GA SB315 – Rendition Infosec’s thoughts

Rendition Infosec has been in lockstep with other cybersecurity companies in vocally opposing GA SB315, an extremely flawed piece of legislation that will likely hurt cybersecurity organizations that operate in GA. The bill itself is extremely poorly worded and leaves much to the discretion of prosecutors and judges. For instance, simply editing a URL in your browser while communicating with a server in the state of GA, from the state of GA, or if your network traffic transits GA, could be considered a crime as “exceeding authorized access” on the remote system. Clearly, prosecutions using this law will be cherry-picked, since there is no practical way that the law can be fully enforced.

You don’t need much legal background to see the obvious problems with the bill. The total lack of understanding by those proposing and voting on this act is clear. Check out this video starting at about 4:30 to see some of the obvious problems with the bill. This State Senator repeatedly admits that he doesn’t understand. He repeatedly turns to the talking point of “we are anti hacking.” Despite the fact that the US House and Senate believe that nobody reads terms of service, this State Senator does. The list of statements that highlight a lack of basic cybersecurity understanding goes on and on.

Microsoft and Google sent a letter to Governor Deal highlighting how flawed the legislation is. Ironically, they are concerned about something different than unauthorized access. Microsoft and Google are concerned about the broad authorization the bill may give to perform “active defense measures that are designed to prevent or detect unauthorized computer access.” This may broadly authorize “hacking back” operations without any real oversight.

The long and the short of it is that SB315 will hurt GA businesses. Unauthorized access using a computer is already a crime under the (also extremely flawed) federal Computer Fraud and Abuse Act (CFAA). Further, GA doesn’t really have the appropriate law enforcement investigative powers to bring this type of high-profile hacking case to the courts. That GA lawmakers couldn’t learn from the CFAA and other flawed state statutes is unfortunate.

Brandon McCrillis and Jake Williams from Rendition Infosec got together to discuss SB315 and the hacktivists using the same name.