June 14, 2018
As they near the end of their fellowship, the 2017-18 Millennial Fellows have each chosen a piece from the Direct Message archives to reflect on. Here's Dillon on why he picked this particular article:
This article touches on a number of my interests: state and local cybersecurity efforts and offensive countermeasures, grassroots political organizing, and (of course) my beloved home-state of Georgia. After publishing this piece alongside coordinated efforts by national and local information security activists, technology experts, and advocacy organizations, Gov. Deal rightfully vetoed the bill we flagged as problematic. In his veto statement, Gov. Deal said that, despite "intending to protect against online breaches and hacks, [the bill] may inadvertently hinder the ability of government and private industries to do so"-- the exact argument we hoped would persuade him. In a think tank world where policy change can sometimes be difficult to measure, this win provided a clear example of how impactful our work can be at shaping policy discourse and decision making.
Atlanta is still recovering from the ransomware attack that held government systems and data hostage, with attackers demanding $51,000 in return for unlocking them. The attack seriously disrupted things for more than a week, shutting down Wi-Fi in the world’s busiest airport, preventing the Department of Finance from issuing business licenses, and forcing one of the largest courts in the Southeast to reschedule thousands of cases and resort back to a paper-based system.
Even more troubling is that this case is not unique to Georgia. In a 2016 survey, more than one-quarter of chief information officers in local governments across the United States said that their computer systems were subject to some form of attempted cyberattack as often as once or more every hour. Given the increasing adoption of networked technology in state and local governments, it’s possible that the frequency of these attempted attacks has increased since the 2016 survey. In February and March, for instance, back-to-back ransomware attacks shut down Colorado’s Department of Transportation, causing widespread disruption and loss of data. While existing federal and state-level legislation already prohibits such malicious attacks, state and local officials want to take further action.
Sometimes, the enthusiasm of these officials has led them to take action that is sorely misguided.
On April 5, the Georgia State Legislature sent Senate Bill 315 to Gov. Nathan Deal’s desk for his signature. The bill largely focuses on cybercrime, but it goes awry in its penalties for allunauthorized access to computer systems—even if such access is well-intentioned. Proponents of the bill, including state Attorney General Chris Carr, argue that SB 315 will reduce cybercrime by creating harsher punishments for those who access computer systems without authorization. Cybersecurity experts, independent security researchers, and many representatives from the Georgia technology community, however, disagree. They argue that SB 315 will instead discourage independent cybersecurity research that often helps, not hurts, private companies and government agencies identify vulnerabilities in their computer systems.
Ethical independent cybersecurity research, sometimes labeled “white hat” research, is fairly common. Private citizens, including students, academics, and other cybercurious folks, intentionally poke around on computer systems every day to enhance their skills and find and report digital vulnerabilities. When notified of a vulnerability by a white hat researcher, companies and governments have the opportunity to patch that vulnerability and prevent it from being exploited.
For example, in February, security researcher Anand Prakash discovered a simple vulnerability on Facebook’s website that would have allowed him to view users’ messages, credit card information, photos, and other information. Clearly, this vulnerability needed to be fixed in order to protect users’ private information. He immediately notified Facebook, which fixed the flaw and then gave him $15,000 for the tip, a monetary reward offered through their bug bounty program.
Another example of for-good white hat cybersecurity research occurred last summer during the global WannaCry attack. Attackers infected computers in more than 150 countries and demanded money in return for encrypted files. A white hat security researcher happened to discover a “kill switch” within the WannaCry bug. The researcher shared this fix, stopping the spread of the virus before it could wreak even more havoc on the nearly 200,000 victims, including hospitals, energy companies, high-tech manufacturers, and governments across the globe. Without the efforts of this researcher, the estimated $4 billion lost during the attack would have been even higher. (It should be noted that the researcher in this example is currently awaiting trial for an unrelated incident involving malware development, but the legal and cybersecurity communities have seriously questioned the merits of the case).
These sorts of stories happen all the time, even if they don’t get much media coverage, and they help keep us all safe online. Whether or not these efforts would be illegal under SB 315 largely depends on which cases the attorney general chooses to prosecute. But if Deal signs SB 315 into law, it will certainly freeze this sort of well-intended but unauthorized access to a computer system by making such access illegal in Georgia, an offense punishable by up to one year in prison and a $5,000 fine. Without getting too bogged down in the legalese, SB 315 generally says that no one can ever intentionally access someone else’s computer network without their permission. Ultimately, this restriction could freeze white hat cybersecurity researchers in their tracks for fear of prosecution. In fact, countless cybersecurity experts have expressed that very sentiment in public hearings, interviews, and statements on SB 315. According to the Electronic Frontier Foundation of Georgia, SB 315 is a “dangerous bill with ramifications far beyond what the legislature imagined, including discouraging researchers from coming forward with vulnerabilities they discover in critical systems.”
Imagine the highly probable scenario in which a security researcher reads a blog describing a software vulnerability in a popular content management system. The CMS provider has already issued a patch for the vulnerability, but it requires the user to manually download an update. While on a public government website, the security researcher discovers that it uses the same CMS platform, but the software update has not been installed. Knowing that the website contains sensitive and highly confidential data, the researcher immediately notifies the web manager with instructions on how to patch the vulnerability. Under SB 315, that researcher would be committing a crime.
Given that independent security researchers are doing no harm and are typically acting in the interests of their community, they should not be penalized for their actions. But there’s no clause in the current version of SB 315 requiring that there be malicious intent, which means that even those well-meaning white hat researchers could be vulnerable to prosecution.
Proponents of SB 315 may point to an exception for legitimate business activities, which would allow this sort of research to occur according to a formal agreement. But that carve-out would not cover those private citizens who conduct this sort of research outside of a formal contract. Currently, the bill’s “legitimate business” exception deviates from the federal standard under the Computer Fraud and Abuse Act and is poorly defined, muddying the waters on what constitutes legitimate security research and opening the door for an overzealous prosecutor to interpret the provision as he or she desires. Overall, SB 315 is viewed as more stringent than the CFAA, which is already criticized as too harsh and too easily subject to abuse. As a graduate of the Georgia Institute of Technology, I know countless computer science students and professors who would fall outside of this exemption and be liable under SB 315, especially if a prosecutor decided to interpret the business exception narrowly.
There are other concerning aspects to the legislation too. For instance, SB 315 allows companies to engage in offensive countermeasures and cybersecurity active defense after they’ve been breached. This provision is especially problematic because it allows companies to pursue so-called offensive hack-back actions that are both risky and widely considered by many security experts to be “the worst idea in cybersecurity.” Hacking back is illegal under federal law, and it’s stupid. According to Endgame CEO Nathaniel Fick, hacking back is like getting bitten by a rattlesnake and, instead of seeking medical help and buying tougher boots, deciding to bite the snake back to teach it a lesson.
Georgia has designs on becoming the nation’s leading cybersecurity state. But for that to happen, it must strengthen its laws to promote cybersecurity best practices, a healthy cybersecurity workforce, and cutting-edge cybersecurity research. SB 315 hinders progress toward each of these goals and Deal must veto it. If Georgia wants to be tough on cybercrime, it should be looking for ways to prevent it from happening in the first place—which means it should encourage white hat cybersecurity research, leveraging the expertise of independent security researchers in order to better identify and patch computer vulnerabilities before a malicious hacker is able to attack.
Update: Citing national security concerns, Georgia Governor Nathan Deal vetoed SB 315 on May 8th.