In March, the Georgia State General Assembly passed a bill that would make it illegal to access a computer or network “without authority.” Georgia Governor Nathan Deal has until Tuesday to decide whether to sign it into law or veto it. The 40-day limbo has morphed from a bureaucratic formality, though, into a heated debate with national implications. In just 43 lines, the bill raises fundamental questions about how to establish boundaries in cyberspace without hindering vital security research and, crucially, about the ethics of “hacking back,” in which institutions that have been attacked can digitally pursue the hackers and even potentially retaliate.
Georgia Senate Bill 315 emerged in part out of an embarrassing and troubling incident in which a massive trove of sensitive election and voter data sat exposed for months in Georgia’s unified election center at Kennesaw State University. Frustrated that it wasn’t illegal for people to access the data when it was accidentally publicly available, lawmakers set out to limit the legality of unauthorized computer access. But critics say that the resulting legislation as written is too vague, and threatens to outlaw certain types of digital forensic research while exempting—and therefore potentially condoning—dangerous “cybersecurity active defense measures.”
“I don’t think this legislation actually solves a problem,” says Jake Williams, founder of the Georgia-based security firm Rendition Infosec. “Information put in a publicly accessible location can and will be downloaded by unintended parties. Making that illegal brings into question so many other issues, like what is ‘authorized’ use? Is violating terms of service illegal?”