RE: FINAL version of CyberCrime Treaty statement - ready for signatures

Mike Prosser
Research Manager
Enterprise Solutions Division
Symantec Corporation

-----Original Message-----
From: Steven M. Christey [mailto:coley@LINUS.MITRE.ORG]
Sent: Tuesday, May 16, 2000 3:44 PM
To: cve-editorial-board-list@lists.mitre.org
Cc: gjg@MITRE.ORG; ptasker@MITRE.ORG
Subject: FINAL version of CyberCrime Treaty statement - ready for signatures

All,

The final version of the CyberCrime treaty statement is ready for your signature. Editorial Board members from 26 different organizations have voted to ACCEPT the statement, and expect to endorse it as individuals or as official representatives of their companies. There are 28 organizations on the Board at this time, so this clearly satisfies any "quorum" requirement.

I made two small grammatical changes based on comments by Andre Frech and Jim Magdych, which means that I added three commas. No other changes were made. The final text is below.

At MITRE, Gary Gagnon (a director in our Security and Information Operations division) is working on a strategy for conducting the outreach. I expect that we will have a concrete approach, including a coordinator, in the next day or so.

The next step is to gather the signatures from Editorial Board members so that we have a unified statement for the outreach. I will gather the signatures for this initial effort.

Some Board members have expressed concerns that even if they sign as an individual and we include a disclaimer, that listing their company affiliation may cause careless readers to believe that the member is representing an official position. To address this, I propose the following convention:

- If you're representing an official position for your company, include your title and the phrase "Representing XYZ Corporation" as part of your signature

- If you're signing as an individual, you have the option to include your organization or not; if not, your title and/or role in the community is encouraged. Consider that your title may further reinforce the fact that you don't speak for your organization.

The "Representing" tag will reinforce who's making an official organizational statement and who isn't.

The disclaimer has been adapted as follows:

  This statement represents the professional opinion of each individual signer. Unless stated otherwise, it may not represent the official position of the signer's parent organization.

Finally, because Adam Shostack and Scott Blake introduced this issue to the Board, I suggest that their signatures should be listed first.

Thanks to everyone for the incredible level of participation in this effort. It's been a busy but rewarding experience. I look forward to collecting your signatures as we move into the next phase.

- Steve

************** FINAL TEXT of CyberCrime Treaty Statement **************

Greetings:

As leading security practitioners, educators, vendors, and users of information security, we wish to register our misgivings about the Council of Europe draft treaty on Crime in Cyberspace.

We are concerned that portions of the proposed treaty may result in criminalizing techniques and software commonly used to make computer systems resistant to attack. Signatory states passing legislation to implement the treaty may endanger the security of their computer systems, because computer users in those countries will not be able to adequately protect their computer systems and the education of information protection specialists will be hindered.

Critical to the protection of computer systems and infrastructure is the ability to

* Test software for weaknesses
* Verify the presence of defects in computer systems
* Exchange vulnerability information

System administrators, researchers, consultants, and companies all routinely develop, use, and share software designed to exercise known and suspected vulnerabilities. Academic institutions use these tools to educate students and in research to develop improved defenses. Our combined experience suggests that it is impossible to reliably distinguish software used in computer crime from that used for these legitimate purposes. In fact, they are often identical.

Currently, article 6 of the draft treaty is vague regarding the use, distribution, and possession of software that could be used to violate the security of computer systems. We agree that damaging or breaking into computer systems is wrong and we unequivocally support laws against such inappropriate behavior. We affirm that a goal of the treaty and resulting legislation should be to permit the development and application of good security measures. However, legislation that criminalizes security software development, distribution, and use is counter to that goal, as it would adversely impact security practitioners, researchers, and educators.

Therefore, we respectfully request that the treaty drafters remove section a.1 from article 6, and modify section b accordingly; the articles on computer intrusion and damage (viz., articles 1-5) are already sufficient to proscribe any improper use of security-related software or information.

Please do not hesitate to call on us for technical advice in your future deliberations.

----------------------------------------------------------------------

This statement represents the professional opinion of each individual signer. Unless stated otherwise, it may not represent the official position of the signer's parent organization.

[Scott Blake and Adam Shostack signatures here]

-- corporate signers: examples --

Jane Doe
CTO
Representing Big_Corporation_ABC

Ralph Kramden
Community-Based Transportation Technician
Representing Small_Business_DEF

-- individual signers: examples --

David LeBlanc, Ph.D.
Microsoft Information Security

Steve Christey
Lead Information Systems Engineer
The MITRE Corporation