Hacktivists, Tech Giants Protest Georgia's 'Hack-Back' Bill

lod123 shares a report from Threatpost: As Georgia Governor Nathan Deal considers whether to sign a controversial piece of legislation that would allow companies to 'hack back' with offensive initiatives in the face of a cyberattack, companies from across the tech spectrum are lining up to protest the measure. Also, a hacktivist group has targeted Georgia Southern University, two restaurants and a church to protest the bill. Opponents have twin beefs when it comes to Senate Bill 315: Some are questioning whether legitimizing offensive attacks will open the door to a new kind of corporate warfare; and others are concerned that the law will have a chilling effect on cyber-research by criminalizing white-hat activity like vulnerability research and pen-testing.

Google and Microsoft are in the former camp, and have asked Deal to veto the bill, which was passed by the Georgia General Assembly in March and which is nearing its deadline for signing into law. The two giants take issue with a provision in the bill that allows "active defense measures that are designed to prevent or detect unauthorized computer access." In a letter to the governor, the two argued that S.B. 315 "will make Georgia a laboratory for offensive cybersecurity practices that may have unintended consequences and that have not been authorized in other jurisdictions," and that "provisions such as this could easily lead to abuse and be deployed for anti-competitive, not protective purposes." They added: "On its face, this provision broadly authorizes the hacking of other networks and systems under the undefined guise of cybersecurity... [B]efore Georgia endorses the 'hack back' authority in 'defense' or even anticipation of a potential attack with no statutory criteria, it should have a much more thorough understanding of the ramifications of such a policy." Tripwire also filed a letter with the governor's office: "[A]ccording to the wording of S.B. 315, well-intentioned ('white-hat') researchers could be subject to civil or criminal prosecution when following industry best practices in investigating a website for protection from a potential cyber-attack. It is our firm belief that an explicit exception is required to exclude prosecution when the party in question is acting in good-faith to protect a business or their customers from attack. Without this exclusion, S.B. 315 will discourage good actors from reporting vulnerabilities and ultimately increase the likelihood that adversaries will find and exploit the underlying weaknesses."

Kinda want to see it

[argumentsockpuppet]

Someone willing to break the law can knock innocent businesses and individuals off of the internet with practically zero fear of getting caught or stopped. That's the state of the internet right now. Truly fixing that situation is impossible without a degree of frightening fascism that would be the end of the internet as we know it. I'd love to see a world where there weren't millions of stupidly insecure devices connected to the internet, not to mention the hundreds of thousands of devices with reasonable security still managing to have vulnerabilities that haven't been patched yet. Without a single country controlling what is allowed to connect to the internet (a bad idea,) it's not a solvable problem.

People think that securing your own systems is sufficient to protect your company, but it isn't. In order to protect your business from malicious activity you need control of the fabric outside of your company. A typical small company can't protect the ISP routers that connect them to the internet, and so can't protect themselves against a DDOS. How many hops are between your customer and your website? Unless you're running your website through CloudFront, Azure, or Google; you won't have the resources to absorb the attack without losing business. I remember watching Microsoft get DDOS'd off of the internet, and Google. Even Amazon has had outages, so no matter what you do, your website isn't bulletproof.

The internet gives freedom, enormous freedom, to people, but it's disproportionate. Malicious attackers who don't have to follow the law have more power than people and companies required to do things legally. Bringing balance to that equation, by allowing victims to fight back, could have huge repercussions. They could be great or terrible, but I believe most organizations and people would do less harm than the current law breakers, if they had the freedom to fight back.

I understand the arguments against legalizing fighting back, but honestly the "innocent" people likely to be harmed are the people who were negligent in securing their own equipment. I have a hard time feeling bad for those people.

Some ISP is going to have routers with insecure firmware. Those routers are going to be roped into a DDOS attack that takes some sleezy spamming company's website down and the spammer company is going to kill thousands of innocent consumer routers, who couldn't have secured their routers even if they'd been interested in security and knowledgeable of their options. But what's the result of that?

It's evolution. The free market can solve this problem, but not if the government is so focused on protecting innocents that they protect the law breakers at the expense of those who have to follow the law. The criminals have freedom. I am in favor of giving law abiding people a limited subset of that freedom.

I can argue either side of this argument, but I choose this side to represent. See my user ID.

Weirdly Written

[rtb61]

The law itself looks as strange as. I did not know it could be considered a criminal offence to disclose a password, seriously, what twit put that in there. Freedom of speech means, you are fully entitled to release passwords not necessarily keep your job but certainly claims of a criminal offence are insane. Also you can only access a computer for business purposes, like WTF, social media not allowed, workers social contacts a criminal offence. Let alone an empty 'active defence measures' without defining what an active defence measure are and what are acceptable and what are not and clearly the law is tied to one state. No matter how nuts they try to get with location of the crime, tying it to the residence of the business, regardless of the location of the attack, apparently anywhere in the world or the source of the attack anywhere in the world but it only refers to counties and not states or nations.

You can claim legal what ever you want in what ever crazy state of the US but it will get interesting when it affects other states and countries and whose law applies when, regardless of silly claims about the residence of the owner of the network and ignoring location of the network under attack and or the location of the attacking network.

Re: Self defense isn't a 'wrong'.

[Calydor]

This bill is essentially having you walk through a crowded square, blindfolded, and if someone grabs your butt you're allowed to pull out a pair of uzis and start firing at random.

Yes, I feel that is an accurate description of hacking back against a network of zombie machines owned, often unwittingly, by innocent people around the world.