William Hill
Principal INFOSEC Engineer
The MITRE Corporation

"Steven M. Christey" wrote:

> All,
>
> The final version of the CyberCrime treaty statement is ready for your
> signature.
>
> Editorial Board members from 26 different organizations have voted to
> ACCEPT the statement, and expect to endorse it as individuals or as
> official representatives of their companies. There are 28
> organizations on the Board at this time, so this clearly satisfies any
> "quorum" requirement.
>
> I made two small grammatical changes based on comments by Andre Frech
> and Jim Magdych, which means that I added three commas. No other
> changes were made. The final text is below.
>
> At MITRE, Gary Gagnon (a director in our Security and Information
> Operations division) is working on a strategy for conducting the
> outreach. I expect that we will have a concrete approach, including a
> coordinator, in the next day or so.
>
> The next step is to gather the signatures from Editorial Board members
> so that we have a unified statement for the outreach. I will gather
> the signatures for this initial effort.
>
> Some Board members have expressed concerns that even if they sign as
> an individual and we include a disclaimer, that listing their company
> affiliation may cause careless readers to believe that the member is
> representing an official position. To address this, I propose the
> following convention:
>
> - If you're representing an official position for your company,
>   include your title and the phrase "Representing XYZ Corporation"
>   as part of your signature
>
> - If you're signing as an individual, you have the option to include
>   your organization or not; if not, your title and/or role in the
>   community is encouraged. Consider that your title may further
>   reinforce the fact that you don't speak for your organization.
>
> The "Representing" tag will reinforce who's making an official
> organizational statement and who isn't. The disclaimer has been
> adapted as follows:
>
>   This statement represents the professional opinion of each
>   individual signer. Unless stated otherwise, it may not represent
>   the official position of the signer's parent organization.
>
> Finally, because Adam Shostack and Scott Blake introduced this issue
> to the Board, I suggest that their signatures should be listed first.
>
> Thanks to everyone for the incredible level of participation in this
> effort. It's been a busy but rewarding experience. I look forward to
> collecting your signatures as we move into the next phase.
>
> - Steve
>
> ************** FINAL TEXT of CyberCrime Treaty Statement **************
>
> Greetings:
>
> As leading security practitioners, educators, vendors, and users of
> information security, we wish to register our misgivings about the
> Council of Europe draft treaty on Crime in Cyberspace.
>
> We are concerned that portions of the proposed treaty may result in
> criminalizing techniques and software commonly used to make computer
> systems resistant to attack. Signatory states passing legislation to
> implement the treaty may endanger the security of their computer
> systems, because computer users in those countries will not be able to
> adequately protect their computer systems and the education of
> information protection specialists will be hindered.
>
> Critical to the protection of computer systems and infrastructure is
> the ability to
>   * Test software for weaknesses
>   * Verify the presence of defects in computer systems
>   * Exchange vulnerability information
>
> System administrators, researchers, consultants, and companies all
> routinely develop, use, and share software designed to exercise known
> and suspected vulnerabilities. Academic institutions use these tools
> to educate students and in research to develop improved defenses. Our
> combined experience suggests that it is impossible to reliably
> distinguish software used in computer crime from that used for these
> legitimate purposes. In fact, they are often identical.
>
> Currently, article 6 of the draft treaty is vague regarding the use,
> distribution, and possession of software that could be used to violate
> the security of computer systems. We agree that damaging or breaking
> into computer systems is wrong and we unequivocally support laws
> against such inappropriate behavior. We affirm that a goal of the
> treaty and resulting legislation should be to permit the development
> and application of good security measures. However, legislation that
> criminalizes security software development, distribution, and use is
> counter to that goal, as it would adversely impact security
> practitioners, researchers, and educators.
>
> Therefore, we respectfully request that the treaty drafters remove
> section a.1 from article 6, and modify section b accordingly; the
> articles on computer intrusion and damage (viz., articles 1-5) are
> already sufficient to proscribe any improper use of security-related
> software or information.
>
> Please do not hesitate to call on us for technical advice in your
> future deliberations.
>
> ----------------------------------------------------------------------
>
> This statement represents the professional opinion of each individual
> signer. Unless stated otherwise, it may not represent the official
> position of the signer's parent organization.
>
> [Scott Blake and Adam Shostack signatures here]
>
> -- corporate signers: examples --
>
> Jane Doe
> CTO
> Representing Big_Corporation_ABC
>
> Ralph Kramden
> Community-Based Transportation Technician
> Representing Small_Business_DEF
>
> -- individual signers: examples --
>
> David LeBlanc, Ph.D.
> Microsoft Information Security
>
> Steve Christey
> Lead Information Systems Engineer
> The MITRE Corporation