Google and The Center for Internet Security, Inc., launched the Google Cloud Alliance this week with the goal of advancing digital security in the public sector.

The Center for Internet Security, founded in 2000 to address growing cyber threats and establish a set of cybersecurity protocols and standards like CIS Critical Security Controls and CIS Benchmarks, assists state and local governments with cyber threats.

Google Cloud said it will bring members and services from its Google Cybersecurity Action Team, including insights from its Threat Horizons reports and Mandiant web intelligence division, to weigh in on “securing the broader technology ecosystem – especially as it relates to cloud posture and overall cybersecurity practices,” according to a joint statement.

As reported in TechRepublic, Google also released this month its Assured Open Source Software (Assured OSS) service for Java and Python ecosystems at no cost. The move came after an increasing trend in politically motivated denial-of-service attacks.

The search engine giant responded by releasing its Project Shield distributed DDoS defense to government sites, news and independent journalists, as well as sites related to voting and human rights.

Securing state, local, tribal, territorial government organizations

Google Cloud, which recently created Google Public Sector to support federal, state, and local governments and educational institutions, had announced in Aug. 2021 a $10 billion commitment to public sector security over five years.

The Center for Internet Security operates the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers, which support the rapidly changing cybersecurity needs of state, local, tribal, and territorial government organizations, including critical infrastructure sub-sectors like K-12 schools and elections offices.

“This partnership between CIS and Google is particularly exciting because it is bringing together two powerhouse perspectives on cybersecurity and applying them to the highly-targeted and historically cyber underserved community of U.S. State, Local, Tribal, and Territorial government organizations,” said Gina Chapman, executive vice president, sales and business services at CIS, in a statement. “The cybersecurity needs of the public sector demand best-in-class, cost-effective solutions that include implementation and operational support, and we look forward to how we can work together to support this community.”

Protecting ethical hackers, keeping vulnerabilities out of the wild

Google is also a founding member of a separate set of initiatives launched early this month under the aegis of the Center for Cybersecurity Policy and Law:

  • The Hacking Policy Council, a division of the Center for Cybersecurity Policy and Law (CCPL) that will confront legislation aiming to restrict ethical hacking activities such as pen testing, and to require premature disclosure of vulnerabilities to government agencies or the public.
  • The Security Research Legal Defense Fund, which will help fund legal representation for persons who face legal problems due to good faith security research and vulnerability disclosure in cases that would advance cybersecurity for the public interest.

Harley Geiger, counsel at Venable LLP, said the two organizations will address section 1201 of the Digital Millennium Copyright Act.

“To keep it high level, Section 1201 has a restriction on making available tools that can circumvent tech protection measures to software,” he explained. “Basically, if you are making available tools to get around software security measures there is a legacy restriction on that, and it applies quite broadly but isn’t often enforced.”

Geiger said that reform is needed because the very tools pen testers use to find vulnerabilities in software are, by necessity, designed to circumvent software protection measures.

“That is just one aspect of policy that should be reformed that affects pen testing,” he said.

Addressing proposals to mandate the release of vulnerabilities

Other policy areas include requirements around the identification of vulnerabilities, which he said constitute a high risk to companies because, in an age of zero trust, sharing vulnerabilities with government entities is functionally the same as sharing them in the wild.

“Vulnerabilities are being discovered on a continuous basis so, of course, you want to minimize the attack surface,” he said. “But it is difficult to conceive stopping the production process every time a new vulnerability has been discovered.”

That, he explained, would be necessary if vulnerabilities were disclosed early. The specific example is the European Union’s proposed Cyber Resilience Act.

“If or when it passes, the EU will be as impactful to cybersecurity as the GDPR was to privacy,” he said. “The way it is currently drafted it would require any manufacturer of software to disclose a vulnerability to an EU government agency within 24 hours of determining that vulnerability has been exploited without authorization. The concern with this is that within 24 hours the vulnerability is not likely to be patched or mitigated at that point. What you may have then is a rolling list of software packages with unmitigated vulnerabilities being shared with potentially dozens of EU government agencies,” Geiger added.

In other words, he explained, ENISA would share it with the computer security readiness teams of the member states involved as well as the surveillance authorities.

“If it’s EU-wide software, you are looking at more than 50 government agencies that could potentially be involved. The number of reports coming in could be voluminous. This is dangerous and presents risks of that information being exposed to adversaries or used for intelligence purposes,” he said.

According to the CCPL, the Hacking Policy Council will:

  • Create a more favorable legal environment for vulnerability disclosure and management, bug bounties, independent repair for security, good faith security research and pen testing.
  • Grow collaboration between the security, business and policymaking communities.
  • Prevent new legal restrictions on security research, pen testing or vulnerability disclosure and management.
  • Strengthen organizations’ resilience through effective adoption of vulnerability disclosure policies and security researcher engagement.

Other founding members of the council include Bugcrowd, HackerOne, Intel, Intigriti, and LutaSecurity.