A group of 55 cybersecurity specialists, computer scientists, business owners, academics and students is urging Georgia Governor Nathan Deal to veto a hacking crime bill they say will hinder white hat researchers from uncovering security flaws.
Georgia State Bill (S.B.) 315 criminalizes “unauthorized computer access,” or actions by anyone who “intentionally accesses a computer or computer network with knowledge that such access is without authority.” Those authorized to use a computer or a network to conduct a “legitimate business activity” or enact cybersecurity “active defense measures” are exempt from the proposed legislation. Neither exemption is clearly defined in the bill, making it all the more difficult to determine if Georgia legislators are out front in prosecuting cybercrime or hopelessly uninformed.
The legislation was initially proposed in early January, subsequently passed by the state Senate and House and sent to Deal on April 8. He has until May 8 to act on bills that passed the Georgia legislature this year. So far, Deal has not indicated his intentions. Of note, Georgia’s $4.7 billion cybersecurity industry is the third largest in the country.
Missing the Mark?
Opponents of the legislation concede that while the bill is well intentioned, it “risks long-term negative consequences for digital security in Georgia and beyond. We are concerned that this legislation will chill security research and harm the state’s cybersecurity industry,” they said in a signed letter. Should Deal sign the bill into law, security vulnerabilities will go undiscovered and undisclosed, making it “easier for bad actors to exploit them,” the signees said.
Two significant flaws impair the bill, the letter’s authors said:
- It’s ambiguous. Because the bill’s authors leave undefined the meaning of “legitimate business activities,” there’s potential “liability for independent researchers that identify and disclose vulnerabilities to improve cybersecurity.” It’s unclear how activities will be categorized as legitimate and how the law will be enforced.
- It’s potentially sneaky. The “active defense” provision, which also is undefined, could give companies the legal right to “hack back” or initiate countermeasures to surveil independent researchers, users whose devices have been infected or innocent bystanders.
“S.B. 315, as written, creates barriers to cybersecurity research that can damage the state’s information security industry and ultimately make its citizens less safe,” the letter reads. “It gives state approval for dangerous ‘hacking back’ methods that will cause more problems than they solve. The bill is more likely to hurt researchers, professionals, and law-abiding citizens than improve cybersecurity. We urge you to veto this legislation.”
Vulnerability Hunters At Risk?
The Electronic Frontier Foundation (EFF) also weighed in on the proposed bill. “This isn’t just a matter of solidarity among those in the profession,” the EFF said in a blog post. “S.B. 315 would provide district attorneys and the attorney general with broad latitude to selectively prosecute researchers who shed light on embarrassing problems with computer systems.”
Georgia Attorney General Chris Carr has advocated for the bill and still supports it, Atlanta media outlet WABE reported. “Senate Bill 315 strikes the proper balance between protecting Georgians from online criminals and not stifling the incredible cybersecurity and infosec infrastructure we have developed in our state,” Carr told the station.