Georgia Passes Active Defense Law

the_Grinch

Saw this pop up. As we all know Atlanta was hit by a ransomware attack and it seems that the legislature of Georgia had passed a law in March allowing for active defense of networks. Governor has until May 8th to veto it, but it's very interesting as I wrote my Master's thesis on the legality of active defense.

http://thehill.com/policy/cybersecurity/385743-tech-firms-fret-over-push-to-legalize-defensive-hacking

SB 315 2017-2018 Regular Session

I'm definitely interested to understand the why of the exemption they included in the bill.

(2) This subsection shall not apply to:
16 (A) Persons who are members of the same household;
17 (B) Access to a computer or computer network for a legitimate business activity;
18 (C) Cybersecurity active defense measures that are designed to prevent or detect
19 unauthorized computer access; or
20 (D) Persons based upon violations of terms of service or user agreements."

I did find it odd that they did not have an unauthorized access law on the books. But you do have to hand it to them for putting in writing that violations of terms or service or user agreements would not be construed as hacking.

My research didn't show that a lot of companies employed active defense, though that may mainly be because it would be construed as hacking and thus breaking the law.

slinuxuzer

What in your opinion is active defense? I have an idea of what it could be based on its name, but obviously with a term like that, the definitions could be very broad and vary based on different opinions, of exactly when "active defense" begins, is it back scanning, back hacking, back root kitting?

And are the specifics described in the proposed law?

BlackBeret

A lot of companies are in an uproar about this law, I wonder how many have read through it? GA is putting a computer crime law on the books. They have put an exemption in it for companies that are "conducting active defense measures", which is what everyone is calling hack back. At no point does the actual law say hack back. Active defense is not defined in this bill. Additionally they're ignoring the fact that it's JUST AN EXEMPTION to the proposed new law. It's not authorizing "active defense", hack back, or the violation of any current laws.

WORST case scenario is that this exemption nullifies the law, but it still doesn't allow anyone to do anything that's already illegal.

slinuxuzer

Seems convoluted, not exactly what you would want in a law.

the_Grinch

I'm of the opinion that it should be allowed, but with a serious amount of caveats. Your questions are something that would definitely need to be addressed. When can you hack back? What type of response is allowable and would be consider proportionate? Who is responsible (i.e. DDoS uses the computer of a third party unaware and not party to the attack)? How do you deal with damages from a response?

The issue I see with the law is that it provides for an exemption with no regards for the totality of that exemption:

Cybersecurity active defense measures that are designed to prevent or detect unauthorized computer access

I have several thoughts on this exemption. First, I suspect that those who wrote it did not fully understand the concept of active defense. Not a big leap as most politicians lack a full understand of technology. Second, I would also suspect that this was a "best of intentions" situation where they wanted to shield companies for a law that could be overly broad, but in turn opened a huge hole.

Best course of action, in my opinion, would be to veto and either strike that line or debate and write comprehensive legislation to allow for active defense.

the_Grinch

At issue is this provides a defense, at least for a company, for hacking. I'm company A in Georgia and I get scanned from company B. I in turn decide to attack and break into their systems. This law, in it's current form, would allow for me to do this.

It appears they've decided to change what they termed as "Computer Trespass" to "Unauthorized Access". My analysis of this change is it was done due to the Computer Trespass requiring that something be changed or taken. Thus you had to delete, remove, or prevent access for that section to be applied (sort of defeats the purpose of trespass because one can trespass onto property without damaging it and/or removing something). But in turn, the old section of the law did not provide any sort of exemptions (which one might argue they should have left out of the new portions of the law). So as previously stated, they've broaden their hacking law and in turn added a defense for it (I'd argue unintentionally).

It's very stand your groundish in my humble opinion.

They do still have a computer theft law on the books so you couldn't break in and take data, but could still cause damage.

ITHokie

It's a dumb bill, the issue being that it criminalizes security research. The impetus for the bill was the embarrassment generated when voter data was found by a security researcher to be publicly available on university (Kennesaw State) servers. Predictably, they (GA) also screwed up the response.

This is bad for security researchers, bad for companies that reside in GA, bad for the state economy, and especially bad for consumers of services that are hosted there.

I've got no comment on the active defense piece - it's a bolt-on to the above issue.

the_Grinch

ITHokie wrote: »

It's a dumb bill, the issue being that is criminalizes security research. The impetus for the bill was the embarrassment generated when voter data was found by a security researcher to be publicly available on university (Kennesaw State) servers. Predictably, they (GA) also screwed up the response.

This is bad for security researchers, bad for companies that reside in GA, bad for the state economy, and especially bad for consumers of services that are hosted there.

I've got no comment on the active defense piece - it's a bolt-on to the above issue.

Nice to have some background and this change in law would definitely backup what you are saying. They had no criminal legal remedy for what the security researcher accomplished, now they do.

TechGromit

I question the usefulness of this bill, so my network is under attack, I "hack back" which is perfectly legal in Georgia, but unknown to me, my attacker is in Idaho, which has no such exception. So will I be criminally and civilly liable now? The worst this should be a federal law, at best an UN resolution. If they are really serious about it, it should be an international law, counties that don't support the law, will be isolated (cut off) from the rest of the internet.

the_Grinch

An argument made, which I found interesting, was treating the Internet much like maritime law. I've not had any experience with maritime law, but from the pieces I've seen there are definitely some parallels. My argument has been making a Federal law to account for it, which as you stated would solve the issue.

Attribution is the biggest hiccup and honestly if I were a company in Georgia I wouldn't utilize this exemption without seriously knowing that an attack had come from a source within the state. Even then, I'd be hesitant because one zealous FBI agent or Federal prosecutor will jam you up big time.

But I will point out that I posted the topic with a headline which in hindsight is incorrect (FAKE NEWS!!). What Georgia did was change their hacking law and in turn added an exemption allowing "hacking back". The likely scenario is some outside influence pushed with this exemption because my experience in government has shown that few in power have "hacking back" on their radar and I highly doubt they've employed any one on their team who does.

yoba222

I might be painting a vision that may never happen but, let's say:
1)Company A has some web servers that are vulnerable to reflected DDoS attacks. This isn't that uncommon.
2)Rival company B discovers this.
3)Rival company B pays some group some money under the table in Southeast Asia/Eastern Europe.
4)In a "coincidence", rival company B's logs start getting filled with (half-baked) DDoS attempts with a good percentage coming from company A.
5)Rival company B is now free to reciprocate. Trade secrets get stolen, data breaches happen, etc.

There are enough Martin Shkreli's in the world that haven't gotten caught to make this vision be true.

BlackBeret

I'll still say, that just because you're exempt from the law in GA, doesn't mean you're exempt from CFAA or any other federal laws, or the laws of the other states.

the_Grinch

Just to provide an update, the Governor of Georgia vetoed the law.

ITHokie

the_Grinch wrote: »

Just to provide an update, the Governor of Georgia vetoed the law.

"After careful review and consideration of this legislation, including feedback from other stakeholders, I have concluded more discussion is required before enacting this cybersecurity legislation." -Governor of Georgia

It's always great when idiots don't prevail (in this case, criminalizing standard security research).