Moves by several European countries to tighten laws against computer hacking worry security professionals who often use the same tools as hackers but for legitimate purposes.
The U.K. and Germany are among the countries that are considering revisions to their computer crime laws in line with the 2001 Convention on Cybercrime, a Europe-wide treaty, and with a similar European Union measure passed in early 2005.
But security professionals are scrutinizing those revisions out of concern for how prosecutors and judges could apply the laws. Security professionals are especially concerned about cases where the revisions apply to programs that could be used for bad or good. Companies often use hacking programs to test the mettle of their own systems.
“One useful utility in the wrong hands is a potentially malicious hacking tool,” said Graham Cluley, senior technology consultant at Sophos PLC in Abingdon, England.
In the U.K., legislators are debating amendments to the Computer Misuse Act (CMA) of 1990. The proposed revisions would make it illegal to create or supply a tool to someone who intends to use it for unauthorized computer access or modification.
Likewise, the proposed changes to German law would also criminalize making and distributing hacking tools. The German government said the changes will bring it into compliance with the 2001 Convention on Cybercrime.
Several German security companies are planning to lobby against the law, as they fear it could hamper those who test security systems, said Alexander Kornbrust, founder and chief executive officer of Red-Database-Security GmbH in Neunkirchen, Germany. For example, tools to check the strength of passwords, often freely distributed, could also be used by malicious hackers, he said.
“The security community is very unhappy with this approach,” Kornbrust said. “The concern is that the usage and possession of so called hacker tools will become illegal.”
The U.K. and Germany are trying to align their laws with Article 6 of the Convention, which bans the creation of computer programs for the purpose of committing cybercrime.
So far, 43 countries have signed the Convention, which indicates their willingness to revise their laws to comply. Fifteen have ratified the Convention. After a country changes its laws, it can ratify the convention and put it into force.
The Convention does not mandate a deadline for when countries must comply, and the process of changing laws can be lengthy depending on the country, said Margaret Killerby, head of the European Committee on Crime Problems, which tracks implementation of the Convention.
But the goal is for Europe — and other countries, such as the U.S., which also said it will implement the Convention soon — to mount a consistent defense against computer criminals given the transnational nature of computer crime, Killerby said.
A key point of the Convention requires countries to have a law enforcement contact available at all times to assist foreign authorities in obtaining electronic evidence, which can disappear quickly without quick moves by law enforcement.
“What we want to have is an institution to allow states to cooperate with each other as rapidly as possible,” she said.
Those requirements are devoid of controversy. Individual countries can draft their own customized legislation to comply with the Convention, which can be used as a checklist, Killerby said. The Council has provided assistance to countries in central and eastern Europe in creating computer crime laws where none were on the books, Killerby said.
Countries with existing laws will have find a medium that satisfies their own legal requirements and the Convention. In the U.K., the House of Lords is scheduled next month to debate changes in the part of the CMA concerning creation and distribution of hacking tools.
The proposed revision to the CMA says a person is guilty of an offense if he makes or supplies something intending it to be used to commit an offense or “believing that it is likely to be so used.”
But officials are confident that the wording can be smoothed. The controversy could be dampened merely by changing “likely” to “primarily” which could “make sure we don’t catch the legitimate penetration testers,” said Merlin Erroll, a Lord who sits on the All Party Parliamentary Internet Group (APIG), during a recent presentation in London.