New laws target terror training

Potential for IT Security Professionals to become illegal / subject to Govt registration, in UK.

Pardon the banner headline, but I just wanted to hammer the point home before explaining it, because this is one of those times when I will be actively campaigning against a bill, and hope that by catching public perception whilst the matter is warming up, we may be spared having to fix it in the House of Lords.

Go read [news.bbc.co.uk] – specifically:

Providing or receiving terrorist training could be outlawed under planned new anti-terror laws.

New offences could cover people going to terrorist camps overseas or finding out how to build a bomb through the internet, said the Home Office.

So, aside from the implicit desire of the government to filter your Google search results (“Click [here] to disable your local Government-approved result-filtering, please be aware that doing so will result in notification of your local criminal authorities”) – here is a slightly more scary train of thought for Computer Security professionals such as myself:

  1. the only way to secure an architecture is to know how hackers work
  2. “hacking techniques” == “potential terrorism methodology”
  3. “learning security” == “act preparatory to terrorism”
  4. “being a security person” == “being a terrorist, or submitting self to registration and government watch, paying for membership of an accredited body (ie: a stealth tax) to obtain a permit to work.”

Sound crazy? Not really. This sort of legislation has been mooted before, specifically the Private Security Industry Act of 2001 which was deployed to filter out bogus nightclub doormen (“bouncers”) but was written in an all-embracing way that would mandate registration of IT Security Consultants – a feature which I seem to remember taking considerable effort of many people to have revoked.

For what happened to the bouncers, go check out the Security Industry Authority:

Welcome to the SIA

Welcome to the website for the Security Industry Authority (SIA). We exist to manage the licensing of the private security industry as set out in the Private Security Industry Act 2001. We also aim to raise standards of professionalism and skills within the private security industry and to promote and spread best practice.

This site will keep you up to date on all aspects of licensing, the impacts that licensing will have on the private security industry, progress being made and what those connected with the security industry may need to do as a result of the new regulations.

…which sounds great if you visit pubs and clubs and want to be sure of not being knifed by the guy who’s on the door, but if you’re an IT Contractor and have ever been asked to prod a customer’s firewall ruleset, consider very carefully whether you want to have to get an ID Card to permit you to do so.

Or to configure SSH.

Or to have the root password.

Or indeed do anything on a computer, because everything on a computer is something to do with security.

Blair may have said that the government would act with caution and not bring in strict new laws to boost security – but I see reason to doubt him in the light of these reports.

And yes, I would rather we didn’t react at all.

Comments

7 responses to “New laws target terror training”

  1. alecm
    URL for Private Security Industries Bill

    A URL regarding the debate of the Private Security Industries Bill (now Act):

    http://www.chiark.greenend.org.uk/pipermail/ukcrypto/2002-February/057735.html

  2. alecm
    NTK did it better…

    From http://www.ntk.net/2001/03/30/

    More cut-and-pasting from ukcrypto, Britain’s last remaining form of parliamentary oversight. This week: the government’s plans to require all security consultants to register with the authorities, and be strictly licensed afore passing on their forbidden, arcane wisdom. First the bad news: the bill in question, the PRIVATE SECURITY INDUSTRY BILL, is already at its Commons’ Second Reading, and is set to be law in two months (barring those pesky elections). Now, the good news: at the reading, HO minister Charles “RIP” Clarke said it’s mainly aimed at security guards and bouncers, not IT security consultants. Now, the bad news: he added the word “currently” – and, “currently”, the Home Office says it *does* apply to computer consultants, but they won’t get around to enforcing that until 2005. Now the good news: the main restriction on the license is that you mustn’t have a serious criminal record. The bad news: hasn’t *every* security consultant got at least a “Teenage Cyberthief Was Threat To World Security” headline under their belt? And if these badly-phrased tech laws keep on at this rate, we’ll all be criminals by 2005.

    http://www.homeoffice.gov.uk/psib/ – that BOFH license in detail

    http://www.chiark.greenend.org.uk/pipermail/ukcrypto/2001-March/015267.html – best read the whole thread, because we’re sensationalising like crazy here

    http://www.theregister.co.uk/content/50/17971.html – we should point out that Mr Kuji was not convicted of any crime

  3. alecm
    …and Ross better still

    Ross Anderson Ross.Anderson@cl.cam.ac.uk

    If this bill passes, you will need a licence from the Home Office to consult on information security or cryptography. It introduces controls on `the giving of advice about the taking of security precautions in relation to any risk to property or to the person’ (schedule 2, part 1, 5 (1) b).

    There are exemptions for lawyers, accountants and management consultants. There’s even a training exemption that might be interpreted as a get-out for academics teaching security courses. But there is no exemption for the ordinary systems analyst who has to specify information protection mechanisms as part of his job. (The directors of his company can go to jail, too.)

    Some parts of the Bill have exemptions for journalists (e.g., the part on private eyes, schedule 2, part 1, 4). However, the part that deals with security consulting has no such exemption. So even if material is destined for publication – newspaper articles, postings to ukcrypto, my next security book – it seems that the author may need to get a licence, if the bill is interpreted as meaning what it says.

    Help may be at hand, though. The Home Secretary can change the schedules `for the purpose of adding or excluding any such activities as he thinks fit’. So perhaps IT people can all write to him and ask politely not to have to pay dues to his latest quango.

    This bill was advertised as a means of licensing wheel-clampers, nightclub bouncers and private eyes. Nobody seems to have paid it much attention. My informant tells me that it’s now cleared the Lords and if it isn’t stopped in the commons, it could be law before the election

    Ross

  4. Watching Them, Watching Us
    re: New laws target terror training

    “Weapons training” is already illegal, as is possessing “any item” which might be thought to be of use for terroist purposes, as is “collecting information” which may be of use to a terorist. “Directing” or “financing” a terorist organistion is also already illegal under the draconian Terrorism Act 2000

    http://www.opsi.gov.uk/acts/acts2000/00011–g.htm#54

  5. Watching Them, Watching Us
    re: New laws target terror training

    Oops, apologies for the typos – next I will be confusing “terrorism” with “tourism” …

  6. Watching Them, Watching Us
    re: New laws target terror training

    The Association of Chief Police Officers have published their “shopping list” of new powers (some of which are already actually on the statute book). e.g.

    “2.Offence not to disclose encryption keys etc

    Recent investigations have been made more complex by difficulties for investigating officers in ascertaining whereabouts of encryption keys to access computers etc. An amendment to part 3 of the Regulation of Investigatory Powers Act (RIPA) to make it an offence to fail to disclose such items would provide some sanction against suspects failing to cooperate with investigations.”

    “3.Use of the internet to prepare, encourage, facilitate acts of terrorism.

    The creation of an offence to suppress inappropriate internet usage is necessary in respect of today’s global communication capability. This preventative measure may well be catered for within the proposed new offence of acts preparatory to terrorism.”

    “4. Powers to attack identified websites.

    This power has significant benefits for counter terrorism and overlaps with other police priorities namely domestic extremism and paedophilia/child pornography. This issue goes beyond national borders and requires significant international cooperation. The need for appropriate authority and warrantry is implicit.”

    etc.

    http://www.spy.org.uk/spyblog/archives/2005/07/association_of.html

  7. Watching Them, Watching Us
    re: New laws target terror training

    There is much more to worry about in the ACPO power grab shopping list e.g.

    “9. Protective security powers.

    Government to consider creating a duty on the public and private sector to install and maintain to approved standards protective security in designated locations. Also consideration should be given to creating a duty whereby privately employed security staff are put at the disposal of the police in the immediate aftermath of an outrage.”

    Privately employed IT Security staff “at the disposal of the police” ?
