Risk
9/10/2013
11:52 AM
50%
50%

NSA Fallout: Google Speeds Data Encryption Plans

Google's initiative to encrypt data in its internal data centers will slow -- but not prevent -- sophisticated government hackers from surreptitiously monitoring traffic.

In the wake of leaked documents offering new details about the National Security Agency's surveillance capabilities, Google has accelerated plans to encrypt all traffic flowing between its data centers.

The move isn't aimed at resisting government-ordered requests for information about Google's users, or data that Google stores, with which the company must legally comply. Rather, the initiative is aimed at making it more difficult for government intelligence agencies -- or anyone else -- to surreptitiously eavesdrop on data handled by Google.

"It's an arms race," Eric Grosse, VP for security engineering at Google, told The Washington Post. "We see these government agencies as among the most skilled players in this game."

[ How much do you know about Bullrun, the NSA's decryption program? Read NSA Crypto Revelations: 7 Issues To Watch. ]

According to information security experts, Britain, China, Israel and Russia run highly sophisticated government hacking programs, the Post reported. But theoretically, anyone from foreign governments to criminal syndicates might take an interest in the data being handled by a company such as Google.

Sean Sullivan, security advisor at F-Secure Labs, said via email that Google's encryption plan makes good security sense, given all the different types of information that the company stores. "I think it's a very good idea, considering its Google Docs business," he said.

A Google spokesman, reached by email, declined to comment on the press reports, or on whether the encryption initiative had an internal working name.

Google reportedly began planning to encrypt all traffic between its data centers last year. But the company decided to accelerate the plan in June, after NSA whistle-blower Edward Snowden released details on the NSA's Prism program, which appeared to use APIs installed on servers at Google, Facebook and Microsoft, among other technology giants, that allowed the intelligence agency to intercept and store metadata relating to communications and phone calls.

In the wake of the latest NSA revelations -- specifically, that the agency had worked to build back doors into unnamed commercial products and weaken unnamed encryption systems -- that surfaced Friday, Google has gone public with its end-to-end data center encryption plan. No doubt, that's an attempt by the company to improve its image, after leaked Prism documents detailed a secret U.S. surveillance program that targeted large quantities of data stored by Google. Cloud businesses have said that they stand to lose up to $40 billion as a result of the NSA's monitoring.

Google's Grosse also emphasized that the company has never purposefully weakened its encryption to allow for easier snooping. "This is a just a point of personal honor," Grosse said. "It will not happen here."

To be clear, Google's data center encryption effort wouldn't stop foreign governments or anyone else with the requisite hacking power to intercept and decrypt the traffic flowing between Google's data centers. But as the latest leaked NSA documents have shown, cracking -- or routing around -- strong encryption is a resource-intensive endeavor. Accordingly, Google will be making it difficult for anyone to surreptitiously intercept and retrieve vast quantities of data in one go.

Google's unveiling of its data center traffic encryption initiative comes as Google and Facebook have continued to petition the U.S. Foreign Intelligence Surveillance Court. The latest salvo fired by the technology companies, which want to be allowed to release more details about how they must comply with government-ordered requests for sharing data or accessing systems, came Monday in the form of an amended petition.

"This petition mirrors the requests made to Congress and the President by our industry and civil liberties groups in a letter earlier this year," wrote Richard Salgado, Google's director of law enforcement and information security, and Pablo Chavez, Google's director of public policy and government affairs, Monday in a related blog post. "Namely, that Google be allowed to publish detailed statistics about the types (if any) of national security requests we receive under the Foreign Intelligence Surveillance Act, including Section 702. Given the important public policy issues at stake, we have also asked the court to hold its hearing in open rather than behind closed doors. It's time for more transparency."

Facebook's general counsel, Colin Stretch, said in a blog post Monday that after details of Prism became public, the White House allowed businesses such as Facebook to detail the number of government requests for user data with which they'd been legally required to comply. "It allowed us to make clear that a vanishingly small number of people who use Facebook -- a tiny fraction of 1% -- were the subject of any kind of U.S. government request in the past year," Stretch said.

But since then, any moves toward greater transparency have stalled. "As a result, today we are joining others in the industry in petitioning the Foreign Intelligence Surveillance Court to require the government to permit companies to disclose more information about the volume and types of national security-related orders they receive," Stretch said.

On that front, Google's Salgado and Chavez said they also planned to meet with the President's Group on Intelligence and Communications Technologies on Tuesday. "We'll reiterate the same message there: that the levels of secrecy that have built up around national security requests undermine the basic freedoms that are at the heart of a democratic society."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AustinIT
50%
50%
AustinIT,
User Rank: Apprentice
9/11/2013 | 6:15:19 PM
re: NSA Fallout: Google Speeds Data Encryption Plans
Looks like it's back to building Private Data Centers and Private Clouds with strong encryption for data that is both on the move and at rest.
FrankS309
50%
50%
FrankS309,
User Rank: Apprentice
9/11/2013 | 4:46:36 PM
re: NSA Fallout: Google Speeds Data Encryption Plans
I think any self respecting company will be searching for new way to transmit valuable info that isn't subject to NSA access which can be available to any smart NSA employee who could be coerced or bribed for access to anyone's info. Any company proving it is not involved can make mucho pesos
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
9/11/2013 | 1:31:36 AM
re: NSA Fallout: Google Speeds Data Encryption Plans
It's vital for the business community to come across as trustworthy or cloud computing will lose clients with anything serious to protect.
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
9/10/2013 | 9:21:18 PM
re: NSA Fallout: Google Speeds Data Encryption Plans
Interesting development: NIST today defended its process for creating encryption standards -- "NIST would not deliberately weaken a cryptographic standard" -- but said it's reopening the public comment period for publications involving specific cryptographic standards.
NomanS662
50%
50%
NomanS662,
User Rank: Apprentice
9/10/2013 | 5:12:20 PM
re: NSA Fallout: Google Speeds Data Encryption Plans
What's the point of encryption if they're just going to give the keys to the NSA. Most of the NSA snooping was not as a result of mathematical cracking but rather they simply asked for the keys and collaborated with companies to put in backdoors.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7178
Published: 2014-11-28
Enalean Tuleap before 7.5.99.6 allows remote attackers to execute arbitrary commands via the User-Agent header, which is provided to the passthru PHP function.

CVE-2014-7850
Published: 2014-11-28
Cross-site scripting (XSS) vulnerability in the Web UI in FreeIPA 4.x before 4.1.2 allows remote attackers to inject arbitrary web script or HTML via vectors related to breadcrumb navigation.

CVE-2014-8423
Published: 2014-11-28
Unspecified vulnerability in the management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to execute arbitrary commands via unknown vectors.

CVE-2014-8424
Published: 2014-11-28
ARRIS VAP2500 before FW08.41 does not properly validate passwords, which allows remote attackers to bypass authentication.

CVE-2014-8425
Published: 2014-11-28
The management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to obtain credentials by reading the configuration files.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?