Georgia computer intrusion bill threatens security research

March 27, 2018
Proposed state law could outlaw penetration testing by white hat hackers, hindering cybersecurity efforts

Note: Craig Young contributed to this article in his personal capacity. The views expressed are his own and do not necessarily represent the views of Tripwire.

A controversial computer intrusion bill is inching closer to becoming Georgia state law. As a Principal Security Researcher for Tripwire, I have made a career out of recognizing and understanding computer vulnerabilities. I have spent countless hours working with some of the biggest players in tech, including Google, Apple, and IBM, and I’ve been a regular presenter and instructor at prestigious security conferences around the world like DEF CON. Despite this, my research, which has helped dozens of businesses provide improved security controls for millions of people, could soon land me in jail.

Proponents of the bill argue that Senate Bill 315 is necessary to fill a gap in state law where access to a computer system without authorization is not expressly forbidden. They point to the fact that Georgia is one of only three states where there is no explicit law prohibiting access to a computer without authorization. Opponents of the bill (myself included) are concerned that the bill’s vague language does not differentiate between malicious attackers and researchers who report flaws and work with organizations to harden their security. The legislators involved in crafting this bill are absolutely right that we need to strengthen cybercrime laws, but as is often the case with technology law, there are a lot of complexities which are not immediately clear even to those familiar with the technology.

The current version of the bill states that, “Any person who intentionally accesses a computer or computer network with knowledge that such access is without authority shall be guilty of the crime of unauthorized computer access.” On its surface, this seems reasonable, but it is worth considering some real-world analogies. Picture yourself driving to visit a friend who has just moved into a new home. If you aren’t careful, you might miss their house and pull into a neighbor’s drive to turn around. While in the driveway, you notice that smoke is pouring out the windows. You dial 911 to report a fire but instead of fire engines to extinguish the flames, they send police to arrest you and use your 911 call as evidence of trespassing. This sounds absurd but it is effectively no different from what is being proposed with this bill. For a seasoned security researcher, there are many telltale signs of computer vulnerabilities which are just as obvious as a smoking house. In both cases, the responsible action is to report the problem to appropriate authorities to prevent further damage.

There are many problems with this legislation, but the most concerning one is that it considers neither intent nor damage related to the unauthorized access. In 2016, my doctor began using a new electronic health record (EHR) system and asked me to gauge the system’s security. My informal review uncovered a critical flaw which jeopardized the confidentiality and integrity of all patient records. More recently, I collaborated on research which revealed serious flaws in the HTTPS encryption used to protect tens of thousands of popular Internet sites and private businesses. This flaw existed for years and could expose passwords, financial data, and other personal information. My research had no negative impact on these businesses beyond whatever extra work was needed to fix their mistakes and it had a clearly positive impact on those who benefited from the increased protection of their data. Under the current version of Senate Bill 315, however, my good intentions would be irrelevant in determining whether I committed criminal unauthorized computer access. As such, I will not be able to participate in this type of beneficial research without the threat of jail time and/or civil litigation if Senate Bill 315 becomes law without additional protections.

Another point of confusion is whether the bill would criminalize the act of finding vulnerabilities in a device that you own. The underlying question here is whether a device maker could argue that jailbreaking or otherwise hacking one’s own device might constitute unauthorized access. This is a particularly critical question for me because I actively research and teach about the security of embedded computing systems (sometimes referred to as IoT devices). I frequently find vulnerabilities in devices and share details with the device makers so they can add protections. Most businesses are happy to receive these reports but some device makers are quite hostile to the InfoSec research community and might jump at the chance to discourage people from analyzing the security of their products. This could be another negative consequence if SB 315 becomes law in its current form.

Security researchers working independently, in academia, and in private corporations serve a critical role in the security ecosystem. This is a primary way in which software firms and website operators learn of their weaknesses so that they are able to deploy patches before a malicious attack. Coordinated or responsible disclosure has long been recognized in the industry as crucial for protecting the computer systems we rely upon. Protecting this work requires that researchers can operate under clearly defined and uniform legal guidance, such as the existing federal Computer Fraud and Abuse Act (CFAA). If Georgia lawmakers would like to prohibit unauthorized computer access, why not simply mirror the federal standard to avoid unintended consequences? Because of its vagueness, prosecution under this bill would be discretionary, with almost any activity being potentially criminal. This threat of litigation and financial burden is more than enough to discourage me and other well-intentioned researchers from reporting vulnerabilities. Although it is undoubtedly crucial for law enforcement to have tools for arresting criminal hackers, it is equally important, if not more so, to have laws ensuring that security research is able to continue.

About the Author:

Craig Young is a security researcher for Tripwire. He writes security content for Tripwire IP360 and performs security research as a member of Tripwire VERT. Young is a graduate of The Georgia Institute of Technology.