In his keynote speech “On Transparency in the Shadowy World of Cyberattacks” at Fordham’s 2022 International Conference on Cyber Security on July 19, Walker recalled a dangerous series of cyberattacks that targeted Google more than a decade ago and the company’s major takeaways from the incident.
In 2009, Google was the victim of a massive cyberattack called Operation Aurora. In a widespread phishing campaign, a group of hackers from China tried to steal trade secrets from more than two dozen high-profile companies, including Adobe, Morgan Stanley, and Google. The hackers breached company networks and succeeded in stealing intellectual property.
Many companies decided not to publicize the attack, but Google chose to do the opposite—and for good reason, said Walker, who previously served as an assistant U.S. attorney in San Francisco and Washington, D.C., in addition to starting one of the first “computer crime” units in the country.
“[When I was a federal prosecutor who specialized in technology crime], one of the big challenges we encountered was getting companies to go public or even go to the authorities … Because of that, we felt it was important to talk about the attack [at Google]—to tell the world about its impact, about the methods that the attackers were using,” Walker said. “That’s not always comfortable work. We’ve had some tough conversations with partners and our own teams about disclosing vulnerabilities. … But it’s necessary to move the industry forward and to make sure that bugs are being fixed quickly before they can be exploited.”
One of the biggest takeaways from the incident was the necessity of transparency about their work, he said. The cybersecurity community, law enforcement, and the public need to share vulnerabilities and cyberattacks with each other in order to raise security worldwide, he said.
The second and perhaps even more important lesson from the cyberattack was learning what worked and didn’t work in cybersecurity architecture, said Walker. It’s important to focus on the fundamentals of software security to raise general security and to not only rely on threat intelligence and security products to protect users, but to develop secure products with built-in security features, rather than “built-on.”
“Aurora showed us and everyone in the industry that we were doing cybersecurity wrong,” Walker said. “We were building high walls to keep the bad actors out. But if they got past those walls, they got wide internal access. The attack helped us recognize that we had to double down on security by design.”
After the cyberattack, the company launched BeyondCorp, an internal initiative that pioneered the concept of Zero Trust—a security framework that has taken off across the industry, he said.
“It lets every employee work from untrusted networks without the [need for a traditional VPN],” Walker said. “They can access the most sensitive internal services and data over the Internet without sacrificing security.”
Cyberthreats are growing stronger, but cybersecurity tools are also getting better, said Walker. He highlighted artificial intelligence, which allows experts to see threats faster and reduces human error, as well as other tools like advanced cryptography and quantum computing.
Google has shared many of its advances with other organizations and governments—now it’s time for the cybersecurity community as a whole to get better at sharing its knowledge across the national security community, academia, and Silicon Valley, he said.
“It’s not a time for holding successful techniques to ourselves,” Walker said. “Cybersecurity is a team sport.”
