Georgia governor vetoes cyber bill that would criminalize “unauthorized access”

A bill passed by Georgia's legislature that would have criminalized unauthorized access of computer systems and allowed companies to "hack back" in defense against breaches was vetoed on May 8 by Georgia Governor Nathan Deal. The veto came after many weeks of opposition from information security firms and professionals, as well as major technology companies—including Google and Microsoft executives, who expressed concern that the bill would actually make it more difficult to secure computer systems.

Given that Georgia is the home of Fort Gordon, an Army base that serves as home to units of the Army's Cyber Command and to parts of the National Security Agency, and that Georgia has become home to an increasing number of cybersecurity firms as a result both of the Army/NSA presence and research at Georgia's universities, Deal realized after feedback from the industry that the bill could have resulted in inadvertent damage.

But Deal's reasoning wasn't necessarily what individuals in the information security research community would have hoped for. And there's still a chance that another bill—one more acceptable to technology giants but still criminalizing some aspects of information security research—could emerge in the next legislative session and win Deal's approval.

Biting the hand that secures you

The bill was a direct result of the controversy that followed the discovery of major security issues in Georgia's election systems by Georgia-based security researcher Logan Lamb. Lamb found that a flaw in a Drupal-based system at Kennesaw State University's (KSU's) Center for Election Systems (CES) left the personal data of 6.7 million Georgia voters exposed to the Internet—including dates of birth and Social Security Numbers. Lamb contacted CES Director Merle King with details of the exposure immediately; King told him that the misconfigured Web server would be fixed.

But another researcher, Chris Grayson, then pointed out a year later that the unencrypted data was still accessible. Grayson and Lamb went to KSU information security lecturer Andy Green with the information. The hole was promptly closed this time, but Lamb's reward was a visit from FBI agents, who determined he had done nothing wrong and told him he should probably delete any data he had downloaded.

Georgia Senate Bill 315 was designed to make what Grayson and Lamb did illegal. While it had carve outs for specifically sanctioned system testing, the bill would have made "unauthorized access" a misdemeanor carrying a potential year-long jail sentence and a $5,000 fine.

Hack back cloud provider attack

While that provision caused widespread concern among the information security community, it wasn't the part of the bill that concerned Microsoft and Google. Another provision carved out an exemption for "cybersecurity active defense measures that are designed to prevent or detect unauthorized computer access." In a joint letter to Deal, Google Head of State Legislative Affairs Roy Barnes and Microsoft Director of State Affairs and Public Policy Ryan Harkins wrote:

On its face, this provision broadly authorizes the hacking of other networks and systems under the undefined guise of cybersecurity. The concept encapsulated in this exemption is commonly called "hacking back” and is highly controversial within cybersecurity circles. Network operators should indeed have the right and permission to defend themselves from attack, but, before Georgia endorses “hack back” authority in “defense” or even anticipation of a potential attack with no statutory criteria, it should have a much more thorough understanding of the ramifications of such a policy. Provisions such as this could easily lead to abuse and be deployed for anticompetitive, not protective purposes.

Deal also got an earful on the bill from the growing cyber industry, as is evident from Deal's veto statement:

Georgia’s emergence as a leader in cyber technology, particularly the presence of US Army Cyber Command, the state’s Cyber Range, and a wide range of private tech companies and cyber research institutions, further necessitates the need for comprehensive cyber security debate, discussion, and measures… Certain components of the legislation have led to concerns regarding national security implications and other potential ramifications. Consequently, while intending to protect against online breaches and hacks, SB 315 may inadvertently hinder the ability of government and private industries to do so. After careful review and consideration of this legislation, including feedback from other stakeholders, I have concluded more discussion is required before enacting this cyber security legislation.

Deal did not dismiss the provisions of the bill outright. He called the work done by the bill's sponsors "a solid foundation for continued collaboration on this issue," and said he hoped "legislators will work with the cyber security and law enforcement communities moving forward to develop a comprehensive policy that promotes national security, protects online information, and continues to advance Georgia’s position as a leader in the technology industry."

Georgia Attorney General Chris Carr had vociferously supported the bill, saying, "In a world where hackers—whether they are state-sponsored actors, organized criminal enterprises, loose confederations or lone wolves—attempt every single second of every single day to gain unauthorized access to our computers and computer networks, this common-sense solution will close a window of opportunity for those who wish us harm." And Georgia Republican legislators appear to agree. So, stay tuned for a redux of this bill next year.