Google’s security groups are well known and well respected. They have pushed back against governments such as North Korea, China and Russia. And recently they stopped an expert hacking group using 11 vulnerabilities.
Turns out that was also a Western government set of operatives doing counter terrorism. The zero day vulnerabilities, found over nine months, used infected websites to deliver malware. MIT Technology Review has the full story for more.
While we’re on the breach front, the Biden administration is planning an executive order to require many software vendors to notify their federal government customers when the companies have a breach, per Reuters. The order also includes rules such as a software bill of materials, and require multi-factor authentication and encryption of data inside federal agencies. This requirement would override NDAs.
Why do we care?
Here’s where ethics and tech collide. Is counter terrorism something to be outside public disclosure, or is this private industry entirely acting? If it’s under democratic oversight within a lawfully elected government, is it different?
The Biden administration has called for some established norms and practices, and we in industry should be enthusiastically supporting that. This tension between supporting government activities – in hacking – but also having to be independent global organizations needs rules of the road.
My bias is that transparency will win. To get there, we have to agree and disarm together, and that’s where government can help.