When Georgia Senate Bill 315 (SB-315) was introduced, people in the tech world anxiously awaited its fate, regardless of their geographic location. They knew that some laws initially restricted to single states become more widespread after politicians set precedents. And they knew that this law could potentially impact the way that they did business forever.
The bill passed in the General Assembly on March 29—and that was not the news tech companies were looking for. They hoped the bill would be shot down. But why?
SB-315 was a Republican-sponsored bill aiming to alter the state’s parameters on computer usage. If signed into law, it would have amended the original language of Georgia’s code that discusses “computer trespass.” The activities under that umbrella include deleting computer programs or data, altering or damaging hardware, and obstructing the use of a computer program. In short, Georgia’s existing code treated unauthorized use as a crime only when it involved malicious intent.
However, SB-315’s language is much more vague than the original Georgia code. It prohibits unauthorized computer access—period—although it doesn’t apply to people living in the same house, individuals using computers for legitimate business activities, or those engaged in active cyberdefense measures that stop or detect unauthorized use.
What prompted SB-315?
A security researcher named Logan Lamb found a vulnerability associated with Kennesaw State University’s (KSU) Center for Election Systems that exposed the details of 6.7 million voters in Georgia. He contacted the appropriate authority and received word that the issue would get fixed. A year later, Chris Grayson, a fellow cybersecurity researcher, found the vulnerability still existed.
Next, both Lamb and Grayson approached a KSU information security lecturer about the matter. That action finally got the problem fixed. Unfortunately, it also resulted in Lamb getting visited by FBI agents. They determined he didn’t do anything wrong but advised him to delete any downloaded data.
Lamb’s efforts to help protect that data would now be considered illegal under SB-315.
Tech companies raise concerns
Microsoft and Google are among the technology companies that urged Georgia governor Nathan Deal to veto the bill. In a joint letter distributed to Deal on April 15, representatives from tech companies took issue with criminalizing unauthorized computer access, saying the consequences could be damaging to Georgia’s infosec industry. They also argued against the provision of the bill that makes “hack backs” exempt.
The tech representatives asserted that the provision as written was too broad and its parameters were not clearly defined. As such, they recognized a strong potential for abuse for anti-competitive purposes rather than solely to protect networks. They also said that enabling Georgia businesses to “hack back” in defense against cybercriminals could have unintended consequences.
In addition, cybersecurity company Tripwire filed a letter with the governor’s office on April 16, arguing that SB-315 would ultimately weaken security. “SB-315 will discourage good actors from reporting vulnerabilities and ultimately increase the likelihood that adversaries will find and exploit the underlying weaknesses,” the letter said.
Potential ramifications for cybersecurity researchers
In a separate letter to Congress, 55 tech professionals warned that the “legitimate business activity” exemption of the bill was dangerously unclear. The letter stated that this term “is undefined and creates ambiguity for researchers unconnected with a business…and how activities will be qualified as ‘legitimate.’”
Experts say SB-315 would have had a chilling effect on independent researchers, specifically those who perform penetration tests. Sometimes referred to as white-hat hackers, these cybersecurity specialists look for network weaknesses and find out what would happen if they were exploited.
After collecting the results of penetration tests, the researchers contact the appropriate parties to inform them of vulnerabilities. However, some people in the cybersecurity sector wondered whether, by disclosing the outcomes of penetration tests, researchers would violate SB-315 and risk fines or jail time.
Hackers showed their displeasure for SB-315 by hacking several Georgia websites, including the homepages of a church and two restaurants. In all cases, the infiltrators left messages on the sites to warn that SB-315 barred the ethical reporting of the vulnerabilities that allowed the attacks.
Nods of approval for SB-315
Chris Carr, the attorney general for the state of Georgia, issued a statement after SB-315 passed in the General Assembly that outlined his support of the bill. He asserted that Georgia is one of only three states that don’t make unauthorized computer or network access without malicious intent illegal.
Carr referred to SB-315 as a “common sense solution” that closed off opportunities hackers would otherwise seize. Moreover, his press release expressed gratitude to other sponsors of the bill, including Representative Christian Coomer, and Senators Renee Unterman and Butch Miller, among others.
Senator Bruce Thompson, who introduced the bill, largely steered clear of any controversy when discussing SB-315 on his Twitter feed.
At the end of March, though, one of his tweets mentioned Chairman Ed Seltzer. When the bill was on the House floor, Seltzer reportedly said the exemptions were “big enough to drive a truck through.” That was presumably Thompson’s way of responding to critics who thought the exceptions to the bill were too narrow in scope.
Representative Tom Graves, who sponsored the bill, stated that SB-315 would provide citizens and businesses with more resources to stay safe against hacks.
Deal gives his veto
Governor Nathan Deal ultimately chose to veto SB-315. In a related statement, he mentioned that such legislation requires further discussion before enactment. Additionally, he brought up private industries and government agencies, admitting that SB-315 could make it more difficult for those entities to stay protected.
Deal hoped legislators would continue to work together to find ways to enhance state and national security against cyberattacks.
The concerns of tech companies about the language and specific provisions of SB-315 emphasize why it’s crucial to conduct all-encompassing analyses of pending legislation. The full impacts of proposed laws are not always immediately evident—especially when it comes to technology.
This is a Security Bloggers Network syndicated blog from Malwarebytes Labs authored by Kayla Matthews. Read the original post at: https://blog.malwarebytes.com/101/2018/05/tech-companies-wanted-senate-bill-315-vetoed/