RE: FINAL version of CyberCrime Treaty statement - ready for signatures
Security Program Manager
>[mailto:email@example.com]On Behalf Of
>Steven M. Christey
>Sent: Tuesday, May 16, 2000 4:44 PM
>Cc: gjg@MITRE.ORG; ptasker@MITRE.ORG
>Subject: FINAL version of CyberCrime Treaty statement - ready for
>The final version of the CyberCrime treaty statement is ready for your
>Editorial Board members from 26 different organizations have voted to
>ACCEPT the statement, and expect to endorse it as individuals or as
>official representatives of their companies. There are 28
>organizations on the Board at this time, so this clearly satisfies any
>I made two small grammatical changes based on comments by Andre Frech
>and Jim Magdych, which means that I added three commas. No other
>changes were made. The final text is below.
>At MITRE, Gary Gagnon (a director in our Security and Information
>Operations division) is working on a strategy for conducting the
>outreach. I expect that we will have a concrete approach, including a
>coordinator, in the next day or so.
>The next step is to gather the signatures from Editorial Board members
>so that we have a unified statement for the outreach. I will gather
>the signatures for this initial effort.
>Some Board members have expressed concerns that even if they sign as
>an individual and we include a disclaimer, that listing their company
>affiliation may cause careless readers to believe that the member is
>representing an official position. To address this, I propose the
> - If you're representing an official position for your company,
> include your title and the phrase "Representing XYZ Corporation"
> as part of your signature
> - If you're signing as an individual, you have the option to include
> your organization or not; if not, your title and/or role in the
> community is encouraged. Consider that your title may further
> reinforce the fact that you don't speak for your organization.
>The "Representing" tag will reinforce who's making an official
>organizational statement and who isn't. The disclaimer has been
>adapted as follows:
> This statement represents the professional opinion of each
> individual signer. Unless stated otherwise, it may not represent
> the official position of the signer's parent organization.
>Finally, because Adam Shostack and Scott Blake introduced this issue
>to the Board, I suggest that their signatures should be listed first.
>Thanks to everyone for the incredible level of participation in this
>effort. It's been a busy but rewarding experience. I look forward to
>collecting your signatures as we move into the next phase.
>************** FINAL TEXT of CyberCrime Treaty Statement **************
>As leading security practitioners, educators, vendors, and users of
>information security, we wish to register our misgivings about the
>Council of Europe draft treaty on Crime in Cyberspace.
>We are concerned that portions of the proposed treaty may result in
>criminalizing techniques and software commonly used to make computer
>systems resistant to attack. Signatory states passing legislation to
>implement the treaty may endanger the security of their computer
>systems, because computer users in those countries will not be able to
>adequately protect their computer systems and the education of
>information protection specialists will be hindered.
>Critical to the protection of computer systems and infrastructure is
>the ability to
>* Test software for weaknesses
>* Verify the presence of defects in computer systems
>* Exchange vulnerability information
>System administrators, researchers, consultants, and companies all
>routinely develop, use, and share software designed to exercise known
>and suspected vulnerabilities. Academic institutions use these tools
>to educate students and in research to develop improved defenses. Our
>combined experience suggests that it is impossible to reliably
>distinguish software used in computer crime from that used for these
>legitimate purposes. In fact, they are often identical.
>Currently, article 6 of the draft treaty is vague regarding the use,
>distribution, and possession of software that could be used to violate
>the security of computer systems. We agree that damaging or breaking
>into computer systems is wrong and we unequivocally support laws
>against such inappropriate behavior. We affirm that a goal of the
>treaty and resulting legislation should be to permit the development
>and application of good security measures. However, legislation that
>criminalizes security software development, distribution, and use is
>counter to that goal, as it would adversely impact security
>practitioners, researchers, and educators.
>Therefore, we respectfully request that the treaty drafters remove
>section a.1 from article 6, and modify section b accordingly; the
>articles on computer intrusion and damage (viz., articles 1-5) are
>already sufficient to proscribe any improper use of security-related
>software or information.
>Please do not hesitate to call on us for technical advice in your
>This statement represents the professional opinion of each individual
>signer. Unless stated otherwise, it may not represent the official
>position of the signer's parent organization.
>[Scott Blake and Adam Shostack signatures here]
>-- corporate signers: examples --
>Community-Based Transportation Technician
>-- individual signers: examples --
>David LeBlanc, Ph.D.
>Microsoft Information Security
>Lead Information Systems Engineer
>The MITRE Corporation