European proposals for an international treaty to combat cybercrime have come under fire from security experts who fear it will outlaw legitimate techniques needed to ensure the security of commercial IT systems.
The Council of Europe's Convention on Crime in Cyberspace, which is still in draft form, aims to make it easier for law enforcement agencies to collaborate on cross-border computer crime investigations.
The treaty proposes a crackdown on the dissemination of software and techniques used by hackers to illegally tap into computer systems.
However, security experts have warned that, unless there are substantial changes, the treaty will also make it difficult for legitimate users to test and improve the security of their IT systems.
IT security consultant Peter Sommer said the convention could end up criminalising programs such as ISS and Satan, which are used by IT departments to protect the security of their systems.
"The programs used by hackers are often identical to those used for legitimate purposes," he said.
Sommer is one of more than 80 security experts, academics and security software suppliers to sign a letter outlining their concerns to the Council of Europe.
"Legislation that criminalises security software development, distribution and use… would severely impact security practitioners," the group warned.
At issue is article six of the draft treaty, which outlaws the distribution, import and use of computer programs, data and passwords used for illegal access or interception.
Christopher W Klaus, chief technical officer of security company Internet Security Systems, said the treaty would make it impossible to test software for security flaws.
"If people cannot legally validate whether a system is secure or not, only criminals will be able to get that information. To defeat the criminals we need to be out there proactively to make sure we are more secure," he said.
Mark Drew, group security manager at Norwich Union, said the treaty would make it much harder for users to check the security of their IT systems if it goes ahead. He believes the treaty will force users to build their own security teams, rather than rely on external consultants.
"If someone has to set up a security bunker of their own they are not going to be as effective. Without sharing information, it could engender a false sense of security if our team could not crack a system," he warned.