New Georgia bill could be a setback to cybersecurity
INSIGHT ARTICLE
A proposed bill in Georgia could have big implications not only for the security industry, but for any industry that leverages security research and testing to some extent. If you have offices, partners, facilities or clients in Georgia, this bill could impact the way your business operates when it comes to security.
The Georgia bill (SB315) would make unauthorized computer access illegal. The purported goal is to better protect Georgia citizens and businesses from computer crimes. The bill reads, “Any person who intentionally accesses a computer or computer network with knowledge that such access is without authority shall be guilty of the crime of unauthorized computer access.”
The bill allows for some exemptions, including individuals in the same household, those conducting legitimate business activity and those performing cybersecurity defense activities. Currently, the bill has passed the Georgia Legislature and awaits the governor’s signature to be enacted as law.
What does this mean?
On the surface, outlawing unauthorized computer access sounds like a no-brainer. However, many are concerned that this could in fact be a major setback for security initiatives in the state of Georgia—a state that, up to this point, has been a leader in cybersecurity research.
While the bill has some exemptions for cyber defense activities, it does not sufficiently carve out protections for white-hat researchers and penetration testers who perform ethical hacking. These individuals use their skills to identify vulnerabilities, not to exploit them for their own gain, but rather to report them so they can be fixed.
Under the proposed law, these researchers could be classified as engaging in unauthorized computer access, even if they are using that access in an ethical way. This could discourage researchers who have found critical vulnerabilities from coming forward, out of fear that they could now be punished for their efforts. In turn, this might stifle the kind of research and testing that has thus far been a catalyst for cybersecurity improvements.
Note that while this bill would prevent ethical hackers from helping companies identify vulnerabilities, it would not prevent criminal hackers from identifying the same vulnerabilities and causing real harm.
What’s the impact on businesses?
This proposed bill could not only impact security researchers themselves, but all the organizations who rely on their work to better secure their systems.
For example, this bill could hit bug bounty programs particularly hard. Bug bounty programs offer rewards and recognition to researchers who find software vulnerabilities and bugs. Organizations like Google and Facebook—not to mention countless other businesses across all industries—have already implemented such programs with great success. These programs have been vital to identifying and mitigating flaws before they can be leveraged in the wild. Under this bill, this activity could be criminalized, even if it’s done in an ethical, nondestructive way.
Organizations with offices in Georgia may need to rethink their use of such programs, as well as revise the way they test their own systems in order to comply with these requirements. These organizations may in fact need to approach security differently in order to meet local laws. For those in the cybersecurity sector, this is yet another reminder that the industry is volatile and can change at a moment’s notice.
Speaking more broadly, this is a reminder that we live in a time when organizations must juggle multiple compliance obligations. These obligations might vary from state to state (and nation to nation) and might change at a moment’s notice. These regulations often require organizations to change the way they do business, depending on where they are operating. Without a program to track and manage these obligations, organizations can easily become overwhelmed by the ever-changing regulatory environment.
Finally, this also demonstrates how well-intentioned laws can have drastic, unintended consequences. Regardless of the initial intent of such laws, organizations need to be prepared to respond to such changes in a way that allows them to continue to conduct business while also meeting compliance requirements.