Google and the Spooks

You already know that Google has been under repeated attack by Chinese interests that want to steal its source code and track the activities of human rights activists in China, the U.S. and elsewhere. You probably know that Google has told the Chinese government to knock it off, or it would pull out of China. You may even know that Google’s attempts to fight off Chinese hacking attempts have not been totally successful. While it’s not clear how much was stolen, the fact is that the hackers were able to get in to at least some of the areas they wanted on Google.

One primary focus of the Chinese attempts is Gmail. To break into a Gmail account you only need to guess the person’s login name and password. Since the login name is usually public, it’s no great feat for a cyber warrior to figure out the password, especially when dealing with people who are not used to the levels of security required to defeat national intelligence services. Because of Gmail’s global reach and the fact that it’s free, it’s a favorite of human rights groups, and thus a target for the attacks.

The reason the NSA is right to be involved is that the attack on Google is really an attack on an important U.S. interest. It’s easy to dismiss Google as just another Web provider, but over the last few years it has become ubiquitous. It provides vital search functions to anyone who asks, and it does this with some of the best search technology available to anyone. It performs a significant commercial activity in global e-commerce.

As was the case in World War II and throughout the nation’s history, the U.S. government has been called on to assist critical commercial interests when they try to navigate dangerous international waters, as was the case when the U.S. Navy was called on to protect commercial shipping against state-sponsored pirates (this stretches all the way back to the days of the Barbary Pirates when Jefferson was president). This time it’s the NSA that’s best equipped to help protect a U.S. company against state-sponsored cyber warfare.

Yes, privacy advocates are alarmed, but in reality they should focus their alarm against the depredations of the Chinese-sponsored hackers. Not only do they have a far worse privacy record, but they have the agenda of using anything they find on human rights interests to help defeat the cause of human rights, including privacy.

Meanwhile, as a company, you need to protect yourself against the fallout from the cyber war. As is the case in any war, there is sure to be collateral damage, and you don’t want to be there when it happens. Fortunately, there are steps you can take:

• Avoid using public webmail for critical business operations, especially those that include information such as what’s covered by HIPAA, Sarbanes-Oxley, PCI and the like.
• Encrypt your e-mail if it includes sensitive information (you should already be doing this).
• Realize that almost all business transactions and other communications are sensitive and need protection.
• Protect your own IT environment against attack. Just because the bad guys are attacking Google doesn’t mean they won’t also attack you if you have something they want.
• Remember that paranoia isn’t necessarily a bad thing when it comes to protecting yourself. Unless protecting your company isn’t part of your business strategy, then it’s important to assume that somebody, somewhere, can get into your network.

Yes, I know this sounds like stuff you heard back in the 1950s. But this time the bad guys really are on the attack, but instead of using weapons of mass destruction, they’re using weapons of economic destruction.

The goal is to silence human rights critics, steal our technology, and our businesses, and take over the global economy any way they can. To the Chinese this is war. We should be treating it as war as well, and like in any war, we need the government’s help.