Work with federal information systems? Responsible for risk management, continuous monitoring, or FISMA compliance? Check out my book: FISMA and the Risk Management Framework.

Saturday, February 6, 2010

Does Google want NSA's expertise or its secrecy?

In a marked contrast from the perspective presented by Ellen Nakashima in the Washington Post on Thursday — which said that in turning to the NSA for help with information security, Google was not primarily concerned with trying to conclusively identify the sources behind the attacks it disclosed in January — a story in the New York Times suggests that identifying the attackers with more certainty is motivating factor for Google seeking NSA's assistance. The article also points out that because the NSA has no statutory authority to pursue such an investigation, it would have made more sense for Google to approach the Department of Homeland Security, except that doing so Google might lead to the government trying to regulate Google's services as critical infrastructure, over which DHS also has oversight authority. A different interpretation of Google's actions, consistent with previous comments here, might be that Google went to the NSA based on a perception (one we would believe to be accurate) that the intelligence agency has greater expertise in information assurance, particularly in computer forensic analysis, and perhaps, as the Post article posited, because Google's priority is better security going forward, rather than a more exhaustive study of the attacks that already occurred. This seems especially logical given how many of the attack vectors apparently exploited against Google in the most publicized China attacks involved non-Google application software. To be sure, Google and other companies have disclosed hacking attempts (both successful and just attempted) against their internal computing environments seeking source code and other intellectual property; because fewer details about these specific attacks have been reported, it's hard to know how much or how little the victimized companies know about all the vulnerabilities they may be exposing to attackers.

No comments:

Post a Comment