Following weeks of outcry from cybersecurity companies and independent researchers, Republican Georgia Gov. Nathan Deal vetoed the state’s proposed “hack back” bill on Tuesday.
The bill, SB 315, sought to create the misdemeanor crime of “unauthorized” computer or computer network access, criminalizing the act of “intentionally” logging into a computer or website hosted in Georgia without the user first asking permission or being granted authority.
“Certain components of the legislation have led to concerns regarding national security implications and other potential ramifications,” Deal’s veto statement reads. “Consequently, while intending to protect against online breaches and hacks, SB 315 may inadvertently hinder the ability of government and private industries to do so.”
The bill would have also exempted such access in cases of shared households, legitimate business activity, terms of service agreements and cybersecurity active defense measures — broad exemptions, none of which were explained in sufficient detail while the bill was in the legislature, cybersecurity researchers told StateScoop in April.
“They wanted to give prosecutors and judges discretion,” Chris Risley, CEO of Bastille Networks, said. “So what they did was create a crime that will happen five million times a day. People will visit websites in Georgia. Some very small percentage of those will get charged. Their point is ‘You’ll get a fair trial.’ Nobody wants a fair trial. Nobody wants a trial at all — they don’t want to commit crimes.”
The exceptionally broad language used in the bill had many independent security researchers, academics, white-hat hackers and companies concerned about the sanctity of Georgia’s $4.7 billion cybersecurity industry. The bill, researchers said, would have been used to specifically target white-hat hackers looking to point out vulnerabilities — which, under SB 315, would turn into an admission of guilt for “unauthorized access” as well.
“Here’s how this bill is going to be used,” Risley said. “When you come to a company and you say you have a vulnerability and you’re going to announce it in 90 days, they’re not going to charge you then — they’re going to say if you make a public announcement, then we’re going to charge you in violation of SB 315.”
IBM, Google and Microsoft, all of which have offices in Georgia, wrote letters of concern to Deal during and after the legislative process, urging a veto or reconsideration of the bill. A coalition of Georgia-based and national information security professionals and academics also sent a letter urging a veto of the legislation.
Deal commended the state legislature on providing a “solid foundation” for continued discussion on the issue of cybercrime. The issue is a hot-button topic in the state, as Atlanta continues to feel the aftershocks of a crippling ransomware attack. Deal shared his hope that a comprehensive policy could be worked out by legislators next session — one that “promotes national security, protects online information, and continues to advance Georgia’s position as a leader in the technology industry.”