Some time soon, likely in the next week or so, the governor of Georgia will decide whether to sign a bill that would make it legal for companies to conduct their own offensive cyber operations. If it becomes law, the bill could serve as a template for legislation in other states as lawmakers move farther down the path of trying to regulate information security.
The language that would grant companies the power to go on the offensive is contained in Georgia S.B. 315, a measure that mainly is written with the intent of restricting some types of security research. The clause that relates to hacking back is non-specific and vague, but protects from prosecution people who employ “Cybersecurity active defense measures that are designed to prevent or detect unauthorized computer access”.
The use of active countermeasures is seen as highly problematic in the security community, especially if the people employing those measures aren’t trained to do so. Offensive cybersecurity operations typically are the domain of highly specialized teams in the intelligence community, the armed forces, or law enforcement agencies. Putting that kind of power in the hands of teams that are trained for defense rather than offense could cause serious and unforeseen problems.
One of the keys to running those kinds of operations is knowing your target. For typical offensive operations, that’s doable, if not easy. Law enforcement agencies usually know exactly who they’re going after, as do intelligence agencies in most cases. But a private organization that is trying to retaliate against an attacker who has compromised its network first needs to identify the attacker, a notably difficult task. Then comes the hard part: executing the operation. There’s no central repository of statistics on offensive operations, but if there were, it would probably show that even the best teams fail more often than they succeed.
Technology companies and digital rights groups have urged Georgia Gov. Nathan Deal to veto S.B. 315, pointing to the potential for bad outcomes from the active defense clause. In a letter to Deal, representatives from Google and Microsoft said the bill could cause serious problems.
“Network operators should indeed have the right and permission to defend themselves from attack, but, before Georgia endorses ‘hack back’ authority in ‘defense’ or even anticipation of a potential attack with no statutory criteria, it should have a much more thorough understanding of the ramifications of such a policy. Provisions such as this could easily lead to abuse and be deployed for anticompetitive, not protective purposes,” the letter says.
Likewise, the EFF said the measure could “end up harming researchers and targeting users who are already victims of malware.”
Much of the attention on the Georgia bill has centered on the provision that would outlaw a good portion of what security researchers do on a daily basis. The language in the bill would make it illegal for anyone to access a system or network without authority.
“Any person who intentionally accesses a computer or computer network with knowledge that such access is without authority shall be guilty of the crime of unauthorized computer access,” the bill reads.
Opponents of the bill have met with Deal’s representatives to discuss their concerns, but there’s no indication whether the governor plans to sign or veto it.