Georgia cybercrime bill has security execs baffled

The governor of Georgia may be within a month of signing a law that would make it a criminal offense for white hat hackers and bug bounty hunters to find vulnerabilities in computer systems residing in that state.

The bill, SB 315, would amend the Official Code of Georgia by creating a new offense, Unauthorized Criminal Access, which provides that “Any person who intentionally accesses a computer or computer network with knowledge that such access is without authority shall be guilty of the crime of unauthorized computer access.”

Lisa Wiswell, HackerOne policy advisor, said the Georgia bill is modeled after what she called the “highly controversial” Computer Fraud and Abuse Act, which makes accessing a network or computer without authorization illegal – even if there is no theft or damage.

“Georgia State Bill 315 has the entire cybersecurity community shaking its head in disbelief. While many parts of the U.S. government are advancing cybersecurity by adopting industry's best practices, such as allowing security researchers to identify and disclose vulnerabilities that make us all safer, Georgia is closing the door to these folks,” Wiswell told SC Media.

While the bill does exempt certain people and activities, such as members of the same household, those accessing a computer or computer network for a legitimate business activity, and cybersecurity active defense measures designed to prevent or detect unauthorized computer access, many feel the provisions do not strongly protect researchers searching for vulnerabilities.

The Electronic Frontier Foundation and its Georgia affiliate, the EFGA, have called for Georgia Governor Nathan Deal to veto the legislation.

“EFGA is opposed to rejection of the amendment and will continue to fight the bill. EFGA was unable to secure broad protections needed to give confidence to the entire security research community, so that they may continue to have a "safe space" to operate in,” the EFGA said in a statement.

Frank Rietta, who heads the security firm Rietta.com and who told SC Media he testified against the bill in committee, said that even though the bill allows companies to continue running bug bounty programs, most firms have no such program.

"It will remain legal for bug bounty hunters to work with the few companies who have official bug bounty programs. However, most companies have no such program. Given that 94% of the Forbes 2000 largest companies do not have any published means to responsibly contact for security disclosures, independent researchers will be barred from effectively getting companies with poor security to fix their holes to protect the public," Rietta said.

Casey Ellis, founder and CTO of Bugcrowd, said the bill's main problem is it does not differentiate between the good and bad guys, but instead lumps them all in the same bucket.

"The internet is more secure today because of the efforts of good-faith hackers - many of whom live in Georgia - and their efforts to help will now be chilled by this bill," he said, adding, “While bug bounty programs started as a niche Silicon Valley tech thing, you'd now be hard pressed to find an industry that isn't using this solution. Soon these programs will be the norm - it will be weird if your organization isn't running some sort of vulnerability disclosure or bug bounty program. And the federal sector is no exception - it's been great to watch this concept begin to take hold within the government.”

Several federal agencies, including the State Department, the Department of Defense and the U.S. Air Force, have rolled out bug bounty programs in recent months.

While the bill sits on Deal's desk, the governor has also pushed Georgia to develop a strong cybersecurity infrastructure for the state itself and for the nation. On January 11 Deal announced that the state will invest $60 million in a cyber range and training facility, the Hull McKnight Georgia Cyber Innovation and Training Center in Augusta, which will combine expertise from academia, private industry and government to establish statewide cybersecurity standards. Construction of the 167,000-square-foot facility is underway, with the final part of the steel structure completed in mid-November and the grand opening scheduled for July 2018.