In 2017, an independent security researcher discovered that a vulnerability had been exploited in the Kennesaw State University Election Center. The researcher responsibly reported the breach to authorities. In response, the Georgia Attorney General’s office requested that a bill be drafted to criminalize any unauthorized access to any computer or network, even if the access is non-malicious and results in no harm, as is the case with independent white-hat security research.
The resulting bill, S.B. 315, was passed by the Georgia state legislature on April 5, 2018, and is now on Governor Deal’s desk for signature or veto. For the reasons discussed below, Tripwire believes that this bill will actually increase cybersecurity risks by criminalizing responsible non-malicious security research.
Here is a letter that was sent to Governor Nathan Deal:
April 16, 2018
Governor Nathan Deal
Office of the Governor
206 Washington Street
Suite 203, State Capitol
Atlanta, Georgia 30334
Re: S.B. 315 – Request to Veto this Bill
Dear Governor Deal,
As an industry-leading provider of threat detection and remediation, Tripwire is committed to advancing the state of the art in information security and risk management. Contributions from independent security researchers serve a critical role in this pursuit. Because of this, we have serious concerns about the impact S.B. 315 may have on their and our ability to operate within clear legal guidelines.
According to the wording of S.B. 315, well-intentioned (“white hat”) researchers could be subject to civil or criminal prosecution when following industry best practices in investigating a website for protection from a potential cyber-attack. It is our firm belief that an explicit exception is required to exclude prosecution when the party in question is acting in good faith to protect a business or their customers from attack. Without this exclusion, S.B. 315 will discourage good actors from (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Andrea Flanagan. Read the original post at: https://www.tripwire.com/state-of-security/government/why-we-believe-georgias-s-b-315-bill-will-increase-cybersecurity-risk/