I assume they can but it would be a risky strategy. If google security found a breach where customer data was being leaked then they might disclose publicly before they can be informed that it is a national security issue.
I suppose though that whatever part of a NSL that authorizes the CEO to tell developers to make it would likely also authorize the CEO to tell the security guys not to sound alarms about it.. at least not without consulting senior management first.