You are here

Did Google Over-React to China Cybersecurity Breach? -- "Security is Google's Achilles Heel" Part VII

It appears Google impetuously over-reacted to the big cyber-security breach of Google and a reported ~30 other companies. Google alone publicly blamed China and only Google publicly pledged to stop censoring search results in China in retaliation.    

What is the evidence that Google impetuously over-reacted here?

First, Forbes reported: "Researchers Call Google Hackers 'Amateurs' -- A new report says the attack on the search giants network was far less sophisticated than it has claimed." Specifically:

  • "A great play is being made about how sophisticated these attacks were," says Damballa's vice president of research Gunter Ollman. "But tracing back the attacks shows that they were not sophisticated, and that the attackers behind them have a history of running multiple botnets with a variety of tools and techniques," many of which, he says, were far more rudimentary than Google or the cybersecurity industry has portrayed."

People incorrectly assume that because of Google's popularity, brand and reputation for innovation, that Google is  secure and cutting edge on cyber-security -- when in reality they are not.

  • The reason I started this "Security is Google's Achilles Heel" series last July, was because security is not a high corporate priority to Google and they are not industry leaders in security -- when they need to be.
  • This independent research from Damballa lends credence and evidence to this conclusion, as does the fact that the other ~30 companies reported to have been attacked did not panic or run to the NSA for help, because they understand it is their own fiduciary responsibility to fund their own cybersecurity and keep their systems secure from common cyber-security attacks -- not the U.S. taxpayers' responsibility.  
  • Just like Google burnishes the Google brand by claiming that privacy is important to Google while serially violating it in its practices and product releases, Google claims that security is also important to Google when it is little more than lip service and necessary PR. 

There is no question that Google has smart people and could be strong on security, if security was a true priority of Google, but unfortunately it is not. Institutionally, security runs counter to Google's engineering approach, mission and competitive goals.

  • Culturally among Google engineers, security is largely an anathema and seen as a drag on innovation, because security involves seeking permission, and Google's engineering motto is "innovation without permission" and its engineers believe that "it is easier to ask for forgiveness than permission."
  • Simply security is inefficient, particularly when a lot of people, information, applications, and features are involved.
    • In Google terms, security does not scale well.
    • Security also represents a more "closed" than open mindset and Google has long sided as an organization with openness and transparency over safety, security and privacy.
  • Google's corporate mission is basically about making the world's information public and free, which is the exact opposite of seeking a secure and protected Internet ecosystem.     
  • Competitively, Google has long made speed its competitive advantage in the marketplace.
    • It even has a grand scheme to "Make the Web Faster." 
    • Google sees security as inefficient in that it makes networks, applications and services slower than without it. 
    • A key reason for Google's competitive success is that they have been more willing than any major entity to arbitrage security and gamble that users want fast and free more than secure and private.
      • And by hardly ever asking if users want secure and private, Google can barrel ahead with its fast and loose approach, which rewards first movers and fast development.
      • Philosophically, Google also believes in open source which means that Google can at least partially shift/outsource the responsibility for security to others.

Second, Google likely over-reacted impetuously to the China security breach because the company is backpedaling from is ultimatum to the Chinese government and from its public pledge to stop censoring search results in China -- that Google announced with much PR fanfare in its January 12th blog post: "A new approach to China."

  • As the ticker that tracks Google's China Censorship shows, Google has continued to censor search results in China for 50 days and counting.  
  • Google just testified on Capitol Hill that "Google hasn't set a deadline for ending its censorship of search results for Internet users in China, a company official said today" -- per Bloomberg.

Third, Google may have impetuously over-reacted because it appears that their tactics with China have largely backfired. 

  • It is clear that the Founders and CEO listened to no one who understood China or the Chinese when they chose their tactics on this issue.
    • By choosing to shame China with public, humiliating, and accusatory tactics, Google has made a deep, permanent, and largely irretrievable enemy of the Chinese Government (and much of the Chinese masses who may not like their Government, but dislike more, anyone that publicy shames or disrespects anything Chinese.)
      • Google may not appreciate or admit it now, but the Chinese Government will find ways to make Google pay for its singular temper tantrum in which it publicly shamed China and made it lose public face the world over.  (Whether it was warranted or not is irrelevant to the Chinese Government.)

Very simply, Google's business in China is dead model walking long term. 

Finally, Google likely overreacted impetuously because in their haste, anger and indignance, they obviously did not think through how Google could self-torpedo itself with over half of their business long term. 

  • Obviously no one with any big picture, non-engineering perspective or common sense was involved in the Google decision to seek out the help of the super-secret American spy agency, the NSA, for cyber-security assistance in protecting Google's network, as reported in the front page Washington Post story by Ellen Nakashima.      
    • With 53% of Google's revenues coming from outside the U.S., did anyone at Google think for even a moment about the long-term implications of what every foreign government (and many of their people) would think about privacy-challenged Google, partnering with America's top spy agency? 
      • If Google were to try and think up what single Google misstep could cause more long term distrust and damage to the core Google brand, it would be signalling to the world that Google was proactively partnering with the NSA/CIA. 
      • Now when anyone has concerns about Google's serial invasions of privacy: reading gmails; taking pictures of homes via Google Earth and Streetview; tracking people's movements and location via Latitude; collecting voiceprint samples and offering translation services in Google Voice; sharing one's address book via Google Buzz; and sharing ones most intimate intentions via search... they have the added concern that it is not being collected for private gain but also potentially for national gain and advantage. 
    • Google just posted the equivalent of a "Don't trust me" sign on their back with their impetuous and seriously ill-advised efforts to proactively partner with the world's top spying entity.
    • And like publicly shaming the Chinese, the damage is now done.
      • Whatever Google says about this going forward, people will understandably wonder is it the truth? Or can Google even talk about the truth on this subject? Or is it just too secret?      

In closing, Google's impetuous over-reaction and naive self-defeating tactics in handling the China cyber-security breach episode, are characteristic of the behavior one would expect from the ten year old that Google is.

By over-reacting impetuously, Google's leadership has:

  • Exposed that security is not a high priority or core competency for Google;  
  • Made a permanent enemy out of the government of the world's largest market long term; and 
  • Done more damage in one fell swoop to the Google brand in partnering with the NSA than almost any other action imaginable.    


Previous parts of the "Why Security is Google's Achilles Heel" Series: 

  • Part I: "Why security is Google's Achilles heel"
  • Part II: "Google values security much less than others do"
  • Part III: "Google: "Security is part of our DNA" (Do Not Ask)
  • Part IV: "Why Security is Google's Achilles Heel"
  • Part V: "Google Apps Security Chief is a magician/mentalist"
  • Part VI: "Google-China: Implications for Cybersecurity"