RE: FINAL version of CyberCrime Treaty statement - ready for signatures
Scott Blake
Security Program Manager
BindView Corporation

>-----Original Message-----
>From: owner-cve-editorial-board-list@lists.mitre.org
>[mailto:owner-cve-editorial-board-list@lists.mitre.org]On Behalf Of
>Steven M. Christey
>Sent: Tuesday, May 16, 2000 4:44 PM
>To: cve-editorial-board-list@lists.mitre.org
>Cc: gjg@MITRE.ORG; ptasker@MITRE.ORG
>Subject: FINAL version of CyberCrime Treaty statement - ready for
>signatures
>
>
>All,
>
>The final version of the CyberCrime treaty statement is ready for your
>signature.
>
>Editorial Board members from 26 different organizations have voted to
>ACCEPT the statement, and expect to endorse it as individuals or as
>official representatives of their companies. There are 28
>organizations on the Board at this time, so this clearly satisfies any
>"quorum" requirement.
>
>I made two small grammatical changes based on comments by Andre Frech
>and Jim Magdych, which means that I added three commas. No other
>changes were made. The final text is below.
>
>At MITRE, Gary Gagnon (a director in our Security and Information
>Operations division) is working on a strategy for conducting the
>outreach. I expect that we will have a concrete approach, including a
>coordinator, in the next day or so.
>
>The next step is to gather the signatures from Editorial Board members
>so that we have a unified statement for the outreach. I will gather
>the signatures for this initial effort.
>
>Some Board members have expressed concerns that even if they sign as
>an individual and we include a disclaimer, that listing their company
>affiliation may cause careless readers to believe that the member is
>representing an official position. To address this, I propose the
>following convention:
>
>   - If you're representing an official position for your company,
>     include your title and the phrase "Representing XYZ Corporation"
>     as part of your signature
>
>   - If you're signing as an individual, you have the option to include
>     your organization or not; if not, your title and/or role in the
>     community is encouraged. Consider that your title may further
>     reinforce the fact that you don't speak for your organization.
>
>The "Representing" tag will reinforce who's making an official
>organizational statement and who isn't. The disclaimer has been
>adapted as follows:
>
>   This statement represents the professional opinion of each
>   individual signer. Unless stated otherwise, it may not represent
>   the official position of the signer's parent organization.
>
>Finally, because Adam Shostack and Scott Blake introduced this issue
>to the Board, I suggest that their signatures should be listed first.
>
>Thanks to everyone for the incredible level of participation in this
>effort. It's been a busy but rewarding experience. I look forward to
>collecting your signatures as we move into the next phase.
>
>- Steve
>
>
>************** FINAL TEXT of CyberCrime Treaty Statement **************
>
>Greetings:
>
>As leading security practitioners, educators, vendors, and users of
>information security, we wish to register our misgivings about the
>Council of Europe draft treaty on Crime in Cyberspace.
>
>We are concerned that portions of the proposed treaty may result in
>criminalizing techniques and software commonly used to make computer
>systems resistant to attack. Signatory states passing legislation to
>implement the treaty may endanger the security of their computer
>systems, because computer users in those countries will not be able to
>adequately protect their computer systems and the education of
>information protection specialists will be hindered.
>
>Critical to the protection of computer systems and infrastructure is
>the ability to
>* Test software for weaknesses
>* Verify the presence of defects in computer systems
>* Exchange vulnerability information
>
>System administrators, researchers, consultants, and companies all
>routinely develop, use, and share software designed to exercise known
>and suspected vulnerabilities. Academic institutions use these tools
>to educate students and in research to develop improved defenses. Our
>combined experience suggests that it is impossible to reliably
>distinguish software used in computer crime from that used for these
>legitimate purposes. In fact, they are often identical.
>
>Currently, article 6 of the draft treaty is vague regarding the use,
>distribution, and possession of software that could be used to violate
>the security of computer systems. We agree that damaging or breaking
>into computer systems is wrong and we unequivocally support laws
>against such inappropriate behavior. We affirm that a goal of the
>treaty and resulting legislation should be to permit the development
>and application of good security measures. However, legislation that
>criminalizes security software development, distribution, and use is
>counter to that goal, as it would adversely impact security
>practitioners, researchers, and educators.
>
>Therefore, we respectfully request that the treaty drafters remove
>section a.1 from article 6, and modify section b accordingly; the
>articles on computer intrusion and damage (viz., articles 1-5) are
>already sufficient to proscribe any improper use of security-related
>software or information.
>
>Please do not hesitate to call on us for technical advice in your
>future deliberations.
>
>----------------------------------------------------------------------
>
>This statement represents the professional opinion of each individual
>signer. Unless stated otherwise, it may not represent the official
>position of the signer's parent organization.
>
>
>[Scott Blake and Adam Shostack signatures here]
>
>-- corporate signers: examples --
>
>Jane Doe
>CTO
>Representing Big_Corporation_ABC
>
>Ralph Kramden
>Community-Based Transportation Technician
>Representing Small_Business_DEF
>
>-- individual signers: examples --
>
>David LeBlanc, Ph.D.
>Microsoft Information Security
>
>Steve Christey
>Lead Information Systems Engineer
>The MITRE Corporation