{"id":12339,"date":"2018-05-18T09:10:03","date_gmt":"2018-05-18T17:10:03","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2018\/05\/18\/news-6108\/"},"modified":"2018-05-18T09:10:03","modified_gmt":"2018-05-18T17:10:03","slug":"news-6108","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/05\/18\/news-6108\/","title":{"rendered":"Why tech companies wanted Senate Bill 315 vetoed"},"content":{"rendered":"<p><strong>Credit to Author: Kayla Matthews| Date: Fri, 18 May 2018 16:00:38 +0000<\/strong><\/p>\n<p>When Georgia Senate Bill 315 (SB-315) was introduced, people in the tech world anxiously awaited its fate, regardless of their geographic location. They knew that some laws initially restricted to single states become more widespread after politicians set precedents. And they knew that this law could potentially impact the way that they did business forever.<\/p>\n<p>The bill passed in the General Assembly on March 29\u2014and that was not the news tech companies were looking for. They hoped the bill would be shot down. But why?<\/p>\n<h3>The bill<\/h3>\n<p>SB-315 was a Republican-sponsored bill aiming to alter the state\u2019s parameters on computer usage. If passed, it would have amended the original language of Georgia\u2019s code that discusses \u201ccomputer trespass.\u201d The activities under that umbrella include deleting computer programs or data, altering or damaging hardware, and obstructing the use of a computer program. In short, Georgia\u2019s code stated that unauthorized use only extended to malicious intent.<\/p>\n<p>However, SB-315\u2019s language is much more vague than the original Georgia code. 
It <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/georgia-senate-passes-bill-that-criminalizes-unauthorized-pen-tests\/\" target=\"_blank\" rel=\"noopener\">prohibits unauthorized computer access<\/a>\u2014period\u2014although it doesn\u2019t apply to people living in the same house, individuals using computers for legitimate business activities, or those engaged in active cyberdefense measures that stop or detect unauthorized use.<\/p>\n<h3>What prompted SB-315?<\/h3>\n<p>A security researcher named Logan Lamb found a vulnerability associated with Kennesaw State University&#8217;s (KSU) Center for Election Systems that exposed the details of <a href=\"https:\/\/arstechnica.com\/tech-policy\/2018\/05\/georgia-governor-vetoes-cyber-bill-that-would-criminalize-unauthorized-access\/\" target=\"_blank\" rel=\"noopener\">6.7 million voters in Georgia<\/a>. He contacted the appropriate authority and received word that the issue would get fixed. A year later, Chris Grayson, a fellow cybersecurity researcher, found the vulnerability still existed.<\/p>\n<p>Next, both Lamb and Grayson approached a KSU information security lecturer about the matter. That action finally got the problem fixed. Unfortunately, it also resulted in Lamb getting visited by FBI agents. They determined he didn\u2019t do anything wrong but advised him to delete any downloaded data.<\/p>\n<p>Lamb\u2019s efforts to help protect that data would now be considered illegal under SB-315.<\/p>\n<h3>Tech companies raise concerns<\/h3>\n<p>Microsoft and Google are among the technology companies that urged Georgia governor Nathan Deal to veto the bill. 
In a joint letter distributed to Deal on April 15, <a href=\"https:\/\/www.courthousenews.com\/microsoft-and-google-urge-veto-of-georgia-cybersecurity-bill\/\" target=\"_blank\" rel=\"noopener\">representatives from tech companies took issue<\/a> with criminalizing unauthorized computer access, saying the consequences could be damaging to Georgia\u2019s infosec industry. They also argued against the provision of the bill that makes \u201chack backs\u201d exempt.<\/p>\n<p>The tech representatives asserted that the provision as written was too broad and its parameters were not clearly defined. As such, they recognized a strong potential for abuse for anti-competitive purposes rather than solely to protect networks. They also said that enabling Georgia businesses to \u201chack back\u201d in defense against cybercriminals could have unintended consequences.<\/p>\n<p>In addition, cybersecurity company Tripwire filed a letter with the governor\u2019s office on April 16, arguing that SB-315 would ultimately weaken security. \u201cSB-315 will discourage good actors from reporting vulnerabilities and ultimately increase the likelihood that adversaries will find and exploit the underlying weaknesses,\u201d the letter said.<\/p>\n<h3>Potential ramifications for cybersecurity researchers<\/h3>\n<p>In a separate letter to Congress, 55 tech professionals warned that the \u201clegitimate business activity\u201d exemption of the bill was dangerously unclear. The letter stated that this term \u201cis undefined and creates ambiguity for researchers unconnected with a business\u2026and how activities will be qualified as \u2018legitimate.\u2019\u201d<\/p>\n<p>Experts say SB-315 would have <a href=\"https:\/\/www.wired.com\/story\/georgia-sb315-hacking-bill-wrong\/\" target=\"_blank\" rel=\"noopener\">had a chilling effect<\/a> on independent researchers, specifically those who perform penetration tests. 
Sometimes referred to as whitehat hackers, these cybersecurity specialists <a href=\"https:\/\/vigilantllc.com\/services\/cybersecurity\/penetration-testing\/\" target=\"_blank\" rel=\"noopener\">look for network weaknesses<\/a> and find out what would happen if they were exploited.<\/p>\n<p>After collecting the results of penetration tests, the researchers contact the appropriate parties to inform them of vulnerabilities. However, some people in the cybersecurity sector wondered if by disclosing the outcomes of penetration tests, researchers would violate SB-315 and risk fines or jail time.<\/p>\n<p>Hackers showed their displeasure with SB-315 by hacking several Georgia websites, including the homepages of a church and two restaurants. In all cases, the infiltrators left messages on the sites to warn that <a href=\"https:\/\/www.csoonline.com\/article\/3269535\/security\/hackers-protest-georgias-sb-315-anti-hacking-bill-by-allegedly-hacking-georgia-sites.html\" target=\"_blank\" rel=\"noopener\">SB-315 barred the ethical reporting<\/a> of the vulnerabilities that allowed the attacks.<\/p>\n<h3>Nods of approval for SB-315<\/h3>\n<p>Chris Carr, the attorney general for the state of Georgia, issued a statement after SB-315 passed in the General Assembly that outlined <a href=\"https:\/\/law.georgia.gov\/press-releases\/2018-03-29\/carr-applauds-passage-georgia-cybersecurity-bill\" target=\"_blank\" rel=\"noopener\">his support of the bill<\/a>. He asserted that Georgia is one of only three states that don\u2019t make unauthorized computer or network access without malicious intent illegal.<\/p>\n<p>Carr referred to SB-315 as a \u201ccommon sense solution\u201d that prevented the opportunities hackers would otherwise seize. 
Moreover, his press release expressed gratitude to other sponsors of the bill, including Representative Christian Coomer, and Senators Renee Unterman and Butch Miller, among others.<\/p>\n<p>Senator Bruce Thompson, who introduced the bill, largely steered clear of any controversy when discussing SB-315 on his Twitter feed.<\/p>\n<p>At the end of March, though, <a href=\"https:\/\/twitter.com\/BruceThompsonGA\/status\/978738562039533568\" target=\"_blank\" rel=\"noopener\">one of his tweets<\/a> mentioned Chairman Ed Seltzer. When the bill was on the House floor, Seltzer reportedly said the exemptions were \u201cbig enough to drive a truck through.\u201d That was presumably Thompson\u2019s way to respond to critics who thought the exceptions to the bill were too narrow in scope.<\/p>\n<p>Representative Tom Graves, who sponsored the bill, stated that SB-315 would provide citizens and businesses <a href=\"http:\/\/thehill.com\/policy\/cybersecurity\/386770-georgia-governor-vetoes-controversial-hacking-legislation\" target=\"_blank\" rel=\"noopener\">with more resources to stay safe<\/a> against hacks.<\/p>\n<h3>Deal gives his veto<\/h3>\n<p>Governor Nathan Deal ultimately chose to veto SB-315. <a href=\"https:\/\/gov.georgia.gov\/press-releases\/2018-05-08\/deal-issues-2018-veto-statements\" target=\"_blank\" rel=\"noopener\">In a related statement<\/a>, he mentioned that such legislation requires further discussion before enactment. Additionally, he brought up private industries and government agencies, admitting that SB-315 could make it more difficult for those entities to stay protected.<\/p>\n<p>Deal hoped legislators would continue to work together to find ways to enhance the state and national security against cyberattacks.<\/p>\n<p>The concerns of tech companies about the language and specific provisions of SB-315 emphasize why it\u2019s crucial to conduct all-encompassing analyses of pending legislation. 
The full impacts of proposed laws are not always immediately evident\u2014especially when it comes to technology.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/101\/2018\/05\/tech-companies-wanted-senate-bill-315-vetoed\/\">Why tech companies wanted Senate Bill 315 vetoed<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/101\/2018\/05\/tech-companies-wanted-senate-bill-315-vetoed\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Kayla Matthews| Date: Fri, 18 May 2018 16:00:38 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/101\/2018\/05\/tech-companies-wanted-senate-bill-315-vetoed\/' title='Why tech companies wanted Senate Bill 315 vetoed'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/05\/shutterstock_53397613.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>Georgia Senate Bill 315 aimed to make all unauthorized access to computers illegal\u2014sounds good, right? 
Read why provisions in its fine print made tech and security companies more than uncomfortable.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/101\/\" rel=\"category tag\">101<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/101\/fyi\/\" rel=\"category tag\">FYI<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/cybersecurity-law\/\" rel=\"tag\">cybersecurity law<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/georgia-legislature\/\" rel=\"tag\">Georgia legislature<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/sb-315\/\" rel=\"tag\">SB-315<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/senate-bill-315\/\" rel=\"tag\">senate bill 315<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/101\/2018\/05\/tech-companies-wanted-senate-bill-315-vetoed\/' title='Why tech companies wanted Senate Bill 315 vetoed'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/101\/2018\/05\/tech-companies-wanted-senate-bill-315-vetoed\/\">Why tech companies wanted Senate Bill 315 vetoed<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10519,18466,10520,18467,18468,18469],"class_list":["post-12339","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-10519","tag-cybersecurity-law","tag-fyi","tag-georgia-legislature","tag-sb-315","tag-senate-bill-315"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12339","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=12339"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12339\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=12339"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=12339"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=12339"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}