Google’s lesson: innovation has to be accompanied by reliability

While we wait for next move in the standoff between Google and China, the most profound impact of the Google incident may have little to do with Internet censorship. Rather it is likely to change the shape and speed of technological development in the information technology sector. The announcement that the search engine giant was hacked in China highlights two emerging tensions between a globalised model of innovation and security of companies that should lead them to pause the pace of change to better accommodate security and reliability.

The first tension is geographic.

Over the last two decades, multinationals have globalised innovation by setting up research centres in many corners of the world and linking R&D, manufacturing, and supply chains in dispersed markets. Massive information and communication technology networks allow a project, whether developing new software or designing the next generation of microprocessor, to be worked on almost continuously as daylight moves from Oregon to India and then to Israel and Ireland and back to Oregon.

As the Internet remains the main vehicle of this global co-operation, each link in that chain introduces vulnerabilities that can be exploited by criminals as well as “patriotic hackers” - private individuals or groups who, with tacit or direct government support, steal valuable intellectual property on the behalf of that government. According to the security firm Netwitness, over the last 18 months hackers in China and Eastern Europe broke into more than 2,500 computers in companies and government agencies in order to steal personal and corporate data.

Moreover, actually moving production and R&D, not just connecting them virtually, can have a negative impact on security. Geography still matters since physical supply chains that involve sharing of components themselves are vulnerable as intelligence agencies insert spyware into chips and other hardware at the point of manufacture. The fact that counterfeit Cisco routers - a critical component in Internet transmission - have already showed up in the networks of major technology companies and defence contractors demonstrates how porous supply chains are.

Time is the other source of tension.

Technology is spreading at an ever faster pace and the time to market for new products has been radically shortened. To remain competitive, companies must innovate at breakneck speed, but the focus on speed has come at the expense of reliability, safety and security. Google may be the best example of this trend, with small teams of engineers racing to get Google Maps, Gmail, Picassa, and other products into beta-testing and out on the web.

Some products worked, some didn’t, but security was often an afterthought in developing new offerings - as the recent outcry over security and privacy concerns on the social networking service Buzz clearly demonstrates.

The fault was not Google’s alone. Most of the industry acted the same way and promoted speedy innovation over security. In the rush to get new products, with new features to market, the number of errors introduced has grown significantly. Many of these errors or bugs are security vulnerabilities that can be used to gain access to proprietary information or alter operations, and it is suspected that the hackers gained access to Google in part through a vulnerability in the Internet Explorer web browser.

This was less a problem when computers were not as critical as they are today, and when manual backups for operating hydro-electric projects, power plants, and military communications still existed, but now information technology must be as reliable as every other form of infrastructure.

This is especially true in the emerging area of smart grids, networks that use information technology to monitor and distribute power efficiently. Last April, the Wall Street Journal reported that the US electricity grid was penetrated by foreign intelligence agencies that left malware behind designed to take down the grid remotely.

A massive blackout in Brazil in 2007 has been blamed on hackers as well as faulty maintenance on high voltage insulators.

Despite the growing concern that the power grid is susceptible to cyber attacks, the Obama Administration is moving forward with a smart grid in the same haphazard manner that the information technology industry has embraced technology development. In October, the Energy Department announced plans to spend US$3.4 billion in stimulus dollars on 100 smart grid projects in 49 states. Utilities agreed to add another US$4.7 billion. Yet the National Institute of Standards has not completed the Smart Grid Security Strategy and Requirements. Once again, safety and security lag design and delivery.

Hopefully, the tide may be turning. For months Google resisted making industry standard encryption the default on Google Mail, Docs, and Calendar since it would impede the flow of information across the Internet as well as slow down users’ computers by making them decrypt extra data. After going public about the attempted hacking from China, Google reversed itself and enabled this protection by default.

The lesson for the IT industry is that security has to be a primary concern in the next generation of innovation. Safety must be baked in at the design level and not as an afterthought. Retrofitting systems once a vulnerability is exposed does not work and companies that do not realise this will pay a price.

As a corollary to safety first, critical systems must embrace greater simplicity. The more complex a system is the more vulnerable. Computer systems used to control the electric and water grids for example, should do only what they need to do, no more, no less. Information technology providers will need to move away from a one-size-fits all approach, and provide simple systems that address clearly stated and limited purposes.

Governments can play a role in helping make this market shift. Washington, for example, can flex its muscle as a major user and insist that all new products achieve increasingly high standards for security and reliability. In addition, liability standards could be adjusted so that technology companies are responsible for the failure of their products. As the security consultant Bruce Schneier has suggested shifting liability for security from the consumer to the producer is likely to produce a secondary market for liability insurance that will promote better security practices without burdensome regulatory action.

Companies may also have to rethink where they manufacture and conduct R&D. Placing the two together and keeping them in the home country could limit exposure to theft of intellectual property and contamination of the supply chain. When closeness to foreign markets is critical, multinationals should let governments know that they are basing their decisions on where to site a research centre not only on access to talent and infrastructure, but also on the security environment. As a result, companies would be more careful about selecting countries before setting up R&D abroad. Outsourcing of manufacturing will continue, but it must do so under much tighter monitoring of the transfer from intellectual property to production.

The lesson of Google v China for information technology companies is: stop and take a breadth. Where goods are designed and manufactured still matters and racing off to some foreign location can mean the loss of valuable intellectual property. Moreover, first out of the gate is going to be less important. We all may be better off if the pace of innovation slows just a bit so we can be safer.