THE KEY

U.S. states and cities are breaking with the federal government and signing onto an international pledge aimed at making cyberspace safer.

Virginia, Colorado and Washington state have all endorsed the Paris Call, which was first boosted last year by French President Emmanuel Macron and which commits members to combatting major cyberattacks, digital theft of intellectual property and foreign election interference. City governments in Louisville, San Jose and Huntington, W.Va., have also joined.

The Trump administration, meanwhile, is still refusing to endorse the pledge — even though it was approved by 74 other nations including our closest allies in Britain, Canada, Australia and New Zealand.

The move is another way that cities and states are breaking with the Trump administration. Others have done so on issues ranging from climate change and privacy to immigrant rights. It also underscores how states and localities, which have been pelted with costly ransomware attacks and struggled to protect their elections against highly sophisticated Russian hackers in recent years, are increasingly viewing cybersecurity as an existential threat.

“It’s a problem that’s facing us and I really don’t give a flip whether a governor or a president is addressing it,” Huntington, W.Va., Mayor Stephen T. Williams told me. “I’m going to find people on common ground and we’re going to move forward and make our case. If the states and federal government want to come along, that’s fine, but, if not, we’ve got our own voice.”

The Paris Call, which Macron launched on the centennial of the armistice ending World War I, is basically a statement of broad principles that doesn’t specifically bind signatories to do anything except to “work together” to prevent major hacking operations and protect the integrity of the Internet. As of the call’s first anniversary Tuesday it had endorsements from 333 civil society organizations and 608 companies along with 74 national governments — making the United States an outlier for rejecting it.

Major U.S. adversaries, including Russia, China, Iran and North Korea, have also declined to sign the pledge.

The U.S. government “largely supports the objectives of the Paris Call,” a State Department official told me, but has “significant reservations” about some elements of the text and the way it was drafted.

“Unfortunately, there was not sufficient opportunity in the drafting process to shape the text or clarify certain ambiguities. Therefore, we could not endorse the Paris Call,” the official said. The official didn’t describe the specific problems with the text.

The U.S. government has endorsed some rules of the road in cyberspace — such as that nations shouldn’t attack each other’s critical infrastructure such as hospitals and energy plants — but not for several years and typically after intense negotiations.

Some state and local officials are hoping their endorsements will pressure the federal government to take a firmer stand.

“State and local governments are all finding a certain value from the Paris Call and that could help the federal government see the value as well. I think that would be a step in the right direction,” Washington state Chief Information Security Officer Vinod Brahmapuram told me.

In other cases, they see signing the pledge as the only way to do right by their citizens.

“We want to be good stewards of our constituents,” Robby Demeria, Virginia deputy secretary of commerce and trade for technology, told me. “We want to make sure they’re protected and we want to make sure our elections are protected.”

Many other signatories hope the pledge will prompt local and national governments to take digital defense more seriously — especially as technological developments such as artificial intelligence and next-generation 5G wireless networks increase the possibility for cyberattacks to be far more damaging.

But without the U.S. government’s endorsement the call will lack international heft, they worry.

“I think the U.S. is losing the opportunity to demonstrate leadership in this area,” John Frank, vice president for European Union affairs at Microsoft, which was an early endorser of the call, told me.

“Governments can’t solve this problem by themselves. Companies can't solve this problem by themselves. Customers can’t solve this problem by themselves. We need to work together,” he said.

PINGED, PATCHED, PWNED

PINGED: Pope Francis expressed concern about warrant-proof encryption systems during a Vatican tech conference yesterday, echoing claims by U.S., U.K. and Australian leaders that the protection could allow child predators to commit crimes beyond law enforcement’s reach. 

The pope stopped short of endorsing law enforcement back doors but urged tech companies to find a “fitting balance” that protects free expression but also minors from criminal activity. His remarks come as the Justice Department is urging Facebook to halt its plans to fully encrypt its messaging service, citing fears it will increase the spread of child sexual imagery and solicitation.

“The protection of complete freedom of expression is linked to the protection of privacy through increasingly sophisticated forms of message encryption, which would make any control extremely difficult, if not impossible,” Francis said.

He added that tech companies and their investors must “remain accountable, so that the good of minors and society is not sacrificed to profit.”

Apple, Google, Microsoft and Facebook attended the Vatican's “Promoting Digital Child Dignity” conference alongside law enforcement and judicial officials, Reuters's Phillip Pullella reports.

PATCHED: The House Science Committee approved legislation that would authorize government researchers to test voting machine security and research new methods to certify voting technology, The Hill's Maggie Miller reports.

The Election Technology Research Act would provide $110 million over five years to establish a Center of Excellence in Election Systems and authorize research by the National Institute of Standards and Technology and the National Science Foundation. It would also update definitions of “voting systems” to match modern technology and direct the Election Assistance Commission to publish best-practice guidelines for auditing, voter registration and other elements of secure voting systems. If the bill passes the House, it will likely face long odds in the Senate, where Republicans have been wary of spending money on election security or expanding the federal government's role.

Voting machines are certified at the state level, but that process often doesn’t include extensive cybersecurity testing. Since 2016, several top voting machine companies have voluntarily allowed the Idaho National Laboratory to audit their systems.

PWNED: Senate Majority Leader Mitch McConnell (R-Ky.) took a swipe at Democrats for “blocking a bipartisan appropriations process” that would grant $250 million to secure elections, injecting the election security conflict into an already fraught battle over a stopgap government funding bill. The government will run out of money to keep running next week unless Democrats and Republicans can agree on a temporary spending bill.

After blocking election security measures for months, McConnell agreed in September to endorse $250 million for new protections but without any mandates for paper ballots and other security fixes Democrats say are essential. Democrats, meanwhile, are pushing for $600 million and broad reforms.

“Election security is too important to become a Trojan horse for ideological goals that Democrats have wanted for many years,” McConnell said in a statement. “We need to stay vigilant, because our adversaries will not stop.”

PUBLIC KEY

— Amazon will protest a Pentagon decision to award Microsoft a $10 billion cloud computing contract in federal court, citing “unmistakable bias” and “political influence,” my colleagues Jay Greene and Aaron Gregg report. (Amazon CEO Jeff Bezos owns The Washington Post.)

— Black Hills Information Security will host a one-day information security conference in Adel, Iowa, next Wednesday following a state scandal in which two researchers who were hired to test courthouse cybersecurity ended up charged with burglary. Organizers of the event, called Awareness Con, hope it raises awareness about the benefits of ethical hacking, according to the announcement.

— More cybersecurity news from the public sector:

  • But the spies stop short of saying a SCOTUS opinion bars them from getting records without a high burden of evidence in the future—which matters for an upcoming congressional vote. (The Daily Beast)
  • Travelers should use only AC charging ports, use USB no-data cables, or "USB condom" devices. (ZDNet)
  • I used to work closely with Jamal Khashoggi against the Saudi troll army on Twitter. That's why I've been targeted. (Omar Abdulaziz, Global Opinions)

PRIVATE KEY

— The federally funded research center MITRE's Engenuity foundation and several top companies launched a new Center for Threat-Informed Defense yesterday focused on sharing cybersecurity know-how more broadly and funding cybersecurity research projects. One main goal for the center is to make it easier to share information about hacker techniques. Founding members of the center include Bank of America, JPMorgan Chase, and the Cyber Threat Alliance.

— Cybersecurity news from the private sector:

  • New Android security warning: secure device storage cracked open, exposing passwords, biometrics, financial data. (Forbes)
  • Gig workers warn that more than 40,000 transcribers could access private customer information, including job details. (OneZero)
  • Jerrold Haas was on the brink of blockchain riches. Then his body was found in the woods of southern Ohio. (Wired)
  • A security firm has released a new app that promises to detect when your iPhone has been targeted by hackers, but there are caveats. (Vice)

THE NEW WILD WEST

— Cybersecurity news from abroad:

  • The computer network of Australia’s parliament was hacked earlier this year and data was stolen from the computers of several elected officials, the Australian Broadcasting Corp reported. (Reuters)
  • While Durazo sought to minimize the impact, several Pemex employees said, however, that operations were still not up and running as usual. (Reuters)

ZERO DAYBOOK

— Coming up:

  • New York University’s Center for Cybersecurity and the Journal of National Security Law & Policy will host an event titled “Catching the Cybercriminal: Reforming Global Law Enforcement” on Monday at 9 a.m.
  • The House Financial Services Committee will host a hearing on the role of big data in financial services on Thursday at 9:30 a.m.
  • The 2019 International Conference on Cyber Conflict U.S. (CyCon U.S.) will take place 18-20 Nov 2019 at the Crystal Gateway Marriott in Arlington, VA.
  • CYBERWARCON takes place on Thursday in Arlington, Va.