Billions of people–not to mention a decent portion of the world’s economies–depend upon the Internet in a way that is both amazing and terrifying. We rely on the network in a way that perhaps we have never relied on anything in the course of human history. The Internet is a wonderful resource, but it’s also brittle and vulnerable, and, unlike many of our other vital resources, no one has been tasked with protecting it. Google, however, has decided to shoulder some of that burden on its own.
Google’s position in the Internet community is a complicated one. The company provides a huge number of valuable services, including Gmail, Google Earth, Google Maps, etc., most of them free of charge. But, of course, users pay for those services in other ways, by giving up their personal data and allowing the company to deliver ads to them based on their behavior online and other factors. That business model bothers plenty of people and the company certainly doesn’t have a perfect track record on privacy issues, as its problems with WiFi data retention and other incidents have shown.
On the other hand, Google has spent the last several years making a series of important security improvements to their products that, given the scale at which the company operates, can make a big difference in the security of millions of users’ data. Gmail, for example, now employs SSL as the only connection option for Web connections. The service also delivers warnings to users about potential advanced attacks against their accounts. And the company has now encrypted the links among its data centers worldwide, making life much more difficult for high-level attackers such as the NSA and other intelligence agencies. These are important steps that have made a tangible difference for large portions of the Internet’s population.
Google also has accumulated a major stockpile of in-house security research talent in the last few years, and the company is focusing some of the sharpest minds it has on a new security initiative known as Project Zero. Led by Chris Evans, a longtime Chrome security engineer, the new team is tasked with digging into the critical software that the Internet and its users depend upon and finding new vulnerabilities. They won’t just be banging on Google’s products or its Web properties, either; that’s already being done by others. The Project Zero researchers will also be looking at third-party vendors’ software, trying to find dangerous vulnerabilities that could be exploited by state-sponsored attackers, intelligence agencies and other major predators. The researchers will be reporting the bugs to the affected vendors and helping them get patches to their users, and all of this will be done in the open, with public updates.
Google’s security team has taken many of the NSA surveillance revelations quite personally, as well they might. The company’s users are a constant target for not just run-of-the-mill attackers, but also for those at the top of the food chain, and that makes life several times more difficult for the people trying to defend those users. The Project Zero initiative can be seen as a response to the events of not just the last 18 months, but also to the broader issue of Internet-wide bugs and attacks.
“You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications. Yet in sophisticated attacks, we see the use of ‘zero-day’ vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. This needs to stop. We think more can be done to tackle this problem,” Evans wrote in a post announcing the new project.
“Project Zero is our contribution, to start the ball rolling. Our objective is to significantly reduce the number of people harmed by targeted attacks. We’re hiring the best practically-minded security researchers and contributing 100% of their time toward improving security across the Internet.”
Four years ago, I wrote that Google owns the Internet and that position carries with it an inherent responsibility to protect not just the company’s users, but the network itself. We now know that the NSA actually owns the Internet, but that only makes efforts such as Project Zero all the more important. Most major software and Internet companies focus their security resources on weeding out vulnerabilities in their own products, and that’s all to the good, especially for large companies such as Microsoft or Apple.
But the Internet is a shared global resource and it –and its users–need protection. Project Zero, with Google’s estimable financial and mental resources at its back, is an important step toward making that a reality.