Mike Papantonio: The governor of Georgia vetoed a controversial cyber security bill that recently passed in the state’s general assembly. This was done after the governor received immense pressure from Microsoft, Google and other tech companies to reject the bill on grounds that it would empower hackers instead of stopping them.
Joining me to talk about this is Mollye Barrows, Legal Journalist for The Trial Lawyer magazine. Mollye, why do these tech companies believe the bill would’ve worked against cyber security? Explain that.
Mollye Barrows: There are a couple of reasons that they feel this way, Pap, but before I get into it I’ll explain to you a little bit about how the bill would work and it’ll explain more why their concerns or why they were concerned about it. SB315, that was the name of the bill that Georgia legislators had wanted to pass, and essentially they were trying to close some loopholes, if you will, where folks could target, they were targeting what’s called online snoopers. People that weren’t necessarily disrupting or stealing data right away, but they were probing systems to see where their vulnerabilities are.
That was what the bill was targeted to do, however, there was a group of more than 50 researchers, whether they were cyber security researchers, independent or associated with companies like Microsoft or Google, they jumped into the debate. They asked the governor, Nathan Deal, not to sign it basically because they said, “If you do this then you’re also penalizing those good guy hackers,” if you will, those that are just on their own time looking for security holes and breaches and when they find them they report them.
The other part that was concerning to them is some language within the bill that talked about defense measures taken against that it freed up people in Georgia to take defensive measures without being specific against anyone who they felt was hacking their system. In other words, without defining what those defensive measures could be they could potentially be enabling people to hack back, which would create this tit for tat hacking problem.
That was part of the reason Microsoft and Google got involved, along with these other cyber security researchers. They were saying, “Hey, this isn’t a bad bill, but it’s not perfect and it could potentially create more problems than it helps. You guys need to go back to the drawing board.”
Mike Papantonio: What prompted the state government to get involved with passing this law to begin with? What was that all about?
Mollye Barrows: It turns out that an independent cyber security researcher, one of the good guys that supposedly that they felt like was going to be inadvertently harmed by this bill, had exposed a vulnerability in the computer system that handled the state of Georgia’s elections. What they found was that 6.7 million registered voters that their personal data was exposed online on this system. They immediately jumped to address it when this independent researcher brought it to their attention and they addressed it within days of a lawsuit that had been filed against the state of Georgia saying, “Hey, we’re not so sure that your voting system in the computer program, the computer system supporting it, isn’t vulnerable.”
It turned out that it was this big deal, made national headlines, that this big, all this data breach … It wasn’t a data breach, but that all this data had been exposed and that there potentially could’ve been a breach but they managed to erase it and protect all that data. That’s what spawned this bill to begin with. They saw that there was a need for it and they went to address it and then in addressing it they found these other holes as well.
Mike Papantonio: One of the arguments against this law, as you pointed out, is it’s going to target white hat hackers. To explain why that is, you’ve got every week we see that some major bank has been hacked and all the accounts are gone, that some major technology entity has been hacked and all of your personal information is gone, your Social Security, your birth date, your card numbers, virtually everything. The white hat hackers, they actually do serve a purpose in trying to make sure that maybe that doesn’t go on. Explain that just a little bit. How does that work?
Mollye Barrows: It’s interesting, and even the term white hat hackers sort of calls to mind the days of the wild west when you had good guys and bad guys in this sort of lawless land. Cyber security, it’s almost like that. These people, technology laws are having trouble, as you know, keeping up with technology, so these white hat hackers are guys like the independent researcher that found the potential vulnerability or the vulnerability, that data exposure in the voting machine system for Georgia.
These white hat hackers, they go in, they probe vulnerabilities, they find them, they alert companies or states like Georgia of the problems so that they can fix them, but if Georgia were to pass a law like this it would basically, it would deter these guys from reporting it.
Mike Papantonio: My quick take is that corporate America needs to be more responsible in what they do with our information to begin with, but that’s another story for another day. Mollye, thank you for joining me, okay.