with the critical projects that most need support. Google stands ready to contribute resources to this effort.

Given the importance of digital infrastructure in our lives, it’s time to start thinking of it in the same way we do our physical infrastructure. Open source software is a connective tissue for much of the online world — it deserves the same focus and funding we give to our roads and bridges. Today’s meeting at the White House was both a recognition of the challenge and an important first step towards addressing it. We applaud the efforts of the National Security Council, the Office of the National Cyber Director, and DHS CISA in leading a concerted response to cybersecurity challenges and we look forward to continuing to do our part to support that work.