The Right to Vote Securely

American elections currently run on outdated and vulnerable technology. Computer science researchers have shown that voting machines and other election equipment used in many jurisdictions are plagued by serious security flaws, or even shipped with basic safeguards disabled. Making matters worse, it is unclear whether current law requires election authorities or companies to fix even the most egregious vulnerabilities in their systems, and whether voters have any recourse if they do not. This Article argues that election law can, does, and should ensure that the right to vote is a right to vote securely. First, it argues that constitutional voting rights doctrines already prohibit election practices that fail to meet a bare minimum threshold of security. But the bare minimum is not enough to protect modern election infrastructure against sophisticated threats. This Article thus proposes new statutory measures to bolster election security beyond the constitutional baseline, with technical provisions designed to change the course of insecure election practices that have become regrettably commonplace, and to standardize best practices drawn from state-of-the-art research on election security

The Law Commission presumption concerning the dependability of computer evidence

We consider the condition set out in section 69(1)(b) of the Police and Criminal Evidence Act 1984 (PACE 1984) that reliance on computer evidence should be subject to proof of its correctness, and compare it to the 1997 Law Commission recommendation that acommon law presumption be used that a computer operated correctly unless there is explicit evidence to the contrary (LC Presumption). We understand the LC Presumption prevails in current legal proceedings. We demonstrate that neither section 69(1)(b) of PACE 1984 nor the LC presumption reflects the reality of general software-based system behaviour

Characterizing Cyber Attacks against Space Systems with Missing Data: Framework and Case Study

Cybersecurity of space systems is an emerging topic, but there is no single dataset that documents cyber attacks against space systems that have occurred in the past. These incidents are often scattered in media reports while missing many details, which we dub the missing-data problem. Nevertheless, even "low-quality" datasets containing such reports would be extremely valuable because of the dearth of space cybersecurity data and the sensitivity of space systems which are often restricted from disclosure by governments. This prompts a research question: How can we characterize real-world cyber attacks against space systems? In this paper, we address the problem by proposing a framework, including metrics, while also addressing the missing-data problem, by "extrapolating" the missing data in a principled fashion. To show the usefulness of the framework, we extract data for 72 cyber attacks against space systems and show how to extrapolate this "low-quality" dataset to derive 4,076 attack technique kill chains. Our findings include: cyber attacks against space systems are getting increasingly sophisticated; and, successful protection against on-path and social engineering attacks could have prevented 80% of the attacks.Comment: Accepted for publication: IEEE International Conference on Communications and Network Security 2023 (IEEE CNS

Beyond the Network: A Holistic Perspective on State Cybersecurity Governance

I. Introduction II. Governance: The New Frontier of Information Assurance III. State Cybersecurity Governance Extends Beyond the Network IV. Centralizing Security Governance to Defend State Networks V. Governance Beyond Network Defense ... A. Disruption Response ... B. Law Enforcement ... C. Cybersecurity Centers VI. Conclusion Appendix: States and Indicator

Cyber-security for embedded systems: methodologies, techniques and tools

L'abstract è presente nell'allegato / the abstract is in the attachmen

Formal Template-Based Generation of Attack–Defence Trees for Automated Security Analysis

Systems that integrate cyber and physical aspects to create cyber-physical systems (CPS) are becoming increasingly complex, but demonstrating the security of CPS is hard and security is frequently compromised. These compromises can lead to safety failures, putting lives at risk. Attack Defense Trees with sequential conjunction (ADS) are an approach to identifying attacks on a system and identifying the interaction between attacks and the defenses that are present within the CPS. We present a semantic model for ADS and propose a methodology for generating ADS automatically. The methodology takes as input a CPS system model and a library of templates of attacks and defenses. We demonstrate and validate the effectiveness of the ADS generation methodology using an example from the automotive domain