Written by Ryan Johnston

Craig Young makes his living by fixing problems that people don’t even know they have.

Young is a Georgia-based gray-hat hacker, which means that he points out vulnerabilities in products and security systems to manufacturers and web developers. A new computer crime bill, though, has him and his colleagues concerned about the future of security research in their state.

“It just makes it that it’s not worth it for a security researcher to do things in the public interest anymore,” Young said. “The only people looking for vulnerabilities at that point will be criminals and spies.”

The law isn’t quite on the books yet, but Gov. Nathan Deal is expected to sign it sometime this month, placing it into effect on July 1. The legislation is just two pages long, but it has the potential to effectively outlaw the majority of cybersecurity research in the state. Experts like Young, who rely on finding and reporting previously unknown vulnerabilities, are concerned that it would reclassify legitimate work as criminal activity.

The legislation would establish a “misdemeanor of a high and aggravated nature” for persons who gain “unauthorized” access to a computer or computer network, with a maximum $5,000 fine and yearlong jail sentence. SB 315 specifically defines unauthorized computer access as “any person who intentionally accesses a computer or computer network with knowledge that such access is without authority shall be guilty of the crime of unauthorized computer access,” a misdemeanor of high and aggravated assault.

The problem for security researchers, though, is that accessing computer networks is the very definition of their job.

To Georgia’s some 10,000 IT security professionals, the bill represents an ever-growing chasm between the lawmakers who set policy and the researchers who want to see their public service remain legal. Information security professionals who rely on gaining “unauthorized access” are concerned that it will enable prosecutors and corporations to pick and choose whom they want to target with the new law, placing researchers under the constant threat of prosecution.

Security research has been critical to Georgia’s economy for decades. Internet Security Systems (ISS), one of the first and largest information security companies in the nation, was founded in Atlanta in 1994 and set the stage for the city and state as a hotbed for IT security research.

Georgia ranks third in the nation in Information Security and generates more than $4.7 billion in annual revenue through the 115 information security companies headquartered in the state. Georgia is also home to 130,000 software developers and the security arms of global technology companies, like IBM security services (formerly ISS), Dell Secureworks and Cisco Lancope Stealthwatch.

This burgeoning local industry has thrived without an update to Georgia’s computer security law since 1993. Georgia is just one of three states in the nation without an “unauthorized access” clause in their penal code — but SB 315 would be one of the most sweeping laws on the books anywhere. “Unauthorized access” laws in the 47 other states have additional carve-outs and protections for independent security research and white-hat and gray-hat hacking. Both California and North Carolina, for example, require proof that unauthorized access was gained to “devise or execute a scheme or artifice to defraud, deceive, or extort” to prove guilt. Meanwhile, Alabama avoids broad language by outlining eight specific cases that constitute access without authority as a crime.

And while Georgia lawmakers say the legislation is a critical update that brings the state up to speed with the rest of the nation, some researchers fear it could displace an intelligence community that state government has worked hard to nurture and support. Chris Risley, CEO of California-based security company Bastille, says with the passage of SB 315, Silicon Valley is “salivating” at the chance to poach Georgia-based security researchers who don’t feel comfortable working in their own state anymore.

Intentionally broad

White-hat and gray-hat hackers in Georgia play important roles in exposing data breaches. Before Equifax’s 148 million-user data breach, a security researcher warned the Atlanta-based company of the bug that allowed the data to be publicly accessible. After reporting the vulnerability, the researcher was told it would be fixed immediately, but it wasn’t addressed for months, and the result was one of the largest data breaches in history. Equifax didn’t take advantage of the advanced warning it received, but SB 315 could discourage researchers in the state from from reporting those kinds of vulnerabilities if they find them, eliminating any possibility of an advanced warning for similar incidents in the future.

“The only people who will be prosecuted will be those who try to report [vulnerabilities] — which means people won’t report,” said Frank Rietta, a Georgia-based security researcher. “The criminal hackers who are actually stealing data and taking it to the dark web will still do that. They’re already breaking felony laws, so what do they care about a misdemeanor law?”

There are four exceptions where unauthorized access is legal under the bill: if access is gained between members of the same household, for “legitimate business activity,” for “active defense measures” and in “violations of terms of service or user agreements.”

Researchers say this wording is too broad, but Rep. Ed Setzler, chairman of the House Science and Technology Committee, said in a March 27 hearing that this is by design.

“‘Legitimate business activity’ is an extremely broad term, and it was broad intentionally. If there’s any business activity that someone can demonstrate — whether they’re sharing information through a file sharing service, whether they have access for payment purposes to get on a network to complete a financial transaction, whether they’re employee in the scope of what they do, all of these things are legitimate business activity,” Setzler said.

House Majority Whip Christian Coomer defended the wording of the exceptions on the House floor last week, saying that researchers would be covered.

“I think any legitimate activity that anybody wants to undertake, whether that’s in an academic setting, a business setting or frankly they’re just a freelance person trying to do some public good, would be within the exceptions,” Coomer said. “A person that is engaged in an activity that is designed to expose the particular weakness in a system is engaged in an activity that would fall within one of these two exceptions.”

The bill’s biggest supporter outside of the Senate has been Georgia Attorney General Chris Carr, along with the Georgia Chamber of Commerce and the research institutions across the state. Carr pointed out that Georgia is one of the final states to update its laws, and in a statement provided to StateScoop, the chamber’s senior vice president of public affairs, David Raynor, said that the bill would “support the development of policies that encourage and facilitate the growth of entrepreneurship and innovation.”

Despite these assurances, concern has continued to come from researchers and online civil liberties groups, like the Electronic Frontiers Foundation, who recently called for Gov. Deal to veto the bill.

Researchers say the law will be used against them and end their work as they know it today. Kurt Opsahl, general counsel for the Electronic Frontiers Foundation told StateScoop that if the state wants to continue recruiting the help of its research community, the bill is “just not very well put together.”

An honest effort

Some security researchers believe that the impetus for the bill was a gray-hat researcher’s attempt to see if the Georgia Election Center had secured the state election data adequately. Logan Lamb, a Georgia-based security researcher now employed by Bastille, heard about an FBI report in August 2016 that state elections were being targeted by malicious hackers.

Lamb, working independently, ran a script on the Georgia Election Center’s website to collect documents and PDFs publicly available on the site, he told Politico, but came back to his computer after lunch to find that he had combed 15 gigabytes worth of personally identifiable information. The data included 6.7 million voter registration records, software files for the state’s voter registration devices and databases for the state’s vote tabulation systems. The information was supposed to be behind a password-protected firewall, but as Lamb found out, the server was misconfigured and anybody could access it using Google if they knew where to look.

Lamb notified Merle King, the director of the center about the vulnerability and was told that the issue would be fixed, but that if he talked, “the people downtown, the politicians … would crush” Lamb.

In March of 2017, another freelance researcher, Chris Grayson, found an even simpler way to access the election center’s voter database, just by changing “https” to “http” in the browser address bar. The FBI was called in to investigate Lamb and Grayson’s actions, but didn’t find any wrongdoing from either party. Neither of the security researchers had gained “illegal entry,” because the data they accessed was already indexed by Google.

Soon after Lamb shared his story with the media, a group of election reform advocates sued the state to overturn the Georgia special election based on the publicly-accessible data Lamb found and its potential to sway the outcome of the election. The suit was filed July 3 — technicians at the Center for Election Systems, the state’s election center, destroyed a server containing the state’s election data that would have been crucial to the lawsuit on July 7. It’s not clear who ordered the server wipe, according to the Associated Press.

“They sincerely want to update their cybersecurity bill, and I think that’s an honest effort,” Risley told StateScoop. “I think they broadened it extraordinarily wide without realizing what they’d done, because they were convinced, for instance, that Logan had some evil reason to be on the election site — which he didn’t — and that he used some tricky method to hack the site — which he didn’t. What he used was Google search.”

Researchers say that lawmakers are tipping the balance of power strongly in favor of private companies.

“Rather than making requirements that companies need to take actions that companies need to lock down their systems,” Young said, “they’re potentially giving a tool to organizations to silence the researchers.”

Malicious intent

SB 315, researchers say, isn’t in place to protect the general public from having their information made publicly accessible, like the data Lamb found, or even to clarify what constitutes cybercrime for the benefit of the infosec community. It’s too broad for that — researchers say it’s in place to give corporations and prosecutors license to use selective enforcement.

“They refused to put anything in the bill about malicious intent — that makes any access of any system that isn’t authorized technically a crime,” Risley said. “One of the things that that means is when I visit a website in Georgia, I’ve committed this crime, because I didn’t get any authorization in advance and there I am.”

Currently, 94 percent of Fortune 2000 companies worldwide lack a responsible disclosure process for cybersecurity vulnerabilities — the process by which a researcher is able to inform a party of potentially exploitable weaknesses without fear of legal recourse. A malicious intent provision, submitted by Democratic Rep. Jonathan Wallace during the legislative process, was denied and does not appear in the final version of the bill.

“I spoke to the attorney general’s office about including an exemption for responsible disclosure. They weren’t ready for that because there wasn’t quite enough time to address it,” Wallace said. “I think it’s important that we implement a law that doesn’t have unintended consequences.”

The problem, Risley said, is that there is no possible way to know who can “authorize” computer or computer network access for the entire internet, making SB 315 a rule that virtually every Georgia citizen or user interacting with a computer or network located in Georgia will violate every time they go to a new website they haven’t received “authorization” to access and which doesn’t fall under one of the four exceptions.

“They wanted to give prosecutors and judges discretion,” Risley said. “So what they did was create a crime that will happen five million times a day. People will visit websites in Georgia. Some very small percentage of those will get charged. Their point is ‘You’ll get a fair trial.’ Nobody wants a fair trial. Nobody wants a trial at all — they don’t want to commit crimes.”

Even though the crime may be committed by everyone, researchers caution that it isn’t a license for mass incarceration as much as it is a scare tactic to limit security research.

“There’s a worldview here that the only legitimate security research is either a directly contracted penetration test or official law enforcement action,” Rietta said. “That fails when you have an expert in security like [Young] who says every website he visits, he sees security problems. [These problems] aren’t visible to your untrained eye or even to mine … but he sees stuff that people don’t see, not because he is hacking or looking for it, but because it is plainly evident from what’s on the webpages he’s visiting that they have fundamental design problems that are exploitable.”

Because of SB 315 though, researchers like Young will be placing themselves at risk if they choose to report their findings.

“There’s an assumption in the bill that if these guys didn’t find these vulnerabilities or didn’t talk about them, then they would go undiscovered,” Young said. “But everyday, the Chinese, the North Koreans, the Iranians and the Russians are poking all these systems looking for vulnerabilities. Our defense historically has been threat researchers, especially threat researchers around Atlanta, who are finding these vulnerabilities before the bad guys act on them.”

Researchers won’t be able to responsibly disclose vulnerabilities without admitting their discovery process, and simultaneously their violation of SB 315, Risley said.

“Here’s how this bill is going to be used,” Risley said. “When you come to a company and you say you have a vulnerability and you’re going to announce it in 90 days, they’re not going to charge you then — they’re going to say if you make a public announcement, then we’re going to charge you in violation of SB 315.”

Editor’s Note: An earlier version of this story reported that the Equifax breach affected 198 million people. The story was updated to reflect the accurate number of 148 million affected people.