Good morning! I’m Cat Zakrzewski, a tech policy reporter at The Washington Post. I’ll be at the helm of The Cybersecurity 202 these next few weeks. If you can’t get enough of Post newsletters, sign up here for my forthcoming newsletter, The Technology 202. You won’t want to miss our daily analysis on the complex relationship between Washington and Silicon Valley, coming to your inbox in December.


With its decision to open half of its HQ2 in Crystal City, Va., Amazon will be the Pentagon’s newest neighbor - putting the company in a strong position to expand its business opportunities with the federal government.

The company’s new address will be on the doorstep of some of the government’s largest contractors. Amazon already provides services for a wide range of government entities, including the Central Intelligence Agency. The prime real estate for the technology giant right across the bridge from the nation's capital means that contractors like the Defense Department, which is already considering a bid from Amazon for its cloud computing services, might be even more likely to count on their new neighbor's offerings. 

“It’s a potential game changer now that they have their headquarters in the shadows of the Pentagon,” said Daniel Ives, Wedbush Securities managing director and equity analyst. “This is really Bezos planting his flag and saying the federal government is going to be a big piece of our business.”

A spokeswoman for Amazon declined to comment. (Amazon founder and chief executive Jeffrey P. Bezos owns The Washington Post.)

With HQ2 soon housed near both government agencies and prominent defense contractors, Amazon will also be able to recruit people with technical talent who are open to working on government projects. Amazon arrives inside the Beltway as tech workers largely living in Silicon Valley have protested their companies’ business ties to the military as well as Immigration and Customs Enforcement. Earlier this year, Google announced it would not renew its AI contract with the Pentagon, known as Project Maven, after widespread backlash and employee resignations.

Bezos has taken a harder line, saying company leadership can’t let employees call the shots. He said at a Wired conference last month that Amazon would continue to support the Defense Department.

“If big tech companies are going to turn their back on the U.S. Department of Defense, this country is going to be in trouble,” Bezos said.

Amazon’s commitment to the public sector apparently has been lucrative. Wedbush estimated that federal business  has accounted for well over $2 billion in revenue for the technology company so far in 2018. It’s a major area of growth for Amazon, the Wedbush analysts said, up from between $200 and $300 million in 2015.

About $20 billion in federal cloud projects will be “up for grabs” in the next five years as the government transforms its systems, according to Wedbush. The firm predicted in a recent note that Amazon and Microsoft will be the front-runners vying against each other to win those deals.

Even before confirming its HQ2 plans, Amazon was widely seen as the favorite to land one of the largest government IT contracts in years: a $10 billion effort to build a department-wide cloud computing infrastructure for DoD, known as the "Joint Enterprise Defense Infrastructure" or JEDI. Ives said the decision to open HQ2 in Crystal City is “a potential ingredient” that could sweeten Amazon’s chances of winning the deal. He said JEDI is “just the tip of the iceberg” in the company’s ambitions as a federal IT provider.

But continuing to win government contracts could be a double-edged sword for Amazon, whose business practices could come under increasing scrutiny from President Trump and federal regulators.

Trump, in a November interview with Axios aired on HBO, said the administration is continuing to study Silicon Valley giants — including Amazon, Google and Facebook — for potential violations of antitrust laws.

John Weiler, the managing director of the IT Acquisition Advisory Council, said he is concerned about Amazon’s growing power and influence in Washington. He said the company’s decision to open part of HQ2 in the Washington metro area was “a cornerstone” to its broader political strategy.

“This is going to be a book called, ‘How to Take Over the Government,’ ” Weiler said. “They perfectly played the game.”

Weiler was among the critics of the Pentagon’s decision to go with a single cloud provider for the competitive $10 billion JEDI contract. On Wednesday, the Government Accountability Office ruled against a bid protest filed by Oracle, which criticized that decision, my colleagues Aaron Gregg and Christian Davenport reported.

IBM also protested the bid, which the GAO is reviewing. A decision on the bid protest is expected by January, Aaron and Christian reported.


PINGED: Dmitri Alperovitch, co-founder and chief technology officer of CrowdStrike, told senators the Pentagon ought to switch the focus of its cybersecurity efforts from hygiene to “continuously hunting” hackers in its systems. “Implementing security controls is hygiene. Patching vulnerabilities is hygiene. Building an asset inventory is hygiene,” Alperovitch said in opening remarks at a hearing of the Senate Armed Services Cybersecurity subcommittee. “No matter how good the department gets at these tasks, they alone will not accomplish the most important mission: Stopping foreign intelligence and military services from countries such as Russia and China from breaking into our networks.”

Alperovitch said the DoD's emphasis on cyber hygiene “too often” gets in the way of rooting out hackers from the agency's networks. He also said the Pentagon should emulate private companies' approach to cybersecurity, which includes “rapidly detecting and ejecting adversaries.”

In his written statement to the committee, Alperovitch elaborated: “Hunting is assuming that adversaries are in your network and proactively searching for them by looking across your assets for indicators of malicious activity,” he said. “Simply investigating alerts generated by security tools is not hunting. Good hunters have an offensive mind-set and think like the adversary.”

PATCHED: FireEye said it expects increased activity from Chinese and Iranian hackers. In a report outlining several trends for 2019, the company predicted that Chinese espionage will accelerate over the next few years after Beijing reshuffled its cyber capabilities starting at least in 2016. “We assess that this reorganization will inform the growth and geographic expansion of Chinese cyber espionage activity through 2020 and beyond,” the report said.

FireEye also warned that Iranian threats could escalate following the Trump administration's decision to withdraw from the international nuclear deal. The firm said it expects Iran-linked hackers to “resume probing critical infrastructure networks in preparation for potential operations in the future.” However, “disruptive or destructive attacks on private companies” in the United States appear unlikely “in the immediate or near-term,” according to FireEye.

Additionally, Kevin Mandia, FireEye's chief executive, said he anticipates that more governments across the world will seek to acquire offensive cyber capabilities. “In my travels, I have the privilege of meeting with government officials from around the globe, and in nearly every conversation I inevitably get the same question within the first 10 minutes,” Mandia said in the report. “Whether it be in the Middle East, Europe, Asia or North America, they ask how they can develop an offensive capability for their own nation.”

PWNED: Facebook's leaders largely failed to grasp the extent of Russia's disinformation efforts on the social network during the 2016 presidential election and then sought to play down the issue, according to a wide-ranging investigation by the New York Times's Sheera Frenkel, Nicholas Confessore, Cecilia Kang, Matthew Rosenberg and Jack Nicas. The reporters described a September 2017 meeting of top Facebook executives, including chief executive Mark Zuckerberg and Sheryl Sandberg, during which Sandberg berated “the social network’s security chief, Alex Stamos, who had informed company board members the day before that Facebook had yet to contain the Russian infestation. Mr. Stamos’s briefing had prompted a humiliating boardroom interrogation of Ms. Sandberg, Facebook’s chief operating officer, and her billionaire boss. She appeared to regard the admission as a betrayal.”

Moreover, Sandberg lobbied Senate Intelligence Committee Chairman Richard Burr (R-N.C.), who leads the panel's investigation into Russian interference, according to the Times. “The two spoke by phone, according to a congressional staff member and a Facebook executive, and met in person this fall,” Frenkel, Confessore, Kang, Rosenberg and Nicas reported. “While critics cast Facebook as a serial offender that had ignored repeated warning signs about the dangers posed by its product, Ms. Sandberg argued that the company was grappling earnestly with the consequences of its extraordinary growth.” Facebook said in a blog post that the Times story contains “a number of inaccuracies.” You can read Facebook's response here.

From Confessore:

From Bloomberg News's Sarah Frier:

From the Wall Street Journal's Robert McMillan:


— “The departments of Defense and Homeland Security have agreed to a framework that more clearly articulates the agencies’ roles and responsibilities in defending U.S. networks from advanced cyberthreats, officials told lawmakers Wednesday,” CyberScoop's Sean Lyngaas reported. “A joint memo recently signed by Defense Secretary James Mattis and Homeland Security Secretary Kirstjen Nielsen ‘is a major step forward in fostering closer cooperation and marks a sea change in the level of collaboration between our departments,’ Kenneth Rapuano, an assistant secretary of Defense, said at House Armed Services subcommittee hearing.”

— “The former U.N. diplomat accused of helping steal and distribute Republican fundraiser Elliot Broidy's emails is entitled to diplomatic immunity, the U.S. government tells NBC News,” Josh Lederman of NBC News reported. “It's the latest blow to Broidy's legal campaign against Qatar and the individuals he says hacked him on its behalf. Several other defendants in lawsuits filed by Broidy including Qatar itself have already convinced the court to dismiss them from the case, which crisscrosses the murky worlds of cybercrime, the Persian Gulf diplomatic crisis and pay-to-play politics in Trump era.”

— More cybersecurity news from the public sector:

On tiny Plum Island, DARPA stages a real-life blackout to put its grid recovery tools to the test.
"Big news Wednesday ... Hillary's campaign will die this week," Randy Credico appears to have texted Stone six days before WikiLeaks email dump.
NBC News
National Security
The move could complicate Republicans’ hope of confirming dozens of conservative judges this year.
Karoun Demirjian
Trump reportedly wants to fire Kirstjen Nielsen over immigration. And now, in a new letter, 26 House Democrats want Nielsen out for doing Trump’s bidding too well.
The Daily Beast

— “A pair of hackers have earned themselves $50,000 for a hack of an iPhone X that allowed them to grab a photo that was supposed to have been deleted from the device,” Forbes's Thomas Brewster reported. “Benevolent hackers Richard Zhu and Amat Cama teamed up as Fluoroacetate to come up with an attack on an Apple device running the latest iOS (12.1) that exploited weaknesses in the Safari browser. Apple has now been informed, as per the rules of the Mobile Pwn2Own contest that’s wrapping up Wednesday in Tokyo.”

— A group of influential chief information security officers and other cybersecurity leaders are unveiling their plans to bring a new cybersecurity event to Maryland. The invite-only Global Cyber Innovation Summit will bring top chief executives, CISOs, researchers as well as policymakers together in Baltimore in May 2019. The event is  part of an effort to raise the city’s profile as an East Coast technology hub. 

Bob Ackerman, an investor in cybersecurity companies and one of the organizers, said the event will be focused on practitioners. “We want to bring that community together to tackle the issues they worry about,” he said. Large cybersecurity conference like RSA in San Francisco or Black Hat in Las Vegas already attract thousands of attendees and influential cybersecurity leaders. But Ackerman says the summit aims to improve the dialogue around cybersecurity issues at a time when many conferences have become focused on marketing new cybersecurity products. Ackerman say he has a rule: no selling. The event will instead focus on meaty topics such as the weaponization of artificial intelligence, he said. 

— More cybersecurity news from the private sector:

At the same time, criminal organizations continue to look for new ways to attack their victims.
Dark Reading
Carnegie Mellon’s CyLab is one of the largest institutions in the world focused on education and research for the next generation of cybersecurity experts.
The New York Times
Industrial cybersecurity company Dragos plans to open an office in Saudi Arabia next year, CEO Robert M. Lee tells CyberScoop.
The Switch
Bailey Richardson, one of Instagram's original 13 employees, says the company has lost its identity.
Elizabeth Dwoskin
Carrier facing inquiries on breach in several jurisdictions
Bloomberg News

— ​​​​​Yoshitaka Sakurada, a Japanese minister whose responsibilities include overseeing  the revision of cybersecurity laws before the 2020 Olympic Games in Tokyo, said he doesn't use computers, The Post's Adam Taylor reported. “When asked by independent lawmaker Masato Imai how a man who does not use computers could help implement online security measures, Sakurada said that the cybersecurity initiative is a government-wide project and that he had confidence in it,” Adam wrote.

— More cybersecurity news from abroad:

Chinese telecoms giant ZTE is helping Venezuela build a system that monitors citizen behavior through a new identification card. The "fatherland card," already used by the government to track voting, worries many in Venezuela and beyond.
Antivirus has been around for more than 20 years. Do you still need it to protect yourself today?


Coming soon

  • The U.S. Chamber of Commerce hosts a conference, titled “Critical Infrastructure Risk Management: A Path Forward,” in Washington tomorrow.
  • CyberwarCon in Arlington, Va., on Nov. 28.

Pence blasts Myanmar's treatment of Rohingya sitting next to Aung San Suu Kyi:

CMA Awards honors Thousand Oaks shooting victims:

Night Sight: How Google’s Pixel phone can take pictures in the dark.