19. The UN shall declare cyberspace a peaceful commons and create a binding treaty for international cyber norms.




Rapporteur: Allison Pytlak

Introduction

Since the first instances of malicious cyber operations between states, there has been a growing acceptance of cyber space as a militarized domain. This is a dangerous path to continue down, given the civilian and dual-use nature of cyberspace and digital networks. Such militarization is evidenced in the increasingly formalized role of digital operations in military doctrine and strategy, as well as in the language used to depict activity in this arena, such as through terminologies like “cyber weapon,” “cyber war,” or “cyber bomb”. By treating this primarily as a military and security issue, states and other actors risk institutionalizing and taking for granted the broad idea of cyber conflict. In the on-going discussions at the United Nations (UN), and elsewhere, about norms of responsible behaviour in cyberspace, it’s essential that such norms are viewed as obligatory commitments and that space is also given to articulating a vision of cyber peace.

A) Existing multilateral fora

UN Groups of Governmental Experts

The United Nations has been considering “developments in the field of information and telecommunications in the context of international security” since 1998. The centre of discussion has largely been within Groups of Governmental Experts (GGEs) on information and communications technologies (ICTs) established by the UN General Assembly (UNGA) as of 2004. GGEs are entities created within the UN system to enable thematic and expert discussion and exploration of a given topic, sometimes as a precursor to a political process. Their rules of participation and access vary depending on the forum in which a GGE is created.

Russia introduced the first draft resolution on the subject of ICTs in the context of international security in 1998 at the UNGA First Committee.(1) It had four operative paragraphs, including a call to member states to inform the United Nations Secretary-General (UNSG) of their views and assessments on four key questions relating to information security. These formed the basis of the annual reports that UN Secretaries-General have published since 1999.

The 2002 resolution called for the establishment of the first GGE on ICTs, prompted in part by reluctance from some countries to fully engage in this subject in First Committee.(2) Five GGEs have since been convened, each meeting either in Geneva or New York four times over a two-year cycle.(3) Their sizes have ranged from 15-25 states.(4)

Each Group sought to agree by consensus on a report of its proceedings, which may include conclusions and recommendations and which is returned to the wider UN membership for adoption. This has had varying levels of success because, since their inception, the GGEs have suffered from an inherent sense of mistrust among their memberships and divergent views on definitions and basic approaches to information security.

Over time, the outputs of the GGE have generally improved and expanded, in line with their mandates and progress in discussions.

The report of the 2012-2013 Group was welcomed for its breakthrough statement that international law is applicable to cyberspace, although it was simultaneously tempered by a reaffirmation of state sovereignty in the conduct of ICT-related activities, and protection of infrastructure.(5)

The 2015 report was lauded for setting out eleven recommendations for voluntary and non-binding norms, rules, or principles for state behaviour, confidence-building measures, international cooperation and capacity building, and positive recommendations.(6)

Progress broke down in the 2016-2017 Group, reportedly over the issue of the applicability of international law, including international humanitarian law (IHL) and international human rights law (IHRL).

In 2017, it was not possible for states to agree to establishing a new GGE. Instead, debate at the UNGA First Committee explored other possible entities and forums that could better take forward the subject, as well as providing views on the validity of past outputs from the Groups.

In 2018, Russia—the traditional sponsor of the UNGA First Committee resolution on ICTs—introduced new and controversial elements into the annual resolution. The first draft included various points from the Shanghai Cooperation Organization’s International Code of Conduct on Information Security in a list of norms for discussion in a new GGE. The Code is seen by other states as a way to undermine human rights protections for online activity and so was immediately problematic for many countries. The Russian Federation recanted and redrafted its resolution without that language but with variously selected references from former GGE reports, and a new proposal to create an open-ended working group (OEWG), in place of a GGE, using the argument that such a forum would be more conducive to democratic participation and inclusivity.(7) The United States, frustrated with Russian actions, tabled for the first time its own competing resolution, written in the style of traditional First Committee ICT resolutions and calling for a new GGE but with a limited possibility of input from non-GGE members, through regional consultations. The United States and its allies heavily criticized the Russian proposal, arguing that it mischaracterized and cherry-picked language from previous GGE reports without consistency or logic, and accused Russia of being divisive.

In connection with wider politicization that complicated multiple disarmament topics at the UNGA First Committee in 2018, it was not possible for a compromise to be reached and the end result is that there will be both a GGE and an OEWG meeting throughout 2019 and 2020.(8)

The two entities have similar, yet not identical, mandates and varying modalities to receive inputs from either non-governmental stakeholders or, in the case of the GGE, non-Group members. For example, the GGE is likely to have a series of regional consultations throughout 2019 and 2020, and the OEWG will have a session in December for input from non-governmental actors. The chairpersonship of either entity and the composition of the GGE have not been made publicly available as of late May 2019.

UN Secretary-General reports and Agenda

The UN Secretary-General has issued multiple annual reports on the subject of ICTs since 1998. These consist of a compilation of national reports submitted voluntarily by member states.

The current UNSG António Guterres has made the promotion of a peaceful ICT-environment a key priority. In his Agenda for Disarmament, launched in May 2018, Guterres has included two action points on cyber security as part of the Agenda’s implementation plan. The UNSG notes in his report that “global interconnectivity means that the frequency and impact of cyberattacks could be increasingly widespread, affecting an exponential number of systems or networks at the same time.” He further states that “in this context, malicious acts in cyberspace are contributing to diminishing trust among States.”

Beyond the UN

The work within the UN is supplemented by an external patchwork of global and regional meetings for various stakeholders. Some of these fora have come to play an increasingly important role given stalemate and politicization within the UN system.(9)

France initiated its ‘Paris Call for Trust and Security in Cyberspace’ in November 2018.(10) (France Diplomatie, 2018) Also in 2018, the Global Commission on the Stability of Cyberspace (GCSC) outlined six new global norms to help promote the peaceful use of cyberspace.(11) (Global Commission on the Stability of Cyberspace, 2018) Proposals have also come from the private sector, notably Microsoft’s suggestion for a digital Geneva Convention (Microsoft, 2017) and leadership in the development of the Tech Accords, now supported by dozens of technology firms.(12)

Regional and other cooperation

Regional agreements have enabled information-sharing and support between states on a practical and tactical level, including between Computer Emergency Response (or Readiness) Teams, also known as CERTs. Some agreements, like NATO’s Enhanced Cyber Defence, also incorporate legal considerations. The NATO Cooperative Cyber Defence Centre of Excellence (technically not a NATO organization) commissioned the development of what is known as the Tallinn Manual. The Manual outlines how international law applies to cyber conflicts and cyber warfare and was developed by an international group of approximately twenty experts.

Other regional cooperation agreements have a focus on other aspects of cybersecurity such as cybercrime (the Budapest Convention), data protection and cyber security (African Union Convention on Cyber Security and Personal Data Protection) or information security (Shanghai Cooperation Organization’s agreement on “Cooperation in the Field of Information Security”).

B) Existing norms and confidence building measures

The 2015 UN GGE set out eleven recommendations for consideration by states for voluntary, non-binding norms, rules, or principles of responsible state behaviour with the aim of “promoting an open, secure, stable, accessible and peaceful ICT environment”. They include:

  1. Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security;
  2. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences;
  3. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs;
  4. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect;
  5. States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression;
  6. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public;
  7. States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions;
  8. States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty;
  9. States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;
  10. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure;
  11. States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cybersecurity incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.

In addition, the 2015 Group recommended several voluntary confidence-building measures:

  1. The identification of appropriate points of contact at the policy and technical levels to address serious ICT incidents and the creation of a directory of such contacts;
  2. The development of and support for mechanisms and processes for bilateral, regional, subregional and multilateral consultations, as appropriate, to enhance inter-State confidence-building and to reduce the risk of misperception, escalation and conflict that may stem from ICT incidents;
  3. Encouraging, on a voluntary basis, transparency at the bilateral, subregional, regional and multilateral levels, as appropriate, to increase confidence and inform future work. This could include the voluntary sharing of national views and information on various aspects of national and transnational threats to and in the use of ICTs; vulnerabilities and identified harmful hidden functions in ICT products; best practices for ICT security; confidence-building measures developed in regional and multilateral forums; and national organizations, strategies, policies and programmes relevant to ICT security;
  4. The voluntary provision by States of their national views of categories of infrastructure that they consider critical and national efforts to protect them, including information on national laws and policies for the protection of data and ICT-enabled infrastructure. States should seek to facilitate cross-border cooperation to address critical infrastructure vulnerabilities that transcend national borders. These measures could include:
    1. A repository of national laws and policies for the protection of data and ICT-enabled infrastructure and the publication of materials deemed appropriate for distribution on these national laws and policies;
    2. The development of mechanisms and processes for bilateral, subregional, regional and multilateral consultations on the protection of ICT-enabled critical infrastructure;
    3. The development on a bilateral, subregional, regional and multilateral basis of technical, legal and diplomatic mechanisms to address ICT-related requests;
    4. The adoption of voluntary national arrangements to classify ICT incidents in terms of the scale and seriousness of the incident, for the purpose of facilitating the exchange of information on incidents.

As these norms were adopted by the UN General Assembly, they are considered by many member states as reflecting the current standard for behaviour in cyberspace, albeit non-binding and voluntary. These states are now advocating for their implementation, while some countries are calling for further elaboration and discussion about the content of the norms and measures themselves.

C) Major areas of disagreement

Since their establishment, the UN GGEs have suffered mistrust among some of their key members and divergent views about definitions and basic approaches to “information security”. Other areas of contention have included GGE mandates as well as the broader role of the UN and the First Committee with respect to international information security challenges.(13) These different approaches and perspectives have had a ripple effect in other multilateral fora, and colour the scope and objectives of several regional agreements. Outlined below are three of the most visible areas of disagreement.

Existing international law

The applicability of international law to cyberspace has been a primary point of disagreement among states in recent years, particularly with respect to articulating how it applies. The third and fourth GGEs declared that “international law, and in particular the Charter of the United Nations,” were applicable to cyberspace. At the time, it did not appear to be the position of any state that the right to self-defense would not apply in response to cyber operations that meet the threshold of an armed attack under Article 51 of the UN Charter.

Yet, the fifth GGE (2015-2016) failed because of disagreement on this point. Some states (including Russia, China, and Cuba, among others) maintained that to affirm the application of UN Charter principles of use of force and international humanitarian law would result in the “militarization” of cyberspace, whereas others (including the United States and western European states) insisted on acknowledging the right to apply “countermeasures” in scenarios that fell below the threshold of the ‘use of force’ in cyberspace. There was debate around linking the malicious use of ICTs with an “armed attack” and what the legal implications of that would be, which largely reflected the asymmetry within the Group with respect to the cyber and conventional weapons capabilities of the different countries comprising it, as well as around whether a cyber operation could ever cross the high legal threshold of an “armed attack”.

The applicability of international humanitarian law (IHL) to cyber operations has been similarly contentious, as some states have argued that applying IHL to cyberspace would legitimize taking military activities in it—which they claim to oppose—while others affirm its applicability. The International Committee of the Red Cross (ICRC) has highlighted the prohibition of weapons which are indiscriminate by nature as particularly relevant, but points out that the key principles of distinction, proportionality and precautions must also be observed. Adherence to IHL means that attacks cannot be directed at civilians or civilian objects, and as the ICRC points out, critical civilian infrastructure—including the cyber infrastructure on which they operate or rely, such as networks or equipment—are civilian objects and therefore protected against attack, unless they have become military objectives.(14)

Information security

While the term “information security” has been used widely and for two decades within the UN system, it has always suffered from a fundamental difference of approach and understanding among states, which has ramifications for efforts to reach agreement on norms. Countries that are more technologically developed often prioritize the importance of the free flow of information, while those less developed make equal access to information and information technologies a priority in discussions on cyber security and cyberspace. At the same time, certain others view information technology and the free flow of information as a threat to be contained.

For example, China views the problem of information security as including not only the risks relating to vulnerabilities of structures and systems, but also the political, economic, military, social, and cultural problems that arise from technology use within its own borders. China and Russia have preferred to focus on international information security in the context of multilateral discussion fora as a safer formula than addressing it in a way that would draw attention to domestic actions. The United States has regularly reaffirmed that implementing information security measures cannot infringe on basic individual freedoms. The United Kingdom avoids using the term “information security” because it can be misused or misinterpreted as a way to justify limitations on personal freedoms.(15)

The need for new international law

Since introducing its first resolution on the subject of ICTs, Russia has been advocating to codify applicable norms and principles to govern uses of ICTs through a binding and universal agreement on international information security. It has made multiple proposals in this regard, both in the UN context and unilaterally within Central Asia, and with China.

Other states, largely Western ones, have not been supportive of the call for a cyber space treaty. Some have argued that to do so would be premature, or that existing international law is sufficient. Some states have also highlighted that given the divergent views on key aspects of the international cyber security issue, as well as around basic definitions and terminology, it would not be feasible to come to an agreement that would have enough substance to be effective.(16)

D) Human rights considerations

The human rights impact of digital technologies is being addressed in different UN fora from those where the national security impact is discussed, and usually by different actors within the international community. There has been very little intersection between security-based and human rights-based approaches or discourses.

Some human rights-based approaches have necessarily focused on unique human rights such as the right to freedom of expression, as protected by Article 19 of the Universal Declaration of Human Rights and of the International Covenant on Civil and Political Rights (1966). The human rights to privacy and assembly are also frequently at risk in a digital context. The right to privacy is guaranteed by Article 17 of the International Covenant on Civil and Political Rights (1966). Article 15 of the International Covenant on Economic, Social and Cultural Rights (1966) protects the right of everyone to “enjoy the benefits of scientific progress and its applications” which can be interpreted to include the right to use the Internet. There has also been reaffirmation of women’s human rights that are threatened by targeted online activities like revenge porn and cyberstalking.(17)

The UN Human Rights Council (HRC), a UN body comprising 47 UN member states with foremost authority over human rights issues, has now passed multiple resolutions relevant to the Internet or digital contexts more broadly. The first, adopted in 2012, was considered landmark for not only being the first on the subject but also for its affirmation that “the human rights people enjoy offline, also apply online”.(18) The resolution built on a 2011 report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression.(19)

The right to privacy in the digital age has also been taken up by the UNGA Third Committee. In December 2013, the UNGA adopted resolution 68/167, “The Right to Privacy in the Digital Age”, which called on all states to review their procedures, practices, and legislation related to communications surveillance, interception, and collection of personal data. It further emphasized the need for states to ensure the full and effective implementation of their obligations under international human rights law. The resolution was the foundation for a 2014 report of the Office of the United Nations High Commissioner for Human Rights on the same subject, for which the views of multiple stakeholders were solicited,(20) and for a follow-up resolution in 2015.

The UN Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression recently issued a report focused on the obligations of states and companies, by aiming to find user-centric and human rights law-aligned approaches to content policy-making, transparency, due process, and governance.(21)

Beyond the United Nations are the day-to-day advocacy and other initiatives of non-governmental organisations and individual human rights defenders. Technologists have added to this work by developing applications and software to prevent intrusions, detect censorship, or enable anonymity online.(22) It is also worth noting that ICTs are increasingly being used in the pursuit and defense of human rights, to capture violations and facilitate sharing.(23)

References for this article can be seen at the Footnotes 3 page on this website (link will open in a new page).

10 Comments

Digital privacy act is alive and well in Canada…
https://laws-lois.justice.gc.ca/eng/annualstatutes/2015_32/page-1.html It is good to know the law…

Wearable technology covers a broad area of devices. With its use becoming more common in the healthcare sector, the issue concerning privacy becomes more crucial. New devices can help physicians monitor patients’ vital signs, sleep patterns and heart rhythms remotely, transforming the face of medicine as we know it. These developments in technology will help detect early signs of diseases and aid in diagnosing medical conditions. Essentially these devices are mini computers that send and receive data which can be used for further analysis.
http://www.wearabledevices.com/2016/01/06/privacy-security-age-wearable-devices/

Maybe the NSA is good for something. At least now they are intending to share more information. (With whom?) Here’s another piece in the Washington Post by Joseph Marks, who certainly is following these affairs closely.
“New NSA cyber lead says agency must share more info about digital threats,” Sept. 5.
https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/09/05/the-cybersecurity-202-new-nsa-cyber-lead-says-agency-must-share-more-info-about-digital-threats/5d7002fb88e0fa7bb93a8938/

We have to pay attention, not only to the military application of Internet skulduggery, but to the inadvertent consequences of the normal use of it. Here is a remarkable piece of research showing that Bolsonaro’s victory in Brazil may be significantly attributed to the spread of misinformation from YouTube through WhatsApp among Brazil’s poor. So what kind of action can be taken against this?

https://www.nytimes.com/column/the-interpreter/

The Cybersecurity 202: Hackers just found serious vulnerabilities in a U.S. military fighter jet

By Joseph Marks (From Washington Post‘s The Cybersecurity 202) Aug 14.

And they did it with the Air Force’s blessing.

https://www.washingtonpost.com/news/powerpost/wp/category/the-cybersecurity-202/?wpisrc=nl_cybersecurity202&wpmm=1

The Cybersecurity 202

Here’s the political bind Democrats face when talking about election security

BY JOSEPH MARKS with Tonya Riley

LAS VEGAS — Rep. Eric Swalwell (D-Calif.) applauded the crowd of cybersecurity researchers uncovering dangerous bugs in voting machines and other election systems at a security conference here — but he’s in a bind about how to talk about election security with constituents.

Swalwell, who recently ended a long-shot presidential bid, believes chances are almost nil that Republicans will join Democrats to pass legislation mandating fixes to improve election security before the 2020 contest. By continuing to bang the drum about potential security weaknesses, he worries Democrats risk inadvertently convincing citizens that the election is bound to be hacked — and that there’s no point in voting.

“If we tell voters the ballot box is not secure and that we have all these vulnerabilities … if we say that over and over and over, is the result of that suppressing [the vote]?” Swalwell asked a room of researchers this weekend at the Def Con cybersecurity conference’s Voting Village, which focuses exclusively on the security of election systems.

This is a predicament that will only get harder for many Democrats who are coming to grips with the idea that they may have run out of time to require states to shift to paper ballots, post-election audits and other cybersecurity best practices before the 2020 contest. Swalwell believes these fixes will happen only if there’s a Democratic president and Congress in 2021 or later — even as intelligence officials warn the 2020 election is a major target for Russia and other adversaries looking to undermine the American political system.

“I’d welcome your feedback,” Swalwell told the room of hackers. “How do you talk about this as an issue, without scaring …. everybody and then they just say, ‘You know what, I’m not going to vote.’ ”

The issue also hasn’t played a major role on the campaign trail. Yet Swalwell, speaking to me after his speech, defended Democratic presidential candidates who’ve generally relegated the security of the 2020 election to a second- or third- tier issue behind health care, immigration and climate change and mostly ignored the issue in presidential debates.

“I trust that whoever emerges [as the nominee] is going to make this a top issue,” he told me. “I think we should know where they stand, but I think the risk of saying election security is the number one issue is that you don’t want someone to say, ‘Wait, is my vote not going to count?’ ” And if voters don’t turn out to elect Democrats then election security fixes won’t happen at all, he said.

Swalwell’s unusually blunt assessment comes as Senate Democrats are waging a battle in Congress and the media to put pressure on Senate Majority Leader Mitch McConnell (R-Ky.) who has been blocking votes on numerous election security bills.

Those efforts are useful for showing Democrats are committed to election security — and possibly to give a boost to McConnell’s top Democratic challenger in his reelection bid, Marine veteran Amy McGrath — but they have little chance of getting any bills passed, Swalwell told me.

“We’re not going to see Republican senators wake up and say, you know what, I want to secure our elections and I’m going to ask Mitch McConnell to force a vote. It’s just not going to work under this president,” he said.

States have voluntarily made myriad election security improvements since 2016, using their own funding and $380 million Congress delivered in 2018. The Department of Homeland Security has also increased its assistance to state and local election officials, including installing a nationwide sensor network that can detect unusual activity on election officials’ networks. Many localities have not made important upgrades, however, such as having a paper record of all ballots.

Other lawmakers who visited Def Con, however, were more eager to keep up the fight on election security.

Rep. Ted Lieu (D-Calif.) told me it’s “ridiculous” that state officials and voting machine vendors haven’t yet fixed known digital bugs in their systems. He also accused Republican lawmakers and the White House of not wanting to improve election security because they believe Russian President Vladimir Putin — who intelligence officials say aided Trump in 2016 — plans to help Republicans in 2020.

“It is a known fact that the Russians did a massive cyberattack and influence campaign in 2016 and it helped Donald Trump. I don’t really know why Republicans aren’t as freaked out, but if I were to speculate, it would be because they saw that election hacking helped their presidential candidate,” Lieu said.

Rep. Jim Langevin (D-R.I.), who co-founded the Congressional Cybersecurity Caucus, warned that “Russia interfered with our 2016 elections, and they remain a threat to the security of our elections in 2020.”

Sen. Ron Wyden (D-Ore.) at the conference on Friday called for “a sustained outcry from the public to force [McConnell] to move legislation on election security.” He also called on ethical hackers at the conference to become “a Paul Revere brigade to come out of Def Con and fan out across the country and make the case for the [Securing America’s Federal Elections Act],” a House-passed bill that would deliver $600 million in election cybersecurity money to states along with security mandates.

Wyden told me after the speech that he remains hopeful Democrats can rally enough public pressure to force McConnell to pass a bill in the next couple of months — while there’s still time for state and local election officials to responsibly spend additional election security money on upgraded voting machines and new digital protections.

“This country’s got a long tradition of when we think there really is a threat to our well-being, we can move,” Wyden told me. “And I think this is a threat to our 200-year experiment in self-government.”

Wyden said he’d push back, however, if Senate Republicans offered to approve new election security money with no cybersecurity mandates attached to it — as Democrats and Republicans compromised to do when they approved the $380 million boost in 2018.

“Money is definitely important … but you can’t spend money on machines that are outdated before you open the damn box,” he told me. “That’s the worst of both worlds.”

You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.

PINGED, PATCHED, PWNED

PINGED: Swalwell also caused a stir at the Voting Village when he challenged cybersecurity researchers there to try to develop a way to vote on a mobile app with all the security protections of the best in-person voting systems.

That’s an idea security experts have long scoffed at, saying it’s hard enough to secure in-person voting without adding all the concerns about hacked phones delivering phony votes or people casting fraudulent votes with stolen phones.

Those concerns shouldn’t prevent researchers from setting a long-term goal of making mobile voting happen, Swalwell said. “If it’s not possible, tell us it’s not possible, but at least let’s put the whole of government’s resources behind trying,” he said.

Swalwell argued that paper-based voting — while it’s the most secure option now — will ultimately be less convenient for older voters and could turn off younger voters who are used to doing other activities on mobile devices. “I don’t want to lose a whole generation of voters because they’re like, ‘Wait, you’re just doing this by paper?’” he said.

PATCHED: At a live hacking venue in the Voting Village, meanwhile, ethical hackers found “a litany of new vulnerabilities” in voting equipment that will be used in 2020 “ranging from gallingly obvious passwords to hardware issues and exposure to remote attacks,” my colleague Taylor Telford reports.

The bottom line, Voting Village organizer Harri Hursti told Taylor: “Everyone claiming we can fix this by 2020 is giving a false sense of security. The aim should be, can we do something by 2022 or 2024?”

Joel Miller, an election auditor from Linn County, Iowa, told Taylor he’s concerned about the security of his county’s systems and can’t get his questions answered — even after formally demanding information from Iowa’s secretary of state’s office.

“We don’t know what’s going on with the system,” Miller said. “I’m a former IT director, and I know more about what I don’t know, but that’s almost worse than if I didn’t have a tech background. I’m aware there’s more threats out there than we can handle.”

Iowa was among 21 states where Russian hackers probed election infrastructure in 2016, but there’s no evidence the hackers penetrated any of Iowa’s systems. Iowa’s secretary of state’s office told Taylor that “Iowa’s [election] system is secure and we work every day to ensure it remains secure.”

PWNED: As many as 16 million voters will cast ballots on paperless machines in 2020, a reduction from nearly 28 million who did so in 2016, according to a new report released by the Brennan Center today. But that still leaves millions of votes unsecured, and money from Congress could help, the report states.

“Congress provided $380 million to states to help with upgrades, but it wasn’t enough,” researchers Andrea Córdova, Liz Howard and Lawrence Norden wrote. The House approved a bill granting states $600 million in election security funding in June, but the legislation has been blocked in the Senate.

Nearly half the states that still used paperless voting machines for at least some voters in 2016 probably will replace those machines by the 2020 election, the report states.

A growing number of states are also adopting more efficient audit procedures to spot altered votes, researchers found. Colorado, which first implemented new audit procedures in 2017, is joined by 12 other states including Alabama, Ohio, and California. Of the 42 states that plan to use only paper records in 2020, 17 still do not require post-election audits.

Building Ethics not Bombs: The Role of Scientists and Engineers in Humanitarian Disarmament

By E. Golding

https://humanitariandisarmament.org/2019/02/25/building-ethics-not-bombs-the-role-of-scientists-and-engineers-in-humanitarian-disarmament/

Last week there was a news story reporting that Trump had used a cyberattack against Iran. It did not seem to get much press coverage and no outrage at all. Whether you like Iran’s government or not, it will pay to think carefully about this kind of quasi-warfare. If it gets to be considered normal, we will have a much harder time putting a stop to it.