Security researchers are extremely worried by Senate Bill 315, also known as the Computer Intrusion Bill, which threatens to criminalize security research. The bill would expand the state’s current computer law to create what it calls the “new” crime of unauthorized computer access. It would include penalties for accessing a system without permission even if no information was taken or damaged. This could be detrimental to Georgia’s cybersecurity industry because the bill, if passed, could result in security researchers being penalized for necessary tasks like uncovering system bugs.
The bill was drawn up by Georgia state senator Bruce Thompson and was approved by the state’s senate. Progress on the bill was halted on Monday, leaving it effectively dead in its current form, but it has since been revived because a substitute bill could not be offered. Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposures Research Team, commented below.
Craig Young, Computer Security Researcher at Tripwire:
“Security researchers are the first defenders against data breaches. Ethical hackers find vulnerabilities in systems and expose them to product vendors so they can be patched before they are exploited maliciously. Finding and exposing these vulnerabilities is not a criminal act, it is done with the intent of making the products safer for consumer use.
Criminalizing “ethical hacking” activities is a very bad idea as it will ultimately expose consumers to new risks, and it will also hurt Georgia’s flourishing cybersecurity industry.
The bill must consider what constitutes unauthorized criminal access. Anyone who is finding, but not exploiting vulnerabilities (beyond what is necessary to confirm their presence and communicate the issue), must be excluded from prosecution.
Only actions with malicious intent or perhaps also reckless abandon should be considered criminal. If this bill passes, I myself will have to seriously consider relocating to make sure that I can continue to contribute to the security community.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.