[Update 05/09/18: Georgia Governor Deal vetoed SB 315. In a thoughtful veto statement, the Governor noted that the legislation raised "concerns regarding national security implications and other potential ramifications," and that "SB 315 may inadvertently hinder the ability of government and private industries" to protect against breaches. The statement expressed interest in working with the cybersecurity and law enforcement communities on a new policy.]
The Georgia state legislature recently passed a bill - SB 315 - to create a new crime of accessing a computer without authorization. This will become law unless Governor Nathan Deal vetoes the bill by May 8th. Prior to SB 315, Georgia did not have a specific crime for accessing computers without authorization unless you damaged, modified, or took something. SB 315 does not require these elements, just accessing a computer with knowledge that the access is not authorized.
The new crime created by SB 315 would have an exception for "active defense." This is Rapid7's foremost concern with the bill, and we urge a veto or clarifying legislation on these grounds. At minimum, to avoid undermining cybersecurity, we recommend carefully defining the term "active defense" and the boundaries of acceptable behavior the provision would allow.
There are a couple of positive elements in the bill. The new crime would have explicit exceptions for terms of service violations and "legitimate business activity," which should protect some (but not all) forms of security research and prevent this law from being used to enforce contracts and user agreements. These particular exceptions are not perfect but, in our view, are improvements on the Computer Fraud and Abuse Act (CFAA), which has long drawn criticism for overbreadth and for its use to litigate against terms of service violations. However, we view the "active defense" provision in SB 315 as potentially dangerous.
"Active defense" can mean several things, but has become a loaded term for retaliatory "hacking back" in federal policymaking, in part due to the Active Cyber Defense Certainty (ACDC) Act, sponsored by Rep. Tom Graves - also of Georgia. The ACDC Act was repeatedly referenced favorably as state legislators considered SB 315, though the ACDC Act is a long way from passing Congress and becoming federal law.
Rapid7 has opposed hack back as dangerous for cybersecurity, and accordingly we oppose the ACDC Act. (We provided our feedback to Graves' staff, and they were cordial and receptive.) But at least the ACDC Act defines "active cyber defense measure," limits its use to defending attacks on one's own network, and would install some government oversight over the practice. SB 315 lacks any of these modest safeguards.
Instead, SB 315's active defense provision seems to explicitly authorize an individual or organization to access another person's computer, knowing that the access is unauthorized, for the purpose of preemptively preventing the other person from unauthorized access. (Note, the wording seems to allow an active defender to prevent unauthorized access to anyone else, so the use of active defense measures is not limited to defending one's own network.) What sort of scenarios could this encompass? Here is a hypothetical: Remotely breaking into and searching another person's computers to see if that person possesses stolen passwords that could potentially be used for unauthorized access.
Are there some legitimately beneficial activities that could be covered by this active defense provision? Yes, it's broad enough to cover many scenarios, good and bad. During the GA House hearing, some legislators indicated that the active defense provision could actually protect independent security research – which is typically not how "active defense" is conceived and further indicates legislators' intent to construe the term broadly. The goal of protecting researchers could be accomplished with something much more clearly defined. The sponsors of SB 315 worried (not unreasonably) that a broad security researcher carve-out could be abused by bad actors, but this vague active defense provision actually seems to run a greater risk.
Obviously hacking back off your own network remains illegal at the federal level under CFAA, so federal law enforcement could still prosecute such behavior, though SB 315 would prevent Georgia from using its resources to do so. In addition, any hacking back authorized under SB 315 would be limited to unauthorized access only – activity that involved damage or theft would still be illegal under Georgia's other computer crime laws. It is also true that, since this is an exception to the creation of a new crime, Georgia state law may not have prevented hacking back prior to SB 315, and a veto of SB 315 would maintain the status quo.
Nonetheless, SB 315 would affirmatively authorize hack back behavior in Georgia, becoming the first state to do so, with the side effect of giving a normalizing boost to the federal legislation. We think ultimately this precedent would be bad for cybersecurity and risks harming innocent users, and that – at minimum – the legislation should be rejected until "active defense" is defined much more clearly and narrowly.