Governor Deal, veto SB 315 because white hat security researchers should be thanked not jailed!

Friday, April 13, 2018

Governor Nathan Deal

Office of the Governor

206 Washington Street

111 State Capitol

Atlanta, Georgia 30334



Dear Governor Deal:

I am writing you today on behalf of my Georgia-based security firm, asking that you veto SB 315. I am a long-term Georgia resident, raised in the Atlanta area, and earned a B.S. in Computer Science and an M.S. in Information Security at Georgia Tech. My wife Danielle is a Mercer University alumna, and we are both conservative Christians who voted for you. My interest in computer security started early, after I founded AtlantaWebHost.com eighteen years ago and started to see firsthand how websites and servers were under continuous attack by malicious hackers. This firsthand experience was the catalyst for pursuing a career dedicated to protecting websites and web applications from attackers.

My security firm Rietta.com is in the business of defensive security. Our business is built around the realization that security cannot be bolted on at the end of a development process, and thus if you want to build web applications capable of withstanding constant attack from hackers and those who would cause users harm, you have to build security into the development process itself. This has become even more critical with the rise of cloud-based computing and the proliferation of mobile iPhone and Android applications that communicate constantly with publicly accessible web-based API servers to function. In our industry, the security perimeter is no longer defined as a network firewall, but is instead wherever your servers make an authentication decision. This means ultimately all security depends on software security.

I have not been silent throughout the legislative process. From the time I learned that SB 315 had passed the Senate and had a chance to read it for myself, I have been actively communicating with the legislature about my concerns. I traveled to the State Capitol on several days, losing billable client work, to speak at three House committee hearings. As a computer security professional, I find SB 315 exceedingly dangerous in its deceptive simplicity. It seeks to create a new offense of unauthorized access without authority in sweeping terms. SB 315 is based on ideas that do not match up with the realities of Internet security, especially four myths.

Myth 1: All intentional unauthorized access to a computer or computer network requires some sort of hacking or other tricky means to bypass security.

The reality is that many websites inadvertently publish sensitive information and documents publicly on the Internet in a way not protected by any firewall or technical security control. Often sensitive documents that are published by mistake are indexed by public search engines such as Google and are easily discoverable through ordinary search. That a company regrets the decision to publish should never mean that someone who does a Google search or requests a web page from a public web server could face criminal charges. Companies should be responsible for their security decisions and should not prosecute a website visitor.

Myth 2: All legitimate security research is conducted by parties in a business relationship with the owner of the system being researched.

During the public discussion, others have suggested an analogy that it is never right for a white hat security researcher, no matter how well intentioned, to enter a private digital home without permission of the owner. This analogy does not match reality. This is not about digital homes, but about digital public places of business on the public Internet. A better analogy is a physical security expert visiting a business open to the public during normal business hours who sees a public safety problem that puts all customers at risk. Such an expert should be able, without fear of prosecution, to freely bring the problem to the attention of management or whoever can fix the issue.

Recent history is full of stories about companies that were quietly warned about major security problems and yet did nothing about them until after they became publicly known or, worse, there was a major breach of private customer data.

Myth 3: Hackers are painstakingly breaking into networks by hand and then lying in wait in time frames where they may be “caught in the act.”

While that may be true at times for extremely high value companies targeted by sophisticated hackers, most attacks are automated crimes of opportunity. This means that automated programs scour the Internet for every vulnerable system and automatically exploit the holes to gain access. From start to finish, the automated hacking could take place in literally seconds, or minutes at most. The only defense is to discover and patch security issues beforehand, which requires either sophisticated security teams or continuing to allow good Samaritan white hat researchers to notice issues on publicly accessible systems and bring the problems to the attention of whoever can fix them.

Of the Forbes 2000 largest companies, 94% have no published means to contact them about a security hole. This statistic points to the public being at risk of having their data compromised with little recourse. These are some of the largest companies in the world. The story is even worse with smaller firms.

Myth 4: When a security incident or data breach occurs, the company or organization whose computer system was compromised is the primary victim.

The reality is that companies and public organizations maintain massive databases of the personal private information of millions of people. When a data breach occurs, millions of people are directly harmed with loss of privacy, risk of identity theft, or worse. And yet, the law and businesses treat these true victims as mere externalities rather than as people whose private data was violated. Sadly, big companies are purchasing cyber insurance to cover financial losses instead of fixing fundamental security issues that put their customers at risk.

Equifax, headquartered in Atlanta, was recently breached by a malicious party who obtained personal financial data on 148 million people via a security flaw that security researchers had warned Equifax about months in advance, and Equifax did nothing (Equifax Was Warned, motherboard.org). After the breach became public knowledge, it was apparent that there was a substantial lack of basic computer security processes, such as keeping employee portals off the Internet and not allowing a username of admin and a password of admin to be used in production systems.

After the breach, Equifax’s stock declined for a short time, some senior executives retired, and the CEO tried to blame the issue on just some IT personnel not doing their job. This is not right, and the American public knows it is not right. The security problems at Equifax are a failure of leadership as much as any particular IT process, and it starts with a business model that does not value the sanctity of people’s private information in the first place.

In conclusion, the State of Georgia is a world leader in the cybersecurity arena with a $4.7 billion industry that employs tens of thousands of people. While the State may consider legislation appropriate to prosecute true cybercriminals, SB 315 is not the way forward. Any appropriate legislation must comprehensively address the real issues that cause millions of people to be harmed in data breaches, instead of outlawing good Samaritans who try to bring Internet safety issues into the daylight so that the issues are fixed and the public is protected.

I am asking you to veto SB 315 because white hat security researchers, the good Samaritans of cybersecurity, should be thanked not prosecuted.

Sincerely,

Frank S. Rietta, M.S. Information Security

Web Application Security Architect

Rietta, Inc., a Georgia-based corporation

This is the copy of the official letter from Rietta, Inc., to Georgia Governor Nathan Deal that was transmitted to his office last Friday. The only changes have been formatting for publication on this website and the removal of my personal e-mail and cell phone number.