Cybersecurity researcher Logan Lamb breached Georgia's highly sensitive election data by accident.

Inspired by national headlines about voter system integrity after the 2016 U.S. presidential election, Lamb, who works for Bastille Networks, began poking around Kennesaw State University's (KSU) Center for Election Systems, the organization responsible for programming voting machines for the entire state of Georgia. Unwittingly, Lamb managed to download nearly 15 GB of Georgia voter information, among them registration records for 6.7 million Georgia voters and login credentials for pollworkers to use on Election Day. Although the center had placed the files behind a firewall, it also left its root directory unsecured, allowing Lamb to download it all.

Lamb and a second security researcher passed along their findings to Andrew Green, an information security and assurance lecturer at KSU, who verified the vulnerabilities they'd found and passed them along to the university's chief information security officer. University officials notified state officials, and headlines broke that millions of Georgia voters may have had their data exposed.

When state Sen. Bruce Thompson (R-White) introduced SB 315 to the Senate this year, he told fellow senators that the proposed legislation was prompted by the “hack that happened at KSU.” Yet the bill he proposed, which was voted through the General Assembly last week, could leave cybersecurity researchers like Lamb, Grayson and Green, who identified the vulnerability, at risk of prosecution.

Senators voted on March 29, the last day of the legislative session, to approve the bill in a 42-7 vote. The bill criminalizes unauthorized access to computers or networks, and makes such breaches punishable as a misdemeanor by a $5,000 fine and up to one year in jail.

The bill seems intended to protect organizations and consumer data, but some in the cybersecurity community fear it could leave well-intentioned cybersecurity researchers open to criminal charges.

The bill, which now awaits Gov. Nathan Deal's signature, includes exceptions for members of the same household, access for a “legitimate business activity,” defensive measures “designed to prevent or detect unauthorized computer access” and terms of service violations.

Closing Doors or Opening Vulnerabilities?

Thompson told legislators upon introducing the bill that he worked closely with Georgia Attorney General Chris Carr's office in drafting the legislation. Carr released a statement endorsing the passage of the bill, saying, “In a world where hackers—whether they are state-sponsored actors, organized criminal enterprises, loose confederations or lone wolves—attempt every single second of every single day to gain unauthorized access to our computers and computer networks, this common sense solution will close a window of opportunity for those who wish us harm.”

Digital rights advocacy group Electronic Frontier Foundation (EFF) has opposed the legislation as written, and intends to ask Deal to veto the bill. “We feel it will chill security research, particularly the type of research conducted by independent contractors and students,” David Maass, senior investigative researcher for EFF, told Daily Report.

“This term of unauthorized access is fairly vague and ill-defined. They do have this exemption for legitimate business purposes, but even that is vague as well. What makes something a 'legitimate' business thing? Does someone have to be profiting from doing the cybersecurity research?” Maass noted.

Green thinks the apparent spirit of the bill has merit, but that, as written, it leaves good-faith cybersecurity researchers at significant risk.

“In the abstract, I agree with it. I believe that there's some key language missing. I believe that unauthorized access to a computer or computer network should be a criminal offense when it is done with malicious intent, and that's really the key piece that's missing right now,” Green said.

Sen. Jen Jordan (D-Atlanta) proposed an amendment to include language around malicious intent, but senators voted against it. “They'd tell you it's too hard,” Green said of the potential difficulties in enforcing intentionality language. “To a point, I agree philosophically with their concern, which is how do you manifest intent? It's really hard to know what intent is until that data has actually been put on the market and sold.”

Without language around intent, however, Green sees far too much risk for “white hat” cybersecurity researchers who test systems for potential vulnerabilities and report them to host organizations: “They're effectively handcuffing the good actors who find these problems.”

Justin Daniels, a Baker Donelson corporate shareholder and founder of the firm's cybersecurity accelerator, noted that the explicit language of the law, even with the carve-outs for some legitimate practices, leaves uncertainty for cybersecurity researchers.

“Is it a fair point that these researchers and other folks could potentially be unfairly targeted? If you read the letter of the law, the answer is yes,” Daniels said. “The question is, are they really going to do it?”

White Hat Disagreement

Although white hat hacking is a fairly well-respected practice in the U.S., prosecutors don't always see eye to eye with security researchers on who wears the white hat, notably where student researchers are concerned. A British student attempting to point out security flaws in Facebook's infrastructure was sentenced to eight months' prison time in 2012, while an MIT student who developed a prototype program to mine for Bitcoin as a replacement for digital advertising faced prosecution from the state of New Jersey.

The suicide of “humanist hacker” 26-year-old Aaron Swartz, who faced steep charges for scraping millions of articles from online archive JSTOR prior to his death, is often invoked as evidence of prosecutorial overzealousness in this space. Although Georgia's bill does not explicitly discuss data-scraping, Green pointed out that, under the broad language in Georgia's proposed law, some data-scraping or site-crawling practices could be held as unauthorized system access.

Although a great deal of white-hat hacking is purely altruistic, some cybersecurity companies have used it as a sales tactic, a strategy that can feel invasive to companies. Daniels pointed out that these tactics can introduce some gray area around what constitutes a good-faith actor within cybersecurity. “Is it extortion, or is it them demonstrating that they can help you? Reasonable people can differ on that,” he said.

Maass also noted that the bill shifts responsibility for securing data away from organizations themselves, an especially significant move after a string of high-profile data breaches at companies like Uber, Yahoo and Atlanta-based Equifax drew fire to companies for exposing consumers' personal data.

“It's really important to hold the people responsible who are storing the data, particularly government agencies,” Maass said, adding that government agencies often store far more personally identifying data than they need to provide services. “It doesn't make sense to blame the messenger for pointing out a vulnerability.”

Sen. Thompson and AG Carr have both noted that Georgia is one of only three states without similar laws on the books, but Maass said that EFF has not been able to substantiate the three-state claim. Daniels, meanwhile, said there appear to be at least some other states with laws similar to the newly passed bill already in place.

Although some, including Green, have pointed to the potential economic loss Georgia could suffer, especially as the state tries to establish itself as a global hub of innovation around cyberdefense and cybersecurity, Daniels said it's likely too early to speculate on that.

“Honestly, I think it's a little too early to tell because you have the Computer Fraud and Abuse Act that has the same issue,” Daniels said, adding that the federal act includes similarly broad language. “I get it, once the private sector sees regulation, there's an inherent concern about that. Understandably so. But I think what we're battling is what the right balance is of companies being able to compete in the marketplace versus some level of regulation,” he said.

Deal has 40 days from the General Assembly's adjournment to sign, veto or allow legislation to pass without approval.