[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [CVEPRI] Please Vote on Text of CyberCrime Treaty Statement v5.5


"Steven M. Christey" wrote:

> All,
> Please vote on the current text of the CyberCrime treaty statement,
> included below, which I've labeled v5.5 (just in case it doesn't turn
> out to be the "final").  This is *NOT* a vote on how we will present
> signatures and organizational affiliations, as that issue is still
> under discussion and can be separated from the actual text.
> Since the list has been quiet about edits in the last day and a half,
> this is the only concrete way to be certain that the Board is ready to
> bless this statement and agree to a "final copy" to use to draw
> support from outside the Board.
> Please send one of the following votes to me and Dave Mann
> (dmann@bindview.com), or to the Editorial Board list:
> ACCEPT - accept text as recorded
> MODIFY - make modifications.  Please send any MODIFY votes to the
>          list.  However, at this time you are strongly urged not to
>          suggest minor modifications that could be labeled "pedantic
>          wordsmithing" :-)
> NOOP - use this if you wish to abstain from voting.
> REJECT - use this vote at your own risk ;-)
> It is requested that you send your vote by Tuesday, May 16.  If a
> "final decision" can be made at that time, I'll announce it.
> I will gather and count the votes.  Of the 26 organizations
> represented on the Board, 21 have established that they are aware of
> this issue.
> It seems reasonable to require a minimum of 16 ACCEPT votes, which
> would be 75% of the "active" Board member organizations, and 60% of
> all Board member organizations.
> Note that I will be unavailable for all or most of Friday, so if
> you're voting then, please make sure that Dave Mann knows how you
> voted.
> - Steve
> ************** TEXT of CyberCrime Treaty Statement v5.5 **************
> Greetings:
> As leading security practitioners, educators, vendors, and users of
> information security, we wish to register our misgivings about the
> Council of Europe draft treaty on Crime in Cyberspace.
> We are concerned that portions of the proposed treaty may result in
> criminalizing techniques and software commonly used to make computer
> systems resistant to attack.  Signatory states passing legislation to
> implement the treaty may endanger the security of their computer
> systems because computer users in those countries will not be able to
> adequately protect their computer systems and the education of
> information protection specialists will be hindered.
> Critical to the protection of computer systems and infrastructure is
> the ability to
> * Test software for weaknesses
> * Verify the presence of defects in computer systems
> * Exchange vulnerability information
> System administrators, researchers, consultants and companies all
> routinely develop, use, and share software designed to exercise known
> and suspected vulnerabilities.  Academic institutions use these
> tools to educate students and in research to develop improved
> defenses.  Our combined experience suggests that it is impossible
> to reliably distinguish software used in computer crime from that
> used for these legitimate purposes.  In fact, they are often
> identical.
> Currently, article 6 of the draft treaty is vague regarding the use,
> distribution, and possession of software that could be used to
> violate the security of computer systems.  We agree that damaging or
> breaking into computer systems is wrong and we unequivocally support
> laws against such inappropriate behavior.  We affirm that a goal of the
> treaty and resulting legislation should  be to permit the development
> and application of good security measures.  However, legislation that
> criminalizes security software development, distribution and use
> is counter to that goal, as it would adversely impact security
> practitioners, researchers, and educators.
> Therefore, we respectfully request that the treaty drafters remove
> section a.1 from article 6, and modify section b accordingly; the
> articles on computer intrusion and damage (viz., articles 1-5) are
> already sufficient to proscribe any improper use of security-related
> software or information.
> Please do not hesitate to call on us for technical advice in your
> future deliberations.
> Signed,
> [** signatures, affiliations, and disclaimers deleted - still under
> discussion **]
org:The MITRE Corporation
adr:;;1820 Dolley Madison Blvd;McLean;VA;22102;
title:INFOSEC Engineer
fn:Bill Hill

S/MIME Cryptographic Signature

Page Last Updated or Reviewed: May 22, 2007