Bill Criminalizing ‘Unauthorized Computer Access’ Concerns Security Experts
A bill that makes most acts of accessing a computer without permission a crime is now awaiting Gov. Nathan Deal’s signature.
Some Atlanta-area cybersecurity experts said if it becomes law, they will be less likely to report security vulnerabilities.
State Elections Center Incident
Georgia’s Attorney General Chris Carr pushed for this bill after an independent security researcher Logan Lamb accessed voter records at the state’s election center at Kennesaw State University two years ago.
The state was unable to prosecute him because he only accessed the records and didn’t copy or alter any data. This is how many ethical security researchers or “white-hat” hackers operate.
Alpharetta resident Craig Young works for the cybersecurity firm Tripwire. In his free time, Young said he investigates networks, like the one at his kid’s school, to see if it’s secure. If it’s not, he lets them know.
“They need to be encouraging security researchers such as myself to actually look at these systems and report back with flaws in them, rather than kind of threatening us with legal action,” Young said.
The bill does protect people who access computer networks for “legitimate business activity” and “cybersecurity active defense measures.”
Xavier Ashe, president of a cybersecurity firm in Atlanta, said the language is too vague. He said he routinely hires independent “security researchers.”
“While they’re not under contract by me or another company, they’re also doing their own security research, which right now currently leaves them exposed to prosecution,” Ashe said.
Roy Hadley is a privacy and cybersecurity attorney with Adams and Reese and chair of the information security society for the Technology Association of Georgia. He said he understands why lawmakers were trying to pass cybersecurity legislation, but said it still leaves many questions unanswered.
“The bill itself is not very clearly worded and because of that there’s a lot of ambiguity and anytime you have ambiguity it’s not a good thing,” Hadley said. “The problem for the business community is that, especially when the lawsuits start flying, it’s going to be difficult to interpret what you can and cannot do unless and until the courts interpret it more narrowly and say ‘OK, this is what the legislature meant by that’ and at that point may go back and say this isn’t what we intended.”
Andy Green, an information security lecturer at Kennesaw State University, said if it becomes law, he would think twice about investigating the city of Atlanta’s networks for example – and letting them know they have security problems.
“We will continue to see systems put online that have vulnerabilities,” Green said. “As a state, do we want qualified individuals finding these things and bringing them to our attention? And the answer seems to be no.”
Since the bill was first up for discussion last fall, Green said he told his students to stop working on assignments he had given them.
Georgia Attorney General Chris Carr pushed for the bill after someone accessed voter records at the state’s election center at Kennesaw State University two years ago.
“Before the General Assembly passed this measure, we were one of only three states in the nation where it was not illegal to access a computer or computer network so long as nothing was disrupted, altered or stolen,” said Attorney General Carr in a press release after the bill passed the House on Thursday night. “In a world where hackers – whether they are state-sponsored actors, organized criminal enterprises, loose confederations or lone wolves – attempt every single second of every single day to gain unauthorized access to our computers and computer networks, this common sense solution will close a window of opportunity for those who wish us harm.”
Frank Rietta is president of Rietta Inc. in Johns Creek, which employs threat researchers.
“The X-Force, which is now owned by IBM and services billions of security incidents, employs thousands of people doing this kind of research all the time and is based out of Sandy Springs, Georgia still. I don’t think that company could exist and I don’t think we would have the security industry we have now if this law had been enforced in the 1990s,” Rietta said. “Whether or not the security industry can survive, law-abiding companies can do law-abiding things and jobs will shift but the landscape will be altered because it was built upon the very sort of work that’s being outlawed.”
Rietta said instead of fixing problems researchers discover, many companies and public institutions are purchasing cyber insurance.
The city of Atlanta said it experienced a ransomware attack on March 22. According to an Augusta-based cybersecurity firm Rendition Infosec, the city of Atlanta was also hacked and had data exposed in April 2017.