The US state of Georgia has passed new anti-hacking legislation, SB 315, which will criminalise any form of unauthorised access to computer systems owned by companies, thereby making the activities of security researchers and ethical hackers unlawful as well.
The bill was passed by the Georgia Senate earlier today and will now come before the House of Representatives for its assent. According to Chris Carr, the Attorney General of Georgia, SB 315 plugs a major loophole in Georgia’s existing cyber laws, under which unauthorised access to a computer is not unlawful so long as nothing is disrupted or stolen.
“This doesn’t make any sense. Unlawfully accessing any computer in Georgia should be a crime, and we must fix this loophole,” he said.
According to Craig Young, a computer security researcher at Tripwire, the new law (SB 315) is in violation of the federal Computer Fraud and Abuse Act (CFAA), which offers protection for responsible security researchers. As such, the new law will penalise even those who recognise security concerns and bring them to the attention of those who could fix them.
“While it could be argued that this is not the legislative intent and the state would not seek criminal charges in such cases, it is important to note that the statute also enables civil litigation against researchers. This means that a firm could use the law to seek revenge against a researcher who embarrassed them.
“The end result is that altruistic hackers will likely stop looking for (or at least stop disclosing) vulnerabilities, leaving only those with a truly malicious criminal agenda left to find and exploit the risks,” he added.
“While many parts of the U.S. government are advancing cybersecurity by adopting industry’s best practices, such as allowing security researchers to identify and disclose vulnerabilities that make us all safer, Georgia is closing the door to these folks,” said Lisa Wiswell, an advisor at HackerOne.
Criminalising security researchers
The passage of SB 315 by the Georgia Senate drew strong protests from the Electronic Frontier Foundation, which said on Twitter that the bill was passed without a crucial amendment that would have provided broader protection for the whole information security community.
“A misguided bill in Georgia (S.B. 315) threatens to criminalize independent computer security research and punish ordinary technology users who violate fine-print terms of service clauses. S.B. 315 is currently making its way through the state’s legislature amid uproar and resistance that its sponsors might not have fully anticipated,” EFF said on its website.
The situation in Georgia, if the law gets the nod from the House of Representatives, will be very different from that in the UK, where ethical hackers and security researchers now follow responsible disclosure norms to alert organisations to security flaws in their systems.
In fact, NHS Digital announced in November last year that it would spend £20 million on hiring additional cyber defence experts and ethical hackers, who will monitor existing vulnerabilities and security threats in systems owned by the organisation.
“The partnership will provide access to extra specialist resources during peak periods and enable the team to proactively monitor the web for security threats and emerging vulnerabilities.
“It will also allow us to improve our capabilities in ethical hacking, vulnerability testing and the forensic analysis of malicious software and will improve our ability to anticipate future vulnerabilities while supporting health and care in remediating known threats,” said NHS Digital.