I was recently interviewed about Georgia SB 315 by Mark Niesse, a governmental reporter for the AJC.
The article can be found at https://politics.myajc.com/news/state–regional-govt–politics/georgia-bill-might-limit-efforts-find-internet-security-problems/du2KMoFlP2t6UPPMdxD74O/
Mr. Niesse did a good job of capturing perspectives of all involved. I think this article does a good job of highlighting just how complex the issues surrounding this bill are, and that there really is much more to the matter than Georgia being “pro business, anti-hacking”.
The more I think about this bill, the more I keep coming back to a single, core issue – the lack of “malicious intent” as being a requirement for a crime to be committed. Georgia Attorney General Chris Carr is quoted in the article as saying that requiring such language would make the bill pointless, because such intent could not be evidenced until the data is misused. He is mostly, but not completely, correct in this belief.
However, this entire issue could be avoided if the bill was modified to carve out exemptions for certain categories of research. Those categories should include academic research, as well as research done by organizations for the purpose of working with businesses to eliminate vulnerabilities when found.
Granted, defining these exemptions in writing may be tough to do, but that does not mean we should avoid trying to do so.
As a state, we should also not ignore the realities of the world we live in. The reality is that bad actors will find these vulnerabilities, regardless of any laws on the books. As a state, we need to answer a fundamental question – do we want to create an environment where professional, well-meaning security researchers can work without fear of being branded criminals, or are we ok with punishing these people for their work.
If Georgia was truly serious about trying to improve the security posture of businesses in this state, it would explore ways to encourage companies to implement things like bug bounty programs, or develop responsible disclosure policies.
Either of these approaches would allow researchers to responsibly interact with organizations with vulnerabilities, allowing both parties to work together in good faith to resolve any findings.
Unfortunately, implementing bug bounties and/or responsible disclosure policies requires a certain level of organizational maturity, as well as committed resources in order to function properly. That means time and money, two resources that most organizations would rather put into other areas. This is where the state could step in, by offering some type of financial incentive for these organizations to move in that direction.
I’m sure I’ll probably have more thoughts on this as time passes and I consider the ideas and thoughts shared by others.
Andy Green, Ph.D. 