Georgia Governor Nathan Deal vetoed a cybersecurity bill this week that would have criminalized unauthorized computer access but granted exceptions for "hacking back."
Senate Bill 315 was passed by Georgia's General Assembly in April, and it drew the attention of critics who said the cybersecurity bill would enable private companies to hack into other networks. Executives from Google and Microsoft also expressed opposition to the bill because a provision would grant exceptions for "active defense measures," which they said would make it more difficult to secure enterprise systems.
"Georgia codifying this concept in its criminal code is potentially a grave step that has some known and many unknown ramifications for technology companies, the tech community at large, and any company with a computer network," Google's Ron Barnes and Microsoft's Ryan Harkins wrote in a letter to Deal opposing the bill.
The executives argued the provision would give companies and individuals the right to "hack back."
"Network operators should indeed have the right and permission to defend themselves from attack, but, before Georgia endorses 'hack back' authority in 'defense' or even anticipation of a potential attack with no statutory criteria, it should have a much more thorough understanding of the ramifications of such a policy," Barnes and Harkins wrote. "Provisions such as this could easily lead to abuse and be deployed for anticompetitive, not protective purposes."
Following the feedback from industry experts, Deal vetoed Senate Bill 315.
"After careful review and consideration of this legislation, including feedback from other stakeholders, I have concluded more discussion is required before enacting this cyber security legislation," Deal said in a statement on May 8, the deadline to sign or veto the cybersecurity bill. "[W]hile intending to protect against online breaches and hacks, SB 315 may inadvertently hinder the ability of government and private industries to do so."
Senate Bill 315 was drafted to update the existing laws in Georgia. It would have charged anyone who knowingly accessed a computer or computer network without authorization with a misdemeanor.
In other news
- IBM has banned its employees from using portable storage devices. According to a report from The Register, IBM's global chief information security officer Shamla Naidoo issued an advisory to the staff that said the company is "expanding the practice of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive)." IBM reportedly already had this practice in place in parts of the organization, but now it is being rolled out worldwide to avoid misplaced or misused devices, which could lead to sensitive data being exposed. Similar bans have been issued in sectors of the U.S. government and in other organizations, with varying levels of success. It's unclear why IBM is implementing this ban now, though the company has implemented its own secure file transfer system for employees to use instead of removable storage devices.
- The full extent of the 2017 Equifax data breach has finally been revealed. This week, executives from the credit reporting bureau submitted a statement for the record to the U.S. Securities and Exchange Commission (SEC) that listed the details of last year's data breach. Total numbers of affected individuals had been released earlier, but the SEC document breaks down the totals by the type of information exposed. For instance, of the 146.6 million individuals affected by the breach, 145.5 million had their Social Security numbers exposed, 99 million had their addresses exposed, and 20.3 million had their phone numbers exposed. Other exposed data included gender, driver's license information, email addresses, credit card numbers and tax identification numbers. Equifax also said that the "dispute documents" that were stolen were images uploaded to the company and included images of driver's licenses, Social Security numbers, taxpayer ID cards, passports, military and state IDs, and other documents. The document also noted that the stolen data didn't come from a single compromised database but from a collection of databases, which contributed to Equifax's inability to immediately report the exact number of affected consumers and the types of data stolen.
- The Trump Administration's national security team may eliminate the White House cybersecurity position. According to a report from Politico, John Bolton, the new national security advisor to the president, is pushing to eliminate the role of special assistant to the president and cybersecurity coordinator. Rob Joyce took over that position in 2016, but has announced that he is leaving it to return to his work at the National Security Agency. Bolton has previously advocated using a more aggressive cyber strategy against foreign adversaries but may hand over the cyber duties to another staff member, such as his deputy Mira Ricardel, according to Politico. The report from Politico also notes that some officials have raised concerns about the potential move, saying it would send the wrong message about how the U.S. prioritizes cybersecurity and would undo the work already done.