THE KEY

Venture capital investing in Washington-area digital security companies has grown nearly 50 percent since 2015 in a sign of the region’s booming cybersecurity market, according to figures provided by a local investing firm.

That's also a big opportunity for government agencies trying to overhaul their own cybersecurity, which will be able to recruit from a new crop of Washington area cyber start-ups, said Hank Thomas, CEO of Strategic Cyber Ventures, the Washington-based venture capital firm that provided the data. (Strategic Cyber Ventures will share details about the data in a blog post today.)

Thomas envisions a revolving door for cybersecurity professionals. “People will have the opportunity to leave the government workforce to work in the private sector, then take those skills back to the government," Thomas told me. 

That's good for both sides, Thomas predicts. And not just because the country is facing a serious shortage of skilled security talent. Private companies face many of the same cyber adversaries as the U.S. government, including government-backed hackers from Russia and China, Thomas noted. The difference is that government typically fights back with an abundance of resources and a lot of classified intelligence, while industry faces cost pressure to be more nimble and innovative.

The wave of VC cash also means Uncle Sam won't be the only game in town. Thomas compared the development to Amazon’s decision to locate a portion of its second headquarters in the Washington area, though on a smaller scale. Both will bring a new and diverse supply of workers with different skills that will contribute to the broader Washington ecosystem, he said. (Amazon founder Jeff Bezos owns the Washington Post).

“This is nothing but good for the government and the D.C. ecosystem,” he said.

The Washington region has long been a national leader in cybersecurity with top-notch hackers and cyber defenders moving back and forth between intelligence services and the Defense Department, and major contractors such as Raytheon, Lockheed Martin and Booz Allen Hamilton. 

The region has lagged, however, in the sort of start-up, venture capital-backed cybersecurity firms that dot Silicon Valley.

Investors injected $302 million into cybersecurity firms in the District, Virginia and Maryland in 2018 compared with $242 million in 2017 and just $208 million in 2015, according to the Strategic Cyber Ventures data.

That’s a lot of new money for Washington, but nothing compared to California, where just two big cybersecurity companies, CrowdStrike and Tanium, took in $575 million in new venture capital funding in 2018, according to the data.

Things look very different if you look at the broader cybersecurity industry, however.

There’s a supply of about 91,000 cyber workers in the Washington and Baltimore metro areas compared with just about 29,000 between the Silicon Valley and San Francisco metro areas, according to a heat map maintained by the Commerce Department’s National Institute of Cybersecurity Education and several partners.

The raw data for the Strategic Cyber Ventures post came from the research firm Pitchbook, which culls investment information from numerous sources, including self-reporting by companies.

Government has tried in the past to mirror industry’s fast-paced tech and cyber sectors, especially the Defense Department, which launched a Silicon Valley outpost in 2015 called the Defense Innovation Unit. It’s been tougher, however, to lure private-sector talent from across the country into government. 

Yet cyber workers from consumer-focused VC-backed firms could bring useful experience and expertise to government, Chris Ahern, a principal at Strategic Cyber Ventures, told me.

For example, a worker who’s used to designing cyber tools for the convenience-obsessed consumer market could be highly valuable to government, which is known for its often clunky and outdated computer systems, Ahern told me.

“As the federal government builds out different cyber dashboards and operational tools, they’ll be able to produce things that are much more user-friendly,” he said.

PINGED, PATCHED, PWNED

PINGED: The bad news continues to accumulate for Chinese telecommunications giant Huawei, a company that U.S. officials have said could be a platform for Chinese spying. Federal prosecutors are conducting a criminal investigation of the company over alleged theft of trade secrets  from American business partners, the Wall Street Journal's Dan Strumpf, Nicole Hong and Aruna Viswanatha reported. Part of the probe, which is in its advanced stages, includes allegations that Huawei stole technology from T-Mobile. Those allegations were initially part of a 2014 civil suit by T-Mobile against Huawei.

The 2014 lawsuit alleged that while both companies were collaborating, Huawei employees sought information about a T-Mobile testing robot nicknamed “Tappy” and other technology, according to the Journal. “In one alleged instance, two Huawei employees slipped a third one into a testing lab to take unauthorized photos of the robot,” the Journal reported. “One employee also tried to hide the fingerlike tip of ‘Tappy’ behind a computer monitor so that it would be out of view of a security camera, and then tried to sneak the tip out of the lab in his laptop-computer bag, according to the lawsuit.”

PATCHED: Meanwhile, lawmakers on Capitol Hill are also taking aim at Huawei. A bipartisan group of senators and congressmen introduced legislation to ban exports of U.S. equipment to Chinese telecommunications businesses that run afoul of U.S. sanctions or export controls, according to a news release from the office of Sen. Tom Cotton (R-Ark.). Cotton introduced the bill alongside Sen. Chris Van Hollen (D-Md.), Rep. Mike Gallagher (R-Wis.) and Rep. Ruben Gallego (D-Ariz.). “If Chinese telecom companies like Huawei violate our sanctions or export control laws, they should receive nothing less than the death penalty, which this denial order would provide,” Cotton said in a statement.

The Telecommunications Denial Order Enforcement Act would also direct the president to enact punitive measures — similar to those that ZTE originally faced — against Chinese telecommunications firms that do not abide by U.S. export controls and sanctions. The lawmakers introduced the legislation shortly before the Wall Street Journal reported that federal prosecutors are investigating Huawei, Reuters noted.

A separate bill sponsored by Reps. C.A. Dutch Ruppersberger (D-Md.), Jim Himes (D-Ct.), Mike Conaway (R-Tex.) and Will Hurd (R-Tex.) would create a new White House office focused on combating state-sponsored technology and intellectual property theft from China and elsewhere. The Office of Critical Technologies and Security would also develop a strategic plan to address physical and cyber vulnerabilities in the U.S. technology supply chain.

PWNED: An Oklahoma Securities Commission server left massive amounts of unprotected data including files about FBI investigations exposed online, Forbes's Thomas Brewster reported. Greg Pollock, a researcher for the cybersecurity company UpGuard, discovered the leak, which amounted to 3 terabytes of data. “The documents included spreadsheets with agent-filled timelines of interviews related to investigations, emails from parties involved in myriad cases and bank transaction histories,” Forbes reported. “There were also copies of letters from subjects, witnesses and other parties involved in FBI investigations.”

The Oklahoma agency removed the server from the public Internet after it was informed of the leak. “Though the agency thanked UpGuard for notifying it regarding the issue, it didn’t check to see what was done with the mass of data downloaded by the researchers,” Forbes reported.

PUBLIC KEY

— Sen. Dianne Feinstein (D-Calif.), the top Democrat on the Senate Judiciary Committee, said she will not vote for William P. Barr, President Trump's nominee for attorney general, unless he commits to releasing the report by special counsel Robert S. Mueller III about his probe, The Washington Post's Matt Zapotosky, Karoun Demirjian and Devlin Barrett reported. “This is a big report, and the public needs to see it, and with exception of very real national security concerns, I don’t even believe there should be very much redaction,” Feinstein said, according to my colleagues. “So, I am hopeful that that report will be made public, and my vote depends on that, Mr. Chairman, because an attorney general must understand the importance of this to the nation as a whole, to us as a Congress, as well as to every American.”

— Deputy Energy Secretary Dan Brouillette warned Israeli authorities about Chinese investments in Israel and cited worries about cybersecurity, Reuters reported. “We know that the threat of cyber attacks is growing each and every day,” Brouillette told Reuters in a statement. In separate remarks, he also suggested that Chinese investments in Israel could lead allies to reduce intelligence-sharing. “If done incorrectly, you inhibit the other allies from sharing intelligence with you,” Brouillette said in comments that aired on Israeli Army Radio, according to Reuters.

— Several Republicans on the House Energy and Commerce Committee want answers from telecommunications companies about the sale of cellphone users' location data. Rep. Greg Walden (R-Ore.), the top Republican on the committee, as well as Reps. Robert E. Latta (R-Ohio), Cathy McMorris Rodgers (R-Wash.) and Brett Guthrie (R-Ky.) sent letters questioning T-Mobile, AT&T, Sprint, and Verizon about the practice.

The letters follow a report by Motherboard that found that T-Mobile, Sprint and AT&T sold access to their customers' location information to third-party companies — Motherboard didn't report that Verizon engaged in the same practice. The Republican lawmakers also wrote to two other companies mentioned in the Motherboard story: Zumigo and Microbilt.

“This practice of selling and sharing of location information through multiple entities potentially impacts hundreds of millions of American customers,” the lawmakers wrote. “We are deeply troubled because it is not the first time we have received reports and information about the sharing of mobile users’ location information involving a number of parties who may have misused personally identifiable information.”

— More cybersecurity news from the public sector:

  • It’s also left some websites vulnerable to cyber threats. (Nextgov)
  • The Senate Commerce Committee plans to examine digital-privacy issues as well as the development of fifth-generation wireless connectivity, or 5G, during two of its first hearings this year, Commerce Chairman Roger Wicker (R-MS) and ranking member Maria Cantwell (D-WA) confirmed during a meeting today. (Inside Cybersecurity)
  • Senators have struck a last-minute deal to extend a program regulating how manufacturers must guard against potential terror attacks, calming fears from business groups about a lapse. (The Hill)
  • Eleven Republicans backed a Democratic measure that would stop the Treasury Department from relaxing sanctions against a Russian billionaire and ally of Vladimir Putin. (Jeanne Whalen)
  • Psy Group delivered plans for ‘social media manipulation’ in 2016 and the special counsel is digging in as part of his probe into Mideast influence. (The Daily Beast)

PRIVATE KEY

— Here's another consequence from the revelations about the sale of cellphone users' location information: Sprint said it will stop selling such data to third-party companies, Motherboard's Joseph Cox reported. “As a result of recent events, we have decided to end our arrangements with data aggregators,” a Sprint representative told Cox in an email. AT&T and T-Mobile have also said they will put an end to the practice.

— More cybersecurity news from the private sector:

  • Poor credential management could let bad actors enter secure buildings, lock doors and download or change federal employee and contractor data. (Nextgov)
  • A researcher who responded to the attack on a Saudi petrochemical plant says the initial incident was not thoroughly investigated. (CyberScoop)

THE NEW WILD WEST

— Threat intelligence firm Recorded Future said it has “moderate confidence that a small percentage” of users migrated elsewhere after Ashiyane Forum, Iran's primary hacker forum, was shut down in August 2018. The site was linked to Iran's Islamic Revolutionary Guard Corps, which U.S. officials say was responsible for digital attacks against U.S. financial institutions and a New York state dam. You can read the report here.

— Cyber criminals have targeted financial institutions in several West African countries since at least mid-2017, according to the cybersecurity firm Symantec. “Who is behind these attacks remains unknown,” Symantec said. “They could be the work of a single group or, more likely, several different groups employing similar tactics.” You can read the research here.

— More cybersecurity news from abroad:

  • A new report articulates how China might use cyber capabilities during a conflict. (Fifth Domain)

FOR THE N00BS

  • The survey looks at how Americans feel about the data Facebook collects about them. (Abby Ohlheiser)

ZERO DAYBOOK

Today

  • S4x19 industrial control systems security conference in Miami Beach.
  • The Council on Foreign Relations holds a panel discussion titled “Hacking and the Internet of Things.”

Coming soon

  • ShmooCon hacker conference in Washington tomorrow through Sunday.

EASTER EGGS

Furloughed workers descend on McConnell's office:

A class of their own: The new women of Congress claim their space:

British lawmaker makes Eminem reference in discussing Jeremy Corbyn