- Australia's IT security industry has been scathing in its attacks this week on the Cybercrime Bill 2001, labelling it "draconian and dangerous".
Under the bill, which proposes seven new computer offences carrying jail terms of up to 10 years, it is illegal to possess hacker tool kits, scanners and virus code.
These are 'tools of the trade' for security vendors to test systems placing a burden on lawyers drafting ethical hacking agreements with corporations.
Bernard Hill, barrister and corporate services manager of Canberra-based security consultancy 90East, says the act complicates the necessary testing undertaken by the company which manages a number of Commonwealth agencies.
"It's a burden for lawyers drafting agreements with companies and will prove very tricky legally to test denial-of-service attacks," Hill says.
Amendments to the bill will be debated when parliament sits again in August and Hill says 90East is preparing a submission identifying these loopholes. He agrees such tools and information are also required by systems administrators to secure electronic infrastructure.
The proposed bill does allow the Defence Signals Directorate (DSD) and Australian Security Intelligence Organisation (ASIS) to hack legally. It also forces companies by law to reveal passwords, keys, codes, cryptographic and steganographic methods used to protect information.
Hill says companies may be concerned about intellectual property being compromised, but protecting the national information infrastructure is critical.
"There have been allegations made about the Government's use of surveillance networks, such as Echelon, and there being no checks and balances in place when agencies are given such broad ranging powers. It is a vexed issue, but the cyber terrorist threat at this time is too great to ignore," he says.
Describing the bill as "draconian"' Unisys E-security Architecture Director Ajoy Ghosh says the new laws need to be enforceable. The bill will not change the current situation where Australia's enforcement agencies have scant resources to tackle investigations seriously, he adds.
He says the solution is to empower the private sector, allowing it access to information necessary to detect, identify and prosecute.
Many private security consultancies already investigate cybercrime but Ghosh says they are hampered by current laws.
"For example, the inability to get access to ISP billing records; the private sector could focus on opportunistic crimes while the public sector concentrates on crimes of mass victimisation or those that threaten our economic infrastructure," he says.
Internet Industry Association executive director Peter Coroneos supports the proposed bill in principle, but says it needs to find a balance between privacy concerns and the need to prosecute illegal hacking activities.
A spokesperson for the Minister for Justice and Customers Senator Chris Ellison was unavailable for comment but said in a statement: "The large amount of data that can be stored on computer drives and disks and the complex security measures, such as encryption and passwords, which can be used to protect that information present particular problems for investigators. The legislation will enable police powers to copy computer data and examine computer equipment and disks off-site and enable them to obtain assistance from computer owners."