How Congress’ anti-tech bill undermines security

We’re concerned that Congress is considering legislation that would compromise Google's ability to keep users secure by default, as well as break popular features in products like Search and Maps. We’ve previously outlined how this proposal could make our services less helpful and less secure, while not addressing the issues Americans care about most — like privacy, child safety and inflation. As experts gather for the RSA Conference this week, I wanted to share my perspective as a security professional on the real risks that this legislation poses for US security.

Our security teams work around the clock, around the world, to identify and stay ahead of threats to our users and platforms. On a typical day, Google blocks more than 100 million phishing attempts across our platforms and tracks over 270 government-backed threat actors from more than 50 countries. This work requires us to make judgment calls quickly, based on indicators and alerts from a huge variety of sources. We don’t always find fire where there’s smoke. But we do prevent millions of attacks from succeeding — and responding to the smoke without hesitation is critical to protecting millions of internet users.

A bill introduced in the Senate (S. 2992) could hurt our ability to make quick decisions to keep our products secure, requiring us to ask: would thwarting a potential bad actor violate the law and open us up to legal liability? Even pausing to ask the question would leave millions of users vulnerable for precious minutes while a potential security threat persists. And when it comes to cybersecurity, every second counts.

Here are just a few ways the legislation would undermine our ability to keep people safe:

Harming a security-by-default approach

First, because the bill bans basic product integration, we might not be able to secure our products by default. This is problematic because modern threat actors don’t just seek to exploit one user, service or system in isolation. They look for weak links, and their behavior is harder to detect when their activities are spread across multiple providers. That’s why we build systems with integrated security defenses. For example, to counter a phishing attack, we rely on built-in spam filtering, malware scanning, link analysis, two-step verification for accounts, password alerts … the list goes on. Under the legislation, these seamless integrations could be prohibited simply because competitors offer their own versions of spam filtering, malware scanning and other security services. The bill could even require us to open our systems to untrusted and potentially vulnerable rival services.

Opening our products to bad actors

Second, the bill would require us to allow outside parties to “access or interoperate” with our “platform, operating system, hardware and software features.” This broad mandate to open our systems may have been written with domestic rivals in mind – but it would inevitably be exploited by foreign companies looking to understand US technical infrastructure, and access data from American businesses and citizens. As national security leaders have warned: “Unfettered access to software and hardware could result in major cyber threats, misinformation, access to data of U.S. persons, and intellectual property theft.”

Rolling back efforts to fight disinformation

Third, by prohibiting us from “discriminating” against competitors, the bill would prevent us from taking action against purveyors of malicious content. Since Russia invaded Ukraine, we have been able to move quickly to limit Russian propaganda and disinformation, even as that content has migrated to new channels. The proposed legislation could undermine this work.

Failing to address valid security concerns

Finally, this bill would create a legal environment that encourages companies to err on the side of not protecting users – and recent changes to the bill exacerbate these underlying security concerns. For example, the revised bill says that we don’t have to interoperate with or provide access to data to entities who pose “clear” and “significant” security risks. But this assumes that we know in real time which risks are significant, and could prohibit us from blocking moderate or emerging security risks that don’t obviously meet the bar of a “significant” threat. Another recent change says that we don’t have to open our platforms up to businesses backed by the Chinese government. But this ignores the fact that modern threat actors use compromised third parties or shell companies to conduct operations, where attribution can be slow and difficult.

We understand there’s an appetite for global regulation, and we support balanced, thoughtful legislation to solve important issues such as consumer privacy and child safety online. But this legislation would fundamentally harm our ability to stay ahead of threats and keep the billions of people who use our products secure. We strongly urge Congress to consider these unintended consequences before moving forward.


by Royal Hansen via The Keyword
