Report: Google in talks with NSA to team up on defense partnership

"The world's largest Internet search company and the world's most powerful electronic surveillance organization are teaming up in the name of cybersecurity," reads the opening line from this Washington Post report. The National Security Agency is reported to be finalizing an agreement with Google to analyze the recent and much-publicized hack attack Google says originated in China, targeting its networks. The point of the partnership is to help defend Google and Google users from future breaches. Snip:

Google and the NSA declined to comment on the partnership. But sources with knowledge of the arrangement, speaking on the condition of anonymity, said the alliance is being designed to allow the two organizations to share critical information without violating Google's policies or laws that protect the privacy of Americans' online communications. The sources said the deal does not mean the NSA will be viewing users' searches or e-mail accounts or that Google will be sharing proprietary data.

The partnership strikes at the core of one of the most sensitive issues for the government and private industry in the evolving world of cybersecurity: how to balance privacy and national security interests. On Tuesday, Director of National Intelligence Dennis C. Blair called the Google attacks, which the company acknowledged in January, a "wake-up call." Cyberspace cannot be protected, he said, without a "collaborative effort that incorporates both the U.S. private sector and our international partners."

Washington Post: Google to enlist NSA to help it ward off cyberattacks (via Danger Room)

More around the web: CNET, Reuters, Wall Street Journal, Firedoglake.

  1. I think the crowd who have long claimed Google was funded by US intelligence agencies in the first place, are going to be walking around with a smug little grin today.

  2. If I didn’t know that U.S. intelligence agencies were too incompetent to fake the Chinese attack on Google, then I would think they had done it to provoke exactly this sort of reaction. If Google is worried about what they might catch from sleeping with the Chinese government they had better double up on the condoms if they plan to get in bed with the NSA.

  3. From the post: “The sources said the deal does not mean the NSA will be viewing users’ searches or e-mail accounts or that Google will be sharing proprietary data.”

    So why are you (commenters, at least) freaking out about this?

    1. Because the NSA isn’t exactly a beacon of honesty. And how will we ever know what they’re really looking at?

    2. Talia’s right, we shouldn’t be freaking out about this article. We should be freaking out because the NSA does that anyway and would never tell us about it (as that would breach national security somehow).

  4. No one is evil in his own story. “Don’t DO evil” is much stronger.

    And we all knew this was coming, right?

    1. If it weren’t for the fact that Google approached the NSA and not the other way around (assuming it’s true), I would have to wonder if the attacks against Google were staged specifically as a pretext to form this partnership. /tinfoil hatter

  5. Reading that someone believes the NSA to be “the world’s most powerful electronic surveillance organization” is going to have me chuckling all day.

  6. Read the article, people. This is not about Google helping the NSA catch terrorists / spy on you. This is about the NSA helping Google catch hackers.

    “Under an agreement that is still being finalized, the National Security Agency would help Google analyze a major corporate espionage attack that the firm said originated in China and targeted its computer networks, according to cybersecurity experts familiar with the matter. The objective is to better defend Google — and its users — from future attack.”

  7. This makes perfect sense. We often think of NSA as the U.S. government agency responsible for eavesdropping; which it is. But it’s actually more than that. It’s also the primary U.S. government agency responsible for cybersecurity, and protecting the U.S. information infrastructure against foreign cyberattacks. So it’s only natural that Google and NSA would want to cooperate to investigate Chinese cyberattacks against Google.

  8. Remember that the NSA is not just a communications interception organisation, it is also partly responsible for US communications security (especially wrt government comms).

    That is why it was involved in the development of the AES encryption standard that most of us use every day without realising it.

    Also, in pretty much any circumstances, techies/math geeks from the NSA are the smartest people in the room. If you want to secure your systems, they are the people you want to help you.

    1. “Remember that the NSA is not just a communications interception organisation, it is also partly responsible for US communications security (especially wrt government comms).

      That is why it was involved in the development of the AES encryption standard that most of us use every day without realising it.”

      And that dual mission (and the ensuing conflict of interest) are why the NSA has repeatedly argued in the past for encryption standards that are JUST adequate for the average threat profile, without being strong enough that they can’t break it themselves. One example (There are many, many other examples. Remember the clipper chip?) is the DES encryption algorithm: the NSA pushed for a weaker implementation with reduced key length. The NSA did improve the implementation with stronger S-boxes that made differential cryptanalysis more difficult (which was not public knowledge at the time) but they pushed for reduction of the key length from 128 bits to 48 bits. Eventually the NSA settled for the 56 bits with 8 bits of parity that we know today due to complaints from the original developers.

      It is also common policy within the US government to classify private sector and academic security research and development that is believed to be too strong should it get into the public’s hands. The RSA algorithm is one of the most famous examples of technology that slipped through and created a huge ruckus (IIRC, I read this in The Code Book by Simon Singh). Rivest, Shamir and Adleman wrote the algorithm itself in one night, but spent about a week writing the patent application in such a way that it would have a chance of slipping through the NSA’s scrutiny (as the NSA has the ability to classify any patented or copyrighted work that falls under any of their fields of interest). When the patent was applied for, the algorithm was specifically described as an algorithm for financial transactions. This caused it to be waved through instead of being reviewed by the NSA as a potential national security issue. In fact, while many of the publication and export restrictions have now been lifted, it is still required to go through an approval process with the Bureau of Industry and Security, which forwards all applications to the NSA for their approval before any computer security or encryption technology can be released to the public.

      In summary, the NSA has both an offensive mission (gathering intelligence about potential threats) and a defensive mission (developing or guiding development of security technologies to protect against those threats). Those two things just can’t coexist peacefully, and historically the offensive mission has been given priority.

  9. Honestly what makes me shudder is the thought of places like Google being hacked. The idea of an internet 9/11 isn’t so far fetched.

  10. NSA scratches Google’s back and Google returns the favor.

    @1 The state inevitably moving toward tyranny is always a good bet, but it doesn’t put a grin on my face.

  11. >This is not about Google helping the NSA catch terrorists / spy on you. This is about the NSA helping Google catch hackers.

    The cry of every authoritarian state everywhere – you have nothing to fear unless you are a terrorist.

    A company that we trust to be private has no business dealing with an organization whose job is to undermine it.

    Google may not be evil but it is dancing with the devil.

    1. “The cry of every authoritarian state everywhere – you have nothing to fear unless you are a terrorist.”

      How does the saying go? The 8 scariest words you can ever hear are “I’m from the government. I’m here to help.”

  12. Can’t shake the devil’s hand and say you’re only kidding.

    My question is: what’s our alternative to unplugging from Google? Their technology is quite useful, so what simple, user-friendly open-source options are there for those of us who want to live off the Google grid but aren’t tech geeks?

  13. @Anon 19:
    >”A company that we trust to be private has no business dealing with an organization whose job is to undermine it.”
    Sure it does. No one cries foul when Walmart hands over security tapes to police investigating shoplifting, do they? As I read it that’s exactly what is happening here.

    @Anon 20:
    For some things, Google is your best bet for open-source software off the Google grid. Build your own Chromium. In practice, though, if “they” were after you they’d go through the telcos anyway.

  14. This is just the NSA paying Google for access to the newly-uncensored Google results. The spooks want to see what the…Chinese…are curious about, what they search for when they can finally get unhindered results.

  15. “…allow the two organizations to share critical information without violating Google’s policies or laws that protect the privacy of Americans’ online communications…”

    Uhmm… and what about online communications of non-Americans?
    Just asking.

  16. http://www.theregister.co.uk/2010/01/14/cyber_assault_followup/

    Quoted from article, “Hackers who breached the defenses of Google, Adobe Systems and at least 32 other companies used a potent vulnerability in all versions of Internet Explorer to carry out at least some of the attacks, researchers from McAfee said Thursday. The previously unknown flaw in the IE browser was probably just one of the vectors used in the attacks, McAfee CTO George Kurtz wrote in a blog post. Using a sophisticated spear-phishing campaign, the perpetrators included malicious links exploiting the bug in emails and instant messages sent to employees from at least three of the targeted companies. Contrary to previous speculation, there was no evidence vulnerabilities in Adobe’s Reader or Acrobat applications were used in any of the attacks, Kurtz said. In its own statement, Adobe concurred, saying researchers “have not been able to obtain any evidence to indicate that Adobe Reader or other Adobe technologies were used as the attack vector in this incident.” Kurtz said his findings were based on malware samples taken from “three to five” of the targeted companies and he stressed that other zero days or exploits could have been used against other victims.”

    Most likely Adobe Flash…
