Legal Practice Technology Blog

HoudiniEsq Legal Practice Management
HoudiniEsq Blog - Solarwinds Hack and Google. The Crash That Impacted Billions

Does the reliance on Google put your Law Firm at risk?

We all assume that Google Services will always be available. Search, Gmail, and YouTube. The online storage of images, websites, and documents. But those services are just the tip of this iceberg. Google provides a staggering number of services that make our lives easier. The most popular are services such as drive, docs, maps, analytics, surveys, workspaces, calendar, chat, charts, classroom, fiber, and voice. In addition, millions of organizations large and small rely on Google for single-sign-on and two-factor authentication using Google Authenticator.

To put things into perspective Google controls over a third of the services on the Internet. Google processes, manages, and stores over 306 billion emails daily. Over 300 hours of video is uploaded to Google every minute. There are 5.6 billion searches performed every day and the total number of people who use Google to sign-in to products and services daily is estimated to be nearly 1.3 billion. Take into account the many 3rd party service providers that rely on Google and it is billions of users that depend on Google each day.

The Crash
On December 14th, 2020 Google and all of its services became unavailable for nearly an hour. It doesn’t seem like much but at the time the world seemingly came to a standstill. Many were unable to work and many were left in the dark and in the cold literally as Google home products such a Nest no longer worked. The Wall Street Journal being dependent on Google services had to resort to telephones to collaborate causing productivity to drop ten fold. Many schools that rely on Google Meet had to close for the day. Hospitals couldn’t access physician schedules. Law Firms couldn’t access calendars or email and in many cases access to critical systems was impossible.

In a statement, Google told an India Today Technologist that its services experienced an “authentication system outage” for about 45 minutes due to an internal storage quota issue. The interesting thing about this outage was that it occurred very shortly after the recent Solarwinds hack was reported.

Solarwinds is a Network Performance Monitor that was found to have been compromised by Russian hackers in March 2020 but only detected in mid-December 2020. The Solarwinds hack affected the Pentagon, many intelligence agencies, DOJ, IRS, NASA, several nuclear labs, nearly every telecom company, and many Fortune 500 companies that use the Solarwinds software. Approximately 1,800 clients.

Was the recent outage which coincided with the Solarwinds hack the real cause? More on that in a minute.

As is the case with each outage once the system is back up and running everyone goes on about their business and the outage is soon forgotten. No worries right? Well yes. This isn’t the first time and it certainly won’t be the last.

On November 11th, 2020, another outage occurred affecting streaming services. The outage started at roughly 12:20 UTC and was restored at 04:13 UTC. Nearly four hours. Prior to this outage on August 20th, 2020, over a period of approximately six hours, a global outage abruptly disrupted Google’s services, including Gmail, Drive, Docs, Meet, and Voice.

That is three major outages in a single year. So much for the five-nines of high availability. Five-nines refers to 99.999% of high-availability of services. To achieve five-nines the service must be down no less than 5.26 minutes per year. Four nines 99.99% is considered excellent but means only 52.32 minutes of downtime per year. In one year Google has been down approximately 11 hours. That is roughly 99.8% or so of availability or two-nines in 2020.

Google’s global outages demonstrate the risk Big Tech poses with consolidated online infrastructure. It’s not just the little guys that are at risk. Some of the biggest companies use Google services. Uber, Netflix, Pinterest. Spotify, Airbnb, and Twitter just to name a few. Millions rely on Google to authenticate to other services for example Salesforce and Dropbox. Are we too dependent on Google?

What happens if instead of hours Google is down for an entire day or days? No surprise, Google has planned for this. Google implements SRE which is Site Reliability Engineering. SREs are comprised of software that monitors and responds to critical infrastructure and operations problems. It literally removes the human component from these sorts of tasks. It is more reliable and efficient and can respond to issues within milliseconds. In theory. The problem is that software engineers make mistakes. Case and point, SREs didn’t prevent any of these recent Google outages.

So is Google secure? Somewhat and better than most. No computer system is 100% secure. The only safe computer is one that is unplugged. Any software that requires login credentials is vulnerable because the weakest link in any computer system is always the user.

Is Google safe from hackers? No. Google has stated that it has paid hackers 6.5 million dollars in 2020 to help keep the Internet safe. These weren’t attacks but competitions run by Google to help identify security deficiencies on their platforms. Google has been running these competitions since 2010. Makes one wonder.

The most recent Google outage was just hours after the US government and many of its agencies reported the Solarwinds cyber attack. This hack was so sophisticated and serious that Congress had a national security meeting on the subject.

Was Google being cautious and in their attempt to patch Solarwinds brought down the entire system? It is only speculation but experts did take note of the recent outage’s timeframe. Even if Google doesn’t use Solarwinds directly, some developers and integrators on Google’s platforms do.

What is concerning about all this is that Google has become a single choke point for many businesses across the globe. If its services become unavailable for long periods of time billions of users are impacted.

So what is one to do? Well, it is prudent to set up alternative services for email and for access to critical systems. Having a Yahoo account in addition to a Gmail account ensures that you will be able to communicate in case Google was to go down for a long spell. If you use two-factor-authentication it is important to create and save two-factor-authentication keys so if Google Authenticator becomes unavailable you can still authenticate and login to critical services outside Google’s platforms.

These outages and the two-nines, 99.8% of availability actually make a strong argument for Google to be broken up if not for Antitrust reasons but for security reasons. Currently, the U.S. Dept. of Justice filed a lawsuit against Google along with forty states alleging that Google has a search monopoly. Reminiscent of Microsft’s Antitrust troubles with its Web Browser two decades ago. But Search is just one sliver of the services it provides. Some believe that Google has a monopoly on internet-based services as well. One thing is for sure, Google will continue to create and consolidate internet-based services and if you’re in their ecosystem then you are at risk if you don’t set up alternatives just in case because it isn’t a matter of if but when.

Some say that Google is too big, it controls too much and poses a threat to every business that uses its services, and should be broken up. One thing is for sure the latest cyber-attack is a moment of reckoning for every business large and small.

Frank A. Rivera, CEO HoudiniEsq

Best Legal Cloud Software HoudiniEsq

Frank A. Rivera
Software architect and Sun Microsystems Alumni. Frank is responsible for the development of key technologies across several sectors such as banking, intelligence, national security, and practice management. Frank architected and developed the Multi-Level-Gateway of the Trusted Solaris operating system after 9/11 allowing our intelligence agencies to securely share information without exposing credentials to the other agency. Frank also developed a streaming asymmetric block cipher that uses varying block sizes and a 768bit key providing for very strong encryption. Frank architected and developed the first cloud-based legal practice management product for the legal industry. Four years before the term Cloud Computing entered our lexicon. The product was acquired by LexisNexis in 2004.

Frank never received a degree in computer science but instead started his career with tech in the U.S. Military 18th Airborne Corp., Special Operations, 525th Expeditionary Intelligence Brigade, Fort Bragg North Carolina.