Information technology managers fear that the Council of Europe's final draft of a controversial cybercrime treaty, which was approved by the council's European Committee on Crime Problems last month, will affect their businesses from both a liability and a security perspective.
But before getting all worked up over liability issues, American IT leaders need to remember that European nation-states are behind the U.S. in terms of cyberlegislation and law enforcement, explains Martha Stansell-Gamm, chief of the Computer Crime and Intellectual Property Section at the U.S. Department of Justice (DOJ). Stansell-Gamm was the DOJ's representative in the drafting of the treaty. The U.S. participated because it has observer status within the Council of Europe.
"We already have many treaties—bilateral and multilateral—on law enforcement matters like extradition, mutual assistance, money laundering and corruption," she says. "An awful lot of what's going into this treaty is not new; this just combines technology and criminal law and international law."
Just as in other international law enforcement pacts, the primary objective of the treaty is to break the bottlenecks in international cyberinvestigations, says Stansell-Gamm.
For example, if the Philippines had had the laws in place to become a signatory to the treaty, the creators of the "I Love You" virus might have been brought to trial there. But at the time, the Philippines had no laws addressing computer crime, and the U.S. had no treaty agreement with Philippine authorities to continue the investigation, so the virus writers were never charged.
"We want to avoid the situation where U.S. networks are being pounded from overseas and we can't do anything about it," Stansell-Gamm says.
Until now, domestic law enforcement agencies have been in a quandary over international cyberinvestigations. They've tried everything from training foreign authorities to luring a cracker from Russia to the U.S. and then tracing his cybertracks back to his server lair and downloading the contents of that server.
Yet despite the hope that the treaty will improve the ability of U.S. corporations to press criminal charges against foreign attackers, the American business community is concerned about a number of substantive laws that treaty participants must enact if they want to be signatories. In particular, U.S. firms are concerned about the following potential problems:
- Increased corporate liability.
- Granting too many investigative powers, to the detriment of corporate privacy.
- Making the distribution and sale of hacking tools illegal.
Among these concerns, the one voiced loudest by corporate managers is the potential impact on businesses that use hacking tools to test the stealth of their networks. "Ping could be a hacking tool. TraceRoute [a tool used for IP tracking] could be a hacking tool. How do you define a hacking tool?" asks Frank Clark, network operations manager at Thaumaturgix Inc., a hosting and IT services firm in New York. "The people making these laws don't know what a hacking tool is. And to outlaw the wrong tools could make it impossible for me to do my job testing my network."
Mark Rasch, vice president of cyberlaw at Predictive Systems Inc., a tech consultancy in New York, says such restrictions could also violate First Amendment rights to free speech.
This particular concern isn't being driven by the language in the treaty document itself, but by a preamble press release published when the draft first went online in April 2000. The release stated, "The draft provides for the co-ordinated criminalisation of computer hacking and hacking devices," without going into further detail.
"The real problem we have is the document doesn't address intent," says Lisa Norton, an attorney for Internet Security Systems Inc. (ISS) in Atlanta. Norton lobbied against the outlawing of hacking tools because such laws could put tools vendors such as ISS out of business.
Fortunately, both the April and December 2000 treaty drafts clearly state that hacking tools are illegal only if used "for the purpose of committing offences established in Articles 2-5" (see list at right). The December treaty draft includes additional provisions allowing legitimate use of hacking tools.
Other IT professionals who have carefully read the document say they feel that the treaty clearly addresses the issue of intent and the legitimate use of hacking tools. "I spent 15 years as an attorney, and I do know ambiguous language. This [treaty draft] is something we're comfortable with," says Mitch Demblin, program director for the cyberattack team at Exodus Communications Inc. in Santa Clara, Calif.