Will Security Researchers Need a License to kill?

The European Commission is capable of the worst as well as the best ideas! A few days ago, they announced the imminent setup of a CERT (“Computer Emergency Response Team”) to protect the institutions, agencies and bodies against cyber-attacks. Good idea!

But, a few days ago, a press release announced that the Justice Ministers, who met last week, want to create a law to fight the creation of “hacking tools”. The statement says:

“The new rules would retain most of the provisions currently in place – namely the penalisation of illegal access, illegal system interference and illegal data interference as well as instigation, aiding, abetting and attempt to commit those criminal offences – and include the following new elements:

  • penalisation of the production and making available of tools (e.g. malicious software designed to create “botnets” or unrightfully obtained computer passwords) for committing the offences;
  • illegal interception of computer data will become a criminal offence;
  • improvement of European cooperation in criminal matters by strengthening the existing structure of 24/7 contact points, including an obligation to provide feedback within eight hours to urgent requests; and
  • the obligation to collect basic statistical data on cybercrimes.”

(Source PDF – page 18)

This is not a brand new idea. Some countries already have laws which go in the same direction (the UK and Germany). Of course, this news does not make infosec professionals happy and a lot of reactions quickly emerged:

“A country which prevents its researchers from developing hacking/pentesting tools is in an unfavorable position on the cyberwarfare front!” (@danchodanchev)

“A hacking tool is a system administrator’s tool in wrong hands” (@rmcok)

If I look at my own situation:

  • I always have a BackTrack USB key with me (on my keyring)
  • My laptop has several hacking tools installed
  • I use such tools for my job
  • I download such tools to test them (in a lab only, of course)

Am I now considered a criminal? Will I still be authorized to cross borders? Here is an interesting quote from a friend:

“Maybe security professionals should get state support like the weapon factories?” (@cherssen)

Will security researchers need a license to kill soon, or could an official certification in information security be a good start? Example: CISSPs must follow the (ISC)² Code of Ethics.

My point of view is NO! There are plenty of security researchers who do a wonderful job and who are not (yet?) professionals (students), or who do not have the budget to pass certifications (yes, there is clearly a business behind certifications). And even if you passed certifications, it does not mean you are competent in all the covered domains. Like a school diploma, it’s only a piece of paper. Only experience makes the difference! By introducing a “license to kill” system, money will be injected into the loop and there will be a risk of a decrease in the quality of security research.

Dear European Justice Ministers, by preventing white hats from developing or playing with hacking tools, you’ll open the door to all the black hats! Just my two cents.

2 comments

  1. I definitely agree with you on this, as probably the large majority of the IT security community.

    In my opinion, the penalization of security research will not change much about the IT threats we are facing (yeah, #cyber, #apt, etc.). On the contrary: black hats won’t be dissuaded at all and white hats will be prevented from doing the adequate and necessary research to increase our security knowledge.

    I call it security by obscurity: you can’t buy guns so people won’t be able to shoot at each other. But nothing will keep the evil haxorz from attacking the poor obedient sheep.

    And think about it: financial institutions and insurance companies need to present penetration test reports every year to the CBFA (Belgian Banking, Finance and Insurance Commission). But how can such an institution present a representative assessment report if the pentester can only use 5% of his digital artillery (being commercial and legal tools)?

    I sincerely hope our EU commissioners won’t vote any unreasonable bills and understand the futility of a couple of their statements.

    Crime must be punished, but adequate research and testing for defense and protection are also crucial.

  2. So they are just following in the footsteps of some of the member states (more specifically France & Germany) who have already enacted laws of this nature.
    IMHO it’s probably just those countries pushing to have the same thing applied to the whole of Europe.
    These countries don’t understand that making something illegal is going to fix the problem…
