In a letter to Georgia Gov. Nathan Deal, 55 cybersecurity professionals from around the country are calling for a veto for S.B. 315, a state bill that would give prosecutors new power to target independent security researchers.
This isn’t just a matter of solidarity among those in the profession. Georgia represents our nation’s third largest information security sector. The signers have clients, partners, and offices in Georgia. They attend conferences in Georgia. They teach and study in Georgia or recruit students from Georgia. And they all agree that S.B. 315, which would create a new crime of "unauthorized access," would do more harm than good.
The signers include top academics such as Harvard Kennedy School Lecturer Bruce Schneier, Kennesaw State University lecturer Andy Green, and Keith Watson, Information Security Manager at Georgia Tech's College of Computing. Executives at HackerOne, Eyra Security, Enguity Technology Corp., R3ality Inc., and Covici Computer Systems are also calling for a veto. The names include some of the top professionals in the field, such as John Vittal, former director of technology for Verizon, and Peter G. Neumann, Chief Scientist at SRI International’s Computer Science Lab, as well as engineers from Google, Cox Communications, and Dell Technologies, signing in their personal capacities.
The letter calls out two particular problems with the legislation.
First, the bill potentially “creates new liability for independent researchers that identify and disclose vulnerabilities to improve cybersecurity.” Although the bill exempts “legitimate business activities,” this term is not defined in a meaningful way, leaving ambiguity for how the law would be enforced by prosecutors.
Second, the bill includes an exemption for “active defense” measures, which is also left perilously undefined. As the researchers write, “this provision could give authority under state law to companies to ‘hack back’ or spy on independent researchers, unwitting users whose devices have been compromised by malicious hackers, or innocent people that a company merely suspects of bad intentions.”
S.B. 315 would provide district attorneys and the attorney general with broad latitude to selectively prosecute researchers who shed light on embarrassing problems with computer systems. The signers want Gov. Deal to know that the bill would not only harm Georgia’s information security sector, but also make people nationwide less safe by chilling research that could bring light to vulnerabilities.
We wholeheartedly agree. If you live in Georgia, please join the effort and tell Gov. Deal to veto S.B. 315 immediately.