{"id":18673,"date":"2024-05-20T10:36:22","date_gmt":"2024-05-20T10:36:22","guid":{"rendered":"http:\/\/scannn.com\/csrb-report-highlights-the-need-for-a-new-approach-to-security\/"},"modified":"2024-05-20T10:36:22","modified_gmt":"2024-05-20T10:36:22","slug":"csrb-report-highlights-the-need-for-a-new-approach-to-security","status":"publish","type":"post","link":"https:\/\/scannn.com\/lv\/csrb-report-highlights-the-need-for-a-new-approach-to-security\/","title":{"rendered":"CSRB report highlights the need for a new approach to security"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p data-block-key=\"8x960\">For years, security experts have warned of the risks of government overreliance on a single technology vendor. The recent U.S. Cyber Safety Review Board (CSRB) report detailing significant security failures and systematic weaknesses in a longstanding vendor reaffirms these risks. The report also comes during an ongoing breach by a state-sponsored threat actor against the same vendor. It\u2019s clear these problems are not going away. We applaud the work of the CSRB, which provides a vital public service by illuminating the causes of incidents and providing important recommendations for how to address them. This report underscores a long overdue, urgent need to adopt a new approach to security.<\/p>\n<p data-block-key=\"avkau\">Today, we\u2019re sharing three recommendations for how governments can address the vulnerabilities outlined by the CSRB.<\/p>\n<h2 data-block-key=\"8bvuo\">A new approach<\/h2>\n<p data-block-key=\"c6ojb\">At its core, the CSRB report showed that lack of a strong commitment to security creates preventable errors and serious breaches. Major platform providers \u2014 particularly those serving public sector and critical infrastructure organizations \u2014 have a responsibility to advance the best security practices. As the U.S. 
National Cybersecurity Strategy states, \u201cresponsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes.\u201d<\/p>\n<p data-block-key=\"ekl99\">The CSRB report also highlights how many vendors, including Google, are already doing the right thing by engineering approaches that protect against tactics illustrated in the report. We shared previously undisclosed details with the Board about our own experience responding to an intrusion from the same threat actor over 14 years ago during Operation Aurora. That incident led us to re-architect our internal infrastructure and pioneer new approaches, including zero trust and threat analysis, thereby advancing security for our enterprise customers, users and the industry at large.<\/p>\n<h2 data-block-key=\"1tado\">Three immediate security steps governments can take<\/h2>\n<p data-block-key=\"f06mo\">Lawmakers and security professionals have been calling for new approaches in response to recent breaches, and today we\u2019re sharing three immediate steps governments can take to address the failures outlined in the CSRB\u2019s report.<\/p>\n<h3 data-block-key=\"7hsnv\">1. Procure systems and products that are secure-by-design<\/h3>\n<p data-block-key=\"5ocub\">Digital security cannot be an afterthought add-on to existing products. Google believes that every software product should first go through a rigorous security review from the beginning of the design phase and throughout the product life cycle. We\u2019ve shared our approach and were pleased to join CISA and others in the industry to sign on to a new set of secure-by-design principles during this month\u2019s RSA Conference.<\/p>\n<h3 data-block-key=\"dl01k\">2. Give security a seat at the procurement table<\/h3>\n<p data-block-key=\"1d3as\">Security assessments of technology products shouldn\u2019t end when a product meets public sector accreditation standards. 
The technology management lifecycle should include the ability to trigger security recertifications for products suffering major security incidents, and take into account past performance when making buying decisions. Procurement officials are already required to consider past performance on the basis of on-time delivery, workmanship, and controlling costs. Security needs the same treatment during the acquisition process, informed by existing data, like product flaws leading to prior breaches of government systems, information on top routinely exploited vulnerabilities, and cybersecurity directives issued by government agencies like CISA.<\/p>\n<h3 data-block-key=\"a0vs\">3. Mitigate monoculture<\/h3>\n<p data-block-key=\"8ij5c\">Google and others see a long-standing risk to public-sector organizations using the same vendor for operating systems, email, office software, and security tooling. This approach raises the risk of a single breach undermining an entire ecosystem. Governments should adopt a multi-vendor strategy and develop and promote open standards to ensure interoperability, making it easier for organizations to replace insecure products with those that are more resilient to attack. Finally, regulators should investigate restrictive licensing practices which impede a diverse supplier ecosystem and disincentivize innovation.<\/p>\n<h2 data-block-key=\"ef7uf\">A safer alternative<\/h2>\n<p data-block-key=\"d97ot\">We look forward to working with governments to implement the CSRB&#8217;s recommendations to modernize security; however, we understand changes will take time. We\u2019re pleased to announce a new Google Workspace offering to give U.S. 
public sector organizations more choice \u2013 and we\u2019re making the switch easier, as qualifying public sector customers can get favorable pricing for Workspace Enterprise Plus, Assured Controls Plus, Chrome Enterprise Premium, and training and migration assistance.<\/p>\n<p data-block-key=\"7hltq\">In today\u2019s landscape of constantly evolving threats, the status quo is not sufficient, so we are committed to helping move the industry in a new, more secure direction.<\/p>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/blog.google\/technology\/safety-security\/csrb-report-google-recommendations\/\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>For years, security experts have warned of the risks of government overreliance on a single technology vendor. The recent U.S. Cyber Safety Review Board (CSRB) report detailing significant security failures and systematic weaknesses in a longstanding vendor reaffirms these risks. The report also comes during an ongoing breach by a state-sponsored threat actor against the 
[&hellip;]<\/p>\n","protected":false},"author":16,"featured_media":18674,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[100],"tags":[],"class_list":["post-18673","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-google"],"_links":{"self":[{"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/posts\/18673","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/users\/16"}],"replies":[{"embeddable":true,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/comments?post=18673"}],"version-history":[{"count":0,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/posts\/18673\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/media\/18674"}],"wp:attachment":[{"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/media?parent=18673"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/categories?post=18673"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/scannn.com\/lv\/wp-json\/wp\/v2\/tags?post=18673"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}