How Google ensures security for its billions of users

By Ming En Liew

Google is one of the most-used sites in the world. But how does the tech giant keep its tens of billions of users safe from cyber threats? Michaela Browning, Vice President of Government Affairs and Public Policy in Google Asia Pacific, sheds light on the matter.

Earlier this year, Google managed to defend against the largest DDoS attack on a platform in recorded history. The tech giant’s VP, Michaela Browning, shares how they developed a cybersecurity strategy that allowed them to do so. Image: Canva

Used by over 4 billion people worldwide, Google is one of the most used sites in the world, with a whopping 92.5 billion monthly views recorded in 2020. With various services like email, cloud platforms and conferencing services, the tech giant holds in its hands bytes upon bytes of sensitive data that, if leaked, could have dire repercussions.

Cognisant of their value as a target of cyber attacks, Google is doing its part to ensure a strong and resilient cybersecurity posture. In 2021, they pledged US$10 billion to advance cybersecurity over five years. This sum will be used to expand zero-trust programmes, secure software supply chains, enhance open-source security, and train future talents, according to a blog post by Kent Walker, President of Global Affairs at Google and Alphabet.

Most recently, their cybersecurity efforts saw them successfully blocking the largest-ever web distributed denial-of-service (DDoS) cyber attack. DDoS attacks attempt to disrupt the traffic of a server, service or network by overwhelming the target with a flood of traffic. In Google’s case, the attack peaked at 46 million requests per second, more than 70 per cent larger than previously recorded attacks, reported The Economic Times.

And this attack is just one of many. “In recent times, we have seen some of the most widespread cyber attacks against digital infrastructure,” says Michaela Browning, Vice President of Government Affairs and Public Policy in Google Asia Pacific.

A Ransomware Activity Report published by Google’s VirusTotal team last year found approximately 100 ransomware “families” that are constantly active. Countries in the Asia-Pacific in particular seem to be affected, with nations like South Korea, Vietnam, Singapore, India, and the Philippines being among the 10 most affected territories.

In the face of these threats, how can organisations and nations around the world keep up? Browning gives an insight into how Google collaborates, innovates, and adopts cyber best practices to stay ahead of the threats.

A team sport


“Cybersecurity is a team sport, and we all need to work together,” Browning says. Nations, for example, can work together to jointly raise the cyber resilience of the world.

For instance, the Association of Southeast Asian Nations (ASEAN) launched a training centre for ASEAN national teams to respond to cybersecurity incidents last year. This was part of the ASEAN-Singapore Cybersecurity Centre of Excellence, which seeks to strengthen cybersecurity strategy development, legislation and research capabilities of all ASEAN nations, GovInsider previously reported.

Globally, the island nation of Singapore also chairs an Open Ended Working Group, a team within the United Nations seeking to implement international norms on responsible cyber behaviour, wrote another GovInsider article.

Public-private partnerships can also pave the way forward for stronger cybersecurity.

Google is actively working with global cybersecurity and law enforcement agencies to combat the world’s most sophisticated cyber threats, Browning says. “We’re involved in policy discussions with governments around the world and we are committed to doing our part to keep users, customers, and the internet infrastructure secure,” she explains.

This involves jointly building a more integrated ecosystem to keep enterprises secure, developing a comprehensive defence security posture to protect against ransomware and other cyber-enabled crime, and coordinating how they identify and invest in next-generation security tools.

On its own, Google also does its part to advocate for stronger cybersecurity, with programmes like Safer with Google ensuring that all Google products follow industry best practices. This includes having in-built phishing protection software and two-factor authentication processes, among other measures.

Additionally, Google helps governments and businesses stay ahead of cyber threats by helping to replace old systems with better foundations as organisations embrace secure digital transformation.

Innovating in cybersecurity


Cyber threats evolve quickly, Browning says. “As soon as a new technology is introduced or adopted, there are threat actors and cyber criminals looking for ways to exploit it.”

This is why there is a need to invest in cutting-edge technologies that can help organisations stay ahead of such threats. “The good news is that cybersecurity tools are evolving quickly,” she notes. Today, cybersecurity professionals can rely on artificial intelligence, advanced cryptography, and even quantum computing to augment their work.

AI-powered cybersecurity tools, for example, can help cybersecurity teams to detect malware threats more effectively than humans and even take action against malicious software. Such tools can help organisations detect threats more quickly, while reducing human error, Browning explains.

Meanwhile, quantum computing can also be a huge enabler for cybersecurity, according to William Dixon, Head of Future Networks and Technology, Centre for Cybersecurity at the World Economic Forum. In an interview with GovInsider in 2020, Dixon explained how quantum key distribution, for instance, can allow two parties to have a shared random secret key that they can use to encrypt and decrypt messages. They will be able to easily detect the presence of any unauthorised personnel trying to access the system.

Key cyber strategies the tech giant employs


On its own, Google incorporates a range of security features to ensure its services are secure. The tech giant also offers various solutions to help its customers modernise security, whether in the cloud or on-premise, wherever their applications or data live, Browning says.

The tech giant has among its ranks six features that ensure its services are secure:
  1. Google Cybersecurity Action Team, a collective of security experts who advise organisations on deploying effective cyber defence solutions to guide industry-wide security transformation.
  2. Google’s Threat Analysis Group, a team dedicated to detecting and defeating cyber threats across the full suite of Google products.
  3. Project Shield, a security technology to protect news, human rights organisations, election sites, political organisations, and campaigns and candidates from DDoS attacks.
  4. The Advanced Protection Program, an account security service designed to safeguard the Google accounts belonging to high-risk targets.
  5. Open source and accessible Android systems built with layers of security to keep devices and the data within secure.
  6. Collaboration between Google Cloud and American cybersecurity firm Mandiant, which is also a subsidiary of Google. The two services are committed to delivering industry-leading cybersecurity, with a common goal to reinvent how organisations protect, detect, and respond to threats.

Besides these features, Google also relies on three pillars to build trust in their security. First, they ensure that the platform is secure, with transparent security practices. Next, they have a zero-trust architecture that protects data against the myriad of cyber threats. Finally, they rely on a ‘shared-fate model’ of risk management, where they work alongside their partners to identify risk factors and strengthen overall cyber posture.

Learn more about the work of Google’s security teams in the six-part docuseries HACKING GOOGLE, which provides a behind-the-scenes look at how these professionals keep users, enterprises and governments’ data safe.  

Hear more from Browning at her keynote speech at GovWare 2022 titled ‘Driving Cybersecurity Awareness in the Digital Age’, happening from 12.50pm to 1.15pm on 19 October. 


This article is published in partnership with GovWare 2022.