Google, Microsoft Urge Veto of Proposed Georgia “Hack Back” Bill
Tech titans Google and Microsoft are urging Georgia Governor Nathan Deal to veto proposed cybercrime legislation that was written to criminalize hacking but could outlaw white hat researchers looking for security flaws.
Roughly two weeks ago, a group of 55 cybersecurity specialists, computer scientists, business owners, academics and students asked Deal to veto Georgia State Bill (S.B.) 315, which prohibits “unauthorized computer access,” or actions by anyone who “intentionally accesses a computer or computer network with knowledge that such access is without authority.”
Included is a clause, one the collection of naysayers objects to, that on its face outlaws ethical hacking.
However, the proposed ban on white hat hacking isn’t what concerns Google and Microsoft. It’s the so-called “hack back” provision that gives companies the legal ground to “take action on servers, networks, and infrastructure they do not own to establish attribution of an attack, disrupt an ongoing attack, protect data, and monitor the attacker.” (via TechBeacon).
Google, Microsoft: In Their Own Words
In their letter dated April 16, the IT super heavyweights suggest that S.B. 315’s authors may not know exactly what they’re messing with:
“Georgia codifying this concept in its criminal code is potentially a grave step that has some known and many unknown ramifications for technology companies, the tech community at large, and any company with a computer network,” Google and Microsoft wrote.
“Network operators should indeed have the right and permission to defend themselves from attack, but, before Georgia endorses ‘hack back’ authority in ‘defense’ or even anticipation of a potential attack with no statutory criteria, it should have a much more thorough understanding of the ramifications of such a policy. Provisions such as this could easily lead to abuse and be deployed for anticompetitive, not protective purposes.
“We believe that Senate Bill 315 will make Georgia a laboratory for offensive cybersecurity practices that may have unintended consequences and that have not been authorized in other jurisdictions.”
In other words, it would legally allow companies responding to an attack to leave behind collateral damage during “hack back” actions aimed at cybercriminals.
FireEye Weighs In
Chris Porter, FireEye’s chief strategist, told TechBeacon that most companies don’t command the necessary expertise to launch a cyber offensive against their attackers. That could make for unintended but extensive collateral damage, he said.
“Even when the FBI gets a court order and is careful in doing a shutdown, there is still collateral damage. So you can imagine [that], in the heat of an incident, a company responding to an attack could certainly do a lot of collateral damage,” he said.
Hackers could easily accommodate hack backs by using false alarms to trick companies into attacking each other, Porter said. “If hacking back became a standard, then the more sophisticated attackers would lead their victims to attack back at the wrong people.”