In an era where breaches and leaks have become a weekly occurrence, it may be surprising to learn that one state is moving to criminalize security research.
It may sound like all of that covers incidents spread over the last few years, but those are just the headlines we have published so far this month.
While all of that is bad news, a lot of those headlines are brought to you by the hard work of security researchers. Had they not been able to discover some of those leaks, people with more nefarious intentions may have found them first and exploited them for their own personal gain. In that case, your information might have been compromised and you wouldn’t have even known it. It’s a pretty straightforward decision as to which outcome you would rather have.
So, it may seem like a backwards idea to criminalize such research in the first place. Yet here we are, with a bill being discussed in the state of Georgia. The bill is known as SB 315, or the Georgia Cybersecurity bill. While on the surface it sounds like something pretty straightforward, many in the security community are raising the alarm over it. The EFF highlights two major concerns with the bill in an open letter:
The letter calls out two particular problems with the legislation.
First, the bill potentially “creates new liability for independent researchers that identify and disclose vulnerabilities to improve cybersecurity.” Although the bill exempts “legitimate business activities,” this term is not defined in a meaningful way, leaving ambiguity for how the law would be enforced by prosecutors.
Second, the bill includes an exemption for “active defense” measures, which is also left perilously undefined. As the researchers write, “this provision could give authority under state law to companies to ‘hack back’ or spy on independent researchers, unwitting users whose devices have been compromised by malicious hackers, or innocent people that a company merely suspects of bad intentions.”
S.B. 315 would provide district attorneys and the attorney general with broad latitude to selectively prosecute researchers who shed light on embarrassing problems with computer systems. The signers want Gov. Deal to know that the bill would not only harm Georgia’s information security sector, but also make people nationwide less safe by chilling research that could bring light to vulnerabilities.
The bill has already passed the legislature and is currently awaiting the governor’s signature. From Slate:
On April 5, the Georgia State Legislature sent Senate Bill 315 to Gov. Nathan Deal’s desk for his signature. The bill largely focuses on cybercrime, but it goes awry in its penalties for all unauthorized access to computer systems—even if such access is well-intentioned. Proponents of the bill, including state Attorney General Chris Carr, argue that SB 315 will reduce cybercrime by creating harsher punishments for those who access computer systems without authorization. Cybersecurity experts, independent security researchers, and many representatives from the Georgia technology community, however, disagree. They argue that SB 315 will instead discourage independent cybersecurity research that often helps, not hurts, private companies and government agencies identify vulnerabilities in their computer systems.
Ethical independent cybersecurity research, sometimes labeled “white hat” research, is fairly common. Private citizens, including students, academics, and other cybercurious folks, intentionally poke around on computer systems every day to enhance their skills and find and report digital vulnerabilities. When notified of a vulnerability by a white hat researcher, companies and governments have the opportunity to patch that vulnerability and prevent it from being exploited.
While it may look that way, it is not too late for Georgians to oppose the legislation. Many are urging the state’s citizens to make their voices heard on the bill before it is signed.