Good morning! I’m Cat Zakrzewski, a tech policy reporter at The Washington Post. I’ll be at the helm of The Cybersecurity 202 these next few weeks. If you can’t get enough of Post newsletters, sign up here for my forthcoming newsletter, The Technology 202. You won’t want to miss our daily analysis on the complex relationship between Washington and Silicon Valley, coming to your inbox in December.


Rep. Ro Khanna (D-Calif.) is defending Google’s controversial decision to end a Pentagon project amid employee backlash against building artificial intelligence intended for warfare.

Khanna's comments at a Technology 202 Live event on Thursday were a rare sign of support for the embattled search giant at a time when the company is saddled with scrutiny from Washington lawmakers. Google said earlier this year it would not renew the deal for the military’s AI endeavor — known as Project Maven — when it expires next year after a wave of employee resignations and public criticism of its contract with the Defense Department. 

Khanna said Google's decision is par for the course in a democracy — and stands in contrast to China where the state exerts greater control over companies. “I don’t think we want to be like China,” Khanna said. “We have a system where we have free enterprise, and companies have the autonomy to decide what they want to do.” 

Google's move to sever ties with Project Maven drew the ire of Republican lawmakers, who criticized the company for taking an ethical stance against working with the Pentagon while at the same time reportedly secretly began building a censored version of its search engine in China. Dropping the project, as my colleague Drew Harwell has explained,  was "a setback for the Pentagon's push to supercharge the military's capabilities with powerful AI that could help process battlefield data or pinpoint military targets." In one pilot, AI was used for complex tasks such as analyzing drone footage, identifying buildings and vehicles as well as processing video that is typically tagged by human analysts. 

Khanna, who represents Silicon Valley, said the government can’t force any company to do anything, but it should do more to address the Google employees’ concerns and collaborate with them on developing ethical principles and standards. “It’s not a reflexive position that they don’t want to cooperate with defense,” Khanna said. “It’s more that they want to see what are the ethical principles that are going to guide this.” 

Silicon Valley and the military are adapting to a shifting relationship. For decades, the Defense Advanced Research Projects Agency and other government agencies have been a hotbed for technical innovation. As Khanna pointed out during the panel, much of Silicon Valley's success has relied on government-funded research, and devices such as the computer mouse would not have been possible without DARPA's work.  

But in recent years, some of the most innovative technical research and development has shifted to the private sector, as technology companies such as Google and Amazon have grown to lead global industry spending on research and development. Much of Google's spending has focused on AI. Even for smaller companies, record-breaking amounts of private capital are pouring into the technology sector.  In some instances, the government is seeking to bring in innovative technologies from industry rather than spinning it up itself through initiatives like In-Q-Tel, the intelligence community's venture arm, and the Defense Innovation Unit, an organization that helps U.S. defense work with emerging commercial technologies. 

But the Google controversy has put a fine point on the challenges for government as it relies on the private sector for technology. And some lawmakers are very critical that the company cease a project the U.S. military prioritizes while making compromises with other foreign governments.  

“Google said it wouldn't bow to Beijing's censorship, and it should stick to its word, especially now that it's canceled its partnership with our military,” Senator Tom Cotton (R-Ark.) said when Google’s plans to create a censored version of its search engine for the Chinese market were exposed earlier this year. “Google claims to value freedom, and one hopes Google will put its corporate principles and America first, ahead of Chinese cash.”

Now that the company is being more public about its China plans, such criticism may only intensify. Pichai defended Google’s decision to push into China in a New York Times interview published Thurday, saying that the company operates in many countries with censorship. In the interview, he compared working in China to operating in Europe, where it sometimes removes search results under “right to be forgotten” laws -- in which Google must comply with some citizens' requests to remove search engine results about themselves.

Bloomberg News columnist Shira Ovide called out the comments on Twitter:

As competition with China puts pressure on the U.S. to maintain its leadership in AI, the government made it clear earlier this year it would play a bigger role in funding research. On the same Thursday panel, DARPA Director of the Defense Sciences Office Valerie Browning said Google's moves have not hampered the agency's efforts to invest in AI. The agency announced a $2 billion initiative to invest in AI earlier this year, and Browning said DARPA has had no issues engaging industry on that initiative. 

“DARPA laid some very fundamental groundwork,” Browning said of DARPA's work on AI over the past 60 years.  

As the industry and military adjust to this changing dynamic, technology companies are also adapting to a new reality in Washington, where their historic strategy of avoiding lawmakers is no longer working. With Democrats winning control of the House of Representatives this year, many expect oversight of the technology industry will only increase. 

Though a major lobbying force in Washington, Google has struggled to adjust to the increased scrutiny of policymakers on a laundry list of issues, including privacy, competition, allegations of bias against conservatives on the platform, and more. The tensions with lawmakers came to a head earlier this year when the company failed to send an executive lawmakers deemed senior enough to a hearing where Twitter Chief Executive Jack Dorsey and Facebook Chief Operating Officer Sheryl Sandberg also appeared. 

My colleague Tony Romm has reported that House Republicans hoped to hear from Sundar Pichai at a hearing before the end of the year. The hearing had not been scheduled as of Congress’s pre-election break. If does Pichai make his debut in Washington, the company should expect a tough reception from lawmakers. 


PINGED: Rob Joyce, senior adviser for cybersecurity strategy at the National Security Agency, said China transgressed a 2015 agreement under which Washington and Beijing agreed not to carry out hacking operations for economic gain, the Wall Street Journal's Dustin Volz reported. “It is clear they are well beyond the bounds of the agreement today that was forged between our two countries,” Joyce said of the deal struck by President Barack Obama and Chinese President Xi Jinping, as quoted by the Journal. Joyce spoke at the 2018 Aspen Cyber Summit in San Francisco.

As Volz noted, Beijing has denied engaging in cybertheft for commercial purposes. “Mr. Joyce praised the Obama-Xi accord, saying that it had a marked impact on China’s economic hacking for a time,” Volz wrote. “Some security experts have said they believe independent factors, including a reorganization of China’s People’s Liberation Army, may have had more to do with the temporary decline in cybertheft.”

Joyce also explained the rationale behind U.S. Cyber Command's recent decision to share some malware samples from hackers with the cybersecurity community, Bloomberg News's Alyza Sebenius and Nico Grant reported. “That is an engagement saying: we’re going to take your tools, we’re going to put them out there, we’re going to show your tradecraft, we’re going to make it harder for you to do these kind of operations,” Joyce said, as quoted by Sebenius and Grant. “And by doing that we are imposing friction.”

PATCHED: The Aspen Cybersecurity Group released a list of seven principles to improve the security of the Internet of Things. The group, which comprises lawmakers, former government officials, technology experts as well as scholars and other professionals, acknowledged the convenience of IoT devices but warned about security threats associated with such technology. “When left unsecured, however, these devices also carry increased risks to public health and safety, business operations, and individual privacy,” the group said in a memo. “As the attack surface continues to expand, there is an acute need to ensure the benefits of IoT—and technological innovation more broadly—are nurtured while simultaneously mitigating against the associated risks.”

The group said security features should be “baked-in” when manufacturers and developers design such devices. IoT companies should also be transparent about security and privacy features and be held accountable for keeping such objects secure. Additionally, the group recommends developing devices with “updateable” security. Finally, IoT security should be multi-layered and the features of IoT devices “should be limited by necessity,” according to the group of experts. “IoT components should be stripped down to the minimum viable feature set and devices should connect carefully and deliberately,” the memo said.

The group's co-chairs are Rep. Will Hurd (R-Tex.), Lisa Monaco, who served as homeland security and counterterrorism adviser to Obama, and Ginni Rometty, IBM's chairman, president and chief executive. The group also released recommendations for increasing the size of America's cybersecurity workforce and a framework to improve cybersecurity collaboration between the U.S. government and the private sector.

PWNED: “Hackers impersonating journalists tried to intercept the communications of a prominent Saudi opposition figure in Washington, The Associated Press has found,” Raphael Satter of the AP reported. “One attempt involved the fabrication of a fake BBC secretary and an elaborate television interview request; the other involved the impersonation of slain Washington Post columnist Jamal Khashoggi to deliver a malicious link. Media rights defenders denounced the hacking effort, which they said would make it harder for genuine reporters to do their jobs.” Hackers also used a photo of Washington Post reporter Souad Mekhennet as part of the fake BBC-related scheme, according to the AP. “To be clear, neither of these distinguished journalists had any involvement whatsoever in these despicable schemes,” Washington Post Executive Editor Martin Baron said in a statement, as quoted by Satter.

The fake BBC-related scheme was more elaborate than the other plot that impersonated Khashoggi, the AP reported. “The most involved masquerade took place in February of this year, when someone posing as a BBC journalist called ‘Tanya Stalin’ emailed Washington-based Saudi dissident Ali AlAhmed inviting him to a live broadcast about Saudi Arabia,” Satter wrote. “Stalin engaged with AlAhmed over several days, sending him a list of proposed topics and talking him through the logistics of his purported television appearance. AlAhmed said he knew from the beginning that something was up.”


— “With some elections still too close to call, the Department of Homeland Security has not stopped looking for potential interference, according to Bob Kolasky, the acting deputy under secretary for the agency's National Risk Management Center,” FCW's Matt Leonard reported. “NRMC be watching these elections closely until they are all finalized, he told FCW.” Moreover, Leonard wrote, after “the elections are finalized, the NRMC will continue to work with secretaries of state and others in the election space, especially on information sharing, Kolasky said, but it expects to do fewer risk assessments in 2019 and plans to turn its attention to other infrastructure areas.”

— “The chief technology officer for the Democratic National Committee (DNC) said Thursday that the group isn't aware of any successful hacks during Tuesday's midterm elections,” the Hill's Jacqueline Thomsen reported. “Raffi Krikorian told CNN Business that the DNC, which was hacked ahead of the 2016 elections, ‘didn't hear much’ about possible hacks on Election Day. Still, he noted that it could be weeks or months before a cyberattack emerges and that the DNC is currently undergoing a post-mortem study on the elections.”

— More cybersecurity news from the public sector:

Chief weapons buyer Ellen Lord discusses new initiative
Bloomberg News
The department wants to be able to provide cyber training webinars to 5,000 simultaneous users.
National Security
People close to him also doubt he would ever approve any potential subpoena of President Trump.
Devlin Barrett, Matt Zapotosky and Josh Dawsey
Republicans largely avoided any mention of the Mueller investigation and wished the former attorney general well.
Felicia Sonmez and Karoun Demirjian
Federal agencies now have more options for classifying employees that perform cybersecurity duties.
Fifth Domain

— “After years of being caught flat-footed by hackers, companies are turning to cybersecurity defenses called threat intelligence to fend off a new generation of criminals and spies trying to steal their secrets and money,” the Wall Street Journal's Robert McMillan reported. “Threat-intelligence services can include detailed reports on the makeup and motivations of illicit groups, descriptions of illegal data sold on the dark web, and information about hackers’ tools and tricks. Incubated in the military and in spy agencies, they are becoming more popular in an era when companies often find themselves pitted against nation-state hackers.”


— “Be they hobbyists or surveillance specialists, DJI drone owners could’ve had their live video feeds spied on by hackers, according to researchers who uncovered a weakness in the Chinese company's tech,” Forbes's Thomas Brewster reported. “The vulnerability, which has been patched and which DJI said was never actually exploited by malicious hackers, was resident not in the manufacturer’s drones, but on its website. If exploited, the weakness would’ve allowed a snoop to gain full access to a DJI users account, said researchers from Israeli cybersecurity firm Check Point.”

The Mueller-indicted troll farm solicited questions for a tell-all Q&A that never happened. Except that it did. And virtually no one ever saw it.
The Daily Beast
A senior Austrian military officer is believed to have spied for Moscow for decades, Vienna said on Friday, adding to a list of recent Russian espionage cases and souring relations with arguably the country’s closest ally in the EU.
Here’s what happened when two Times tech reporters installed Facebook’s new Portal video-calling gadgets in their bedrooms.
The New York Times


Coming soon


What Matthew Whitaker has said about the Russia investigation:

Roger Stone has a rule: “Deny everything.” And he does:

Dutch 69-year-old asks court to change his age to 49: