Last week, Google's cybersecurity teams (Project Zero and Threat Analysis Group) announced in blog posts that a single unidentified hacking group had used 11 previously unknown security vulnerabilities in a series of digital attacks over nine months in 2020. Google also revealed that the software that was attacked included the Safari browser on iPhones and many Google products, such as the Chrome browser on Android phones and Windows computers. What they did not reveal, however, was who the hackers might be.
On Friday, MIT Tech Review released an article claiming that the hackers were from a Western government and were conducting a counterterrorism operation. Google released a statement to the media outlet explaining why it did not disclose who the hackers were.
“Project Zero is dedicated to finding and patching 0-day vulnerabilities, and posting technical research designed to advance the understanding of novel security vulnerabilities and exploitation techniques across the research community,” a Google spokesperson said in a statement.
“We believe sharing this research leads to better defensive strategies and increases security for everyone. We don’t perform attribution as part of this research.”
Although it’s true that Project Zero does not attribute hacking to specific groups, the Threat Analysis Group does. In addition, Google omitted many more details about the attack, including whether or not the firm gave advance notice to officials of the government behind the hacking that it would be shutting down their efforts.
Google argued that what was important in this case was to fix the security flaws, rather than to focus on who directed the cyberattacks. This is because even if these attacks were made by a Western government, they could one day be used by nefarious agencies, Google argued. The situation lends more weight to an ongoing discussion about how covert activity conducted by a friendly government should be handled.
It is not rare for security teams to discover vulnerabilities exploited by friendly figures. What's interesting here is that we get to write about it. Some Google employees argued that such counterterrorism operations should not be disclosed to the public, while others defended disclosure, citing internet security and user protection concerns.