Georgia’s Governor Is About to Sign a Terrible Cybersecurity Bill
This article originally appeared in Future Tense, a collaboration among Arizona State University, New America, and Slate, and later appeared in the April 19th issue of the New America Weekly.
Atlanta is still recovering from the ransomware attack that held government systems and data hostage, with attackers demanding $51,000 in return for unlocking them. The attack seriously disrupted things for more than a week, shutting down Wi-Fi in the world’s busiest airport, preventing the Department of Finance from issuing business licenses, and forcing one of the largest courts in the Southeast to reschedule thousands of cases and resort back to a paper-based system.
Even more troubling is that this case is not unique to Georgia. In a 2016 survey, more than one-quarter of chief information officers in local governments across the United States said that their computer systems were subject to some form of attempted cyberattack as often as once or more every hour. Given the increasing adoption of networked technology in state and local governments, it’s possible that the frequency of these attempted attacks has increased since the 2016 survey. In February and March, for instance, back-to-back ransomware attacks shut down Colorado’s Department of Transportation, causing widespread disruption and loss of data. While existing federal and state-level legislation already prohibits such malicious attacks, state and local officials want to take further action.
Sometimes, the enthusiasm of these officials has led them to take action that is sorely misguided.
On April 5, the Georgia State Legislature sent Senate Bill 315 to Gov. Nathan Deal’s desk for his signature. The bill largely focuses on cybercrime, but it goes awry in its penalties for all unauthorized access to computer systems—even if such access is well-intentioned. Proponents of the bill, including state Attorney General Chris Carr, argue that SB 315 will reduce cybercrime by creating harsher punishments for those who access computer systems without authorization. Cybersecurity experts, independent security researchers, and many representatives from the Georgia technology community, however, disagree. They argue that SB 315 will instead discourage independent cybersecurity research that often helps, not hurts, private companies and government agencies identify vulnerabilities in their computer systems.
Ethical independent cybersecurity research, sometimes labeled “white hat” research, is fairly common. Private citizens, including students, academics, and other cybercurious folks, intentionally poke around on computer systems every day to enhance their skills and find and report digital vulnerabilities. When notified of a vulnerability by a white hat researcher, companies and governments have the opportunity to patch that vulnerability and prevent it from being exploited.
For example, in February, security researcher Anand Prakash discovered a simple vulnerability on Facebook’s website that would have allowed him to view users’ messages, credit card information, photos, and other information. Clearly, this vulnerability needed to be fixed in order to protect users’ private information. He immediately notified Facebook, which fixed the flaw and then gave him $15,000 for the tip, a monetary reward offered through their bug bounty program.
Another example of for-good white hat cybersecurity research occurred last summer during the global WannaCry attack. Attackers infected computers in more than 150 countries and demanded money in return for unlocking encrypted files. A white hat security researcher happened to discover a “kill switch” within the WannaCry bug. The researcher shared this fix, stopping the spread of the virus before it could wreak even more havoc on the nearly 200,000 victims, including hospitals, energy companies, high-tech manufacturers, and governments across the globe. Without the efforts of this researcher, the estimated $4 billion lost during the attack would have been even higher. (It should be noted that the researcher in this example is currently awaiting trial for an unrelated incident involving malware development, but the legal and cybersecurity communities have seriously questioned the merits of the case.)
These sorts of stories happen all the time, even if they don’t get much media coverage, and they help keep us all safe online. Whether or not these efforts would be illegal under SB 315 largely depends on which cases the attorney general chooses to prosecute. But if Deal signs SB 315 into law, it will certainly freeze this sort of well-intended but unauthorized access to a computer system by making such access illegal in Georgia, an offense punishable by up to one year in prison and a $5,000 fine. Without getting too bogged down in the legalese, SB 315 generally says that no one can ever intentionally access someone else’s computer network without their permission. Ultimately, this restriction could freeze white hat cybersecurity researchers in their tracks for fear of prosecution. In fact, countless cybersecurity experts have expressed that very sentiment in public hearings, interviews, and statements on SB 315. According to the Electronic Frontier Foundation of Georgia, SB 315 is a “dangerous bill with ramifications far beyond what the legislature imagined, including discouraging researchers from coming forward with vulnerabilities they discover in critical systems.”
Imagine the highly probable scenario in which a security researcher reads a blog describing a software vulnerability in a popular content management system. The CMS provider has already issued a patch for the vulnerability, but it requires the user to manually download an update. While on a public government website, the security researcher discovers that it uses the same CMS platform, but the software update has not been installed. Knowing that the website contains sensitive and highly confidential data, the researcher immediately notifies the web manager with instructions on how to patch the vulnerability. Under SB 315, that researcher would be committing a crime.
Given that independent security researchers are doing no harm and are typically acting in the interests of their community, they should not be penalized for their actions. But there’s no clause in the current version of SB 315 requiring that there be malicious intent, which means that even those well-meaning white hat researchers could be vulnerable to prosecution.
Proponents of SB 315 may point to an exception for legitimate business activities, which would allow this sort of research to occur according to a formal agreement. But that carve-out would not cover those private citizens who conduct this sort of research outside of a formal contract. Currently, the bill’s “legitimate business” exception deviates from the federal standard under the Computer Fraud and Abuse Act and is poorly defined, muddying the waters on what constitutes legitimate security research and opening the door for an overzealous prosecutor to interpret the provision as he or she desires. Overall, SB 315 is viewed as more stringent than the CFAA, which is already criticized as too harsh and too easily subject to abuse. As a graduate of the Georgia Institute of Technology, I know countless computer science students and professors who would fall outside of this exemption and be liable under SB 315, especially if a prosecutor decided to interpret the business exception narrowly.
There are other concerning aspects to the legislation too. For instance, SB 315 allows companies to engage in offensive countermeasures and cybersecurity active defense after they’ve been breached. This provision is especially problematic because it allows companies to pursue so-called offensive hack-back actions that are both risky and widely considered by security experts to be “the worst idea in cybersecurity.” Hacking back is illegal under federal law, and it’s stupid. According to Endgame CEO Nathaniel Fick, hacking back is like getting bitten by a rattlesnake and, instead of seeking medical help and buying tougher boots, deciding to bite the snake back to teach it a lesson.
Georgia has designs on becoming the nation’s leading cybersecurity state. But for that to happen, it must strengthen its laws to promote cybersecurity best practices, a healthy cybersecurity workforce, and cutting-edge cybersecurity research. SB 315 hinders progress toward each of these goals and Deal must veto it. If Georgia wants to be tough on cybercrime, it should be looking for ways to prevent it from happening in the first place—which means it should encourage white hat cybersecurity research, leveraging the expertise of independent security researchers in order to better identify and patch computer vulnerabilities before a malicious hacker is able to attack.
This blog is part of Caffeinated Commentary – a monthly series where the Millennial Fellows create interesting and engaging content around a theme. Because the fellows are hosting a symposium focused on elevating new voices and policy ideas this month, they will each create content around their own policy research topics.