Georgia Hacking Bill SB315 Gets Cybersecurity All Wrong

In March, the Georgia State General Assembly passed a bill that would make it illegal to access a computer or network “without authority.” Georgia Governor Nathan Deal has until Tuesday to decide whether to sign it into law or veto it. The 40-day limbo has morphed from a bureaucratic formality, though, into a heated debate with national implications. In just 43 lines, the bill raises fundamental questions about how to establish boundaries in cyberspace without hindering vital security research and, crucially, the ethics of “hacking back,” in which institutions that have been attacked can digitally pursue the hackers and even potentially retaliate.

Georgia Senate Bill 315 emerged in part out of an embarrassing and troubling incident in which a massive trove of sensitive election and voter data sat exposed for months in Georgia’s unified election center at Kennesaw State University. Frustrated that it wasn’t illegal for people to access the data when it was accidentally publicly available, lawmakers set out to limit the legality of unauthorized computer access. But critics say that the resulting legislation as written is too vague, and threatens to outlaw certain types of digital forensic research while exempting—and therefore potentially condoning—dangerous “cybersecurity active defense measures.”

“I don’t think this legislation actually solves a problem,” says Jake Williams, founder of the Georgia-based security firm Rendition Infosec. “Information put in a publicly accessible location can and will be downloaded by unintended parties. Making that illegal brings into question so many other issues, like what is ‘authorized’ use? Is violating terms of service illegal?”

Hackers calling themselves SB315, meanwhile, have apparently launched attacks against a church, the City of Augusta, two restaurants, and Georgia Southern University in protest. The group claimed in a message on Calvary Baptist Church of Augusta’s website, according to the Augusta Chronicle, that they couldn’t report the vulnerability they exploited to infiltrate the site, because the legislation would make it illegal. In their various hacks, the group leaked what it claimed was compromised login credentials and other personal information, but the data from the City of Augusta and Georgia Southern University could also have been cobbled together from publicly accessible records.

“Protests resorting to hacking and threats of retaliation will do nothing but scare these particular legislators further and strengthen their resolve for the need for this sort of bill,” says Williams.

Beyond the stunt hacks, prominent digital rights organizations and even large tech firms have taken a hard stand against the bill. The Electronic Frontier Foundation said in April that the law would “severely chill independent researchers’ ability to shine light on computer vulnerabilities,” describing it as “misguided.” Security researchers often find flaws and weaknesses in organizations’ networks incidentally, or through proactive probing. The Georgia bill would likely make this type of work illegal, because it would be considered “unauthorized computer access.” It would discourage people who find problems in digital systems from disclosing them so they could be fixed—a situation that hurts everyone by reducing collective security.

The proposed legislation in Georgia is far from the first time this tension has surfaced. The federal Computer Fraud and Abuse Act, which has similar provisions about computer and network access, has caused controversy for decades.
