Disarming the Black Hats?

When does a security tool become a cyberweapon?

Responding to the increasing number of cyberattacks and viruses, the Council of Europe is proposing a convention to harmonize cybercrime laws and facilitate international investigations. Among the many recommendations is one to limit the production, distribution and possession of the tools used by hackers and crackers to exploit system vulnerabilities. Is this proposal a good idea?

For years, the gun control debate remained deadlocked with advocates on both sides cancelling each other out. While supporters of firearm restrictions began winning small victories in the early 1990s, the scales didn't tip in their favor until April 1999. The senseless murder of 13 students and a teacher at Columbine High School sparked a national outcry that put the pro-gun lobby on the defensive.

Should the mounting damage caused by cyberattacks spark a similar call to action in the high-tech industry? While it's easy to blame vendors for not offering better security and users for not being vigilant, some are targeting another source of our woes: the proliferation of powerful, easy-to-use and damaging cyberweapons.

Cyberweapons, including malware and hacking tools, have generally escaped regulation. In many countries, the use of cyberweapons is now a crime, but the development, distribution and acquisition of these tools remain legal (with the exception of tools that circumvent copyright protection and clone cellular phones). By comparison, the possession, sale and transportation of firearms are highly regulated by domestic laws and international treaties.

Cyberweapons controls would establish a standard for behavior on the Internet and provide a means for prosecuting offenders. Their enforcement could curtail attacks and limit the damage by those brazen enough to violate the law. As things are now, hackers and crackers are admired and rewarded for their sometimes devious, often illegal, activities.

Although regulating cyberweapons has some appeal, the cure could be worse than the disease. Controls would be difficult to enforce, especially given the ease with which software leaps over international boundaries via the Internet. Effective enforcement would require a vast, tightly woven network of international agreements governing cyberspace.

Even then, all it would take is one country not adopting controls to create a safe haven for crackers and virus writers, as demonstrated by the failed prosecution of Onel de Guzman, creator of the LoveBug virus. Despite causing billions of dollars in damage around the world, de Guzman had the charges against him dismissed in August because the Philippines did not have an antivirus law until after the release of LoveBug. His absolution will also make it difficult for other countries, notably the United States, to extradite him.

In addition, it could be difficult to define limits of acceptable activity in legislation. Would it be legal to publish information about security weaknesses, but not the tools that exploit them? Would exceptions be granted for research, education and the development of security products? Which weapons would be controlled? Many security products, such as vulnerability scanners and penetration testing tools (including L0phtcrack, Nmap, Nessus and Whiskers), are used for offensive and defensive purposes alike. How can we distinguish harmful tools from those that help protect systems?

And then there's the consequence of impinging on free speech. Software is generally treated as a type of speech. While there's precedent for restricting certain types of speech, such as making threats and inciting violence, these laws could be misapplied to curtail free expression.

The Council of Europe in Strasbourg, France, has proposed a compromise approach in its CyberCrime Convention. The international agreement, which could be in final draft form by the end of the year, would call upon participating countries to make the production, distribution and possession of certain computer programs illegal when the intent is to use them to commit malicious acts. The key word here is intent. Cyberweapons could be developed, distributed and used for legitimate purposes, such as security research.

A number of security practitioners, myself included, have signed a letter expressing concern that the language, as proposed by the Council of Europe's treaty, could inadvertently result in criminalizing techniques and software commonly used to make computer systems resistant to attack. Purdue University's Gene Spafford, who solicited the signatures, is worried that some countries might construe the mere possession of such software as intent of malicious activity. In such cases, the treaty could have a chilling effect on research and the use of many types of security tools.

Despite these misgivings, a modified proposal may be the best approach. Cyberweapons have the potential to cause grave harm to individuals, the economy and the stability of nations. Some limited form of cyberweapons control, tied to intent, could serve the Internet community's interests well.


DOROTHY E. DENNING is a professor of computer science at Georgetown University, director of the Georgetown Institute for Information Assurance and author of Information Warfare and Security (Addison-Wesley, 1999).