2013-05-29

Every system has a most vulnerable point, an Achilles heel. The overwhelming evidence below indicates that Google is America’s cybersecurity Achilles heel.

While America faces a plethora of serious cybersecurity vulnerabilities, Google’s unique scale, scope, tracking, and centralization puts Google alone at the pinnacle of America’s cybersecurity vulnerabilities, in a class all by itself.

Simply, hackers understand Google is by far the world’s single most-comprehensive source of intimate surveillance information on people and their behaviors, while also being the major entity that is least-committed culturally to protecting people’s security, privacy, and property.

People are well known to be the weakest link in any security scheme. Google effectively exacerbates that natural people-are-weakest-link in security by making people massively more vulnerable to bad actors given its exceptional surveillance of people’s behaviors combined with its cultural indifference for cybersecurity.

Think of a global “one-stop shop” for hackers seeking the info and behavioral weaknesses of most people, that also happens to be the least vigilant entity against “shoplifting” – and that’s Google.

I.     Summary of why Google is America’s cybersecurity Achilles heel.

Google’s ecosystem has already been near totally compromised by hackers.

Quantitatively, Google is the biggest hacker target by far because it controls the world’s largest Internet ecosystem of people and information.

Qualitatively, Google is the biggest hacker target by virtue of Google’s comprehensive and intimate profiles on well over a billion people.

By design Google is indirectly the biggest hacker target in the world by virtue of its unique mission to "organize the world's information and make it universally accessible and useful."

Security is not a high priority to Google; it is subordinate to speed, scale and first mover advantage.

Google does not believe security is Google’s responsibility, and as a result it is most prone to malware.

Google is culturally and philosophically averse to strong cybersecurity.

Thus it should be of no surprise that it was Google that led the successful lobbying for Google and other commercial and consumer information technologies to be exempt from the President’s 2013 Executive Order on cybersecurity.

II.   The evidence Google is America’s cybersecurity Achilles heel.

1.     Google’s ecosystem has already been near totally compromised by hackers.

Recently, per the front page article of the Washington Post we learned that the cyber intrusion of Google by Chinese hackers in 2010 was much more extensive and serious than previously reported. We learned the hackers compromised a “sensitive database with years’ worth of information about U.S. surveillance targets.” And shockingly, we learned that “the hackers had been rooting around inside Google’s servers for at least a year.”

This is on top of what the NYT reported previously that the Chinese hackers stole “one of Google’s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company’s web services, including email and business applications.”

These huge security breaches are on top of Google’s admission that the Chinese hackers hacked Google’s search algorithm and reports that Chinese hackers hacked into senior U.S. Government and military personnel’s Gmail accounts, including the account of at least one U.S. Cabinet official.

If cyber-intruders had the run of Google’s data centers for over a year and we know they broke into three of their most sensitive computer programs, what else did they steal and how many backdoors did they discover, or create, so they could return at will in the future?

And even more ominously, what private information on U.S. government officials, military and intelligence personnel, and Government contractors (and the people in their circles of trust) did the Chinese hackers steal that then may have made it easier to spoof sensitive cyber-security personnel in other entities to get them to unwittingly download hacker malware, which in turn made it easier to gain entry into all the other companies and government agencies that have been hacked by Chinese hackers?

The incredible systematic success of the Chinese hackers’ cyber-theft against such a wide swath of the government and commercial interests which have very different cyber-security defenses, suggests at least the possibility, that they somehow found a near universal hacker method or source to gain intelligence on sensitive security personnel. Remember people are well known to be the weakest link in any security system. If that indeed is how the Chinese hackers were so systematically successful, Google is one of the most likely sources of that universal hacker-enabling sensitive information.

At core, there can be little confidence that Google’s universal system, and its exceptional trove of sensitive information on most people, is secure.

2.   Quantitatively, Google is the biggest hacker target by far because it controls the world’s largest Internet ecosystem of people and information.

Google uniquely can track over 90% of Internet users over 90% of the sites they visit given Google-DoubleClick’s ad serving and analytics capability. It has over a billion monthly search users and monthly YouTube viewers. It has three of the fastest growing user bases in the world: Android with 900m mobile OS users; 750m Chrome browser users, and ~600m Google+ Social users. It has 425m Gmail users which enable Google to scan emails of all Gmail exchanges with other email services. It has a world leading 400m bloggers. It owns the world’s most used map and location services with 70% mobile device share, the #1 map service that is offered on 1.2m websites. And it owns and tracks the world’s #1 news aggregation service -- Google News. And that is far from an exhaustive list of Google’s near ubiquitous tracking tentacles.

No other entity in the world has either the scale or scope of Internet users or user behavioral data that Google controls. Google is a category of one.

3.   Qualitatively, Google is the biggest hacker target by virtue of Google’s comprehensive and intimate profiles on well over a billion people.

Given Google’s newly unified privacy policy with no opt-out, Google is able to create arguably the most extensive and intimate digital dossiers ever, on most everyone online. More than any other entity by far, Google has the most ways: to know people’s most intimate intentions and interests via search; to identify and locate people wherever; to know people’s associations and how they are associated; and to know what kinds of information they are interested in.

Simply, Google has organized potentially the most comprehensively blackmail-able private profiles and digital dossiers on more people than has ever existed. The East German Stasi could never have imagined this level of surveillance efficiency on most everyone.

Big problems with this situation are that: users cannot opt-out of Google’s profile/dossier enabling privacy policy integration; and no one has any right or ability to see what Google’s uber-digital-dossier says about them or to ask for it to be corrected or eliminated.

This means Google has made everyone much more vulnerable to the potential harm of security breaches, while at the same time none of these uber-profiled people have any means to protect themselves from this heightened privacy/security risk that Google has created for them without their knowledge, input or permission.

In a nutshell, Google can be assumed to have intimate behavioral information on the lion’s share of Internet users. It does not matter if they actively use Google services or not, because Google can secretly track non-Google users through syndicated partnerships with most all of the world’s websites with significant traffic via outsourced Google Search, Maps, Android, Chrome, and/or Analytics.

4.   By design Google is indirectly the biggest hacker target in the world by virtue of its unique mission to "organize the world's information and make it universally accessible and useful."

Google’s unique mission and ambition has effectively created the world’s largest and only central bank of public and private information. When bank robber Willie Sutton was asked why he robbed banks, he infamously replied: "It’s where the money is." If one could ask why hackers hack Google, they would reply: “it’s where the most data is.”

5.   Security is not a high priority to Google; it is subordinate to speed, scale and first mover advantage.

Google's #3 corporate priority is "fast is better than slow;" thus speed is one of Google's key competitive differentiators. Google's #2 design principle is "every millisecond counts"... "Nothing is more important than people's time." Unfortunately, if Google actually bothered to ask users what their top priority was, most would say safety and security. Without a foundation of trust, what good is speed?

Google has a whole initiative "to make the web faster." Google ties its dominant search ranking to the load speed of websites in order to force others to make speed their websites’ top priority. Google Fiber is all about pushing everyone to offer Gigabit speeds even though there are no applications for that amount of speed. Google Glass is all about speeding up one’s interaction with the cloud. Google is even pushing compression standards to make the web faster with Web P to make picture image files 30% smaller and video files 50% smaller with its new VP9 WebM Video Codec.

Google’s Chief Technology Advocate explained the reason that Google has not required two-factor security authorization -- a key security adjustment to make hacking into a system much more difficult -- is that Google fears losing customers.

Is Google’s speed uber-alles compatible with security, safety and privacy protection? Almost every aspect of security involves some inefficiency or slowing down to create security checkpoints, verifications, authorizations, permissions, patrols, gates, locks, sweeps, spot-checks, etc. Do we consider the fastest of just about anything to be safe or the safest? Google believes nothing is more important than people's time. By definition, security is thus a subordinate or tertiary concern to Google's business, leadership and engineers.

How Google stores and accesses "the world's information" in and from its data centers is: "'Bigtable:' a Distributed Storage System for Structured Data." It is Google's innovation to maximize scalability, speed and cost efficiency -- not security, privacy, or accountability.

Simply, Bigtable is an "all eggs in one basket" approach to information storage and access. It is the single largest database of information the world has ever known. To enable maximum speed and scalability, BigTable has a “Titanic” security design flaw; it is not compartmented.

The "Titanic" security flaw in Bigtable's fundamental design is that it is not compartmented to minimize security losses in a data breach. Like the Titanic ship that sunk fast because it did not have compartments to partially contain the breach of rapidly incoming water, Google's Bigtable design, where Google stores the world's information in basically one virtual receptacle without compartments, means that when Google's system was breached by the Chinese hackers, the hackers could theoretically have gone most anywhere within Bigtable.

Combine security being a low organizational priority at Google, with Google’s all-eggs-in-one-basket approach to collecting and accessing all information most quickly and efficiently, and one gets a uniquely vulnerable cybersecurity target.

6.   Google does not believe security is Google’s responsibility, and as a result it is most prone to malware.

If one reads Google’s approach to security, it is clear that Google’s approach is not to prevent security problems, but to react to them when they are informed by others that there is a security problem, after the damage already may be done to a user’s data, device or identity.

Google’s crowd-sourcing approach to security, and Google not requiring any curation or security approval of apps uploaded to Google Play, has made Google, especially Android, the leading magnet in the world for viruses, malware and hackers.

For example, consider just some of the recent evidence of the rampant security weaknesses of Google’s dominant Android mobile operating system.

“A hacker used Android to remotely attack and hijack an airplane” reported ComputerWorld.

An Android security flaw allowed the bypass of a major Google security sign-in flaw for 7 months, reported Tech News Daily.

Google Play was found to share user names and emails with developers without users’ permission, reported The Los Angeles Times.

An F-Secure study found that Android accounted for 96% of mobile malware attacks in 4Q12, reported Mac Daily News.

Fragmentation leaves Android phones vulnerable to hackers and smishing consumer fraud, reported The Washington Post.

Android app verification service misses 85% of side-loaded malware per NCSU study, reported ZDNet.

7.   Google is culturally and philosophically averse to strong cybersecurity.

Google is the single biggest force pushing for openness on the Internet. Google has a corporate philosophy that information and content should be shared. Google's mission is to make all the world's information accessible -- showing that Google feels deeply about breaking down any barriers to bringing information to people (even if it means bending/breaking the law... see: Google indexing all Wikileaks information;  Google’s Non-Prosecution Agreement for proactively marketing Illegal prescription drug imports; Viacom vs Google; and the Google BookSettlement).

Google’s push for “openness” is in direct tension with the need for some cyber-security “closedness.” Security is one of the biggest weaknesses of openness. Open sharing, an open door, open window, an open interface, can invite and attract bad actors because it naturally facilitates cyber- intrusions.

Google’s business model of free content is driven by maximally collecting private information to enhance targeted advertising. Both sides of Google’s business model devalue the need or importance of security, because Google believes content should be freely shared and that people should freely share their private information. Google appreciates that cybersecurity is in profound tension with its “free” model and business interests.

Google’s leadership also fosters a unique Google culture of unaccountability; see it in their words – here.

“People don’t want to be managed” Google CEO Larry Page in Stephen Levy’s book In the Plex, 4-11.

"Google is melding a positive office culture with minimal accountability controls." The company's goal is "to think big and inspire a culture of yes" said Google Chairman Eric Schmidt before the Economic Club in Washington, per Washington Internet Daily 6-10-08.

"We try not to have too many controls." "People will do things that they think are in the interests of the company. We want them to understand the values of the firm, and interpret them for themselves." Nikesh Aurora, Head of Google European Operations, to the FT, 9-21-07.

8.   Thus it should be of no surprise that it was Google that led the successful lobbying for Google and other commercial and consumer information technologies to be exempt from the President’s 2013 Executive Order on cybersecurity.

Given that the President’s cybersecurity executive order is primarily a response to mass hacking from China, and that Google was so near totally hacked by Chinese hackers, it is exceptionally incongruous and disturbing for Google to have led the lobbying effort to get an exemption from cybersecurity requirements that applied to most all other critical infrastructures.

Google’s leadership to ensure that Google does not have the same cybersecurity responsibilities that other critical infrastructure owners have is powerful evidence of the low relative value Google puts on the importance of cybersecurity.

III.     Conclusion

The evidence shows Google is America’s cybersecurity Achilles heel, or at a minimum, among the top candidates for this dubious distinction.

Simply, Google tracks, collects, stores and makes vulnerable more sensitive information on more people that could jeopardize America’s cybersecurity than any other entity.

Too make matters worse, Google’s philosophy, infrastructure design, business model, and culture are all hostile to taking the types of actions, and adopting the necessary practices, to protect others, America and Americans from cybersecurity threats.

At bottom, Google’s near universality combined with its cavalier approach to cybersecurity makes most everyone else less secure and more vulnerable to bad actors and bad acts. That is why Google is America’s cybersecurity Achilles heel.

***

Previous parts of the "Security is Google's Achilles Heel" Research Series:

Part 1:   Why security is Google's Achilles heel"

Part 2:   Google values security much less than others do"

Part 3:   Google: "Security is part of our DNA" (Do Not Ask)

Part 4:   Why Security is Google's Achilles Heel"

Part 5:   Google Apps Security Chief is a magician/mentalist"

Part 6:   Google-China: Implications for Cybersecurity"

Part 7:    Did Google Over-React to China Cybersecurity Breach?"

Part 8:    Google's Titanic Security Flaws"

Part 9:    A Google Android Botnet Problem"

Part 10:  Google's Deep Aversion to Permission"

Part 11:  Top Ten Reasons Google Has Culpability in the Gmail Data Breach"

Part 12:  Google’s Culture of Unaccountability in its Own Words

Part 13:  Google’s Privacy Rap Sheet: Fact-Checking Google’s Claim it Works Hard to get Privacy Right

For even more information, see the Security section of PrecursorBlog's sister site: www.GoogleMonitor.com; or read the "Security is Google's Achilles Heel” chapter of my Book: Search & Destroy Why You Can't Trust Google Inc. at www.SearchAndDestroyBook.com.

DoubleClick

Google

YouTube

Antitrust

Cybersecurity

DOJ

FTC

Internet Security

Online Privacy

Online Safety

Open Internet

Open Source

Show more