A bill passed by Georgia’s legislature that would have criminalized unauthorized access of computer systems and allowed companies to “hack back” in defense against breaches was vetoed on May 8 by Georgia Governor Nathan Deal. The veto came after many weeks of opposition from information security firms and professionals, as well as major technology companies, including executives from Google and Microsoft who expressed concern that the bill would actually make it more difficult to secure computer systems. Georgia is the home of Fort Gordon, an Army base that serves as home to units of the Army’s Cyber Command and to parts of the National Security Agency, and the state has become home to an increasing number of cybersecurity firms as a result of both the Army/NSA presence and research at Georgia’s universities. Against that backdrop, Deal realized after feedback from the industry that the bill could have resulted in inadvertent damage.
But Deal’s reasoning wasn’t necessarily what individuals in the information security research community would have hoped for. And there’s still a chance that another bill—one more acceptable to technology giants but still criminalizing some aspects of information security research—could emerge in the next legislative session and win Deal’s approval.
The bill was a direct result of the controversy that followed the discovery of major security issues in Georgia’s election systems by Georgia-based security researcher Logan Lamb. Lamb found that a flaw in a Drupal-based system at Kennesaw State University’s (KSU’s) Center for Election Systems (CES) left the personal data of 6.7 million Georgia voters exposed to the Internet—including dates of birth and Social Security Numbers. Lamb immediately contacted CES Director Merle King with details of the exposure; King told him that the misconfigured Web server would be fixed.