RE: FINAL version of CyberCrime Treaty statement - ready for signatures

["Ken Armstrong" <karmstrong@ewa-canada.com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ken Armstrong,
Senior Network Security Engineer
EWA-Canada / CanCERT

| -----Original Message-----
| From: owner-cve-editorial-board-list@lists.mitre.org
| [mailto:owner-cve-editorial-board-list@lists.mitre.org]On Behalf Of
| Steven M. Christey
| Sent: Tuesday, May 16, 2000 4:44 PM
| To: cve-editorial-board-list@lists.mitre.org
| Cc: gjg@MITRE.ORG; ptasker@MITRE.ORG
| Subject: FINAL version of CyberCrime Treaty statement - ready for
| signatures
| 
| 
| All,
| 
| The final version of the CyberCrime treaty statement is ready for your
| signature.
| 
| Editorial Board members from 26 different organizations have voted to
| ACCEPT the statement, and expect to endorse it as individuals or as
| official representatives of their companies.  There are 28
| organizations on the Board at this time, so this clearly satisfies any
| "quorum" requirement.
| 
| I made two small grammatical changes based on comments by Andre Frech
| and Jim Magdych, which means that I added three commas.  No other
| changes were made.  The final text is below.
| 
| At MITRE, Gary Gagnon (a director in our Security and Information
| Operations division) is working on a strategy for conducting the
| outreach.  I expect that we will have a concrete approach, including a
| coordinator, in the next day or so.
| 
| The next step is to gather the signatures from Editorial Board members
| so that we have a unified statement for the outreach.  I will gather
| the signatures for this initial effort.
| 
| Some Board members have expressed concerns that even if they sign as
| an individual and we include a disclaimer, that listing their company
| affiliation may cause careless readers to believe that the member is
| representing an official position.  To address this, I propose the
| following convention:
| 
|   - If you're representing an official position for your company,
|     include your title and the phrase "Representing XYZ Corporation"
|     as part of your signature
| 
|   - If you're signing as an individual, you have the option to include
|     your organization or not; if not, your title and/or role in the
|     community is encouraged.  Consider that your title may further
|     reinforce the fact that you don't speak for your organization.
| 
| The "Representing" tag will reinforce who's making an official
| organizational statement and who isn't.  The disclaimer has been
| adapted as follows:
| 
|   This statement represents the professional opinion of each
|   individual signer.  Unless stated otherwise, it may not represent
|   the official position of the signer's parent organization.
| 
| Finally, because Adam Shostack and Scott Blake introduced this issue
| to the Board, I suggest that their signatures should be listed first.
| 
| Thanks to everyone for the incredible level of participation in this
| effort.  It's been a busy but rewarding experience.  I look forward to
| collecting your signatures as we move into the next phase.
| 
| - Steve
| 
| 
| ************** FINAL TEXT of CyberCrime Treaty Statement 
| **************
| 
| Greetings:
| 
| As leading security practitioners, educators, vendors, and users of
| information security, we wish to register our misgivings about the
| Council of Europe draft treaty on Crime in Cyberspace.
| 
| We are concerned that portions of the proposed treaty may result in
| criminalizing techniques and software commonly used to make computer
| systems resistant to attack.  Signatory states passing legislation to
| implement the treaty may endanger the security of their computer
| systems, because computer users in those countries will not be able to
| adequately protect their computer systems and the education of
| information protection specialists will be hindered.
| 
| Critical to the protection of computer systems and infrastructure is
| the ability to
| * Test software for weaknesses
| * Verify the presence of defects in computer systems
| * Exchange vulnerability information
| 
| System administrators, researchers, consultants, and companies all
| routinely develop, use, and share software designed to exercise known
| and suspected vulnerabilities.  Academic institutions use these tools
| to educate students and in research to develop improved defenses.  Our
| combined experience suggests that it is impossible to reliably
| distinguish software used in computer crime from that used for these
| legitimate purposes.  In fact, they are often identical.
| 
| Currently, article 6 of the draft treaty is vague regarding the use,
| distribution, and possession of software that could be used to violate
| the security of computer systems.  We agree that damaging or breaking
| into computer systems is wrong and we unequivocally support laws
| against such inappropriate behavior.  We affirm that a goal of the
| treaty and resulting legislation should be to permit the development
| and application of good security measures.  However, legislation that
| criminalizes security software development, distribution, and use is
| counter to that goal, as it would adversely impact security
| practitioners, researchers, and educators.
| 
| Therefore, we respectfully request that the treaty drafters remove
| section a.1 from article 6, and modify section b accordingly; the
| articles on computer intrusion and damage (viz., articles 1-5) are
| already sufficient to proscribe any improper use of security-related
| software or information.
| 
| Please do not hesitate to call on us for technical advice in your
| future deliberations.
| 
| ----------------------------------------------------------------------
| 
| This statement represents the professional opinion of each individual
| signer.  Unless stated otherwise, it may not represent the official
| position of the signer's parent organization.
| 
| 
| [Scott Blake and Adam Shostack signatures here]
| 
| -- corporate signers: examples --
| 
| Jane Doe
| CTO
| Representing Big_Corporation_ABC
| 
| Ralph Kramden
| Community-Based Transportation Technician
| Representing Small_Business_DEF
| 
| -- individual signers: examples --
| 
| David LeBlanc, Ph.D.
| Microsoft Information Security
| 
| Steve Christey
| Lead Information Systems Engineer
The MITRE Corporation

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOSKNlXfba3jWxdCmEQK7EwCdGPfYbaYMW5v5I3SYNEVL5EiXx84An2sN
RFi/BxfjvF7iWCw2ZMbg5Z5B
=KKNb
-----END PGP SIGNATURE-----