What does the Google antitrust case mean for cybersecurity?

This analysis is a response to the latest information and will be updated. To speak with the author, contact [email protected].

The Department of Justice (DOJ) antitrust case against Google has made headlines this year, but an under-reported topic is the cybersecurity implications if Google were forced to pursue the specific remedies sought by antitrust advocates. In fact, some potential countermeasures, such as asset divestment and forced data sharing, could threaten cybersecurity progress.

Large companies across the industry should take a close look at this issue. In the area of ​​antitrust law, courts and policymakers have focused on large companies, which also play a key role in the security ecosystem given the number of users and other companies that rely on their products. This could signal the future direction of courts and political bodies. For example, there is another antitrust case against Apple, and there is legislation before Congress that will target platforms that exceed established thresholds, such as the number of active users or annual sales. Security practitioners unfortunately have reason to worry.

This analysis does not seek to reflect on either side’s claims or consider the underlying merits of them USA v. Google or related activities. There are many analyzes that confirm this. Rather, the goal is to explore the security implications of divestment and forced sharing of data. This analysis also does not suggest that antitrust advocates intend to harm cybersecurity, but unintended consequences remain a concern.

Assessment of the impact of divestiture on safety

It will be helpful to read the information before examining potential remedies. USA v. Google concerns a lawsuit brought by the Department of Justice against Google over alleged anticompetitive conduct in its search business. In August, a district court judge found that Google is a “monopoly” because it uses exclusive distribution agreements to maintain a monopoly on general search services and general text advertising. The decision itself contains little discussion of safety.

One potential outcome would force Google products to separate from each other. For example, Chrome and Android may need to be spun off from their parent company. Divesting a business may seem trivial, but having multiple offerings under one umbrella provides security benefits such as monitoring, detecting, and analyzing threats across the company’s ecosystem. For example, instead of only looking at malicious activity in the Android ecosystem, Google can see how activity may occur elsewhere and take coordinated security actions. Google’s Threat Intelligence Group (TAG) routinely conducts these types of activities, which could be limited or discontinued if divested. Recent examples of TAG activity include coordinated takedowns of YouTube channels, AdSense accounts, and Blogger blogs associated with influence operations. The subject of these activities were accounts and operations linked to Russia, China and Iran.

Likewise, companies routinely centralize resources and expertise to provide solutions for the various products they support, including cybersecurity, as Apple does, by combining hardware, software, and services such as security updates, as Microsoft does with its Secure Future initiative . For Google, that means keeping Android, Chrome, and ads secure. One example is Google Safe Browsing, which warns users when they try to visit potentially dangerous sites. It also warns website owners about potential compromises. The feature is available across Chrome, Android, Search, Ads, and Gmail and covers approximately five billion devices, peaking at approximately 64 million browser warnings in one week. If divestment were the solution, these protections would likely be unavailable to these entities, forcing them to develop solutions on their own, duplicating efforts and/or having no security solution at all. Even if they were still available, they would likely be less effective because they work across different products and rely on insights from one to protect the other.

Assessing the security impact of forced data sharing

Divestment is not the only outcome of the remedies process. Some have called for forced data sharing with other companies. For example, there are criticisms about storing large amounts of data. One witness indicated that large amounts of search data could be used to train artificial intelligence models to be better than others. However, proposing mandatory data sharing is nothing new or disturbing. Previous failed antitrust proposals in Congress called for such requirements following previous reports of alleged anticompetitive behavior.

Depending on the type of data controlled or how it is used, this could have huge national security implications. For example, it is not always clear who receives the data, how well it is protected, and what its true intentions are. The data could end up at a reputable US company that inadvertently compromises it, or at a company that hides its alliances with an adversary.

Using data sharing to foster greater competition in the advertising and search ecosystems may seem attractive, but if it ends up in the hands of an adversary or a criminal group, or a company with poor data security and privacy protections, the consequences can be damaging. The data could be used to identify military and intelligence assets, turned into potential blackmail, or enable adversaries to conduct more effective cybersecurity incidents. Internet search histories have been marked specifically as a way to learn about personal activities or highly sensitive information.

For example, the CCP has a history of extensively collecting data on its citizens and individuals around the world. Even the White House has raised concerns about the use of potentially sensitive data, calling select countries’ access to it an “unusual and extraordinary threat,” leading to an executive order aimed at securing the data and limiting its transfer. This risk is one of many reasons why a more holistic approach to data collection and use is warranted, namely the adoption of a federal comprehensive data protection and security law.

Conflicting goals of security policy and antitrust policy

Improving our cybersecurity posture requires a coordinated approach from the public and private sectors, which recent administrations have made a priority. President Obama has tapped the private sector for cybersecurity efforts, and President Trump’s National Cyber ​​Strategy recognizes the shared responsibility of both sectors for cybersecurity. However, new antitrust actions may prevent this. Antitrust advocates may overlook the cybersecurity or national security implications, but the federal government must balance many policy goals.

Two examples of this mismatch stand out. First, the Biden administration has advocated for a National Cybersecurity Strategy that focuses on two big changes: “rebalancing responsibility for protecting cyberspace” and “realigning incentives to favor long-term investments.” This is based on the assumption that the private sector and large organizations are better equipped to defend against security threats than the typical consumer or small business user, and therefore the burden must shift to them, requiring short and long-term tools to drive action. The administration proposes a number of actions aimed at achieving these goals. Second, are the Cybersecurity and Infrastructure Security Agency’s (CISA) security-by-design and secure-by-default initiatives part of its efforts to “rebalance cybersecurity risks” that aim to ensure security during product development and is the default option . The industry is largely supportive of such efforts, as evidenced by the 220 signatories of the Secure by Default pledge.

On the one hand, the federal government asking the private sector to voluntarily take the lead on cybersecurity is critical because it cannot address all vulnerabilities on its own. The federal government is even suggesting that private industry should be legally liable for failing to meet certain security standards or failing to comply with cybersecurity regulations.

On the other hand, antitrust actions may make security more challenging and less effective for the industry. Limiting the ability to share threat intelligence and security offerings between products and limiting the ability to secure and protect sensitive data may have this effect. Secondary impacts are also likely, including the need to divert security funds and resources to replicate and reproduce security products. If we really want the private sector to lead the way in cybersecurity, it’s essential to make it easier.

As the Google antitrust case unfolds, it is critical not to ignore cybersecurity and data security opportunities. Businesses, cybersecurity leaders and even consumers need to prepare in the event that some of the countermeasures presented are implemented or their company finds itself in a similar situation.

Subscribe to our policy