For years, security experts have warned of the risks of government overreliance on a single technology vendor. The recent U.S. Cyber Safety Review Board (CSRB) report detailing significant security failures and systematic weaknesses in a longstanding vendor reaffirms these risks. The report also comes during an ongoing breach by a state-sponsored threat actor against the same vendor. It’s clear these problems are not going away. We applaud the work of the CSRB, which provides a vital public service by illuminating the causes of incidents and providing important recommendations for how to address them. This report underscores a long overdue, urgent need to adopt a new approach to security.
Today, we’re sharing three recommendations for how governments can address the vulnerabilities outlined by the CSRB.
A new approach
At its core, the CSRB report showed that lack of a strong commitment to security creates preventable errors and serious breaches. Major platform providers — particularly those serving public sector and critical infrastructure organizations — have a responsibility to advance the best security practices. As the U.S. National Cybersecurity Strategy states, “responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes.”
The CSRB report also highlights how many vendors, including Google, are already doing the right thing by engineering approaches that protect against tactics illustrated in the report. We shared previously undisclosed details with the Board about our own experience responding to an intrusion from the same threat actor over 14 years ago during Operation Aurora. That incident led us to re-architect our internal infrastructure and pioneer new approaches, including zero trust and threat analysis, thereby advancing security for our enterprise customers, users and the industry at large.
Three immediate security steps governments can take
Lawmakers and security professionals have been calling for new approaches in response to recent breaches, and today we’re sharing three immediate steps governments can take to address the failures outlined in the CSRB’s report.
1. Procure systems and products that are secure-by-design
Digital security cannot be an afterthought bolted onto an existing product. Google believes that every software product should go through a rigorous security review from the beginning of the design phase and at every stage of the product life cycle thereafter. We’ve shared our approach and were pleased to join CISA and others in the industry in signing on to a new set of secure-by-design principles during this month’s RSA Conference.
2. Give security a seat at the procurement table
Security assessments of technology products shouldn’t end when a product meets public sector accreditation standards. The technology management lifecycle should include the ability to trigger security recertifications for products suffering major security incidents, and take into account past performance when making buying decisions. Procurement officials are already required to consider past performance on the basis of on-time delivery, workmanship, and controlling costs. Security needs the same treatment during the acquisition process, informed by existing data, like product flaws leading to prior breaches of government systems, information on top routinely exploited vulnerabilities, and cybersecurity directives issued by government agencies like CISA.
3. Mitigate monoculture
Google and others see a long-standing risk to public-sector organizations using the same vendor for operating systems, email, office software, and security tooling. This approach raises the risk of a single breach undermining an entire ecosystem. Governments should adopt a multi-vendor strategy and develop and promote open standards to ensure interoperability, making it easier for organizations to replace insecure products with those that are more resilient to attack. Finally, regulators should investigate restrictive licensing practices which impede a diverse supplier ecosystem and disincentivize innovation.
A safer alternative
We look forward to working with governments to implement the CSRB’s recommendations to modernize security; however, we understand that these changes will take time. We’re pleased to announce a new Google Workspace offering to give U.S. public sector organizations more choice, and we’re making the switch easier: qualifying public sector customers can get favorable pricing for Workspace Enterprise Plus, Assured Controls Plus, Chrome Enterprise Premium, and training and migration assistance.
In today’s landscape of constantly evolving threats, the status quo is not sufficient, so we are committed to helping move the industry in a new, more secure direction.