Recognizing the concerns of tech giants and security researchers alike, Georgia Gov. Nathan Deal has vetoed a controversial “hack-back” bill that would have allowed companies in the state to perform offensive cyber-actions in the face of an attack.
“Certain components of the legislation have led to concerns regarding national security implications and other potential ramifications,” Deal said in his veto statement. “Consequently, while intending to protect against online breaches and hacks, S.B. 315 may inadvertently hinder the ability of government and private industries to do so. After careful review and consideration of this legislation, including feedback from other stakeholders, I have concluded more discussion is required before enacting this cybersecurity legislation.”
State Bill 315 would have allowed “active defense measures that are designed to prevent or detect unauthorized computer access;” and, sought to criminalize “unauthorized computer access,” stipulating that accessing an outside computer or network is only valid when done “for a legitimate business activity.”
Opponents questioned both aspects: Some argued whether legitimizing offensive attacks would open the door to a new kind of corporate warfare; others were concerned that the law would have a chilling effect on cyber-research by criminalizing white-hat activity, like vulnerability research and pen-testing.
In a letter to the governor, Microsoft and Google argued that S.B. 315 “will make Georgia a laboratory for offensive cybersecurity practices that may have unintended consequences and that have not been authorized in other jurisdictions,” and that “provisions such as this could easily lead to abuse and be deployed for anti-competitive, not protective purposes.”
Members of the security community meanwhile said that the criminalization of the vaguely worded “unauthorized computer access” could result in ethical-hacking researchers being fined or even sent to jail, as well as take the air out of bug-bounty programs.
“When Georgia lawmakers initially passed S.B. 315 in April, the legislation had all the warning signs of a reactionary strategy spurred by the exposure of personal information of 6.7 million voters in July,” said Sanjay Beri, CEO and co-founder at Netskope, via email. “Instead of creating a law to proactively address the security shortcomings of state systems and infrastructure, lawmakers chose the stick over the carrot, and opted to simply create harsher penalties for ‘unauthorized access.’ The problem is their definition of what ‘unauthorized’ access looks like is ill defined, and fails to account for the work of well-intentioned cybersecurity researchers, such as bug bounty hunters.”
While I’m glad the bill was ultimately vetoed, the fact that it made it this far in the face of nearly unanimous criticism from the security industry should be a cautionary tale. If our lawmakers hope to move the needle for security, their efforts would be better spent on laws that also require organizations to bolster their defenses, as opposed to simply increasing penalties for a somewhat cavalier definition of attackers.”
According to the Electronic Frontier Foundation, which opposed the bill. Nearly 200 Georgia residents emailed the governor demanding a veto, while 55 computer professionals from around the country submitted a joint letter of opposition. Professors also organized at Georgia Tech to call upon the governor to veto the bill.
“Georgia State Bill 315 had the entire cybersecurity community shaking its head in disbelief, so I’m relieved the governor ultimately chose to veto the legislation, demonstrating that cybersecurity is important, and ensuring experts have the ability to help Georgia overcome its unique challenges is clearly is a priority,” said Lisa Wiswell, policy advisor at bug-bounty platform HackerOne, via email. “As written, the bill was modeled after the highly-controversial Computer Fraud and Abuse Act, which makes accessing a network or computer without authorization illegal – even if there is no theft or damage. While many parts of the U.S. government are advancing cybersecurity by adopting industry’s best practices, such as allowing security researchers to identify and disclose vulnerabilities that make us all safer, if they had passed the bill, Georgia would have been closing door to these folks. I’m glad Georgia has rejected the stunting cybersecurity legislation of the past, and is open-minded to industry best practices.”