Georgia governor vetoes bill that would criminalize good-faith security research, permit vigilante action

Veto comes in response to overwhelming criticism from industry. Georgia cybersecurity folks had been outraged about SB 315, and warned that it could cost the state jobs.


The governor of Georgia, Nathan Deal, has vetoed SB 315, the controversial bill that would have criminalized many forms of routine security research, and legalized vigilante action by victims of cybercrime (so-called "hack back").

In a statement, the governor wrote, "while intending to protect against online breaches and hacks, SB 315 may inadvertently hinder the ability of government and private industries to do so."

The veto sends the bill back to the Georgia legislature, which may try to override Deal's veto. "It is my hope that legislators will work with the cyber security and law enforcement communities moving forward to develop a comprehensive policy that promotes national security, protects online information, and continues to advance Georgia’s position as a leader in the technology industry," the governor added.

Electronic Frontiers Georgia welcomed the veto, writing in a tweet, "Although we are delighted and very thankful, we recognize there is much work to do with our legislature and law enforcement going forward."

SB-315 opposed by the cybersecurity industry

The state of Georgia's attempt to ban good-faith cybersecurity research left the state's cybersecurity businesses hoppin' mad. SB 315, the Unauthorized Computer Access Bill, threatened to outlaw good-faith security research and enable "hack back" vigilante action.

Georgia is one of the top cybersecurity hubs in the country, with more than 115 cybersecurity businesses generating more than $4.7 billion in revenue, according to the state of Georgia. The bill, if signed into law, would hurt the state's economy and drive jobs and talent out of state, Robert Graham, a Georgia-based security researcher, tells CSO.

"I can tell you as the former chief scientist of ISS (Internet Security Systems), the dot-com era startup that created the vibrant cybersecurity community in Georgia, that [jobs leaving the state] will be the long-term effect," Graham says. "The first time they prosecute a cybersecurity researcher, companies will rethink their location in Georgia."

Passed by large margins in both houses of the Georgia legislature, the new law would make it a crime, punishable by a $5,000 fine and a year in jail, to access a computer without authorization. The bill is so vague that it would outlaw reporting security vulnerabilities in good faith, Electronic Frontier Foundation (EFF) senior staff attorney Nate Cardozo warns.

"A legitimate reading of this law could criminalize independent security research and vulnerability disclosure, and that's not good for anybody," Cardozo says.

SB 315 reads:

"Any person who intentionally accesses a computer or computer network with knowledge that such access is without authority shall be guilty of the crime of unauthorized computer access."

Bill a reaction to 2016 election data snafu

The bill comes in response to the embarrassment the Georgia state government suffered in 2016 when Georgia security researcher Logan Lamb discovered "6.7 million voters, PDFs with passwords for election workers, software files for devices used by poll workers to verify a voter is registered, and what appears to be databases used to tabulate votes," according to WABE Atlanta.

"The office that is in charge of the voting machines sent [Kennesaw State University (KSU)] this data to do some contract research for them, and [KSU] didn't secure the machines properly," Keith Watson, information security manager at Georgia Tech's College of Computing, tells CSO.

The data was publicly available for download on KSU's web server without any form of authentication or access control. Alarmed by the large amount of sensitive voter information published on KSU's web site, Lamb notified KSU and made a good-faith effort to responsibly disclose the security issue.

In 2017, a second Georgia security researcher, Christopher Grayson, discovered that KSU botched their response to Lamb's initial report, and the voter data remained publicly available for download on KSU's web server. KSU responded in 2017 by reporting both researchers to the FBI, who promptly cleared both Lamb and Grayson of any wrongdoing, noting that the two had broken no federal or state laws.

Electronic Frontiers Georgia head Scott Jones believes the law is payback for the political embarrassment the government suffered. Since the state cannot retroactively go after Lamb and Grayson, SB 315 is designed to prevent similar embarrassment in the future. "They created a law that you can essentially violate with a web browser," Jones said. "You don't even need an attack tool."

Governor's veto had been uncertain

The governor, whose term ends this year and who cannot run again because of term limits, had until July 1 to sign the bill into law or to veto it. The governor could also have done nothing, in which case the bill would have become law automatically on July 1. In the event of a veto, a two-thirds majority of both houses is required to override it, a plausible, even likely, scenario given the large majorities that passed SB 315 in the first place.

Numerous high-profile security experts had written to the governor, urging him to veto the bill. "S.B. 315, as written, creates barriers to cybersecurity research that can damage the state's information security industry and ultimately make its citizens less safe," one letter read.

IBM, whose X-Force Command Center in Atlanta employs some of IBM's 8,000 security researchers, also publicly called on the Georgia state government to reconsider the bill, writing, "We are very concerned that the exemptions within SB315 for unauthorized computer access are both too broad and too narrow and will create more uncertainty and inefficiency by deviating from the federal standard, Computer Fraud and Abuse Act (CFAA) by which we currently operate."

The EFF has also questioned the wisdom of letting victims of computer crime retaliate. "From our perspective, the hack-back provision authorizes vigilante action," Cardozo tells CSO. "That would be a first in American computer crime law."

The Georgia government is scapegoating security researchers, many sources said. "This looks like it's trying to shift the blame on Georgia's election security failings to the people who pointed out those systems' failings," Cardozo added.

If the bill becomes law with an override of the veto, pre-emptive legal action to prevent enforcement seems likely. For his part, Graham is itching for a fight. "I'm the sort of guy who would love to get prosecuted under the law (it's a misdemeanor and I can handle the fine and year in jail) for the fame it would create," he tells CSO. "So, I'm just as likely to start looking at Georgia computers and poke the bear."
