RE: FINAL version of CyberCrime Treaty statement - ready for signatures

Scott Blake
Security Program Manager
BindView Corporation

>-----Original Message-----
>From: owner-cve-editorial-board-list@lists.mitre.org
>[mailto:owner-cve-editorial-board-list@lists.mitre.org]On Behalf Of
>Steven M. Christey
>Sent: Tuesday, May 16, 2000 4:44 PM
>To: cve-editorial-board-list@lists.mitre.org
>Cc: gjg@MITRE.ORG; ptasker@MITRE.ORG
>Subject: FINAL version of CyberCrime Treaty statement - ready for
>
>The final version of the CyberCrime treaty statement is ready for your
>
>Editorial Board members from 26 different organizations have voted to
>ACCEPT the statement, and expect to endorse it as individuals or as
>official representatives of their companies.  There are 28
>organizations on the Board at this time, so this clearly satisfies any
>"quorum" requirement.
>
>I made two small grammatical changes based on comments by Andre Frech
>and Jim Magdych, which means that I added three commas.  No other
>changes were made.  The final text is below.
>
>At MITRE, Gary Gagnon (a director in our Security and Information
>Operations division) is working on a strategy for conducting the
>outreach.  I expect that we will have a concrete approach, including a
>coordinator, in the next day or so.
>
>The next step is to gather the signatures from Editorial Board members
>so that we have a unified statement for the outreach.  I will gather
>the signatures for this initial effort.
>
>Some Board members have expressed concerns that even if they sign as
>an individual and we include a disclaimer, that listing their company
>affiliation may cause careless readers to believe that the member is
>representing an official position.  To address this, I propose the
>following convention:
>
>  - If you're representing an official position for your company,
>    include your title and the phrase "Representing XYZ Corporation"
>    as part of your signature
>
>  - If you're signing as an individual, you have the option to include
>    your organization or not; if not, your title and/or role in the
>    community is encouraged.  Consider that your title may further
>    reinforce the fact that you don't speak for your organization.
>
>The "Representing" tag will reinforce who's making an official
>organizational statement and who isn't.  The disclaimer has been
>adapted as follows:
>
>  This statement represents the professional opinion of each
>  individual signer.  Unless stated otherwise, it may not represent
>  the official position of the signer's parent organization.
>
>Finally, because Adam Shostack and Scott Blake introduced this issue
>to the Board, I suggest that their signatures should be listed first.
>
>Thanks to everyone for the incredible level of participation in this
>effort.  It's been a busy but rewarding experience.  I look forward to
>collecting your signatures as we move into the next phase.
>
>- Steve
>
>************** FINAL TEXT of CyberCrime Treaty Statement **************
>
>As leading security practitioners, educators, vendors, and users of
>information security, we wish to register our misgivings about the
>Council of Europe draft treaty on Crime in Cyberspace.
>
>We are concerned that portions of the proposed treaty may result in
>criminalizing techniques and software commonly used to make computer
>systems resistant to attack.  Signatory states passing legislation to
>implement the treaty may endanger the security of their computer
>systems, because computer users in those countries will not be able to
>adequately protect their computer systems and the education of
>information protection specialists will be hindered.
>
>Critical to the protection of computer systems and infrastructure is
>the ability to
>
>* Test software for weaknesses
>* Verify the presence of defects in computer systems
>* Exchange vulnerability information
>
>System administrators, researchers, consultants, and companies all
>routinely develop, use, and share software designed to exercise known
>and suspected vulnerabilities.  Academic institutions use these tools
>to educate students and in research to develop improved defenses.  Our
>combined experience suggests that it is impossible to reliably
>distinguish software used in computer crime from that used for these
>legitimate purposes.  In fact, they are often identical.
>
>Currently, article 6 of the draft treaty is vague regarding the use,
>distribution, and possession of software that could be used to violate
>the security of computer systems.  We agree that damaging or breaking
>into computer systems is wrong and we unequivocally support laws
>against such inappropriate behavior.  We affirm that a goal of the
>treaty and resulting legislation should be to permit the development
>and application of good security measures.  However, legislation that
>criminalizes security software development, distribution, and use is
>counter to that goal, as it would adversely impact security
>practitioners, researchers, and educators.
>
>Therefore, we respectfully request that the treaty drafters remove
>section a.1 from article 6, and modify section b accordingly; the
>articles on computer intrusion and damage (viz., articles 1-5) are
>already sufficient to proscribe any improper use of security-related
>software or information.
>
>Please do not hesitate to call on us for technical advice in your
>future deliberations.
>
>This statement represents the professional opinion of each individual
>signer.  Unless stated otherwise, it may not represent the official
>position of the signer's parent organization.
>
>[Scott Blake and Adam Shostack signatures here]
>
>-- corporate signers: examples --
>
>Jane Doe
>Representing Big_Corporation_ABC
>
>Ralph Kramden
>Community-Based Transportation Technician
>Representing Small_Business_DEF
>
>-- individual signers: examples --
>
>David LeBlanc, Ph.D.
>Microsoft Information Security
>
>Steve Christey
>Lead Information Systems Engineer
>The MITRE Corporation

Page Last Updated or Reviewed: May 22, 2007