Georgia Passes Active Defense Law

Saw this pop up. As we all know Atlanta was hit by a ransomware attack and it seems that the legislature of Georgia had passed a law in March allowing for active defense of networks. Governor has until May 8th to veto it, but it's very interesting as I wrote my Master's thesis on the legality of active defense.
http://thehill.com/policy/cybersecurity/385743-tech-firms-fret-over-push-to-legalize-defensive-hacking
SB 315 2017-2018 Regular Session
I'm definitely interested to understand the why of the exemption they included in the bill.
(2) This subsection shall not apply to:
(A) Persons who are members of the same household;
(B) Access to a computer or computer network for a legitimate business activity;
(C) Cybersecurity active defense measures that are designed to prevent or detect unauthorized computer access; or
(D) Persons based upon violations of terms of service or user agreements."
I did find it odd that they did not have an unauthorized access law on the books. But you do have to hand it to them for putting in writing that violations of terms of service or user agreements would not be construed as hacking.
My research didn't show that a lot of companies employed active defense, though that may mainly be because it would be construed as hacking and thus breaking the law.
WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff
Comments
And are the specifics described in the proposed law?
WORST case scenario is that this exemption nullifies the law, but it still doesn't allow anyone to do anything that's already illegal.
The issue I see with the law is that it provides for an exemption with no regard for the totality of that exemption:
Cybersecurity active defense measures that are designed to prevent or detect unauthorized computer access
I have several thoughts on this exemption. First, I suspect that those who wrote it did not fully understand the concept of active defense. Not a big leap as most politicians lack a full understanding of technology. Second, I would also suspect that this was a "best of intentions" situation where they wanted to shield companies from a law that could be overly broad, but in turn opened a huge hole.
Best course of action, in my opinion, would be to veto and either strike that line or debate and write comprehensive legislation to allow for active defense.
It appears they've decided to change what they termed as "Computer Trespass" to "Unauthorized Access". My analysis of this change is it was done due to the Computer Trespass requiring that something be changed or taken. Thus you had to delete, remove, or prevent access for that section to be applied (sort of defeats the purpose of trespass because one can trespass onto property without damaging it and/or removing something). But in turn, the old section of the law did not provide any sort of exemptions (which one might argue they should have left out of the new portions of the law). So as previously stated, they've broadened their hacking law and in turn added a defense for it (I'd argue unintentionally).
It's very stand your groundish in my humble opinion.
They do still have a computer theft law on the books so you couldn't break in and take data, but could still cause damage.
This is bad for security researchers, bad for companies that reside in GA, bad for the state economy, and especially bad for consumers of services that are hosted there.
I've got no comment on the active defense piece - it's a bolt-on to the above issue.
Nice to have some background and this change in law would definitely back up what you are saying. They had no criminal legal remedy for what the security researcher accomplished, now they do.
Attribution is the biggest hiccup and honestly if I were a company in Georgia I wouldn't utilize this exemption without seriously knowing that an attack had come from a source within the state. Even then, I'd be hesitant because one zealous FBI agent or Federal prosecutor will jam you up big time.
But I will point out that I posted the topic with a headline which in hindsight is incorrect (FAKE NEWS!!). What Georgia did was change their hacking law and in turn added an exemption allowing "hacking back". The likely scenario is some outside influence pushed with this exemption because my experience in government has shown that few in power have "hacking back" on their radar and I highly doubt they've employed anyone on their team who does.
1) Company A has some web servers that are vulnerable to reflected DDoS attacks. This isn't that uncommon.
2) Rival company B discovers this.
3) Rival company B pays some group some money under the table in Southeast Asia/Eastern Europe.
4) In a "coincidence", rival company B's logs start getting filled with (half-baked) DDoS attempts with a good percentage coming from company A.
5) Rival company B is now free to reciprocate. Trade secrets get stolen, data breaches happen, etc.
There are enough Martin Shkrelis in the world that haven't gotten caught to make this vision be true.
Security+, eJPT, CySA+, PenTest+,
Cisco CyberOps, GCIH, VHL,
In progress: OSCP
"After careful review and consideration of this legislation, including feedback from other stakeholders, I have concluded more discussion is required before enacting this cybersecurity legislation." -Governor of Georgia
It's always great when idiots don't prevail (in this case, criminalizing standard security research).