by Ellen Nakashima
February 4, 2010
from
WashingtonPost Website
The world's largest Internet search company and
the world's most powerful electronic surveillance organization are teaming
up in the name of cybersecurity.
Under an agreement that is still being finalized, the National Security
Agency would help Google analyze a major corporate espionage attack that the
firm said originated in China and targeted its computer networks, according
to cybersecurity experts familiar with the matter. The objective is to
better defend Google - and its users - from future attack.
Google and the NSA declined to comment on the partnership.
But sources with
knowledge of the arrangement, speaking on the condition of anonymity, said
the alliance is being designed to allow the two organizations to share
critical information without violating Google's policies or laws that
protect the privacy of Americans' online communications.
The sources said
the deal does not mean the NSA will be viewing users' searches or e-mail
accounts or that Google will be sharing proprietary data.
The partnership strikes at the core of one of the most sensitive issues for
the government and private industry in the evolving world of cybersecurity:
how to balance privacy and national security interests.
On Tuesday, Director
of National Intelligence
Dennis C. Blair called the Google attacks, which
the company acknowledged in January, a "wake-up call."
Cyberspace cannot be
protected, he said, without a,
"collaborative effort that incorporates both
the U.S. private sector and our international partners."
But achieving collaboration is not easy, in part because private companies
do not trust the government to keep their secrets and in part because of
concerns that collaboration can lead to continuous government monitoring of
private communications.
Privacy advocates, concerned about a repeat of the NSA's warrantless interception of Americans' phone calls and e-mails after
the Sept. 11, 2001, terrorist attacks, say information-sharing must be
limited and closely overseen.
"The critical question is: At what level will the American public be
comfortable with Google sharing information with NSA?" said Ellen McCarthy,
president of the Intelligence and National Security Alliance, an
organization of current and former intelligence and national security
officials that seeks ways to foster greater sharing of information between
government and industry.
On Jan. 12, Google took the rare step of announcing publicly that its
systems had been hacked in a series of intrusions beginning in December.
The intrusions, industry experts said, targeted Google source code - the
programming language underlying Google applications - and extended to more
than 30 other large tech, defense, energy, financial and media companies.
The Gmail accounts of human rights activists in Europe, China and the United
States were also compromised.
So significant was the attack that Google threatened to shutter its business
operation in China if the government did not agree to let the firm operate
an uncensored search engine there. That issue is still unresolved.
Google approached the NSA shortly after the attacks, sources said, but the
deal is taking weeks to hammer out, reflecting the sensitivity of the
partnership. Any agreement would mark the first time that Google has entered
a formal information-sharing relationship with the NSA, sources said. In
2008, the firm stated that it had not cooperated with the NSA in its
Terrorist Surveillance Program.
Sources familiar with the new initiative said the focus is not figuring out
who was behind the recent cyberattacks - doing so is a nearly impossible
task after the fact - but building a better defense of Google's networks,
or what its technicians call "information assurance."
One senior defense official, while not confirming or denying any agreement
the NSA might have with any firm, said:
"If a company came to the table and
asked for help, I would ask them... 'What do you know about what
transpired in your system? What deficiencies do you think they took
advantage of? Tell me a little bit about what it was they did.'"
Sources
said the NSA is reaching out to other government agencies that play key
roles in the U.S. effort to defend cyberspace and might be able to help in
the Google investigation.
These agencies include the FBI and the Department of Homeland Security.
Over the past decade, other Silicon Valley companies have quietly turned to
the NSA for guidance in protecting their networks.
"As a general matter," NSA spokeswoman Judi Emmel said, "as part of its
information-assurance mission, NSA works with a broad range of commercial
partners and research associates to ensure the availability of secure
tailored solutions for Department of Defense and national security systems
customers."
Despite such precedent, Matthew Aid, an expert on the NSA, said Google's
global reach makes it unique.
"When you rise to the level of Google... you're looking at a company that
has taken great pride in its independence," said Aid, author of "The Secret
Sentry," a history of the NSA.
"I'm a little uncomfortable with Google
cooperating this closely with the nation's largest intelligence agency, even
if it's strictly for defensive purposes."
The pact would be aimed at allowing the NSA help Google understand whether
it is putting in place the right defenses by evaluating vulnerabilities in
hardware and software and to calibrate how sophisticated the adversary is.
The agency's expertise is based in part on its analysis of
cyber-"signatures" that have been documented in previous attacks and can be
used to block future intrusions.
The NSA would also be able to help the firm understand what methods are
being used to penetrate its system, the sources said. Google, for its part,
may share information on the types of malicious code seen in the attacks - without disclosing proprietary data about what was taken, which would
concern shareholders, sources said.
Greg Nojeim, senior counsel for the Center for Democracy & Technology, a
privacy advocacy group, said,
'companies have statutory authority to share
information with the government to protect their rights and property.'