SecurityFocus 2000-07-13
The biggest names in computer security say an international agreement threatens to leave the criminals holding all the cards.
Less than three months after it was released to the public, a proposed international computer crime treaty is coming under fire from a veritable who's who of computer security experts and academicians, who warn that it may inadvertently aid computer criminals. At issue is a provision in the
Tools like nmap, a network mapper used by both computer intruders and those who combat them, could be outlawed by the treaty. "Our combined experience suggests that it is impossible to reliably distinguish software used in computer crime from that used for... legitimate purposes," the letter reads. "In fact, they are often identical."
The 41-nation Council of Europe released the draft treaty for public comment in late April. The treaty would ensure that signatory nations have consistent prohibitions against a variety of online offenses, including computer intrusion and vandalism, distribution of child pornography and electronic copyright violations. It was crafted with guidance from the U.S. Justice Department, and input from the governments of Canada, Japan and South Africa. Once finalized in December, every signatory nation, a group expected to include the U.S., will be obliged to pass enabling legislation to bring their own national laws into compliance.
Provisions in the treaty designed to facilitate computerized wiretaps and tracing have already suffered fierce
"If the good guys are limited in their ability to use such tools that exist already, as well as tools that we may need to develop, that becomes a concern," says Ron Moritz, senior vice president and CTO of Symantec Corporation. Moritz, who signed on behalf of his company, believes that under the treaty security professionals might be at risk of criminal prosecution for carrying out a legitimate penetration analysis, in which a hacker attack is simulated, against their own network or the network of paying clients. "It's not always apparent what the start and stop of the network is... If an auditing tool takes it outside the path of a clearly defined network, you may now be in violation because you haven't received authorization to test that network."
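The scope problem Moritz describes has a practical mitigation that penetration testers apply regardless of what the treaty ends up saying: refuse to point an auditing tool at anything the engagement did not authorize. The following is an added example written for this page, not code from Symantec, the letter's signers or the article. It checks a proposed target list against authorized and excluded ranges before building a scanner command line. The address ranges, the target list and the nmap options are constructed for the example and are not real engagement data.

```python
"""Authorization-scope gate for scan targets (added example, not from the article).

Every proposed target must lie entirely inside a range the engagement
authorized and must not touch a range that was carved out. Anything that
fails, including hostnames the gate cannot map to an address, is refused
rather than scanned, so a typo or an over-wide CIDR cannot push the test
onto someone else's network.
"""
import ipaddress

# Constructed sample scope (hypothetical engagement letter, documentation and
# private address space only).
AUTHORIZED = ["192.0.2.0/24", "10.10.0.0/16"]
EXCLUDED = ["10.10.255.0/24"]  # e.g. a third party's hosts sitting inside the /16


def parse_networks(cidrs):
    """Turn CIDR strings into network objects; strict=False accepts host bits."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def target_authorized(target, authorized, excluded):
    """True only if the whole target range is inside some authorized range
    and overlaps no excluded range. Raises ValueError on non-address input."""
    net = ipaddress.ip_network(target, strict=False)
    # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
    if not any(net.version == a.version and net.subnet_of(a) for a in authorized):
        return False
    if any(net.version == e.version and net.overlaps(e) for e in excluded):
        return False
    return True


def gate_targets(targets, authorized_cidrs=AUTHORIZED, excluded_cidrs=EXCLUDED):
    """Split a proposed target list into (allowed, refused)."""
    authorized = parse_networks(authorized_cidrs)
    excluded = parse_networks(excluded_cidrs)
    allowed, refused = [], []
    for t in targets:
        try:
            ok = target_authorized(t, authorized, excluded)
        except ValueError:  # hostname or malformed entry: never guess, refuse
            ok = False
        (allowed if ok else refused).append(t)
    return allowed, refused


def nmap_command(allowed, ports="22,80,443"):
    """Build the scanner invocation from gated targets only (flags are illustrative)."""
    if not allowed:
        raise ValueError("no authorized targets; nothing to scan")
    return ["nmap", "-sS", "-p", ports] + list(allowed)


if __name__ == "__main__":
    # Constructed target list mixing in-scope, over-wide, excluded and unknown entries.
    proposed = [
        "192.0.2.15",      # single host inside the /24
        "10.10.4.0/22",    # subnet inside the /16
        "10.10.254.0/23",  # overlaps the carved-out /24
        "10.10.0.0/15",    # wider than the authorized /16
        "198.51.100.7",    # not authorized at all
        "gateway.example", # hostname, not resolved here
    ]
    ok, bad = gate_targets(proposed)
    print("refused:", bad)
    print("command:", " ".join(nmap_command(ok)))
```

The gate deliberately does not resolve hostnames: a name that resolves to an in-scope address today can resolve elsewhere tomorrow, so the authorized list should be expressed as addresses and the resolution step kept under the tester's control.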
Moritz is "cautiously optimistic" that the Council of Europe will respond to the letter by seeking guidance from industry. "To the extent that it could become more precise with input from industry, I think it could emerge into a valid treaty."
Eugene Spafford, director of Purdue University's CERIAS security center, is spearheading the appeal. He doubts that the security community has the clout to change the course of an international treaty. "But the fact that there is this concern should cause people to stop and take a look," says Spafford. Otherwise "once the treaty is signed and different countries pass their enabling legislation, it'll be interpreted however the country wants to interpret it. And some of those interpretations can be very harmful."
Spafford will be collecting signatures for the
While the signatures of Mudge and Space Rogue may not grace the dotted line, current signers include security experts who have been at odds over philosophies and tactics, such as conservative infosec bellwether Donn Parker, author of "Fighting Computer Crime," and Dan Farmer, the creator of the once-controversial security auditing program SATAN. A variety of corporations are represented, and a member of the U.S. Department of Defense's Computer Emergency Response Team signed on. Bugtraq moderator Elias Levy signed the statement for SecurityFocus.com.
Concern over the treaty is not universal, however. In