Google Asks Spy Agency for Help With Inquiry Into Cyberattacks
SAN FRANCISCO — Google has turned to the National Security Agency for technical assistance to learn more about the computer network attackers who breached the company’s cybersecurity defenses last year, a person with direct knowledge of the agreement said Thursday.
The collaboration between Google, the world’s largest search engine company, and the federal agency in charge of global electronic surveillance raises both civil liberties issues and new questions about how much Google knew about the electronic thefts it experienced when it stated last month that it might end its business operations in China, where it said the attacks originated. The agreement was first reported on Wednesday evening by The Washington Post.
By turning to the N.S.A., which has no statutory authority to investigate domestic criminal acts, instead of the Department of Homeland Security, which does have such authority, Google is clearly seeking to avoid having its search engine, e-mail and other Web services regulated as part of the nation’s “critical infrastructure.”
The United States government has become increasingly concerned about the computer risks confronting energy and water distribution systems and financial and communications networks. Systems designated as critical infrastructure are increasingly being held to tighter regulatory standards.
On Jan. 12, Google announced a “new approach to China,” stating that the attacks were “highly sophisticated” and came from China. At the time, it gave few details about the attacks other than to say that a theft of its intellectual property had occurred and that a primary goal of the attackers had been to gain access to the Gmail accounts of Chinese human rights activists.
In reaching out to the N.S.A., which has extensive abilities to monitor global Internet traffic, the company may have been hoping to gain more certainty about the identity of the attackers. A number of computer security consultants who worked with other companies that experienced attacks similar to those of Google have stated that the surveillance system was controlled from a series of compromised server computers based in Taiwan. It is not clear how Google determined that the attacks originated in China.
A Google spokeswoman said the company was declining to comment on the case beyond what it published last month. An N.S.A. spokeswoman said, “N.S.A. is not able to comment on specific relationships we may or may not have with U.S. companies,” but added, the agency worked with “a broad range of commercial partners” to ensure security of information systems.
The agency’s responsibility to secure the government’s computer networks almost certainly was another reason Google turned to it, said a former federal computer security specialist.
“This is the other side of N.S.A. — this is the security service that does defensive measures,” said the specialist, James A. Lewis, a director at the Center for Strategic and International Studies. “It’s not unusual for people to go to N.S.A. and say ‘please take a look at my code.’ ”
The agreement will not permit the agency to have access to information belonging to Google users, but it still reopens long-standing questions about the role of the agency.
“Google and N.S.A. are entering into a secret agreement that could impact the privacy of millions of users of Google’s products and services around the world,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center, a Washington-based policy group. On Thursday, the organization filed a lawsuit against the N.S.A., calling for the release of information about the agency’s role as it was set out in National Security Presidential Directive 54/Homeland Security Presidential Directive 23 , a classified 2008 order issued by President George W. Bush dealing with cybersecurity and surveillance.
Concerns about the nation’s cybersecurity have greatly increased in the past two years. On Tuesday, Dennis C. Blair, the director of national intelligence, began his annual threat testimony before Congress by saying that the threat of a crippling attack on telecommunications and other computer networks was growing, as an increasingly sophisticated group of enemies had “severely threatened” the sometimes fragile systems behind the country’s information infrastructure.
“Malicious cyberactivity is occurring on an unprecedented scale with extraordinary sophistication,” he told the committee.
The relationship that the N.S.A. has struck with Google is known as a cooperative research and development agreement, according to a person briefed on the relationship. These were created as part of the Federal Technology Transfer Act of 1986 and are essentially a written agreement between a private company and a government agency to work together on a specific project. They are intended to help accelerate the commercialization of government-developed technology.
In addition to the N.S.A., Google has been working with the F.B.I. on the attack inquiry, but the bureau has so far declined to comment publicly or to share information about the intrusions with Congress.