Yesterday I started to see some chatter on Twitter about new/updated EU legislation dealing with “cyber” attacks. Before I dig into some of the quoted content and some of the details I’d like to make it clear that I’m not a lawyer, I didn’t stay at a Holiday Inn last night, and I’m probably not smart enough to really understand how politicians think… also, as with everything in legal terms, there’s a whole other area of how people interpret these legislations. So, take what’s said here as a personal opinion!
The initial link I saw posted on Twitter (care of my good friend @wimremes) was to a new article on the European Parliament News site (article can be found HERE). I clicked through to see what all the fuss was about and was greeted with the FUD-ridden headline of:
Hacking IT systems to become a criminal offence
OMG, the sky is falling! Despite the fact that in most EU countries, “hacking”, in the sense of illegally gaining entry to IT systems, has been a crime for a long time already! Moving past the large print, the thing that really seemed to be rattling people was the explicit legislation surrounding “hacking” tools.
The news article goes on to state:
Possessing or distributing hacking software and tools would also be an offence
and then further on gives a small paragraph detailing things:
The proposal also targets tools used to commit offences: the production or sale of devices such as computer programs designed for cyber-attacks, or which find a computer password by which an information system can be accessed, would constitute criminal offences.
Those reading this article without further context would have little choice but to think back to the poor decisions made in Germany (see 202(c)) that resulted in many security researchers upping sticks and moving out. The news article makes it very clear that “hacking” tools are seen as the problem, and anybody in possession of them is a criminal…
Call me a cynic, but I’m not one to trust journalists much, at least without reason… so I dug a little deeper.
The new EU Legislation discussed in the news article is based on a draft report by Monika Hohlmeier originally written back in November 2011. For those that want to get the details, you can read a copy of the draft report HERE.
This version of the draft report includes not only the proposed amendments, but also justifications. So, let’s have a quick search and see where the news article got its content.
Searching on the word “tools” provides only 5 results… none of which seems to state that writing or possessing them is a crime.
Searching on the word “possession” however brings up some interesting information (Amendment 22).
The text on the left-hand side is the original text proposed by the commission, and includes a clause for possession. As you can see from the amendment voted on and accepted this week, the word “possession” has been completely removed, and the wording slightly altered to change “for the purpose of committing any offences” to “for the clear purpose of committing any offences”.
The justification given in the amendment makes it plain that the goal of this legislation is not to target people working in security, but malicious attackers!
Given the possibility to use programmes in dual forms, i.e. for legal as well as criminal purposes, the possession of a tool should as such not be punishable. In addition, the purpose of the actions described in this article should only be punishable when it is clearly aimed at committing an offence.
There are a number of clarifications present in these amendments that I think help to make the legislation clearer and more targeted towards criminal usage, without infringing on the InfoSec community. I won’t cover all the changes here, but if you’re interested I suggest reading through the 26 page draft report HERE.
So, where’s the problem? Well, this draft report seemingly never made it through… instead it was once again amended, and replaced in January this year by a draft report (PDF) that takes these changes, and deletes them.
Initially I thought this deletion was to remove the amendment, but instead the justification makes it clear that the deletion was meant to remove this section from the EU legislation completely! As I said, I’m no expert on these things 😉
So-called ‘hacker tools’ are inherently dual-use, and they are crucially needed for security testing. If we want to have the whistleblower protection, we also have to legalise their possession and distribution. Passwords and access codes should not be regarded as hacker tools. If they get lost, the operator should immediately improve his security measures and set up new passwords, just as people do when they lose their keys.
It’s nice to see that at least somebody understands that security testing is important, and that outlawing tools isn’t the way to go!
Despite there being some good amendments suggested, ones that not only help clear up any misconceptions, but also help to clarify the use and possession of “hacking” tools… these clear-minded and well-reasoned amendments didn’t seem to make it into the final document delivered to the 2010 committee proposal (PDF). I can’t seem to find anywhere that explains which were accepted and which were denied!
The final version of the 2010 committee proposal includes the following in regards to the possession, creation and distribution of “hacking” tools.
… Developments in information technology have exacerbated these problems by making it easier to produce and distribute tools (‘malware’ and ‘botnets’), while offering offenders anonymity and dispersing responsibility across jurisdictions…
At least they make a clear distinction here that they refer to “tools” as a shortcut for “malware” and “botnets”. Still, this is where the good news seems to end!
Summary of the proposed action
A: Penalises the production, sale, procurement for use, import, distribution or otherwise making available of devices/tools used for committing the offence
…this Directive shall refer to ’tools’ that can be used in order to commit the crimes listed in this Directive. Tools refer to, for example, malicious software, including botnets, used to commit cyber attacks.
So it seems that “hacking” tools aren’t welcome, at least in the original committee proposal. The text describing what those tools are is open to interpretation and as a result could easily be applied to people producing anything from scanners through to example exploit code for penetration testing and vulnerability analysis purposes. As with everything, it’s not set in stone until somebody takes it to court and defines it!
Tools used for committing offences
Member States shall take the necessary measure to ensure that the production, sale, procurement for use, import, possession, distribution or otherwise making available of the following is punishable as a criminal offence when committed intentionally and without right for the purpose of committing any of the offences referred to in Articles 3 to 6:
(a) a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences referred to in Articles 3 to 6;
(b) a computer password, access code, or similar data by which the whole or any part of an information system is capable of being accessed.
The only saving grace here is the inclusion of the phrase “when committed intentionally and without right for the purpose of committing”. This still doesn’t save things from being a total car wreck however.
I started this write-up based on the amendments I saw from Monika Hohlmeier in the belief that things had been altered for the better… however, after taking time to dig through the various proposals and amendments, and finally reviewing all the available documentation, it’s unclear what changes will be made. Without a clear list of the amendments that were accepted, and of those that were either withdrawn or denied, it’s very hard to tell where this is heading.
I’ll fall short of saying what I really think… but the future doesn’t look good if the only people offering sane advice are ignored in favour of such poorly thought out legislation. Is there anywhere left where you can ply your honest trade anymore? Hopefully these proposals will become clearer once documentation is released.
Hopefully somebody with a little more legal background will take a look at this and post their opinions. Until then, I hope people keep doing what they’re doing. Without sharing of tools, techniques and knowledge, we’ve already lost!
Update: I’ve also posted some follow-up comments/thoughts HERE
Update 2: A commenter has drawn my attention to a flaw in my review. I’ve attempted to rework some of the thought and information to reflect this flaw… apologies for any confusion. I’ve sent an email to Monika Hohlmeier requesting further information on what was and was not accepted. Hopefully this will clear up some confusion.
- Hacking IT Systems to become a criminal offence (Europarl article)
- Draft Report / Amendments – Monika Hohlmeier (PDF)
- Draft Report / Amendments – 34 – 128 (PDF)
- Final commission proposal 2010 – Attacks against information systems (PDF)
- Draft Agenda of the LIBE Meeting of 26-27 March 2012 (PDF)
- Meeting notes and links LIBE Meeting (Europarl site)
- Monika Hohlmeier (MEP Information Page)
- Jan Philipp Albrecht (MEP Information Page)
If it is unclear to anyone whom to contact about all this, here is a short guide: http://pastebin.com/3b6B2589