RE: FINAL version of CyberCrime Treaty statement - ready for sign atures
Enterprise Solutions Division
From: Steven M. Christey [mailto:coley@LINUS.MITRE.ORG]
Sent: Tuesday, May 16, 2000 3:44 PM
Cc: gjg@MITRE.ORG; ptasker@MITRE.ORG
Subject: FINAL version of CyberCrime Treaty statement - ready for
The final version of the CyberCrime treaty statement is ready for your
Editorial Board members from 26 different organizations have voted to
ACCEPT the statement, and expect to endorse it as individuals or as
official representatives of their companies. There are 28
organizations on the Board at this time, so this clearly satisfies any
I made two small grammatical changes based on comments by Andre Frech
and Jim Magdych, which means that I added three commas. No other
changes were made. The final text is below.
At MITRE, Gary Gagnon (a director in our Security and Information
Operations division) is working on a strategy for conducting the
outreach. I expect that we will have a concrete approach, including a
coordinator, in the next day or so.
The next step is to gather the signatures from Editorial Board members
so that we have a unified statement for the outreach. I will gather
the signatures for this initial effort.
Some Board members have expressed concerns that even if they sign as
an individual and we include a disclaimer, that listing their company
affiliation may cause careless readers to believe that the member is
representing an official position. To address this, I propose the
- If you're representing an official position for your company,
include your title and the phrase "Representing XYZ Corporation"
as part of your signature
- If you're signing as an individual, you have the option to include
your organization or not; if not, your title and/or role in the
community is encouraged. Consider that your title may further
reinforce the fact that you don't speak for your organization.
The "Representing" tag will reinforce who's making an official
organizational statement and who isn't. The disclaimer has been
adapted as follows:
This statement represents the professional opinion of each
individual signer. Unless stated otherwise, it may not represent
the official position of the signer's parent organization.
Finally, because Adam Shostack and Scott Blake introduced this issue
to the Board, I suggest that their signatures should be listed first.
Thanks to everyone for the incredible level of participation in this
effort. It's been a busy but rewarding experience. I look forward to
collecting your signatures as we move into the next phase.
************** FINAL TEXT of CyberCrime Treaty Statement **************
As leading security practitioners, educators, vendors, and users of
information security, we wish to register our misgivings about the
Council of Europe draft treaty on Crime in Cyberspace.
We are concerned that portions of the proposed treaty may result in
criminalizing techniques and software commonly used to make computer
systems resistant to attack. Signatory states passing legislation to
implement the treaty may endanger the security of their computer
systems, because computer users in those countries will not be able to
adequately protect their computer systems and the education of
information protection specialists will be hindered.
Critical to the protection of computer systems and infrastructure is
the ability to
* Test software for weaknesses
* Verify the presence of defects in computer systems
* Exchange vulnerability information
System administrators, researchers, consultants, and companies all
routinely develop, use, and share software designed to exercise known
and suspected vulnerabilities. Academic institutions use these tools
to educate students and in research to develop improved defenses. Our
combined experience suggests that it is impossible to reliably
distinguish software used in computer crime from that used for these
legitimate purposes. In fact, they are often identical.
Currently, article 6 of the draft treaty is vague regarding the use,
distribution, and possession of software that could be used to violate
the security of computer systems. We agree that damaging or breaking
into computer systems is wrong and we unequivocally support laws
against such inappropriate behavior. We affirm that a goal of the
treaty and resulting legislation should be to permit the development
and application of good security measures. However, legislation that
criminalizes security software development, distribution, and use is
counter to that goal, as it would adversely impact security
practitioners, researchers, and educators.
Therefore, we respectfully request that the treaty drafters remove
section a.1 from article 6, and modify section b accordingly; the
articles on computer intrusion and damage (viz., articles 1-5) are
already sufficient to proscribe any improper use of security-related
software or information.
Please do not hesitate to call on us for technical advice in your
This statement represents the professional opinion of each individual
signer. Unless stated otherwise, it may not represent the official
position of the signer's parent organization.
[Scott Blake and Adam Shostack signatures here]
-- corporate signers: examples --
Community-Based Transportation Technician
-- individual signers: examples --
David LeBlanc, Ph.D.
Microsoft Information Security
Lead Information Systems Engineer
The MITRE Corporation