Cybersecurity

Georgia passes anti-cyber whistleblower bill

Published 2 April 2018

Despite the vigorous objections of the cybersecurity community, the Georgia legislature has passed a bill which would open independent researchers who identify vulnerabilities in computer systems to prosecution and up to a year in jail. Critics of the bill say that Georgia has positioned itself as a hub for cybersecurity research, but the bill would make cybersecurity firms think twice about relocating to Georgia.

The Electronic Frontier Foundation (EFF) has called on Georgia Governor Nathan Deal to veto S.B. 315 as soon as it lands on his desk.

For months, advocates such as Electronic Frontiers Georgia (EF Georgia) have been coming to the state capital to oppose S.B. 315, which would create a new crime of “unauthorized access” to computer systems. In a blog post on the website of the EFF, Dave Maass writes that while lawmakers did make a major concession by exempting terms of service violations under the measure—an exception the critics of the bill have been asking Congress for years to carve out of the federal Computer Fraud & Abuse Act (CFAA)—the bill still falls short of ensuring that researchers are not targeted by overzealous prosecutors. This has too often been the case under CFAA.

“Basically, if you’re looking for vulnerabilities in a non-destructive way, even if you’re ethically reporting them—especially if you’re ethically reporting them—suddenly you’re a criminal if this bill passes into law,” EF Georgia’s Scott Jones told EF Georgia in February.

Andy Green, a lecturer in information security and assurance at Kennesaw State University, concurred.

“I’m putting research on hold with college undergrad students because it may open them up to criminal penalties,” Green told The Parallax. “It’s definitely giving me pause right now.” 

Maass writes that up until last week, Georgia had positioned itself as a hub for cybersecurity research, with well-regarded university departments developing future experts and the state investing $35 million to expand the state’s cybersecurity training complex. “That is one reason it’s so unfortunate that lawmakers would pass a bill that would deliberately chill workers in the field. Cybersecurity firms—and other tech companies—considering relocations to Georgia will likely think twice about moving to a state that is so hostile and short-sighted when it comes to security research,” Maass says.

He concludes: “S.B. 315 is a dangerous bill with ramifications far beyond what the legislature imagined, including discouraging researchers from coming forward with vulnerabilities they discover in critical systems. It’s time for Governor Deal to step in and listen to the cybersecurity experts who keep our data safe, rather than lawmakers looking to score political points.”