
European Legislation Might Outlaw Security Tools

on April 13, 2012

In a recent post I outlined my concerns about the Anti-Circumvention rules imposed by ACTA. I suggested that, as a result, future legislation could make it illegal to use certain tools required by the security profession – such as disassemblers – simply because they could also be used by people with malicious intent.

Since then, support for ACTA seems to have diminished considerably and its approval and passage is all but certain; however, it has just been brought to my attention that the EU is currently proposing a new piece of legislation that targets hacking and which will, in fact, outlaw security tools.

There are some serious concerns about this new legislation, and its effect on the security industry and security professionals will be major. Let’s take a closer look at what is being proposed.


“Cyber-attack tools

The proposal also targets tools used to commit offences: the production or sale of devices such as computer programs designed for cyber-attacks, or which find a computer password by which an information system can be accessed, would constitute criminal offences.”

What these pieces of legislation ignore is the fact that it is not the tools but the individual using the tools that is of concern. Using the same principle adopted here by lawmakers, one can argue that the use of a knife should be considered as a criminal offence because some people use it to commit murder. We all know, however, that knives and their derivatives can be put to good use as well. Where do you draw the line?

In a similar manner, these so-called “Cyber-attack tools” can be used to do good and to cause harm. An administrator might run a dictionary attack on his own network to ensure no user is using weak passwords. Some security scanners are designed to analyze and help improve security on a network, and one of the tasks carried out to do this is that of checking devices for default passwords or weak passwords.

If this legislation were to be approved, the use of such tools would be illegal and any administrator using or found in possession of these tools could face criminal action.

What this boils down to is that those who use cyber-attack tools to breach their target’s security won’t care what the legal consequences of hacking are (they already don’t) and will continue to do so. Meanwhile, their ‘target’ or ‘victim’, who cannot use these same tools to protect his or her network, will remain an easy target and prone to additional attacks. Such an exercise will ultimately weaken security, not strengthen it!


“Liability of legal persons

Legal persons would be liable for offences committed for their benefit (e.g. a company would be liable for hiring a hacker to get access to a competitor’s database), whether deliberately or through a lack of supervision. They would also face penalties such as exclusion for entitlement to public benefits or judicial winding-up.”

This section of the legislation seems to put an additional burden on businesses. Organizations will need to monitor their network thoroughly to detect if an employee has launched a hacking attack on an external entity. It might even mean that if your company network is compromised and a malicious person launches an attack from your systems, you’d be liable for that offence.

Such a level of control would undoubtedly create a hostile working environment, because even a totally harmless-looking email can be used in a hacking attack – by bundling malware, or as part of a social engineering attack to trick the recipient into visiting a malicious link or disclosing confidential information. Nothing short of total monitoring of all users’ activity can provide any guarantee that your employees are not trying to hack someone. Even then, you would also need to block every action until it is approved – which is completely unfeasible from an operational point of view.


It is worrying that 50 out of 54 committee members who voted on this legislative proposal considered it to be a good idea. Also worrying is the manner in which a civil liberties committee appears to be backing it when you consider how the burden it puts on companies can only be lifted through extensive employee monitoring.

This proposed legislation can seriously hamper the efforts of those trying to protect companies and individuals from hackers. I hope that once it gets to parliament, these issues are clearly spelt out and the proposal is rejected.

Comments
Bill Trombley, April 14, 2012, 3:10 pm

You bring up a fantastic point about the knives, no pun intended, but wasn’t there a legislator in the UK who actually wanted to uniformly dull knives to prevent such a thing from happening? It’s the same with any “tool” legislation, and I’m amazed at the brazenness at which these bills and whatnot continue to be proposed. Hopefully, history repeats, somebody stands up and says “actually, we need these things, how about tougher regulation on those who do harm rather than the means by which they do it” and we can actually progress as a species instead of completely ruining our best lines of defense.

Emmanuel Carabott, April 17, 2012, 10:22 am

The problem here is that when one legislation fails, a new one, which is generally worse than the previous one, starts almost immediately.

We need to succeed every time and they only need to succeed once. The odds are that eventually all the legislations being pushed, no matter how bad they are, will pass and that is what really worries me.

Rebecca Jane, April 16, 2012, 3:46 pm

I think it is just right to make the company accountable for any employee involved in any illegal access of data. It is the company’s responsibility to impose on its employees its rules for handling data within and outside its system. With this, the company will be more strict and watchful of every person within the organization. There has to be a loyalty check every now and then. In the long run, it is the company that can benefit from always being on the lookout. Also, the workers play their part by being cautious whenever dealing with the company’s internal and external networks.

Then both parties can work hand in hand as a team to counter any illegal acts and attacks on their network.

Emmanuel Carabott, April 17, 2012, 10:20 am

@Rebecca,

I am afraid I disagree with you. Making the company accountable for crimes committed by an employee, even if unaware of such crimes, is dangerous. Only total monitoring and control can ensure a company detects such illegalities. Think about it – an employee can send an email with malicious links, or social engineering attacks. How can you prevent that? Monitor and block any outgoing email until a person reads and approves it. How can you prevent an employee from committing a crime through a phone call? Not allowing personal mobile phones and having someone listening in on every phone call with the ability to stop the call the instant a crime starts to be committed is really the only way. To do such things would make the work environment way too hostile and oppressive, which will, in turn, create disgruntled employees that are yet another security risk. This will reduce productivity, increase cost and increase the security risk. All in all it will just create negativity with nothing really positive coming out of it.

Bottom line, security needs to be a balance between mitigating a certain level of risk and personal freedom. If the consequence of that mitigation failing is increased, the whole equation will lean towards the need to mitigate more and more risk. This is both more expensive and oppressive.