Wednesday, May 31, 2023 | Back issues
Courthouse News Service Courthouse News Service

Microsoft and Google Urge Veto of Georgia Cybersecurity Bill

Microsoft and Google are among the tech giants who are urging Georgia Governor Nathan Deal to veto a proposed state law that would make unauthorized computer access a crime punishable by up to a year in prison.

ATLANTA (CN) — Microsoft and Google are among the tech giants who are urging Georgia Governor Nathan Deal to veto a proposed state law that would make unauthorized computer access a crime punishable by up to a year in prison.

The law, Georgia Senate Bill 315, passed the state's General Assembly on March 29, the final day of the legislative session. The governor is expected to either sign or reject the bill either Monday or Tuesday.

What has the tech community nervous is that the bill makes it illegal for anyone to access any computer without authorization, even if the access is not malicious and no information is stolen.

The only exception written into the law is when access occurs for a "legitimate business activity," a qualification that some tech professionals have categorized as woefully vague.

In a letter sent to Deal on April 16, Microsoft and Google asked the governor to veto the bill, arguing that criminalizing unauthorized computer access is a "potentially grave step" with consequences that could be damaging to Georgia's information security industry.

Georgia currently has the third largest information security sector in the country.

Tech experts believe that the bill will create extraordinary liability for independent security researchers who identify and disclose vulnerabilities in system networks. These "white hat" hackers point out system vulnerabilities to administrators to help improve cybersecurity.

SB 315 was introduced by state Senator Bruce Thompson after a major voter data breach at Kennesaw State University was exposed by a security researcher.

The researcher notified Georgia election officials of a vulnerability in the Kennesaw State University Election Center's network which left millions of voters' data unprotected.

The researcher, who was cleared of any wrongdoing by the FBI, was performing the kind of security probe which would be made illegal under SB 315.

Although the bill landed on Gov. Deal's desk on April 5, the governor still has not indicated whether he will sign or veto the legislation.

While SB 315 has come under fire by critics for its ban on "ethical hacking," tech giants like Microsoft and Google largely take issue with an exception written into the legislation which is known as a "hack back" provision.

The provision would allow companies to "hack back" or spy on independent security researchers, white hat hackers or innocent people that a company suspects of bad intentions.

In their April 16 letter, representatives for Microsoft and Google pointed out the potential danger inherent in the bill's "hack back" provision.

"On its face, this provision broadly authorizes the hacking of other networks and systems under the undefined guise of cybersecurity," the letter explains.

"Network operators should indeed have the right and permission to defend themselves from attack, but, before Georgia endorses "hack back" authority in "defense" or even anticipation of a potential attack with no statutory criteria, it should have a much more thorough understanding of the ramifications of such a policy. Provisions such as this could easily lead to abuse and be deployed for anticompetitive, not protective purposes," the letter says.

The letter cautioned Gov. Deal against encoding "an undefined concept of cybersecurity active defense" into law.

"We believe that Senate Bill 315 will make Georgia a laboratory for offensive cyber security practices that may have unintended consequences and that have not been authorized in other jurisdictions," the letter states.

A separate April letter signed by 55 tech professionals, including a former Director of Technology for Verizon, warned that an exemption in the bill which allows unauthorized access to networks "for a legitimate business activity" is also dangerously vague.

"Though the bill includes an exception for "legitimate business activites," this term is undefined and creates ambiguity for researchers unconnected with a business (such as academics or independent researchers acting without remuneration) and how activities will be qualified as "legitimate," the letter says.

Tripwire, a cyber threat detection and remediation firm, filed a letter with the governor's office on April 16 as well. The company argued that SB 315 would ultimately weaken security.

"It is our firm belief that an explicit exception is required to exclude prosecution when the party in question is acting in good-faith to protect a business or their customers from attack," Tripwire wrote.

"Without this exclusion, SB 315 will discourage good actors from reporting vulnerabilities and ultimately increase the likelihood that adversaries will find and exploit the underlying weaknesses," the letter said.

Read the Top 8

Sign up for the Top 8, a roundup of the day's top stories delivered directly to your inbox Monday through Friday.