Public Policy Blog
Updates on technology policy issues
The Impacts of Data Localization on Cybersecurity
Friday, February 13, 2015
Earlier this week, Leviathan Security released their latest piece of research, called the Value of Cloud Security. This research takes a close look at cloud infrastructure security and how it's impacted by forced data localization. Google commissioned the study and discussed the results with Leviathan, but Leviathan alone is responsible for the analysis and conclusions.
When companies take advantage of cloud services, they get more secure systems as a result. Many countries, however, have proposed laws requiring that companies keep the data of that country’s users within national borders. This idea, known as “data localization,” purports to keep citizen users safer and out of the hands of spying governments and hackers. The report found that forced data localization actually undermines many of the benefits that come from cloud services:
Cloud services provide much better resiliency and redundancy than local services in the face of disasters of all sizes, from small transformer explosions that affect 30,000 users up to superstorms the size of Typhoon Haiyan that can interrupt entire countries. If data has to stay in one place by law, that redundancy is lost.
Security expertise is in short supply and tends to congregate in large organizations, and sharing what expertise there is benefits everyone. For example, there are currently over a million unfilled security positions open worldwide, and all of the GCHQ-led cybersecurity programs together will graduate just 66 PhDs per year starting in 2017. Small companies that are forced to host their own data will find it hard to compete to hire qualified security engineers.
If policymakers are thinking about the perceived benefits of data localization, they should carefully examine this study and take into account the cybersecurity of their country’s enterprises. You can check out the full studies on Leviathan’s blog.
Iranian phishing on the rise as elections approach
Wednesday, June 12, 2013
Posted by Eric Grosse, VP Security Engineering
Cross-posted from the Google Online Security Blog
For almost three weeks, we have detected and disrupted multiple email-based phishing campaigns aimed at compromising the accounts owned by tens of thousands of Iranian users. These campaigns, which originate from within Iran, represent a significant jump in the overall volume of phishing activity in the region. The timing and targeting of the campaigns suggest that the attacks are politically motivated in connection with the Iranian presidential election on Friday.
Our Chrome browser previously helped detect what appears to be the same group using SSL certificates to conduct attacks that targeted users within Iran. In this case, the phishing technique we detected is more routine: users receive an email containing a link to a web page that purports to provide a way to perform account maintenance. If the user clicks the link, they see a fake Google sign-in page that will steal their username and password.
Protecting our users’ accounts is one of our top priorities, so we notify targets of state-sponsored attacks and other suspicious activity, and we take other appropriate actions to limit the impact of these attacks on our users. Especially if you are in Iran, we encourage you to take extra steps to protect your account. Watching out for phishing, using a modern browser like Chrome and enabling 2-step verification can make you significantly more secure against these and many other types of attacks. Also, before typing your Google password, always verify that the URL in the address bar of your browser begins with https://accounts.google.com/. If the website's address does not match this text, please don’t enter your Google password.
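The address-bar check described above can also be done in code, for example in a mail filter or a link-scanning tool. The following is an added example, not code from the original post or from Google; the function names and the `.example` sample URLs are constructed for illustration. It compares the parsed origin instead of a string prefix and shows why the trailing slash in the advice matters.

```python
from urllib.parse import urlsplit

# The one origin the post tells users to look for.
EXPECTED_SCHEME = "https"
EXPECTED_HOST = "accounts.google.com"


def is_google_signin_url(url: str) -> bool:
    """True only if the parsed origin is https://accounts.google.com."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != EXPECTED_SCHEME:
        return False
    # Text before an "@" is userinfo, not the host, so refuse it outright.
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    # A trailing dot is the same host written as a fully qualified name.
    host = (parts.hostname or "").rstrip(".")
    return host == EXPECTED_HOST


def naive_prefix_check(url: str, prefix: str) -> bool:
    """Plain string comparison, shown only to contrast with the parsed check."""
    return url.startswith(prefix)


# Constructed sample URLs (the .example names are placeholders).
SAMPLES = [
    "https://accounts.google.com/ServiceLogin",
    "https://accounts.google.com.login.example/ServiceLogin",
    "https://accounts.google.com@login.example/ServiceLogin",
    "http://accounts.google.com/ServiceLogin",
    "https://accounts-google.example/ServiceLogin",
]


def compare(samples):
    """Return (url, parsed_ok, prefix_with_slash, prefix_without_slash) rows."""
    rows = []
    for url in samples:
        rows.append((
            url,
            is_google_signin_url(url),
            naive_prefix_check(url, "https://accounts.google.com/"),
            naive_prefix_check(url, "https://accounts.google.com"),
        ))
    return rows


if __name__ == "__main__":
    for url, parsed, with_slash, without_slash in compare(SAMPLES):
        print(f"{parsed!s:5} {with_slash!s:5} {without_slash!s:5} {url}")
```

The prefix with the trailing slash agrees with the parsed check on every sample, because the slash ends the host part of the URL; dropping it accepts the second and third samples, whose real host is not accounts.google.com.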
Safe Browsing—protecting web users for five years and counting
Tuesday, June 19, 2012
Posted by Niels Provos, Security Team
In this post, we've collected some highlights from the past five years of our Safe Browsing efforts, aimed at keeping people safe online. See the Security Blog for the full details and more visuals. -Ed.
Five years ago, we launched Safe Browsing, an initiative designed to keep people safe from malicious content online. Our primary goal was to safeguard Google's search results against malware (software capable of taking control of your computer) and phishing (fraudulent websites that entice users to give up their personal information). We also wanted to help educate webmasters on how to protect their own sites.
Malware and phishing are still big problems online, but our Safe Browsing team has labored continuously to adapt to the rising challenges of new threats. We've also developed an infrastructure that automatically detects harmful content around the globe.
Here’s a look at the highlights from our efforts over the past five years:
We protect 600 million users through built-in protection for Chrome, Firefox and Safari, where we show several million security warnings every day to Internet users. When we detect malware or phishing, we trigger a red warning screen that discourages clicking through to the website. Our free and public Safe Browsing API allows other organizations to keep their users safe by using the data we’ve compiled.
We find about 9,500 new malicious websites every day and show warnings to protect users. These are either innocent websites that have been compromised by malware authors, or others that are built specifically for malware distribution or phishing. Our detection techniques are highly accurate—we have had only a handful of false positives.
Approximately 12-14 million Google Search queries per day warn users about current malware threats, and we provide malware warnings for about 300 thousand downloads per day through our download protection service for Chrome.
We send thousands of notifications daily to webmasters. When webmasters sign up for Webmaster Tools, we give them the option to receive warning notices if we find something malicious on their site.
Malware and phishing aren’t completely solvable problems because threats continue to evolve, but our technologies and processes do, too.
Phishing and malware trends
Online commerce sites are still favorite phishing targets because phishers are motivated by money. Some tried-and-true phishing methods are still used, but attacks are also getting more creative and sophisticated. Attacks are faster, with phishers sometimes remaining online for less than an hour to try to avoid detection. They’re also more geographically dispersed and are getting more targeted.
Malware authors often compromise legitimate sites to deliver content from a malicious attack site or to redirect to an attack site. These attack sites will often deliver "drive-by downloads" to visitors, which launch and run malware programs on their computers without their knowledge. To try to avoid detection, these attack sites adopt several techniques, such as rapidly changing their Internet location with free web hosting services and auto-generated domain names. Although less common than drive-by downloads, we’re also seeing more malware authors bypassing software vulnerabilities altogether and instead employing methods to try to trick users into installing malicious software—for example, fake anti-virus software.
How you can help prevent malware and phishing
Our system is designed to protect users at high volumes, but people still need to take steps to keep their computers safe. Ignoring a malware problem is never a good idea—if one of our warnings pops up, you should never click through to the suspicious site. Webmasters can help protect their visitors by signing up for malware warnings at Google Webmaster Tools. These warnings are free and will help us inform them if we find suspicious code on their sites. Finally, everyone can help make our system better. You can opt in to send additional data to our team that helps us expand the coverage of Safe Browsing.
Looking forward
Some of our recent work to counter new forms of abuse includes:
Instantaneous phishing detection and download protection within the Chrome browser
Chrome extension malware scanning
Android application protection
It’s a good feeling to know that we’re making the web more secure and directly protecting people from harm—whether they’re our users or not. We continue to invest heavily in the Safe Browsing team so we can defend against current and future security threats.
(Cross-posted on the Official Google Blog)
National Cyber Security Awareness Month 2011: Our Shared Responsibility
Friday, October 7, 2011
Posted by Eric Davis, Public Policy Manager, Security
(Cross-posted from the Official Google Blog)
On the Internet, as with the offline world, the choices we make often have an impact on others. The links we share and the sites we visit can affect our security and sometimes introduce risk for people we know. Given how quickly our collective use of technology is evolving, it’s useful to periodically remind ourselves of practices that can help us achieve a more secure and enjoyable online experience.
This month, Google once again joins the National Cyber Security Alliance (NCSA), government agencies, corporations, schools and non-profit organizations in recognizing National Cyber Security Awareness Month. It’s a time for us to offer education that increases online security for everyone.
It’s fitting that the theme of this year’s Cyber Security Awareness Month is “Our Shared Responsibility.” With ever-increasing ways to access the web and share information, we need to focus on keeping our activities secure. In that spirit, and to help kick off Cyber Security Awareness Month, we’re introducing a new Google Security Center. The Security Center is full of practical tips and information to help people stay safe online, from choosing a secure password to using 2-step verification and avoiding phishing sites and malware.
We also continue to develop products and services that help people protect their information online. Examples that have stood out so far this year include the Chromebook, 2-step verification in 40 languages, and Chrome browser warnings for malicious downloads and out-of-date plugins, among others. We develop free products and tools such as DOM Snitch, a Chrome extension that helps developers identify insecure code.
We recognize the importance of security education and are committed to helping make your online experience both exciting and safe to use. We all have a responsibility to take steps to protect ourselves and together develop a culture of security. We encourage everyone to Stop. Think. Connect.
Thoughts on the Commerce Department’s new cybersecurity paper
Wednesday, June 8, 2011
Posted by Harry Wingo, Senior Policy Counsel
The Internet has brought considerable social and economic benefit to the world, but today faces a broad range of security challenges. It’s important that governments and industry continue to work together to meet those challenges.
That’s why we’re encouraged by the paper released today by the Department of Commerce, “Cybersecurity, Innovation, and the Internet Economy.” The report emphasizes the need for a new designation for businesses that are important to our lives and the economy, yet fall outside the realm of critical infrastructure (for example, providers of online services and content, cloud computing firms, and social networks). It also challenges those businesses to come up with best practices for sharing information about online threats. These proposals could help improve the security of the Internet while preserving the rapid innovation that has characterized its growth and success.
We’ve long supported the Department of Commerce’s efforts in this space, including submitting comments to the notice of inquiry that led to the drafting of this paper, and we hope all stakeholders continue to participate in this process.
Next steps in cyber security awareness
Monday, November 2, 2009
Posted by Eric Davis, Head of Anti-Malvertising
Last week I joined several industry experts to speak at a cyber security panel on Capitol Hill organized by Congresswoman Yvette Clarke and sponsored by the Committee on Homeland Security. The conversation focused on things everyday Internet users can do to help protect their computers and stay safe online. Given that we just wrapped up our observation of National Cyber Security Awareness Month, I thought I'd share some of the key recommendations from the panel:
What are the most important things we all need to do to protect our computers and mobile devices?
You should have the same expectations when using the Internet as you would when exploring a city: you don't give your credit card to the person selling watches on the street just because you recognize the brand, you don't let your kids wander around by themselves and you don't give personal information unless you know who's getting it. If an offer is "urgent" or seems too good to be true, take a step back and research the offer. Add a password to your mobile phone, and browse cautiously on open WiFi networks as you would when using a computer.
What are the most common misconceptions about cyber security?
Many dangerous websites are not designed to be dangerous. In fact, most of the sites that serve malware (malicious software) are innocent sites that have been compromised in one way or another. Your computer isn't necessarily safe just because you're avoiding sites that contain adult content or pirated software. Use reputable anti-virus and anti-spyware programs, and keep your computer operating system and applications updated with the latest software versions.
How do I know if my computer or network has been compromised?
First, disconnect it from the Internet. Take note of any slowness, and if you're not sure how to proceed, get someone with technical expertise to check your network logs for high traffic appearing during times when you're not using the computer. When in doubt, contact a computer support expert.
As President Obama recently stated, cyber security is a shared responsibility. At Google, we recognize how important awareness and education are because many online security threats can only be avoided if we work together.
We spent the month of October exploring cyber security and talking about how to use Google products in a more secure manner. If you haven't seen them already, take a look at the posts we've released over the last month:
Kick-off and YouTube Cyber Security Awareness Channel
Choosing smart passwords
How the website malware review process works
Blogging security tips
New malware snippets feature for webmasters
Protecting users and ads from malware
Best practices for verifying and cleaning up a malware-infected site
Gmail account security tips
Online commerce security
Updating your web browser
Taking charge of document sharing with Google Docs
Web browser security and Google Chrome security messages
Be sure to share the tips you find most helpful with others, and remember to stay safe online.
Celebrating National Cyber Security Awareness Month 2009
Thursday, October 1, 2009
Posted by Eric Davis, Head of Anti-Malvertising
(Cross-posted from the Official Google Blog.)
Internet security and online safety are topics that leave many people scratching their heads. While many companies and organizations work to make the Internet a safer place, it can be difficult to know what to do as an Internet user beyond creating numerous passwords for your various online accounts and steering clear of that email from a "long lost relative" who wants you to immediately wire thousands of dollars to him. Here's the good news: even though security can become quite technical and complicated, there are simple steps you can take that can make a big difference in helping to keep your information safe.
This month, Google joins the National Cyber Security Alliance (NCSA), governmental agencies, corporations, schools and non-profit organizations in recognizing National Cyber Security Awareness Month. Throughout October, we'll be raising awareness of important Internet security and safety issues that will teach you how to be an informed web user. Keep an eye on our various product blogs, as we'll be sharing tips that are tailored to users of Google products and services. To kick off the series, visit our newly created Google Cyber Security Awareness Channel on YouTube to watch a variety of online safety videos created by individuals and groups with an interest in cyber security.
The web is a great platform for all kinds of things — finding information, interacting with others and even running your business. Practicing good cyber security habits can help keep it that way. Join us this month by brushing up on your cyber security awareness and sharing the tips you like with others.
Recapping last week's Google D.C. Talk on cybersecurity
Thursday, July 2, 2009
Posted by Harry Wingo, Policy Counsel
To help spark ideas and stimulate discussion following the release of the President's cyberspace policy review, last Friday we teamed up with the Center for a New American Security to bring together a panel of experts representing government, military, and industry for a Google D.C. Talk, "Developing a National Cybersecurity Strategy."
Included in the President's action plan is the goal of developing a "strategy to expand and train the workforce, including attracting and retaining cybersecurity expertise in the Federal government" -- a key point we discussed during Friday's event. Philip Reitinger of the Department of Homeland Security noted that we need to expand the talent pool, which will likely require getting young people excited about the possibilities of working in IT.
I'm convinced that there should be a long-term focus on educating and cultivating future computer scientists (including putting cybersecurity in the curriculum at every step). Students are introduced to foreign languages as early as grammar school -- why not also introduce them to the basics of code?
Beyond K-12, we should expand programs like the National Science Foundation's Scholarship For Service, which provides support to undergraduate and graduate students focusing on information assurance. Thoughtful investments in programs that support computer science education today will help us to build a strong pipeline for the next generation of cybersecurity professionals.
The panel also discussed the Cybersecurity Act of 2009, which some had argued would give the President the authority to shut down the Internet. Ellen Doneski, Chief of Staff for the Senate Commerce Committee, addressed these concerns head-on and explained that the language in the bill will be rewritten with input from stakeholders.
Check out video from the event to see what our panelists had to say:
White House completes cyberspace policy review
Friday, May 29, 2009
Posted by Harry Wingo, Policy Counsel
As the world becomes more and more connected, a cyberattack on any nation's critical infrastructure -- its telecommunications system, electrical grid, and banking network -- could pose as serious a threat to its security as an attack carried out by a bomber or conventional forces.
With that in mind, today the Obama Administration announced the creation of a cybersecurity director and released the findings of its 60-day cyberspace policy review, offering recommendations on steps the United States government, working with the private sector, should take to guard critical networks from harmful attacks.
Strong partnerships and open lines of communication between government and the private sector will be the key to protecting critical networks. As the report explains, the "public and private sectors' interests are intertwined" when it comes to cybersecurity. Government agencies are in a unique position to help companies identify attackers' targets and methods of operation, while companies can share expertise and best practices for guarding private networks and protecting the privacy of user data.
We support the Administration's goal to make the Internet safer and more secure, and we look forward to continuing our work with policymakers, software developers, security experts, and our users to help do just that.