Panel: 'Cyberweapons' Control Needed
Kevin Poulsen, SecurityFocus 2000-09-12

Government officials say a global cybercrime treaty won't chill legitimate security work.

WASHINGTON--An international ban on malicious computer code could be fully implemented in as little as two years, and would provide law enforcement agencies with a powerful tool in the war on computer crime, according to officials from the U.S. and Europe speaking at the InfowarCon 2000 conference here Tuesday.

Brushing aside the concern, held by many computer security experts, that a ban would chill the development and dissemination of legitimate security tools, European Union representative Dietrick Neumann said the controversial Draft Convention on Cybercrime now under consideration would only make packet sniffers, back door programs and computer viruses illegal in the hands of a someone who intended to crack systems without authorization. "The creators could argue that the production of Back Orifice is designed to make the lives of system administrators easier... and it would be difficult to prove otherwise," said Neumann.

In July, a veritable who's who of computer security experts and academicians signed onto a "Statement of Concerns" addressed to the 41-nation Council of Europe as it considered the treaty. "Our combined experience suggests that it is impossible to reliably distinguish software used in computer crime from that used for... legitimate purposes," read the letter, which counted SecurityFocus CTO Elias Levy among its signers. "In fact, they are often identical."

Despite the plea, the treaty is headed for approval in December without any significant changes to the section covering "Illegal Devices," said Neumann, who sits on the Council of Europe as the non-voting representative of the general secretariat of the Council of the European Union. Once finalized, every signatory nation, a group expected to include the U.S. and Canada, will be obliged to pass enabling legislation to bring their own national laws into compliance, a process that Neumann says could be complete in as little as two years.

The discussion of the treaty came during a panel on "cyberweapons control" moderated by Georgetown University professor Dorothy Denning.

Richard Downing, an off-duty attorney with the Justice Department's computer crime and intellectual property section, pointed to several precedents in outlawing computer code, including a federal law that already makes it a crime to possess wiretap equipment, defined as a device that's "primarily useful" for the surreptitious interception of oral or electronic communications. "This law has been used successfully to prosecute a hacker who goes into a network and installs a packet sniffer," said Downing. "In that situation, this statute applies, and the sky hasn't fallen."

Lucent Technology security researcher Bill Cheswick, also on the panel, said he believed that making hacking tool illegal, when coupled with the intent to use them illegally, would help prosecutors win harsher sentences in computer crime cases. "A lot of the criminals out there in the U.S. have gotten off with ridiculously short sentences considering the damages they caused."

But while he thought the treaty would help arm law enforcement, Cheswick doubted it would affect the flow of malicious computer programs. "Not every country will sign, and there will be offshore data havens," said Cheswick. "And, of course, the bad guys can always store their programs on your machines."