There is a draft EU law that would make attacks on IT systems a criminal offense punishable by at least two years in prison. It would also make possessing or distributing hacking software and tools an offense.

I understand the motive: reduce the number of attacks and data breaches. Europe has always taken a trailblazing approach to security and privacy, and I respect the value it places on them. However, I don't think this bill would reduce criminal attacks. Legislators' time would be better spent writing laws that deal with those who are caught illegally breaking into sites, disrupting business websites, and so on. Or they could take a fresh approach and address the systemic issue, which is our industry's inability to create secure software. What about a law that requires software engineers to be certified, as is done in other engineering disciplines? OK, I won't go down that rabbit hole, but it does raise the question of what kind of laws and regulations the software space actually needs in order to curb the hacking epidemic.

This is analogous to the saying, "Guns don't kill people; people kill people." Outlawing the tool isn't going to stop the attacks. In fact, making hacking tools illegal adds to the allure of hacking and could motivate attackers even more. A black market for tools may well produce more sophisticated hacking tools than those that exist today, and such tools are very easy to hide and distribute. Attackers are masterful at this.

How would a hacking tool be defined, anyway? Would it be defined by how the tool is used or misused? A web browser is a great hacking tool, because you can perform SQL injection and XSS attacks from nothing more than its address bar and form fields; so are Notepad, Linux, and other seemingly innocuous products. A web vulnerability scanner or penetration testing product such as AppScan or Metasploit is certainly in a grey area; this isn't a black and white question. Tools are just that, tools. The only thing that separates a penetration tester running Metasploit from an attacker running it is authorization and intent. It's the knowledge behind the tools (and the attackers wielding them) that is the problem; it's how one uses a tool that causes damage. Legislation and regulation should focus on intent and the damage inflicted, not on the means that enabled the attack in the first place.

If this law is not crafted carefully, it will likely prevent legitimate security teams from finding the exploitable vulnerabilities that attackers are going to find anyway with their black-market or home-grown tools, not to mention the manual techniques that are often required to find the really nasty vulnerabilities. If you take these tools out of the "good guys'" hands, how can anyone put a proper defense in place?