As Georgia Governor Nathan Deal considers whether to sign a controversial piece of legislation that would allow companies to “hack back” with offensive initiatives in the face of a cyberattack, companies from across the tech spectrum are lining up to protest the measure.
Also, a hacktivist group has targeted Georgia Southern University, two restaurants and a church to protest the bill.
Opponents have twin beefs when it comes to Senate Bill 315: Some are questioning whether legitimizing offensive attacks will open the door to a new kind of corporate warfare; and others are concerned that the law will have a chilling effect on cyber-research by criminalizing white-hat activity like vulnerability research and pen-testing.
Google and Microsoft are in the former camp, and have asked Deal to veto the bill, which was passed by the Georgia General Assembly in March and which is nearing its deadline for signing into law. The two giants take issue with a provision in the bill that allows “active defense measures that are designed to prevent or detect unauthorized computer access.”
In a letter to the governor, the two argued that S.B. 315 “will make Georgia a laboratory for offensive cybersecurity practices that may have unintended consequences and that have not been authorized in other jurisdictions,” and that “provisions such as this could easily lead to abuse and be deployed for anti-competitive, not protective purposes.”
They added: “On its face, this provision broadly authorizes the hacking of other networks and systems under the undefined guise of cybersecurity… [B]efore Georgia endorses the ‘hack back’ authority in ‘defense’ or even anticipation of a potential attack with no statutory criteria, it should have a much more thorough understanding of the ramifications of such a policy.”
When it comes to the second set of concerns, the so-called “hack-back” bill also seeks to criminalize “unauthorized computer access” and stipulates that accessing a computer or network is only valid when done “for a legitimate business activity.” Members of the security community say this is too vague, and could result in ethical-hacking researchers being fined or even sent to jail, as well as take the air out of bug-bounty programs.
Tripwire filed a letter with the governor’s office arguing that “according to the wording of S.B. 315, well-intentioned (‘white-hat’) researchers could be subject to civil or criminal prosecution when following industry best practices in investigating a website for protection from a potential cyber-attack. It is our firm belief that an explicit exception is required to exclude prosecution when the party in question is acting in good-faith to protect a business or their customers from attack. Without this exclusion, S.B. 315 will discourage good actors from reporting vulnerabilities and ultimately increase the likelihood that adversaries will find and exploit the underlying weaknesses.”
The company also noted that the bill’s imprecise language could impact the responsible disclosure practice: “When all reasonable attempts to inform a vendor have been exhausted or the vendor demonstrates an unwillingness to act on the information, it is sometimes appropriate to publicly disclose limited details of the security threat so that affected individuals and organizations can take appropriate steps to protect themselves. The vague definitions of S.B. 315 could enable frivolous lawsuits by vendors looking to hide their security defects.”
Ironically, the bill is a direct result of an independent security researcher discovering that a vulnerability had been exploited in the Kennesaw State University Election Center. The researcher responsibly reported the breach to authorities. In response, the Georgia Attorney General’s office requested that a bill be drafted to criminalize unauthorized access.
Meanwhile, the hacktivist group, which calls itself SB315 after the bill, has defaced the websites of Augusta restaurants Blue Sky Kitchen and Soy Noodle House, as well as the website of Augusta’s Calvary Baptist church; all three share a web designer. SB315 has also targeted Georgia Southern, sending what it claims are student email addresses and passwords along with a student’s MyGeorgiaSouthern personal profile to the Augusta Chronicle. A spokesperson for the collective said that it has the power to change the student’s major or “pretty much anything else regarding their future.” SB315 has vowed additional attacks if the bill passes.
Similar legislation was introduced in the federal legislature last fall (itself a revision of an earlier “Active Defense” bill); it would amend a 1986 law that made it a federal crime to access someone else’s computer without proper authorization. That bill, introduced by U.S. Representatives Tom Graves (R-Ga.) and Kyrsten Sinema (D-Ariz.), would for the first time make it legal for companies to go beyond their network perimeters to attribute or disrupt attacks, regain stolen data or deploy beacons to uncover hacker activity. The bill, if passed, would also legalize surveillance of known or suspected hackers. So far it has gone nowhere, however, and the Senate has not introduced a companion bill.