Last week, Google’s cybersecurity teams (Project Zero and Threat Analysis Group) announced in blog posts that a single unidentified hacking group exploited 11 unknown vulnerabilities in a series of digital attacks over nine months in 2020. Google also announced that the attacked software included the Safari browser on iPhones and many Google products, such as the Chrome browser on Android phones and Windows computers. What they didn’t reveal, however, was who the hackers might be.
On Friday, MIT Tech Review published an article claiming the hackers were from a Western government and were fighting terrorism. Google released a statement to the media company explaining why it had not disclosed who the hackers were.
“Project Zero is dedicated to finding and patching 0-day vulnerabilities and publishing technical research to improve understanding of novel vulnerabilities and exploitation techniques across the research community,” a Google spokesman said in a statement.
“We believe that sharing this research will lead to better defense strategies and security for all. We are not performing any attribution as part of this research.”
While it’s true that Project Zero doesn’t attribute hacking to specific groups, the Threat Analysis Group does. Additionally, Google left out many other details about the attack, including whether the company had given officials of the hacking government advance notice that they would cease their efforts.
Google argued that in this case, the important thing was to fix the security loopholes instead of focusing on who directed the cyber attacks. This is because even if these attacks were carried out by a Western government, they could one day be used by nefarious authorities, argued Google. The situation feeds an already ongoing discussion about how covert activities carried out by a friendly government should be addressed.
It is not uncommon for security teams to discover vulnerabilities that are being exploited by friends. So what is interesting here is the fact that we can write about it. Some Google employees argued that counter-terrorism measures should not be made available to the public, while others advocated making them public, citing concerns about cyber security and user protection.