Will Security Researchers Need a License to kill?

Licence to killThe European Commission is capable of the worst as best ideas! A few days ago, they announced the imminent setup  of a CERT (“Computer Emergency Response Team”) to protect the institutions, agencies and bodies against cyber-attacks. Good idea!

But, a few days ago, a press-release announced that Justice Ministers, who met last week, want to create a law to fight the creation of “hacking tools”. The statement says:

“The new rules would retain most of the provisions currently in place – namely the penalisation of illegal access, illegal system interference and illegal data interference as well as instigation, aiding, abetting and attempt to commit those criminal offences – and include the following new elements:

  • penalisation of the production and making available of tools (e.g. malicious software designed to create “botnets” or unrightfully obtained computer passwords) for committing the offences;
  • illegal interception of computer data will become a criminal offence;
  • improvement of European cooperation in criminal matters by strengthening the existing structure of 24/7 contact points, including an obligation to provide feedback within eight hours to urgent requests; and
  • the obligation to collect basic statistical data on cybercrimes.”

(Source PDF – page 18)

This is not a brand new idea. Some countries already have laws which go in the same direction (UK and Germany). Of course, this news does not make Infosec professionals happy and lot of reactions quickly emerged:

A country which prevents its researchers from developing hacking/pentesting tools, in in unfavorable position on the cyberwarfare front!” (@danchodanchev)

A hacking tool is a system administrator’s tool in wrong hands” (@rmcok)

If I look at my own situation:

  • I’ve always a BackTrack USB key with me (on my keyring)
  • My laptop has several hacking tools installed
  • I’m using such tools for my job
  • I download such tools to test them (in lab only of course)

Am I now considered as a criminal? Will I still be authorized to cross borders? Here is an interesting quote from a friend:

Maybe security professionals should get state support like the weapon factories?” (@cherssen)

Will Security Researchers need a license to kill soon or could an official certification in information security by a good start? Example: CISSP’s must follow the (ISC)² Code of Ethics.

My point of view is NO! There are plenty of security researchers who do a wonderful job and those guys are not (yet?) professionals (students) or do not have budgets to pass certifications (yes, there is clearly a business beyond certifications) . And, even if you passed certifications, it does not mean to you are competent in all the covered domains. Like a school diploma, it’s only a piece of paper. Only the experience makes the difference! By introducing a “license to kill” system, money will be injected in the loop and there will be risks of a decrease in the security researches quality.

Dear European Justice Ministers, by preventing white hats to develop or to play with hacking tools, you’ll open the door to all black hats! Just my two cents.