Cатсн²² (in)sесuяitу / ChrisJohnRiley

Earlier on I posted up my thoughts on the EU Legislation – “Attacks against information systems”.

At the time I held back from commenting on some quotes in the news story as I wanted to mull over my response a little longer.

In the news article posted on europarl.europa.eu one of the MEPs responsible for the amendments and the final legislation was asked to comment on the proposal. A couple of her responses warrant a rebuttal.. although at this stage things are far to far gone to make much change at the EU level.

 “We are dealing here with serious criminal attacks, some of which are even conducted by criminal organisations. The financial damage caused for companies, private users and the public side amounts to several billions each year” said rapporteur Monika Hohlmeier (EPP, DE). “No car manufacturer may send a car without a seatbelt into the streets. And if this happens, the company will be held liable for any damage. These rules must also apply in the virtual world” she added.

The last sentence in particular really made it clear the lack of understanding of the InfoSec industry. Monika Hohlmeier talks about liability incurred through lack of testing and confuses a number of issues.

This comment would fit nicely and make sense if we were talking about lack of security testing by software vendors. I agree they should be held liable for shortcuts and sloppy work. Especially if it puts others at risk!

However in the context of this legislation it seems to point more to companies releasing tools that *could* be used by attackers.  Putting aside the fact that almost any program could be used offensively, it’s obvious that if security tools are outlawed by poorly drafted and written legislation like this, then companies won’t have the tools required to perform the testing required.

To put it in the same context as Monika Hohlmeier used…

A car manufacturer would not be able to test the reliability and security of their cars if the tools, methods and knowledge required for that testing was against the law. A company can only secure a product from potential problems (whether security or not) by using methods and techniques to test them. Car companies have and will continue to go through rigorous checks by crashing cars, dropping them on their roofs and spinning them on a wet surface to see how they react.

In the security field we do the same thing, by creating tests to see if systems are secure. We take an app and send unexpected input, attempt to force the application out of control, and take advantage of insecurities to see how far the issue goes.

You wouldn’t tell a car manufacturer that their crash tests are illegal as they cause a car to crash… So don’t try to tell us that possession of tools we need for our jobs put our jobs, and livelihoods at risk! The lack of context you placed in this legislation causes everybody to interpret the meaning. I doubt that your goal, or the goal of this legislation is to hinder, disrupt or block valid security research and testing, however the effects have to to be seen… 202(c) had the wrong effect due to it’s lax wording… don’t let this EU legislation drive all security research out of Europe.

My 0.02¢ on the issue…

Links:

• EU legislation – Digging below the FUD line (blog.c22.cc)
• Hacking IT Systems to become a criminal offence (Europarl article)
• Draft Report / Amendments –  Monika Hohlmeier (PDF)
• Draft Report / Amendments –  34 – 128 (PDF)
• Final  (Attacks against information systems) (PDF)
• Draft Agenda of the LIBE Meeting of 26-27 March 2012 (PDF)
• Meeting notes and links LIBE Meeting (Europarl site)
• Monika Hohlmeier (MEP Information Page)
• Jan Philipp Albrech (MEP Information Page)