Google and Microsoft are asking Georgia Gov. Nathan Deal to veto a controversial bill that would criminalize “unauthorized computer access” and potentially allow companies to conduct offensive hacking operations.
The Georgia General Assembly passed the bill in late March and sent it over to Deal, who has 40 days to sign it. The legislation has been met with outcries from the security researcher community. Critics say it would have a chilling effect on legitimate cybersecurity research, in which ethical hackers find and report vulnerabilities in organizations’ networks.
But in a letter dated April 16, representatives from Microsoft and Google focus on one of the bill’s provisions exempting “active defense measures that are designed to prevent or detect unauthorized computer access.” The companies say that this exemption gives companies broad authority to “hack back” if said hacking is deemed to be for the sake of cybersecurity.
“On its face, this provision broadly authorizes the hacking of other networks and systems under the undefined guise of cybersecurity,” the letter says.
The tech giants argue that this exemption goes far beyond simply giving organizations the authority to defend against outside attack. They say the bill could give companies free rein to conduct offensive operations for competitive purposes.
“[B]efore Georgia endorses the ‘hack back’ authority in ‘defense’ or even anticipation of a potential attack with no statutory criteria, it should have a much more thorough understanding of the ramifications of such a policy,” the companies write. “Provisions such as this could easily lead to abuse and be deployed for anti-competitive, not protective purposes.”
Other security research advocates have written to Deal urging him to veto the bill because they say another exemption — accessing a computer or network “for a legitimate business activity” — is too vague and threatens a broad base of people with being charged for unauthorized access.
In their letter, Google and Microsoft don’t address these concerns, instead highlighting the “hack back” issue.
“We believe that Senate Bill 315 will make Georgia a laboratory for offensive cybersecurity practices that may have unintended consequences and that have not been authorized in other jurisdictions,” the letter says.