by Kim Zetter
February 4, 2010
Google is teaming up with the National
Security Agency (NSA)
to investigate the recent hack attack against its network in a bid to
prevent another assault, according to The Washington Post.
The internet search giant is working on an agreement with the controversial
agency to determine the attacker’s methods and what Google can do to shore
up its network.
Sources assured the Post that the deal does not mean the NSA will have
access to users’ searches or e-mail communications and accounts. Nor will
Google share proprietary data with the agency.
But the move is raising concerns among privacy and civil rights advocates.
The Electronic Privacy Information Center filed a Freedom of
Information Act request on Thursday, shortly after the agreement was
seeking more information about the arrangement.
Executive Director Marc Rotenberg believes the agreement covers much
more than the Google hack and that the search giant and intelligence agency
were in talks prior to Google discovering that it had been hacked.
“What they’ve told you is that this is about
an investigation of a hack involving China,” he told Threat Level in a
phone interview. “I think and have good reason to believe that there’s a
lot more going on.”
Google declined to comment.
“At the time [of the hack announcement], we
said we are working with the relevant US authorities, but we don’t have
any comment beyond that,” wrote spokesman Jay Nancarrow in an e-mail.
The FOIA request also seeks NSA communications
with Google regarding Google’s failure to encrypt Gmail and cloud computing
services. Rotenberg says
EPIC wants to know what role the NSA has
played in shaping privacy and security standards for Google’s services.
EPIC also filed a lawsuit against the NSA and the National Security Council,
seeking a key document governing the government’s broader national
cybersecurity policy, which has been shrouded in secrecy.
“We can’t afford to have secret
cybersecurity policy that impacts the privacy rights of millions of
internet users,” he said.
Google announced earlier this month that it had
been the target of a “highly sophisticated” and coordinated hack attack,
dubbed Operation Aurora, against its
network and other companies in the defense, technology and finance
Google said the hackers had stolen intellectual
property - presumed to be its source code - and sought access to the Gmail
accounts of human rights activists. The attack originated from China, the
Computer security firm
iDefense has said that 34 companies were
targeted by the attackers, who were primarily after
A recent report has provided
details into the nature of the persistent
espionage attack that mirrored attacks on thousands of companies over the
last few years, which have largely gone unpublicized.
The agreement between Google and the NSA, still being finalized, would allow
Google to share critical information with the NSA about the attacks and its
network - such as the malicious code that was used and its network
configurations - without violating Google’s policies or laws that protect
the privacy of users’ communications, the sources say.
The NSA’s general counsel began drafting the cooperative research and
agreement the day that Google announced it
had been hacked, according to The Wall Street Journal.
The agreement was finalized within 24 hours, but
the information sharing at that time was limited, and only allowed the NSA
to examine some of the data related to the hack. Most of the data that was
shared concerned the nature of the data that was stolen, the paper said.
Both the FBI and NSA worked directly with Google on the investigation.
The agreement between Google and the NSA would reportedly be the first time
Google entered into such a formal information-sharing relationship - apart
from its general cooperation with subpoenas and national security letters.
Matthew Aid, NSA historian and author of
The Secret Sentry, said the move troubled
“I’m a little uncomfortable with Google
cooperating this closely with the nation’s largest intelligence agency,
even if it’s strictly for defensive purposes,” he told the Post.
The NSA has been embroiled since 2005 in
the agency violated federal laws in
conducting illegal surveillance of Americans’ phone and internet
Giving the agency authority over coordination of
the government’s cybersecurity plan - which would include working with
telecoms and other critical companies in the private sector - could put the
agency in the position of surreptitiously monitoring communications.
Last year Director of National Intelligence Admiral Dennis Blair
raised a ruckus when he told the House intelligence committee that the NSA,
rather than the Department of Homeland Security, which currently oversees
cybersecurity for the government, should be in charge of securing cyberspace
for government and critical infrastructures.
“The National Security Agency has the
greatest repository of cybertalent,” Blair said. “[T]here are some
wizards out there at Fort Meade who can do stuff.”
NSA Director Lt. Gen. Keith Alexander later
balked at claims that his agency wanted to control the government’s
cybersecurity plan and said it wanted to partner with DHS and others in
Speaking at the RSA Security Conference in San
Francisco, he told the audience of security professionals that the NSA
“does not want to run cybersecurity for the
United States government.”
This week Blair, commenting on the Google hack,
said cyberspace could not be secured without a
“collaborative effort that incorporates both
the U.S. private sector and our international partners.”
“As part of its information-assurance
mission,” NSA spokeswoman Judi Emmel told the Post, “NSA works with a
broad range of commercial partners and research associates to ensure the
availability of secure tailored solutions for Department of Defense and
national security systems customers.”