Google Asks NSA to Help Secure Its Network
- February 4, 2010 |
- | Edit
Google is teaming up with the National Security Agency to investigate the recent hack attack against its network in a bid to prevent another assault, according to The Washington Post.
The internet search giant is working on an agreement with the controversial agency to determine the attacker’s methods and what Google can do to shore up its network.
Sources assured the Post that the deal does not mean the NSA will have access to users’ searches or e-mail communications and accounts. Nor will Google share proprietary data with the agency.
But the move is raising concerns among privacy and civil rights advocates.
The Electronic Privacy Information Center filed a Freedom of Information Act request on Thursday, shortly after the agreement was made public, seeking more information about the arrangement (.pdf).
Executive Director Marc Rotenberg believes the agreement covers much more than the Google hack and that the search giant and intelligence agency were in talks prior to Google discovering that it had been hacked.
“What they’ve told you is that this is about an investigation of a hack involving China,” he told Threat Level in a phone interview. “I think and have good reason to believe that there’s a lot more going on.”
Google declined to comment.
“At the time [of the hack announcement], we said we are working with the relevant US authorities, but we don’t have any comment beyond that,” wrote spokesman Jay Nancarrow in an e-mail.
The FOIA request also seeks NSA communications with Google regarding Google’s failure to encrypt Gmail and cloud computing services. Rotenberg says EPIC wants to know what role the NSA has played in shaping privacy and security standards for Google’s services.
EPIC also filed a lawsuit against the NSA and the National Security Council, seeking a key document governing the government’s broader national cybersecurity policy, which has been shrouded in secrecy.
“We can’t afford to have secret cybersecurity policy that impacts the privacy rights of millions of internet users,” he said.
Google announced earlier this month that it had been the target of a “highly sophisticated” and coordinated hack attack, since dubbed Operation Aurora, against its network and other companies in the defense, technology and finance industries. Google said the hackers had stolen intellectual property — presumed to be its source code — and sought access to the Gmail accounts of human rights activists. The attack originated from China, the company said.
Computer security firm iDefense has said that 34 companies were targeted by the attackers, who were primarily after source code.
A recent report has provided details into the nature of the persistent espionage attack that mirrored attacks on thousands of companies over the last few years, which have largely gone unpublicized.
The agreement between Google and the NSA, still being finalized, would allow Google to share critical information with the NSA about the attacks and its network — such as the malicious code that was used and its network configurations — without violating Google’s policies or laws that protect the privacy of users’ communications, the sources say.
The NSA’s general counsel began drafting the cooperative research and development agreement the day that Google announced it had been hacked, according to The Wall Street Journal. The agreement was finalized within 24 hours, but the information sharing at that time was limited, and only allowed the NSA to examine some of the data related to the hack. Most of the data that was shared concerned the nature of the data that was stolen, the paper said. Both the FBI and NSA worked directly with Google on the investigation.
The agreement between Google and the NSA would reportedly be the first time Google entered into such a formal information-sharing relationship — apart from its general cooperation with subpoenas and national security letters.
Matthew Aid, NSA historian and author of The Secret Sentry, said the move troubled him.
“I’m a little uncomfortable with Google cooperating this closely with the nation’s largest intelligence agency, even if it’s strictly for defensive purposes,” he told the Post.
The NSA has been embroiled since 2005 in allegations that the agency violated federal laws in conducting illegal surveillance of Americans’ phone and internet communications. Giving the agency authority over coordination of the government’s cybersecurity plan — which would include working with telecoms and other critical companies in the private sector — could put the agency in the position of surreptitiously monitoring communications.
Last year Director of National Intelligence Admiral Dennis Blair raised a ruckus when he told the House intelligence committee that the NSA, rather than the Department of Homeland Security which currently oversees cybersecurity for the government, should be in charge of securing cyberspace for government and critical infrastructures.
“The National Security Agency has the greatest repository of cybertalent,” Blair said. “[T]here are some wizards out there at Fort Meade who can do stuff.”
NSA Director Lt. Gen. Keith Alexander later balked at claims that his agency wanted to control the government’s cybersecurity plan and said it wanted to partner with DHS and others in securing networks. Speaking at the RSA Security Conference in San Francisco, he told the audience of security professionals that the NSA does “not want to run cybersecurity for the United States government.”
This week Blair, commenting on the Google hack, said cyberspace could not be secured without a “collaborative effort that incorporates both the U.S. private sector and our international partners.”
“As part of its information-assurance mission,” NSA spokeswoman Judi Emmel told the Post, “NSA works with a broad range of commercial partners and research associates to ensure the availability of secure tailored solutions for Department of Defense and national security systems customers.”