Georgia Gov. Nathan Deal (R) on Tuesday vetoed controversial cybersecurity legislation that critics argued would clear the way for private businesses in the state to hack into other networks in the name of protecting their own.
Deal, who faced mounting pressure from technology firms and cybersecurity researchers to veto the bill, said in a statement that the legislation raised “concerns regarding national security implications and other potential ramifications” that needed more discussion before enacting it.
Senate Bill 315, which was approved by Georgia’s General Assembly last month, would have amended current state law governing computer crimes to define the crime of “unauthorized computer access.” It would have carved out an exemption for individuals who engage in “active defense measures that are designed to prevent or detect unauthorized computer access.”
Executives from Google and Microsoft wrote the governor last month warning that the provision “broadly authorizes the hacking of other networks and systems under the undefined guise of cybersecurity.”
“Network operators should indeed have the right and permission to defend themselves from attack, but, before Georgia endorses ‘hack back’ authority in ‘defense’ or even anticipation of a potential attack with no statutory criteria, it should have a much more thorough understanding of the ramifications of such a policy,” they wrote.
“Provisions such as this could easily lead to abuse and be deployed for anticompetitive, not protective purposes.”
Some in the security community have also expressed concerns with a provision of the bill that would create an exemption for “legitimate business activity.” They argued that the vague language could potentially chill security research that hinges on experts hunting for vulnerabilities in networks.
Deal faced a Tuesday deadline to act on the legislation.
“While intending to protect against online breaches and hacks, SB 315 may inadvertently hinder the ability of government and private industries to do so,” Deal said in announcing his veto.
“After careful review and consideration of this legislation, including feedback from other stakeholders, I have concluded more discussion is required before enacting this cyber security legislation,” he continued.
Deal added that he hopes state legislators will “work with the cyber security and law enforcement communities moving forward to develop a comprehensive policy that promotes national security, protects online information, and continues to advance Georgia’s position as a leader in the technology industry.”
The legislation in Georgia has triggered broader debate about the concept of “active cyber defense,” a phrase commonly used to describe a spectrum of proactive measures that companies and others can take to prevent and respond to cyberattacks. These activities range from using beaconing technology to leaving one’s network and entering another in order to track down stolen information.
Proponents of the concept argue that these activities would allow companies to better protect themselves from evolving and growing threats in cyberspace. Still, critics say that allowing companies to “hack back” could have damaging and unforeseen implications.
U.S. lawmakers have introduced legislation in the House that would allow companies and private citizens to engage in a limited range of “active defense measures.”
Rep. Tom Graves (R-Ga.), one of the bill’s sponsors, said in a recent statement to The Hill that his bill would “give our citizens and businesses more tools to protect themselves from online criminals.”
“American citizens, companies and government entities are routinely falling victim to cyber attacks,” Graves said. “The status quo is unacceptable.”