Google is committing $10B to advance cybersecurity (blog.google)
55 points by rbanffy on Aug 25, 2021 | 24 comments


There was a phenomenon that emerged (or maybe it didn't, maybe this speaks more about my age) in the Blair years in the UK, where there would be loud, repeated announcements of massive amounts of cash for various projects. How did they afford such investments? Oh they didn't. They simply repeatedly announced the same spending. 0 money, lots of good headlines. I think this peaked a few years back, where it turned out the promised number of "new" nurses in the NHS actually included the number of nurses who they had expected to quit but thought would no longer quit.

This headline sounds very much like that.


Often, especially in politics, these sums are also "up to" caps on programs that folks can apply to with proposals. Often the bars are so high that nobody can pass them, or applying is extremely complicated, so only a fraction is actually paid out in the end. But it makes good headlines.

E.g. the German federal government subsidizing last-mile internet infrastructure construction. The program has been running since 2015 and contains 11 billion EUR, of which only 570 million have been paid out.

https://netzpolitik.org/2020/immer-noch-bleiben-viele-foerde...


This is exactly what my prime minister (New Zealand) has been doing, and she previously worked for the Tony Blair campaign. Seems to be working quite well for her.


Some ideas for that $10B, that I won't charge for:

- Fewer lines of code in production, to reduce attack surface (subtractive problem solving[1])

- Free and open source by default, to help defenders to inspect components before they use them and get outside expert assistance more easily when required

- Free and open source by default, to aid vulnerability researchers find and report problems in code at all layers

- Free and open source by default, so that vendors and developers can learn to work with an awareness that their output may receive (and in many cases may deserve) scrutiny

- Free and open source by default, so that the next generation of software developers and security professionals can learn from and contribute to a variety of widely-used codebases, rather than certifications that apply largely within the preferred and understood contexts of their corporate sponsors

Allowing end-users (for example, app store users) to see code would also be a nice side-benefit of some of that. I'm certain that 98%+ of consumers won't want to view or inspect app code, but for the small number that do, it could be important. Viewing HTML and JS source is no doubt how a large number of web developers begin their career journey.

[1] - https://www.nature.com/articles/d41586-021-00592-0


Seems related: Microsoft just said they'll put in $20 billion.

https://finance.yahoo.com/news/microsoft-commits-to-spend-20...


I think everyone knows that all legacy IT systems throughout much of government and business will be declared "unsecurable" in the next 5-10 years, and the proffered solution will be to migrate everything to the clouds of the few big players. So these $10B or $20B are going to result in $100B+ in future business.


The pessimist in me reads this as "we are continuing investment in a promising line of business" couched as "we are doing good for the world".

Am I too biased against Google's intentions now?

They say

> We also pledged to provide $100 million to support third-party foundations, like OpenSSF, that manage open source security priorities and help fix vulnerabilities.

So really this is just, we are spending another 10B on this line of business and we'll throw out a token 100 mil to the community.


I think you're bang-on with "investment in a promising line of business"

> First, organizations continue to depend on vulnerable legacy infrastructure and software, rather than adopting modern IT and security practices. Too many governments still rely on legacy vendor contracts that limit competition and choice, inflate costs, and create privacy and security risks.

> Second, nation-state actors, cybercriminals and other malicious actors continue to target weaknesses in software supply chains and many vendors don’t have the tools or expertise to stop them.

Pretty much it's "we're better at security than most other vendors, and we want to get in on those sweet government and corporate contracts".

They're probably not wrong, I would bet Google is better at security than most companies are. One way of reading "legacy vendor contracts" is "legacy-vendor contracts" :)

> We are also pledging, through the Google Career Certificate program, to train 100,000 Americans in fields like IT Support and Data Analytics, learning in-demand skills including data privacy and security.

Let's take a guess at whose systems they'll be getting trained on :)


The author of the blog post is a senior PR (titled government relations, but basically same thing) guy, so I think your assessment is fair.

IMO - Every word of that blog post should be taken as code for "this should keep the US government off our back for a while and probably help us win contracts."


> token 100 mil

100 mil isn't peanuts, not even for Google.


Didn’t they pay $150M to one guy who still stole their proprietary self-driving data and sold it to Uber? So maybe not peanuts, but not much more than almonds, either.


Google's net income is around $60B yearly (steadily increasing): $5B a month, circa $170 million every day.

https://finance.yahoo.com/quote/GOOGL/financials


It's only 1% of the total spend here, so I'd say it clearly is peanuts to Google. Spending 1% of a project's budget on a marketing initiative is not particularly exceptional.


It's literally 1% of the balance they're discussing in the post. That's just a goodwill play.


>Am I too biased against Google's intentions now?

Regardless of what their intentions actually are those two are not necessarily in conflict with each other.


It's probably a mix of both. I think it'd probably either be too cynical or too naive to think it's entirely one or the other.

(I realize my post is a wishy-washy nothing-statement that could mean anything, so to make it a little more concrete: I'd roughly guess like 70/30 self-interest/PR:altruism/"herd security".)


Simply put, they can't do any good by giving that much money to third parties. There aren't enough third parties to make good use of that much money, and it is very hard to spend that money strategically.


The simplest interpretation of Occam's Razor is often the accurate assumption, pessimism or no. The fact that Google hasn't abandoned SMS 2FA alone should suffice as evidence enough that they are pursuing this as a purely financial strategy.


> Implemented properly, zero-trust computing provides the highest level of security for organizations. We support the White House effort to deploy this model across the federal government.

And there we have the explanation for this substantial donation of resources. This will hopefully unlock some $10B-a-pop contracts to convert government systems to Zero Trust, for which Google conveniently has a solution it can sell the feds.

Not to mention if they win the security angle this might be a wedge for them to get generic compute onto GCP for government projects.


Google is one of only a handful of companies in this world that can fundamentally change the state of security in the tech industry. I love google and have many friends who work there, I truly believe in their mission. They have the talent and the financial resources, but sometimes they do not use those in ways that are strategically scalable IMHO.

Here's some examples of ways they could use $100MM to completely flip the script on app security:

1) Google Project Zero - Some of the absolute best hackers in the entire world work on this team; they identify and exploit vulnerabilities at the same skill level as the best nation states. None of this significantly moves the needle. If they took this team, expanded its skill set, and redirected their efforts towards building protections for compilers, runtimes and frameworks, then that would be much more impactful than showing off the next <ubiquitous software> 0day.

2) Google's partner program - Google has a program that forces all integrators of their OAuth APIs, from Gmail to Gdrive, to have 3rd-party security assessments conducted. The 3rd parties they use put their most junior/scanner-focused pentesters on those projects. The approved 3rd-party vendors turn this into a cash cow because they hire kids straight out of school and bill them out at senior rates, because the API integration partners are forced to use these junior teams. Instead, Google could create a register of ALL pentest companies, stop the SF/SV practice of secret lists, publish all data about security assessment/pentest firms, and prioritize the effective firms, not the junior firms.

3) Google could create zero-trust FOSS software for all corporations. Zero trust is a hot topic; every COTS vendor now caters to the key buzzword. Often the COTS solutions are low quality, trying to make bank off a trend. Google is in the unique position of advancing the state of zero trust world-wide by releasing its zero-trust software as FOSS and allowing all corporations in the world to jump a light year in corp-sec.

4) Advancing the state of systems programming - I love C; it was my second programming language and the one I first fell in love with, and I won DEFCON CTF writing exploits for C code. All of that being said, there is almost no need at all for C in 2021. For almost all cases I can use Go, Rust, or something else memory safe instead of C. Google should move away from using C for most programs and advance the state of Go and Rust via SAST tooling and security rules. Yes, this includes Android: Android should support non-C code such as Rust in the kernel, just like Linux is currently doing.

5) Align with security best practices on all OSes and desktop apps - MS is doing some amazing experiments with high-security modes to make their browser extremely secure; Google should have been doing the same with Chrome for the past 10 years: https://microsoftedge.github.io/edgevr/posts/Super-Duper-Sec... I know the usability/memory trade-offs being made here to keep the browser performant, but I still think there is more that can be done here with the genius tech/sec innovators that Google has.

6) OpenSSF should create an alliance to fundamentally eliminate XSS and CSRF - Google is a huge sponsor (primary, I think?) of OpenSSF. That org can create an alliance with all of the top web app frameworks (Django, Rails, Flask, Gorilla, Spring, ASP.NET MVC, etc.) for an operating mode which fundamentally uses all of the new web app security hotness (CORS, CORP, CORB, COOP, COEP, CSP, site security, etc.) to absolutely eliminate all XSS and CSRF possibilities at the web app framework level, and SQLi at the ORM level, for all notable web app frameworks. This would set a precedent across the industry.

7) ...I'm gonna stop there; I can go on forever. These are things I think about a lot, being in the hacking industry 20+ years. I'm often dreaming of "If I just had $5MM in funding I could solve so many security problems!!", but the only currently feasible way to get that funding is to use it to create a commercially viable product. Google's pledge to fund cyber security in an altruistic manner changes the game.

Google, we love you! Help us secure the Internet, you've got the power to totally change the game...we hope you do! :)

-Erik- Founder, IncludeSec


They could support security work at WG14 with some of that cash.


This is Google promising to spend $10 Billion to curry favor with President Biden's administration while simultaneously facing serious antitrust monopoly litigation with that Biden DOJ.

That's some pretty expensive lobbying right there.


Not that bad; Tencent had to promise 15 billion to the Chinese government to share the wealth.

https://www.bloomberg.com/news/articles/2021-08-19/tencent-d...




1. It's still right there [0], it never went anywhere

2. When companies say things, people say that words are meaningless, we want to see action. But then when they actually put money where their mouth is, now we're back to complaining about what they advocate for? What does repeatedly saying "do no evil" actually achieve?

[0] https://abc.xyz/investor/other/google-code-of-conduct/
