In a recent post I had outlined my concerns about the Anti-Circumvention rules imposed by ACTA. I had suggested that as a result, legislation could in future be such that using certain tools required by the security profession – which could also be used by people with malicious intent such as disassembles – would be illegal.
Since then, support for ACTA seems to have diminished considerably and its approval and passage is all but certain; however, it has just been brought to my attention that the EU is currently proposing a new piece of legislation to target hacking and which will, in fact, outlaw security tools.
There are some serious concerns about this new legislation, and its effect on the security industry and security professionals will be major. Let’s take a closer look at what is being proposed.
Cyber-attack tools: “The proposal also targets tools used to commit offences: the production or sale of devices such as computer programs designed for cyber-attacks, or which find a computer password by which an information system can be accessed, would constitute criminal offences.”
What these pieces of legislation ignore is the fact that it is not the tools but the individual using the tools that is of concern. Using the same principle adopted here by lawmakers, one can argue that the use of a knife should be considered as a criminal offence because some people use it to commit murder. We all know, however, that knives and their derivatives can be put to good use as well. Where do you draw the line?
In a similar manner, these so-called “Cyber-attack tools” can be used to do good and to cause harm. An administrator might run a dictionary attack on his own network to ensure no user is using weak passwords. Some security scanners are designed to analyze and help improve security on a network, and one of the tasks carried out to do this is that of checking devices for default passwords or weak passwords.
If this legislation were to be approved, the use of such tools would be illegal and any administrator using or found in possession of these tools could face criminal action.
What this boils down to is that those who use cyber-attack tools to breach their target’s security won’t care what the legal consequences of hacking are (as they already don’t) and they will continue to do so. Meanwhile, their ‘target’ or ‘victim’, who cannot use these tools to protect his or her network, will continue to be easy targets and prone to additional attacks. Such an exercise will ultimately weaken security not strengthen it!
Liability of legal persons: “Legal persons would be liable for offences committed for their benefit (e.g. a company would be liable for hiring a hacker to get access to a competitor’s database), whether deliberately or through a lack of supervision. They would also face penalties such as exclusion for entitlement to public benefits or judicial winding-up.”
This section of the legislation seems to put an additional burden on businesses. Organizations will need to monitor their network thoroughly to detect if an employee has launched a hacking attack on an external entity. It might even mean that if your company network is compromised and a malicious person launches an attack from your systems, you’d be liable for that offence.
Such level of control would undoubtedly create a hostile working environment because even a totally harmless email can be used in a hacking attack – by bundling malware, or even if used as a social engineering attack, to trick the recipient into visiting a malicious link or disclosing confidential information. Nothing short of total monitoring of all users’ activity can provide any guarantees your employees are not trying to hack someone. Even then, you also need to deny any action until it is approved – which is completely unfeasible from an operational point of view.
It is worrying that 50 out of 54 committee members who voted on this legislative proposal considered it to be a good idea. Also worrying is the manner in which a civil liberties committee appears to be backing it when you consider how the burden it puts on companies can only be lifted through extensive employee monitoring.
This proposed legislation can seriously hamper the efforts of those trying to protect companies and individuals from hackers. I hope that once it gets to parliament, these issues are clearly spelt out and the proposal is rejected.