In 2017, an independent security researcher discovered that a vulnerability had been exploited in the Kennesaw State University Election Center. The researcher responsibly reported the breach to authorities. In response, the Georgia Attorney General’s office requested that a bill be drafted to criminalize any unauthorized access to any computer or network, even if the access is non-malicious and results in no harm such as independent white-hat security research. The resulting bill, S.B. 315, was passed by the Georgia state legislature on April 5, 2018, and is now on Governor Deal’s desk for signature or veto. For the reasons discussed below, Tripwire believes that this bill will actually increase cybersecurity risks by criminalizing responsible non-malicious security research. Here is a letter that was sent to Governor Nathan Deal:
April 16, 2018

Governor Nathan Deal
Office of the Governor
206 Washington Street
Suite 203, State Capitol
Atlanta, Georgia 30334

Re: S.B. 315 – Request to Veto this Bill

Dear Governor Deal,

As an industry-leading provider of threat detection and remediation, Tripwire is committed to advancing the state-of-the-art in information security and risk management. Contributions from independent security researchers serve a critical role in this pursuit. Because of this, we have serious concerns about the impact S.B. 315 may have on their and our ability to operate within clear legal guidelines. According to the wording of S.B. 315, well-intentioned (“white hat”) researchers could be subject to civil or criminal prosecution when following industry best practices in investigating a website for protection from a potential cyber-attack. It is our firm belief that an explicit exception is required to exclude prosecution when the party in question is acting in good faith to protect a business or their customers from attack. Without this exclusion, S.B. 315 will discourage good actors from reporting vulnerabilities and ultimately increase the likelihood that adversaries will find and exploit the underlying weaknesses.

There has been some discussion surrounding S.B. 315 with respect to whether it is appropriate for so-called “ethical hackers” to assess the security of websites without prior authorization. Data breaches cause considerable damage to consumers, and often stem from weaknesses which can be observed without disrupting service or causing harm. Looking for these weaknesses is one of the few ways in which consumers can judge whether their data is properly secured. Persons who identify and report the existence of a security flaw without causing harm should not face prosecution for reporting the flaw. As an employer of threat researchers in Georgia, the question of what constitutes “legitimate business activity” is also of particular concern to Tripwire.
Our Georgia-based Vulnerability and Exposure Research Team (VERT) builds tools to help our customers identify risks within their computer networks. As part of this mission, VERT sometimes discovers previously unknown security flaws in products made by third-party vendors. When this happens, we follow our corporate “responsible disclosure” policy and inform the vendor of the weakness, and then work with them to remediate the risk. When notified of potential vulnerabilities, vendors are usually appreciative and will work with us to better protect their business. Unfortunately, there are also times when vendors are unresponsive or willfully ignore security reports, leaving consumers exposed to attack. In these scenarios, when all reasonable attempts to inform a vendor have been exhausted or the vendor demonstrates an unwillingness to act on the information, it is sometimes appropriate to publicly disclose limited details of the security threat so that affected individuals and organizations can take appropriate steps to protect themselves. The vague definitions of S.B. 315 could enable frivolous lawsuits by vendors looking to hide their security defects.

Legislation to criminalize non-malicious “trespass” such as S.B. 315 requires very clear definitions of what constitutes access, who can authorize it, and what constitutes “legitimate business activity”. Unfortunately, S.B. 315, as written, does not meet these requirements. For these reasons, we strongly urge you to veto S.B. 315. The bottom line is that S.B. 315:
- Does not promote good security practices;
- May enable irresponsible businesses to conceal critical security failures which endanger the public; and
- Will require Tripwire to reexamine whether we should continue the security research that is currently conducted by our employees located in Georgia.
Sincerely,

David Meltzer
Chief Technology Officer
Tripwire, Inc.
You can voice your opinion on whether Gov. Deal should sign or veto S.B. 315 by using the Office of the Governor contact form, calling 404-656-1776, sending a fax to 404-657-7332, or sending a letter to:

The Office of the Governor
State of Georgia
203 State Capitol
Atlanta, Georgia 30334