[ISN] US defends cybercrime treaty - --- another proposal

Mon May 3 03:20:18 EDT 2004

Forwarded from: VytautasB at pastas.kam.lt

Dear Colleagues,

Mr. Poulsen's article reminds me of a conference I attendend recently.

On March 15-17 I participated at the George C. Marshall European
Center for Security Studies Conference on the Political-Military
Dimensions of Cyber Security
http://www.marshallcenter.org/site-graphic/lang-en/page-conf-summary-index/x
docs/conf/conference-summaries/0412/0412.htm .

It was a very interesting and thought provoking conference that was
co-sponsored by HQ EUCOM and the US DoD's Directorate of Information
Assurance.  Speakers came from a wide range of US and European
institutions and included private industry as well.  The sum of all
the discussions really brought out the vulnerability of national
infrastructure to cyber atttack.  One german firm demonstrated a
simulator that showed what happens to a country's infrastructure when
the electricity runs out (in 12 hours there is no more water being
pumped, after some time the transportation system fails etc,)

After each day's plenary session we broke up into work groups to
discuss responses to various cyber security scenarios.  The work group
which I was appointed to lead came up with the idea of preparing a
draft statement on cyber security.

Unfortunately we could not put the statement to a plenary vote since
by the end of the conference we were still waiting for German and
Russian translations of the text. The Marshall Center's administration
was also uncomfortable with the idea of commiting the participants to
some sort of binding document.  So the draft Statement was never
adopted and does not have the approval of the Marshall Center nor of
the other co-sponsors. For your information I will enclose a draft
copy of the text (see below).  Maybe you or your colleagues would care
to comment on it?

Is there a need for an international body to deal with the cyber
threat or is it enough to just rely on regional organisations like the
European Union's ENISA and the proposed Convention mentioned in Mr.
Poulsen's article or the G8's High Tech Crime Sub-group?  
International cooperation in fighting air piracy or hijacking has been
successful.

Sincerely yours,

Vytautas Butrimas
Deputy Chief
Communications and Informations Systems Service
Lithuanian Ministry of National Defense
Vilnius, Lithuania

****************************************************************
****************************************************************

Draft version 1.7

STATEMENT ON CYBER SECURITY

We the information security officials from 31 countries participating
at the George C. Marshall European Center for Security Studies
Conference on The Political-Military Dimensions of Cyber Security held
in Munich, Germany on March 15-17, 2004, recognize:

that our Governments, industries, and public service sectors depend on
information technology and telecommunications (ITT) to perform their
functions,

that our ITT infrastructure is dangerously vulnerable to electronic or
cyber attack from hostile states, terrorists, criminal activities, and
computer hackers ,

that the scale of the threat has both national and international
dimensions,

that there is a lack of an international legal framework for the
prevention and defense against cyber attack,

that a credible and effective defense requires international
cooperation ,

and have agreed to encourage the United Nations to initiate the
creation of an international body for the management of cyber security
events, risk and prevention.

This body should take under consideration the development of cyber
security proposals based upon existing models that have been
successful in dealing with the problems of other sectors such as the
Stanford Agreement on air piracy and the World Health Organization on
health issues.

In addition, the participants at this conference agree to promote this
statement in their nations.

Adopted* in Munich, Germany on March 17, 2004

*N.B. "Adopted" Only mentioned in the draft text and was not put to an
actual vote.  Meant for review and study only. (V. Butrimas)

**************************************************************
****************************************************************

-----Original Message-----
From: InfoSec News [mailto:isn at c4i.org]
Sent: Monday, April 26, 2004 9:34 AM
To: isn at attrition.org
Subject: [ISN] US defends cybercrime treaty 

http://www.theregister.co.uk/2004/04/24/us_defends_cybercrime_treaty/

By Kevin Poulsen, SecurityFocus
Published Saturday 24th April 2004 

Critics took aim this week at a controversial international treaty
intended to facilitate cross-boarder computer crime probes, arguing
that it would oblige the US and other signatories to cooperate with
repressive regimes - a charge that the Justice Department denied.

The US is one of 38 nations that have signed onto the Council of
Europe's "Convention on Cybercrime," but the US Senate has not yet
ratified the measure. In a letter to the Senate last November,
President Bush called the pact "the only multilateral treaty to
address the problems of computer-related crime and electronic evidence
gathering." The treaty, "would remove or minimize legal obstacles to
international cooperation that delay or endanger U.S. investigations
and prosecutions of computer-related crime," he said.

Drafted under strong US influence, the treaty aims to harmonize
computer crime laws around the world by obliging participating
countries to outlaw computer intrusion, child pornography, commercial
copyright infringement, and online fraud.

Another portion of the treaty requires each country to pass laws that
permit the government to search and seize email and computer records,
perform Internet surveillance, and to order ISPs to preserve logs in
connection with an investigation. A "mutual assistance" provision then
obligates the county to use those tools to help out other signatory
countries in cross-border investigations: France, for example, could
request from the US the traffic logs for an anonymous Hushmail user
suspected of violating French law.

[...]