Published: Jul 15, 2020
In March, the Georgia State Legislature passed SB 315, only for Governor Deal to veto the bill. Supporters of S.B. 315 saw the legislation as necessary to protect private data, deter malicious hackers, and empower companies to “hack back,” while opponents feared it would chill cybersecurity research, harm Georgia’s growing cybersecurity industry, and see abuse by malicious hackers and over-zealous prosecutors alike.
In August of 2017, cybersecurity researcher Logan Lamb discovered that Kennesaw State University Center for Election Systems’ voter database was built using a misconfigured server and an unpatched Drupal PHP content-management framework. If a malicious actor had taken advantage of these vulnerabilities, not only would they have had access to the registration records for Georgia’s 6.7 million voters, but they could also have altered voter rolls and compromised the tabulation of election results. Shortly after this revelation, Georgia State Senator Bruce Thompson introduced SB 315 and encouraged the General Assembly to pass legislation criminalizing illegitimate computer access. Further, starting on March 22, 2018, one week before the Georgia State Legislature was to vote on SB 315, the City of Atlanta suffered a debilitating ransomware attack, pressuring lawmakers to expand enforcement of hacking-related incidents.
On March 29, 2018, the Georgia State Legislature passed SB 315. SB 315 would have amended the Official Code of Georgia Annotated to establish the new crime of “unauthorized computer access.” The bill defined “unauthorized computer access” as “any person who accesses a computer or computer network with knowledge that such access is without authority.” Violators of this new law would be charged with a misdemeanor of a high and aggravated nature and, if deemed relevant to the violation, have their personal computers and property declared contraband subject to civil asset forfeiture. SB 315 also included four exceptions to the crime of “unauthorized computer access,” as the bill would not apply to
a) persons who are members of the same household,
b) access to a computer or computer network for legitimate business activity,
c) cybersecurity active defense measures, and
d) persons based upon violations of terms of service or user agreements.
Almost immediately, news of the bill’s legislative success resulted in a heated public debate between the bill’s sponsors, civil liberty groups, hacktivists, and invested industries. Supporters of SB 315, including Georgia’s Attorney General Chris Carr, contended that, as one of only three states that had not criminalized “unauthorized computer access,” Georgia was long overdue. Carr argued that, even if no information was pilfered or changed, unauthorized computer access still breached the confidentiality of personal information (PI). In addition, refraining from criminalizing unauthorized computer access unless PI was used maliciously would inhibit prosecutors from intervening before bad actors exploit compromised PI.
Opponents, including many white and grey-hat hackers who conduct vulnerability research and pen-testing, voiced strong opposition to S.B. 315, fearing the legislation would chill cybersecurity research. They alleged that the overly broad language of S.B. 315 would have caused information security professionals to stop searching for and reporting vulnerabilities for fear that an overzealous prosecutor would then file charges against them. In addition, they pointed out that, as written, the bill appeared to criminalize any violation of any website’s terms of service.
Of lesser but still notable concern was SB 315’s exception for “active defense measures.” While the bill did not define “active defense measures,” the language is loosely understood as a “hack back” provision, or more specifically, “countermeasures that entail more than merely hardening one’s own network against threats and instead seek to unmask one’s attacker or disable the attacker’s system.” Examples of offensive “active defense measures” likely include beacon files and traffic deflection. Catching wind of the bill, internet behemoths Google and Microsoft issued a joint statement expressing opposition to SB 315’s active defense language, writing that the bill “could easily lead to abuse and be deployed for anticompetitive, not protective purposes.”
Shortly after the bill passed the Georgia State Legislature, on May 8, 2018, Georgia Governor Nathan Deal vetoed SB 315 under the justification that the bill failed to adequately address the reasonable concerns of its stakeholders. Governor Deal encouraged legislators to develop a robust and comprehensive cybersecurity policy that incorporated the feedback of both law enforcement and the ethical hacking community.
Today Georgia ranks third in the nation in Information Security, generates more than $4.7 billion annually from its 115 information security companies, and has invested more than $100 million in cybersecurity education and research. In 2017 Fortune magazine predicted seven contenders for the future cybersecurity capital of the world, including Atlanta and Augusta. If Georgia hopes to incubate the next Silicon Valley or Wall Street of cybersecurity, it will need to stay receptive to the concerns of industry professionals and ensure any legislation drafted to criminalize “unauthorized computer access” provides exceptions for white and grey-hat hackers.
However, S.B. 315 is not useless. Despite concerns from large internet corporations, Georgia should not act hastily and dismiss the possibility of creating a climate receptive to “active defense measures,” as such tactics enable corporations to disrupt botnets and disable black-hat operations. As laboratories of democracy, states should remain open to new ways of fighting crime and protecting consumers before such activities are permitted nationally. Future legislation could mitigate Microsoft and Google’s fears of “unintended consequences” by including language that requires federal or state law enforcement to deputize firms before offensive cyber defense tactics are pursued, and only if the firm accepts stiff statutory damages if the active defense measures end up harming innocent parties through misattribution.