In March, the Georgia State General Assembly passed a bill that would make it illegal to access a computer or network "without authority." Georgia Governor Nathan Deal has until Tuesday to decide whether to sign it into law or veto it. The 40-day limbo has morphed from a bureaucratic formality, though, into a heated debate with national implications. In just 43 lines, the bill raises fundamental questions about how to establish boundaries in cyberspace without hindering vital security research and, crucially, the ethics of "hacking back," in which institutions that have been attacked can digitally pursue the hackers and even potentially retaliate.
Georgia Senate Bill 315 emerged in part out of an embarrassing and troubling incident in which a massive trove of sensitive election and voter data sat exposed for months in Georgia's unified election center at Kennesaw State University. Frustrated that it wasn't illegal for people to access the data when it was accidentally publicly available, lawmakers set out to limit the legality of unauthorized computer access. But critics say that the resulting legislation as written is too vague, and threatens to outlaw certain types of digital forensic research while exempting—and therefore potentially condoning—dangerous "cybersecurity active defense measures."
"I don't think this legislation actually solves a problem," says Jake Williams, founder of the Georgia-based security firm Rendition Infosec. "Information put in a publicly accessible location can and will be downloaded by unintended parties. Making that illegal brings into question so many other issues, like what is 'authorized' use? Is violating terms of service illegal?"
Hackers calling themselves SB315, meanwhile, have apparently launched attacks against a church, the City of Augusta, two restaurants, and Georgia Southern University in protest. The group claimed in a message on Calvary Baptist Church of Augusta's website, according to the Augusta Chronicle, that they couldn't report the vulnerability they exploited to infiltrate the site, because the legislation would make it illegal. In their various hacks, the group leaked what it claimed was compromised login credentials and other personal information, but the data from the City of Augusta and Georgia Southern University could also have been cobbled together from publicly accessible records.
"Protests resorting to hacking and threats of retaliation will do nothing but scare these particular legislators further and strengthen their resolve for the need for this sort of bill," says Williams.
Beyond the stunt hacks, prominent digital rights organizations and even large tech firms have taken a hard stand against the bill. The Electronic Frontier Foundation said in April that the law would, "severely chill independent researchers’ ability to shine light on computer vulnerabilities," describing it as "misguided." Security researchers often find flaws and weaknesses in organizations' networks incidentally, or through proactive probing. The Georgia bill would likely make this type of work illegal, because it would be considered "unauthorized computer access." It would discourage people who find problems in digital systems from disclosing them so they could be fixed—a situation that hurts everyone by reducing collective security.
The proposed legislation in Georgia is far from the first time this tension has surfaced. The federal Computer Fraud and Abuse Act, which has similar provisions about computer and network access, has caused controversy for decades.
The stakes are higher than ever to agree on a path forward, though, as cyberaggression ramps up domestically and around the world. "Georgia codifying this concept in its criminal code is potentially a grave step that has some known and many unknown ramifications," representatives of Google and Microsoft wrote in a joint letter to Governor Deal in April urging him to veto the legislation. "Network operators should indeed have the right and permission to defend themselves from attack, but ... provisions such as this could easily lead to abuse and be deployed for anticompetitive, not protective purposes."
One of the primary issues raised by "hacking back" is the simple question of whether victims can accurately identify their aggressors, trace the correct source, and retaliate against the right entity. Attribution is notoriously challenging in digital forensics, and traffic or commands that appear to originate from one source may actually have come from elsewhere. Additionally, attackers often hide behind third-party computers that they have compromised with malware to do their bidding. In the Wild West of hacking back, victims could easily end up doubling down on bystander devices that are already the target of malware campaigns.
Georgia's not alone in exploring hacking back; Congress has considered it as well. Reacting to numerous digital threats the United States currently faces, particularly from Russian hackers, representative Tom Graves of Georgia and Kyrsten Sinema of Arizona introduced a federal bill in the fall, the Active Cyber Defense Certainty Act, that would give hacking victims leeway to penetrate attackers' networks. But while security experts have long-warned about that dangers and potential escalation involved in allowing unchecked retaliation, the idea of turning it into a state-by-state issue is even more unwieldy and murky.
With only a few days left before the deadline for a decision, Jen Talaber Ryan, deputy chief of staff for communications in Governor Deal's office, told WIRED that, "the governor is carefully reviewing the bill, including the input received from stakeholders on all sides." But regardless of the outcome, the uproar over the Georgia bill reflects broader uncertainty and fear over how to handle digital threats. And the concept of hacking back is stubbornly appealing when lawmakers at all levels of government struggle to feel in control of an opaque problem.
- Letting companies "hack back" is a terrible idea
- That's in no small part because attribution remains one of the trickiest aspects of cybersecurity
- The Computer Fraud and Abuse Act has also made it harder for security researchers to do their jobs
