International Convention on Cybercrime Could Chill Computer Security Research
by Carolyn Meinel
The end of today's freedom (or anarchy, depending on one's
point of view) to create or possess exploit proof of concept code may now be
within sight. On Nov. 17, 2003, President George W. Bush submitted the Council of
Europe's Convention on Cybercrime to the U.S. Senate. If ratified, this could
mean the end of the era of full disclosure of computer exploits. This could mean
the end of Happyhacker.org. The end of Zone-h.org. Bye bye, Bugtraq.
In Budapest, Hungary, on Nov. 23, 2001, the heads of the U.S. and twenty-nine
other nations signed the treaty.(1) Yet George W. Bush waited two years to
submit it to the U.S. Senate. He may have delayed because it has stirred up
opposition from both the U.S. Department of Justice and advocates of free speech
such as the Electronic Frontier Foundation (http://www.eff.org).
The treaty will not go into force until at least five nations ratify it, three
of which must be members of the Council of Europe. Once in force, it will apply
to all nations that ratify it.
Many signatory nations appear to have had second thoughts. As of this writing,
more than two years after the signing ceremony, only four have ratified the
Cybercrime Treaty: Albania, Estonia, Croatia and Hungary. All are members of the
Council of Europe. A current list of nations that have ratified the treaty is
located at
http://conventions.coe.int/Treaty/EN/searchsig.asp?NT=185&CM=&DF=.
Clearly, even if the U.S. were the only other nation to finally ratify the
treaty, it would trigger the provision that sets it into force.
Why have so many signatory nations balked at ratifying the treaty?(2) The area
of concern that is most relevant to computer security researchers is Section I,
Article 6 - "Misuse of devices":
1. Each Party shall adopt such legislative and other measures as may be
necessary to establish as criminal offences under its domestic law, when
committed intentionally and without right:
a. the production, sale, procurement for use, import, distribution or otherwise
making available of:
i. a device, including a computer program, designed or adapted primarily for the
purpose of committing any of the offences established in accordance with Article
2 - 5;
ii. a computer password, access code, or similar data by which the whole or any
part of a computer system is capable of being accessed with intent that it be
used for the purpose of committing any of the offences established in Articles 2
- 5; and
b. the possession of an item referred to in paragraphs (a)(1) or (2) above, with
intent that it be used for the purpose of committing any of the offences
established in Articles 2 - 5. A Party may
require by law that a number of such items be possessed before criminal
liability attaches.
2. This article shall not be interpreted as imposing criminal
liability where the production, sale, procurement for use, import, distribution
or otherwise making available or possession referred to in paragraph 1 of this
Article is not for the purpose of committing an offence established in
accordance with articles 2 through 5 of this Convention, such as for the
authorised testing or protection of a computer system.
3. Each Party may reserve the right not to apply paragraph 1
of this Article, provided that the reservation does not concern the sale,
distribution or otherwise making available of the items referred to in paragraph
1 (a) (2). (3)
Basically this article commits all nations that adopt the treaty to pass laws
making it a criminal offense to create, possess or distribute exploit code if
the authorities believe it was done with criminal intent.
Advocates of the Treaty say that the "intent" provision will protect legitimate
researchers, presuming that under point #3 a nation adopts the Treaty with the
reservation of the right for researchers to produce and possess exploit code for
internal use only.
An important issue is that the Treaty is explicit about the provisions that a
nation may alter through reservations. Thus a nation may not reserve anything
more than the mere right to create or possess exploit code for internal use
only.
What would this do to the Bugtraq, Packetstorm.nl or zone-h.org archives? Do
they distribute exploit code with criminal intent? Or as resources for computer
security? With passage of this treaty, the legal system within each Treaty
nation would be making these decisions. Because it is an international treaty,
the interpretation of intent by any nation would affect the enforcement of the
law in all other nations that have agreed to abide by the treaty.
Specifically, the Treaty has a robust section on extradition. All nations that
agree to the Treaty will be bound to allow all other Treaty nations to extradite
its citizens for crimes it covers.(4)
How might this play out? Consider the case of the Code Red worms. In 2001, eEye
Digital Security released proof of concept code against IIS that soon became
incorporated into Code Red. eEye decompiled the worm and released it in an
advisory to the public via the SecurityFocus Bugtraq email list. eEye's advisory
revealed that the pseudorandom number generator had failed to choose a different
seed for each instance of the worm, causing it to spread only linearly. Within
hours of this release, a version that had fixed the bug exploded exponentially
across the Internet.
How would a legal system gauge intent? Russ Cooper, who runs the NTBugtraq list,
says regarding intent, "It depends. If the code is incomplete, then I feel it's
OK. If it's a complete attack, then it's not good. Proving a concept doesn't
take a working exploit, at least not if you're simply trying to prove you've
found what you say you have. People who write complete PoC [proof of concept]
and post it are trying to show off, get attention, or generally be malicious,
IMO."(5)
Was the release of the source code for Code Red merely poor judgement? Within
the U.S. there are activist organizations that might be able to rein in
overzealous prosecutors of any law that might be passed covering intent. The
danger is that in the legal environment of the Cybercrime treaty, it might have
been possible for any nation party to the treaty to run eEye out of business,
and put its staff behind bars.
Should working exploit code be driven back underground? The argument in favor of
exploit code is that it may be an effective way to be certain that a program is
secure. This would have arguably been useful in the case of the vulnerability
exploited by the Sapphire (AKA SQL Slammer) worm. Many sysadmins who thought
they had patched everything discovered vulnerable Microsoft SQL servers hidden
in many other applications, including on desktop computers.
Yet it is not clear that sysadmins have a legitimate need for working exploit
code. An alternative is to use something such as Nessus that automatically
discovers vulnerabilities.
On the other hand, the Cybercrime Treaty might give many nations the opportunity
to outlaw Nessus. According to the Nessus web site, "It will not make its
security tests regarding the version number of the remote services, but will
really attempt to exploit the vulnerability."(6) An intrusion detection system
would likely flag a Nessus scan from a host outside one's network as a probable
break-in attempt.
What about Bugtraq and archives such as Zone-H.org and Packetstorm.nl? Many
nations will be making interpretations of intent. So even if the U.S. were to
attach reservations to the Treaty designed to protect companies such as Security
Focus, these would not be binding on other nations. As noted above, the scope of
allowable reservations is in any case quite limited. Just one controversial
prosecution could discourage computer security researchers, especially those who
already post under pseudonyms.
The Biological Pathogen Research Analogy
Chaos now roiling the biological pathogen research community suggests that
concerns over the Cybercrime treaty may be justified. Most notably, Nov. 12,
2003 was the deadline for U.S. pathogen research labs to comply with post 9-11
laws. Yet no lab was able to satisfy the bureaucrats administering the law. Not
one.
(Imagine some hacker gang that has been posting to Bugtraq trying to get through
similar paperwork in order to be certified that they don't intend for their
security advisory to be used to commit crime.)
At issue are two new laws that, according to an editorial in Science magazine,
have created a "perfect storm of confusion and frustration among universities
and scientists who are doing their best to comply." These are the Public Health
Security and Bioterrorism Preparedness and Response Act, and the Agricultural
Bioterrorism Protection Act. At the time they were enacted, these laws seemed to
be a good idea. Yet already they appear to be endangering the public they were
designed to protect.
R. Timothy Mulcahy, the Associate Vice Chancellor for Research Policy at the
University of Wisconsin at Madison, says, "We have already seen consequences in
the ability of the Wisconsin State Laboratory of Hygiene (WSLH) to cope with the
recent monkeypox outbreak... Clinical specimens could not legally be transferred
to the WSLH from the clinic in Marshfield, Wisconsin, where the virus was first
isolated... delaying definitive specimen identification, and prolonging response
time."
Mulcahy says the impact of these laws "leaves us wondering how a serious health
crisis involving a select agent such as anthrax might evolve in the current
regulatory environment."(7)
Could the Cybercrime Treaty hamper a crash effort to counter a new Internet
worm? Suppose someone steals a proof of concept program created for testing
only, and incorporates it into an Internet worm. Does the FBI raid the company
where it was created and force it to spend millions to prove that no one ever
intended the release? What if Slovenia acts against a U.S. company? Fear of this
outcome could prevent those who know the most about an outbreak from helping to
combat the infection.
It might not matter if the individual who wrote the code was highly respected.
Already a highly respected plague scientist has spent nearly a year fighting
felony charges over what may have been just errors in paperwork, and a theft
from his laboratory.
In Nov. 2003, Texas Tech University Professor Thomas Butler went on trial on 69
criminal counts related to mishandling 30 vials of plague bacteria. If convicted
of these charges, he could have been sentenced to hundreds of years in prison.
The jury acquitted Butler on all of the FBI's original charges of smuggling and
lying. "By acquitting him... the jury specifically rejected the testimony of over
half a dozen FBI agents," his lawyer said. "It is highly disturbing to see all
of these original charges rejected after this massive prosecution," which
brought 60 FBI agents to the Texas Tech campus. The split jury only found him
guilty of minor charges initiated by his employer of fraud and improper
shipping. Butler plans to appeal the conviction.(8)
Nobel Prize winners Peter Agre, Sidney Altman, Robert Curl, and Torsten Wiesel
have come out in support of Butler. They warn that "those scientists most
involved in bioterrorism-related research are most likely to be victims of
punitive attacks at the hands of federal authorities." The Butler case
intimidates "precisely the scientists we need most in this effort of high
national priority." They have called for a plea bargain that does not include
prison time.(9)
Some argue that researchers at the Centers for Disease Control (CDC) and U.S.
Army Institute of Infectious Diseases (USAMRIID) either encouraged Butler to
bend the regulations when shipping pathogens to them, or failed in their
promises to get the necessary paperwork in place.(10) Some say his ordeal was
largely an outgrowth of a contractual dispute between him and the administration
of Texas Tech.(11)
The Butler case represents a slippery slope of the kind posed by the Cybercrime
treaty. The difference is that Butler's woes are the result of U.S. laws that
can be modified or repealed by a simple act of Congress. If the U.S. were to
adopt the Cybercrime Treaty, changing or repealing it would require multilateral
diplomatic negotiations.
The Butler case is closely relevant to computer security research. Just as proof
of concept code is often created to test computer vulnerabilities, the
biotechnology community not only manipulates existing pathogens, it now
routinely creates biological viruses from scratch. This, many scientists say, is
necessary for research.
In July 2003, scientists at the University of New York at Stony Brook announced
that they had recreated a poliovirus from scratch and "injected it into mice to
demonstrate it was active. The animals were paralyzed and then died... The reason
we did it was to prove it can be done," said Dr. Eckard Wimmer, head of the
research team.
Dr. C. J. Peters, director of the Center for Biodefense at the University of
Texas Medical Center at Galveston, says that it is now possible that scientists
could create viruses such as Ebola from scratch.(12) Peters was only stating
the obvious. Today the question is no longer can it be done, but how fast can we
do it? In Nov. 2003, the U.S. Dept. of Energy announced that J. Craig Venter,
working under a $3 million DOE program, built a virus from scratch in just two
weeks.(13)
There are other forms of biotechnology that are as dangerous as building or
modifying genomes. According to a Feb. 2002 news release from the American
Association for the Advancement of Science, "The strain of anthrax that
contaminated the office of Senator Tom Daschle (D-SD)... was produced by a
sophisticated scientist, who 'knew what he was doing.'" It had been weaponized,
not by altering its DNA, but by creating a better dispersal mechanism.
Scientists at a bioterrorism workshop held that week argued that we should not
outlaw anthrax research. Instead, they proposed yet more research into the
mechanics of weaponized diseases. Claire Fraser, President of The Institute for
Genomic Research, urged the sequencing of the DNA for various anthrax strains
and other "dangerous pathogens." Only then, she said, could the nation cope with
bioterrorists.(14)
Yet the result of well-meaning attempts to rein in those working on biological
pathogens is, as of this writing, the failure of every known U.S. research
facility to comply with the law. Responses to new epidemics and biowarfare
attacks must, due to the new laws, proceed slowly or not at all.
The U.S. Federal government is now threatening to extend restrictions on
biological research far beyond known dangerous pathogens. Anthony Fauci, head of
the National Institute of Allergy and Infectious Diseases and the Federal point
man on bioterrorism, says, "The goal is to create a culture of responsibility
among researchers who work in biodefense and biotechnology." He says the Federal
government is setting up a panel to review experiments they deem worrisome.(15)
The problem is that even a basically harmless organism might be morphed into
something deadly. This became evident when Australian recombinant DNA
researchers accidentally altered an innocuous mouse virus to cause it to become
highly lethal.(16)
The Nuclear Weapons Analogy
More may be at stake than freedom of research. In the field of nuclear weapons,
merely advocating full disclosure has wrecked the careers of scientists. The
Cybercrime Treaty could possibly usher in an environment in which today's
advocates of full disclosure could also become blacklisted, and their companies
bankrupted.
Many physicists in the U.S. Manhattan project, which produced the world's first
nuclear weapons, favored full disclosure. Even Robert J. Oppenheimer, head of
the effort, believed this would "turn over to mankind at large the greatest
possible power to control the world and deal with it according to its lights
and values."(17)
The concept was that you couldn't keep the knowledge of basic physics secret
forever, and you couldn't sequester the raw materials everywhere and forever, so
others were bound to reinvent the bomb. Oppenheimer and his allies hoped that
full disclosure would engage the world in a fully informed debate. This would
lead, they hoped, to a voluntary, worldwide renouncing of the use of nuclear
weapons.
Despite this, work on the bomb began in the utmost secrecy and continues to be
secret everywhere such work is conducted.
Things got ugly because some feared that Oppenheimer might be sending
information to the Soviet Union. This devolved into a battle to revoke
Oppenheimer's clearance. Edward Teller, the father of the hydrogen bomb,
testified against Oppenheimer in 1954 congressional hearings. Oppenheimer lost
his clearance even though no evidence ever surfaced that he had violated
security regulations.
Long after the hearings many nuclear physicists refused to even shake Teller's
hand. For the rest of his life, Teller was an outcast from much of his
scientific community.(18) Oppenheimer and others tarred with the brush of
advocating full disclosure suffered irreparable harm to their careers.
As computer worms in particular become more damaging, and perhaps are clearly
used in warfare or terrorism, we may risk similar fratricide within the computer
security community. Once we begin witch-hunting over intent, computer security
professionals might lose their careers because of youthful membership in a
hacker gang. Who might become the next Oppenheimer?
Did nuclear secrecy even accomplish its goal? Oppenheimer's argument for full
disclosure now has some degree of support in current events. Nuclear weapons are
within reach of almost any nation: witness the profoundly impoverished, backward
nation of North Korea.
One may argue that secrecy and controls over fissile materials has at least
slowed the proliferation of nuclear weapons. Was this what slowed North Korea?
Or were the limiting factors the challenges of precision machining of fissile
material and HE (the high explosive used for implosion) and precision in the
timing of the control systems?
One could argue that reliance on secrecy and controls over fissile materials
lulled the world into procrastinating on developing defenses. In the case of
Internet worms and viruses, would chilling research merely hamper defenses?
Where the Biotechnology and Nuclear Weapons Analogies Break Down
We may not even be able to impose effective controls on exploit code.
Biotechnology and nuclear weapons require vast resources and highly educated
scientists and engineers. Despite this, international programs to control the
development of weapons of mass destruction have lost ground. And the
perpetrators of the weaponized anthrax attacks of 2001 were never caught.
By contrast, lone programmers of unimpressive skills often create Internet worms
and viruses. Already many nations have laws against release of worms and
viruses, yet these attacks continue to increase, and convictions are rare. Would
driving exploit programs underground make much of a difference? Or would it be
like stamping out marijuana patches?
Conclusion
* Is the potential for good greater than the risk if we continue to allow
unregulated research in computer security?
* Is a treaty the best way to regulate creation and release of exploit code? Or
is it better to leave this up to national and local authorities?
* If a decision is made to regulate exploit code, can it be enforced in a way
that does more good than harm?
* Should computer security professionals fight to prevent their nations from
ratifying the Cybercrime Treaty?
If the Cybercrime Treaty is a bad idea, the time to act is now. A bad law can
readily be repealed. By contrast, if a nation chooses to abrogate a treaty, or
even fails to establish and enforce the criminal penalties a treaty may demand,
it would damage that nation's credibility in foreign affairs. To smooth things
over at the Department of State, it could be expedient to sacrifice computer
security researchers.
For U.S. citizens, your best opportunity to make your opinion count is to
contact members of the Senate Foreign Relations Committee. If you live in the
home state of a member, you will be most effective by contacting him or her. If
not, you can contact the Chairman or the Ranking Minority Member. Another good
person to contact is committee member John Kerry. As a candidate for President,
he should be interested in the opinions (votes) of everyone in the U.S.
Also, if you would like to get into contact with others who oppose the treaty,
please email Carolyn Meinel at
cmeinel@techbroker.com or phone Meinel at 505-281-9675. If enough people are
interested, we could set up an email discussion group or host a meeting where we
could get together in person.
Members of the Senate Foreign Relations Committee:
Chairman: Senator Richard G. Lugar, Republican, Indiana, (202) 224-4814
Ranking Minority Member: Senator Joseph R. Biden Jr., Democrat, Delaware
Chuck Hagel, Republican, Nebraska, 202-224-4224
Lincoln Chafee, Republican, Rhode Island (202) 224-2921
Chairman of the Senate Foreign Relations Committee's Subcommittee on European
Affairs, George Allen, Republican, Virginia (202) 224-4024
Sam Brownback, Republican, Kansas (202) 224-6521
Michael Enzi, Republican, Wyoming (202) 224-3424
George V. Voinovich, Republican, Ohio (202) 224-3353
Lamar Alexander, Republican, Tennessee (202) 224-4944
Norm Coleman, Republican, Minnesota 202-224-5641
John E. Sununu, Republican, New Hampshire (202) 224-2841
Paul S. Sarbanes, Democrat, Maryland (202) 224-4524
Christopher J. Dodd, Democrat, Connecticut (202) 224-2823
John F. Kerry, Democrat, Massachusetts (202) 224-2742
Russell D. Feingold, Democrat, Wisconsin (202) 224-5323
Barbara Boxer, Democrat, California (202)224-3553
Bill Nelson, Democrat, Florida (202)224-5274
John D. Rockefeller IV, Democrat, West Virginia (202) 224-6472
Jon S. Corzine, Democrat, New Jersey (202) 224-4744
Footnotes
(1) Ministers or their representatives from the 26 following Member States
signed the treaty: Albania, Armenia, Austria, Belgium, Bulgaria, Croatia,
Cyprus, Estonia, Finland, France, Germany, Greece, Hungary, Italy, Moldova, the
Netherlands, Norway, Poland, Portugal, Romania, Spain, Sweden, Switzerland, "the
Former Yugoslav Republic of Macedonia", Ukraine and the United Kingdom. Canada,
Japan, South Africa and the United States, who took part in the drafting, also
signed the treaty.
http://press.coe.int/cp/2001/875a(2001).htm
(2) Another possibility is that this Treaty might set a precedent for imposing
formal international control over the Internet. This has been discussed at
length at the recent U.N. conference on the Internet. See "U.N. Agrees to
Examine How Internet Is Governed," by Jennifer L. Schenker,
International Herald Tribune, December 15, 2003.
(3) For the full text of this treaty, see
http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm.
(4) Article 24 - Extradition,
http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm.
(5) "Keeping NT admins informed: a list-editor speaks," by Sam
Varghese January 8, 2004,
http://www.theage.com.au/articles/2004/01/07/1073437335868.html
(6) http://www.nessus.org
(7) "An Uncertain Partnership," by R. Timothy Mulcahy, Science, Vol. 302, #7,
Nov. 7, 2003, pg. 949.
(8) "Smallpox expert decries treatment of two scientists," by John Dudley
Miller, Sept. 5, 2003
http://www.biomedcentral.com/news/20031202/07
(9) "Nobel Laureates declare support for Butler," by John Dudley Miller, The
Scientist, November 5, 2003,
http://www.biomedcentral.com/news/20031105/07.
(10) "Butler's Samples Spelled Trouble for U.S. Agencies," Science, Dec. 19,
2003, pg. 2058.
(11) "Thomas Butler convicted," by John Dudley Miller, Dec. 2, 2003
http://www.biomedcentral.com/news/20030905/04/
(12) BBC News, World Edition, July 11, 2003,
http://news.bbc.co.uk/2/hi/science/nature/2122619.stm.
(13) "Venter Cooks Up a Synthetic Genome in Record Time," Science, Vol. 302,
Nov. 12, 2003, pg.1307.
(14) "Scientists Cautious on Ability to Find Anthrax Terrorist; Seek Funding for
Sequencing Genomes of Other Pathogens," by Coimbra Sirica,
http://www.aaas.org/news/releases/bioterrorism.shtml
(15) "Researchers Await Government Response to Self-Regulation Plea," Science,
Vol. 302, Oct. 17, 2003, pg.368.
(16) R.J. Jackson et al., "Expression of Mouse Interleukin-4 by a recombinant
Ectromelia Virus Suppresses Cytolytic Lymphocyte Responses and Overcomes Genetic
Resistance to Mousepox," Journal of Virology 75: 1205-1210.
(17) The Making of the Atomic Bomb, by Richard Rhodes (Simon & Schuster, 1986).
(18) "Richard Rhodes on:
Edward Teller's Role in the Oppenheimer Hearings,"