Friday, February 5, 2010

NSA Deal: Kill Google?/Google to enlist NSA to help it ward off cyberattacks

 

‘Don’t Be Evil,’ Meet ‘Spy on Everyone’: How the NSA Deal Could Kill Google


The company once known for its “don’t be evil” motto is now in bed with the spy agency known for the mass surveillance of American citizens.

 The National Security Agency is widely understood to have the government’s biggest and smartest collection of geeks — the guys that are more skilled at network warfare than just about anyone on the planet. So, in a sense, it’s only natural that Google would turn to the NSA after the company was hit by an ultrasophisticated hack attack. After all, the military has basically done the same thing, putting the NSA in charge of its new “Cyber Command.” The Department of Homeland Security is leaning heavily on the NSA to secure .gov networks.

But there’s a problem. The NSA and its predecessors also have a long history of spying on huge numbers of people, both at home and abroad. During the Cold War, the agency worked with companies like Western Union to intercept and read millions of telegrams. During the war on terror years, the NSA teamed up with the telecommunications companies to eavesdrop on customers’ phone calls and internet traffic right from the telcos’ switching stations. And even after the agency pledged to clean up its act — and was given wide new latitude to spy on whom they liked – the NSA was still caught “overcollecting” on U.S. citizens. According to The New York Times, the agency even “tried to wiretap a member of Congress without a warrant.”

All of which makes the NSA a particularly untrustworthy partner for a company that is almost wholly reliant on its customers’ trust and goodwill. We all know that Google automatically reads our Gmail and scans our Google Calendars and dives into our Google searches, all in an attempt to put the most relevant ads in front of us. But we’ve tolerated the automated intrusions, because Google’s products are so good, and we believed that the company was sincere in its “don’t be evil” mantra.

That’s a lot harder to swallow, when Google starts working cheek-to-jowl with the overcollectors. The company pinkie-swears that its agreement with the NSA won’t violate the company’s privacy policies or compromise user data. Those promises are a little hard to believe, given the NSA’s track record of getting private enterprises to cooperate, and Google’s willingness to take this first step.

Google may need help in fighting off these hacks. But turning to Ft. Meade could wind up permanently damaging the company’s image — and the foundation of its incredible success. Already, the Russian press are talking about Google’s decision to spy with NSA, for instance. Hackers might be able to compromise some of Google’s services, for a little while. The association with the NSA could permanently cripple the company. The telegram companies and the old-school telcos were virtually monopolies; customers had nowhere to turn, if they wanted private communications. Bing and Yahoo Mail are just a click away.

Photo: Joe Raedie/Getty Images

Read More http://www.wired.com/dangerroom/2010/02/from-dont-be-evil-to-spy-on-everyone#ixzz0efe650UV

Wired.com © 2009 Condé Nast Digital. All rights reserved.

http://www.washingtonpost.com/wp-dyn/content/article/2010/02/03/AR2010020304057_pf.html

 

Google to enlist NSA to help it ward off cyberattacks

By Ellen Nakashima
Thursday, February 4, 2010; A01

The world's largest Internet search company and the world's most powerful electronic surveillance organization are teaming up in the name of cybersecurity.

Under an agreement that is still being finalized, the National Security Agency would help Google analyze a major corporate espionage attack that the firm said originated in China and targeted its computer networks, according to cybersecurity experts familiar with the matter. The objective is to better defend Google -- and its users -- from future attack.

Google and the NSA declined to comment on the partnership. But sources with knowledge of the arrangement, speaking on the condition of anonymity, said the alliance is being designed to allow the two organizations to share critical information without violating Google's policies or laws that protect the privacy of Americans' online communications. The sources said the deal does not mean the NSA will be viewing users' searches or e-mail accounts or that Google will be sharing proprietary data.

The partnership strikes at the core of one of the most sensitive issues for the government and private industry in the evolving world of cybersecurity: how to balance privacy and national security interests. On Tuesday, Director of National Intelligence Dennis C. Blair called the Google attacks, which the company acknowledged in January, a "wake-up call." Cyberspace cannot be protected, he said, without a "collaborative effort that incorporates both the U.S. private sector and our international partners."

But achieving collaboration is not easy, in part because private companies do not trust the government to keep their secrets and in part because of concerns that collaboration can lead to continuous government monitoring of private communications. Privacy advocates, concerned about a repeat of the NSA's warrantless interception of Americans' phone calls and e-mails after the Sept. 11, 2001, terrorist attacks, say information-sharing must be limited and closely overseen.

"The critical question is: At what level will the American public be comfortable with Google sharing information with NSA?" said Ellen McCarthy, president of the Intelligence and National Security Alliance, an organization of current and former intelligence and national security officials that seeks ways to foster greater sharing of information between government and industry.

On Jan. 12, Google took the rare step of announcing publicly that its systems had been hacked in a series of intrusions beginning in December.

The intrusions, industry experts said, targeted Google source code -- the programming language underlying Google applications -- and extended to more than 30 other large tech, defense, energy, financial and media companies. The Gmail accounts of human rights activists in Europe, China and the United States were also compromised.

So significant was the attack that Google threatened to shutter its business operation in China if the government did not agree to let the firm operate an uncensored search engine there. That issue is still unresolved.

Google approached the NSA shortly after the attacks, sources said, but the deal is taking weeks to hammer out, reflecting the sensitivity of the partnership. Any agreement would mark the first time that Google has entered a formal information-sharing relationship with the NSA, sources said. In 2008, the firm stated that it had not cooperated with the NSA in its Terrorist Surveillance Program.

Sources familiar with the new initiative said the focus is not figuring out who was behind the recent cyberattacks -- doing so is a nearly impossible task after the fact -- but building a better defense of Google's networks, or what its technicians call "information assurance."

One senior defense official, while not confirming or denying any agreement the NSA might have with any firm, said: "If a company came to the table and asked for help, I would ask them . . . 'What do you know about what transpired in your system? What deficiencies do you think they took advantage of? Tell me a little bit about what it was they did.' " Sources said the NSA is reaching out to other government agencies that play key roles in the U.S. effort to defend cyberspace and might be able to help in the Google investigation.

These agencies include the FBI and the Department of Homeland Security.

Over the past decade, other Silicon Valley companies have quietly turned to the NSA for guidance in protecting their networks.

"As a general matter," NSA spokeswoman Judi Emmel said, "as part of its information-assurance mission, NSA works with a broad range of commercial partners and research associates to ensure the availability of secure tailored solutions for Department of Defense and national security systems customers."

Despite such precedent, Matthew Aid, an expert on the NSA, said Google's global reach makes it unique.

"When you rise to the level of Google . . . you're looking at a company that has taken great pride in its independence," said Aid, author of "The Secret Sentry," a history of the NSA. "I'm a little uncomfortable with Google cooperating this closely with the nation's largest intelligence agency, even if it's strictly for defensive purposes."

The pact would be aimed at allowing the NSA to help Google understand whether it is putting in place the right defenses by evaluating vulnerabilities in hardware and software and to calibrate how sophisticated the adversary is. The agency's expertise is based in part on its analysis of cyber-"signatures" that have been documented in previous attacks and can be used to block future intrusions.

The NSA would also be able to help the firm understand what methods are being used to penetrate its system, the sources said. Google, for its part, may share information on the types of malicious code seen in the attacks -- without disclosing proprietary data about what was taken, which would concern shareholders, sources said.

Greg Nojeim, senior counsel for the Center for Democracy & Technology, a privacy advocacy group, said companies have statutory authority to share information with the government to protect their rights and property.

© Copyright 1996- 2010 The Washington Post Company
