RE: FINAL version of CyberCrime Treaty statement - ready for signatures
-----BEGIN PGP SIGNED MESSAGE-----
Senior Network Security Engineer
EWA-Canada / CanCERT
| -----Original Message-----
| From: firstname.lastname@example.org
| [mailto:email@example.com]On Behalf Of
| Steven M. Christey
| Sent: Tuesday, May 16, 2000 4:44 PM
| To: firstname.lastname@example.org
| Cc: gjg@MITRE.ORG; ptasker@MITRE.ORG
| Subject: FINAL version of CyberCrime Treaty statement - ready for
| The final version of the CyberCrime treaty statement is ready for your
| Editorial Board members from 26 different organizations have voted to
| ACCEPT the statement, and expect to endorse it as individuals or as
| official representatives of their companies. There are 28
| organizations on the Board at this time, so this clearly satisfies any
| "quorum" requirement.
| I made two small grammatical changes based on comments by Andre Frech
| and Jim Magdych, which means that I added three commas. No other
| changes were made. The final text is below.
| At MITRE, Gary Gagnon (a director in our Security and Information
| Operations division) is working on a strategy for conducting the
| outreach. I expect that we will have a concrete approach, including a
| coordinator, in the next day or so.
| The next step is to gather the signatures from Editorial Board members
| so that we have a unified statement for the outreach. I will gather
| the signatures for this initial effort.
| Some Board members have expressed concerns that even if they sign as
| an individual and we include a disclaimer, that listing their company
| affiliation may cause careless readers to believe that the member is
| representing an official position. To address this, I propose the
| following convention:
| - If you're representing an official position for your company,
| include your title and the phrase "Representing XYZ Corporation"
| as part of your signature
| - If you're signing as an individual, you have the option to include
| your organization or not; if not, your title and/or role in the
| community is encouraged. Consider that your title may further
| reinforce the fact that you don't speak for your organization.
| The "Representing" tag will reinforce who's making an official
| organizational statement and who isn't. The disclaimer has been
| adapted as follows:
| This statement represents the professional opinion of each
| individual signer. Unless stated otherwise, it may not represent
| the official position of the signer's parent organization.
| Finally, because Adam Shostack and Scott Blake introduced this issue
| to the Board, I suggest that their signatures should be listed first.
| Thanks to everyone for the incredible level of participation in this
| effort. It's been a busy but rewarding experience. I look forward to
| collecting your signatures as we move into the next phase.
| - Steve
| ************** FINAL TEXT of CyberCrime Treaty Statement
| As leading security practitioners, educators, vendors, and users of
| information security, we wish to register our misgivings about the
| Council of Europe draft treaty on Crime in Cyberspace.
| We are concerned that portions of the proposed treaty may result in
| criminalizing techniques and software commonly used to make computer
| systems resistant to attack. Signatory states passing legislation to
| implement the treaty may endanger the security of their computer
| systems, because computer users in those countries will not be able to
| adequately protect their computer systems and the education of
| information protection specialists will be hindered.
| Critical to the protection of computer systems and infrastructure is
| the ability to
| * Test software for weaknesses
| * Verify the presence of defects in computer systems
| * Exchange vulnerability information
| System administrators, researchers, consultants, and companies all
| routinely develop, use, and share software designed to exercise known
| and suspected vulnerabilities. Academic institutions use these tools
| to educate students and in research to develop improved defenses. Our
| combined experience suggests that it is impossible to reliably
| distinguish software used in computer crime from that used for these
| legitimate purposes. In fact, they are often identical.
| Currently, article 6 of the draft treaty is vague regarding the use,
| distribution, and possession of software that could be used to violate
| the security of computer systems. We agree that damaging or breaking
| into computer systems is wrong and we unequivocally support laws
| against such inappropriate behavior. We affirm that a goal of the
| treaty and resulting legislation should be to permit the development
| and application of good security measures. However, legislation that
| criminalizes security software development, distribution, and use is
| counter to that goal, as it would adversely impact security
| practitioners, researchers, and educators.
| Therefore, we respectfully request that the treaty drafters remove
| section a.1 from article 6, and modify section b accordingly; the
| articles on computer intrusion and damage (viz., articles 1-5) are
| already sufficient to proscribe any improper use of security-related
| software or information.
| Please do not hesitate to call on us for technical advice in your
| future deliberations.
| This statement represents the professional opinion of each individual
| signer. Unless stated otherwise, it may not represent the official
| position of the signer's parent organization.
| [Scott Blake and Adam Shostack signatures here]
| -- corporate signers: examples --
| Jane Doe
| Representing Big_Corporation_ABC
| Ralph Kramden
| Community-Based Transportation Technician
| Representing Small_Business_DEF
| -- individual signers: examples --
| David LeBlanc, Ph.D.
| Microsoft Information Security
| Steve Christey
| Lead Information Systems Engineer
The MITRE Corporation
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>
-----END PGP SIGNATURE-----