Risk
9/10/2013
11:52 AM
Connect Directly
RSS
E-Mail
50%
50%

NSA Fallout: Google Speeds Data Encryption Plans

Google's initiative to encrypt data in its internal data centers will slow -- but not prevent -- sophisticated government hackers from surreptitiously monitoring traffic.

In the wake of leaked documents offering new details about the National Security Agency's surveillance capabilities, Google has accelerated plans to encrypt all traffic flowing between its data centers.

The move isn't aimed at resisting government-ordered requests for information about Google's users, or data that Google stores, with which the company must legally comply. Rather, the initiative is aimed at making it more difficult for government intelligence agencies -- or anyone else -- to surreptitiously eavesdrop on data handled by Google.

"It's an arms race," Eric Grosse, VP for security engineering at Google, told The Washington Post. "We see these government agencies as among the most skilled players in this game."

[ How much do you know about Bullrun, the NSA's decryption program? Read NSA Crypto Revelations: 7 Issues To Watch. ]

According to information security experts, Britain, China, Israel and Russia run highly sophisticated government hacking programs, the Post reported. But theoretically, anyone from foreign governments to criminal syndicates might take an interest in the data being handled by a company such as Google.

Sean Sullivan, security advisor at F-Secure Labs, said via email that Google's encryption plan makes good security sense, given all the different types of information that the company stores. "I think it's a very good idea, considering its Google Docs business," he said.

A Google spokesman, reached by email, declined to comment on the press reports, or on whether the encryption initiative had an internal working name.

Google reportedly began planning to encrypt all traffic between its data centers last year. But the company decided to accelerate the plan in June, after NSA whistle-blower Edward Snowden released details on the NSA's Prism program, which appeared to use APIs installed on servers at Google, Facebook and Microsoft, among other technology giants, that allowed the intelligence agency to intercept and store metadata relating to communications and phone calls.

In the wake of the latest NSA revelations -- specifically, that the agency had worked to build back doors into unnamed commercial products and weaken unnamed encryption systems -- that surfaced Friday, Google has gone public with its end-to-end data center encryption plan. No doubt, that's an attempt by the company to improve its image, after leaked Prism documents detailed a secret U.S. surveillance program that targeted large quantities of data stored by Google. Cloud businesses have said that they stand to lose up to $40 billion as a result of the NSA's monitoring.

Google's Grosse also emphasized that the company has never purposefully weakened its encryption to allow for easier snooping. "This is a just a point of personal honor," Grosse said. "It will not happen here."

To be clear, Google's data center encryption effort wouldn't stop foreign governments or anyone else with the requisite hacking power to intercept and decrypt the traffic flowing between Google's data centers. But as the latest leaked NSA documents have shown, cracking -- or routing around -- strong encryption is a resource-intensive endeavor. Accordingly, Google will be making it difficult for anyone to surreptitiously intercept and retrieve vast quantities of data in one go.

Google's unveiling of its data center traffic encryption initiative comes as Google and Facebook have continued to petition the U.S. Foreign Intelligence Surveillance Court. The latest salvo fired by the technology companies, which want to be allowed to release more details about how they must comply with government-ordered requests for sharing data or accessing systems, came Monday in the form of an amended petition.

"This petition mirrors the requests made to Congress and the President by our industry and civil liberties groups in a letter earlier this year," wrote Richard Salgado, Google's director of law enforcement and information security, and Pablo Chavez, Google's director of public policy and government affairs, Monday in a related blog post. "Namely, that Google be allowed to publish detailed statistics about the types (if any) of national security requests we receive under the Foreign Intelligence Surveillance Act, including Section 702. Given the important public policy issues at stake, we have also asked the court to hold its hearing in open rather than behind closed doors. It's time for more transparency."

Facebook's general counsel, Colin Stretch, said in a blog post Monday that after details of Prism became public, the White House allowed businesses such as Facebook to detail the number of government requests for user data with which they'd been legally required to comply. "It allowed us to make clear that a vanishingly small number of people who use Facebook -- a tiny fraction of 1% -- were the subject of any kind of U.S. government request in the past year," Stretch said.

But since then, any moves toward greater transparency have stalled. "As a result, today we are joining others in the industry in petitioning the Foreign Intelligence Surveillance Court to require the government to permit companies to disclose more information about the volume and types of national security-related orders they receive," Stretch said.

On that front, Google's Salgado and Chavez said they also planned to meet with the President's Group on Intelligence and Communications Technologies on Tuesday. "We'll reiterate the same message there: that the levels of secrecy that have built up around national security requests undermine the basic freedoms that are at the heart of a democratic society."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AustinIT
50%
50%
AustinIT,
User Rank: Apprentice
9/11/2013 | 6:15:19 PM
re: NSA Fallout: Google Speeds Data Encryption Plans
Looks like it's back to building Private Data Centers and Private Clouds with strong encryption for data that is both on the move and at rest.
FrankS309
50%
50%
FrankS309,
User Rank: Apprentice
9/11/2013 | 4:46:36 PM
re: NSA Fallout: Google Speeds Data Encryption Plans
I think any self respecting company will be searching for new way to transmit valuable info that isn't subject to NSA access which can be available to any smart NSA employee who could be coerced or bribed for access to anyone's info. Any company proving it is not involved can make mucho pesos
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
9/11/2013 | 1:31:36 AM
re: NSA Fallout: Google Speeds Data Encryption Plans
It's vital for the business community to come across as trustworthy or cloud computing will lose clients with anything serious to protect.
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
9/10/2013 | 9:21:18 PM
re: NSA Fallout: Google Speeds Data Encryption Plans
Interesting development: NIST today defended its process for creating encryption standards -- "NIST would not deliberately weaken a cryptographic standard" -- but said it's reopening the public comment period for publications involving specific cryptographic standards.
NomanS662
50%
50%
NomanS662,
User Rank: Apprentice
9/10/2013 | 5:12:20 PM
re: NSA Fallout: Google Speeds Data Encryption Plans
What's the point of encryption if they're just going to give the keys to the NSA. Most of the NSA snooping was not as a result of mathematical cracking but rather they simply asked for the keys and collaborated with companies to put in backdoors.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-4988
Published: 2014-07-09
Heap-based buffer overflow in the xjpegls.dll (aka JLS, JPEG-LS, or JPEG lossless) format plugin in XnView 1.99 and 1.99.1 allows remote attackers to execute arbitrary code via a crafted JLS image file.

CVE-2014-0207
Published: 2014-07-09
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0537
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-0539
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-3309
Published: 2014-07-09
The NTP implementation in Cisco IOS and IOS XE does not properly support use of the access-group command for a "deny all" configuration, which allows remote attackers to bypass intended restrictions on time synchronization via a standard query, aka Bug ID CSCuj66318.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.