Georgia governor vetoes controversial ‘hack back’ cybersecurity bill opposed by Silicon Valley

The governor of Georgia has vetoed a controversial computer crime bill opposed by Microsoft and Google over concerns raised by its likely implications for state and national security.

Republican Gov. Nathan Deal rejected Senate Bill 315 on Tuesday, siding with Silicon Valley stakeholders over state lawmakers in the face of an end-of-day deadline to either announce his veto, sign it into law or let it take effect without his signature.

“[W]hile intending to protect against online breaches and hacks, SB 315 may inadvertently hinder the ability of government and private industries to do so,”  Mr. Deal said in a statement. “After careful review and consideration of this legislation, including feedback from other stakeholders, I have concluded more discussion is required before enacting this cyber security legislation. The work done this session by the legislation’s sponsors and stakeholders provides a solid foundation for continued collaboration on this issue.”

Introduced in January and subsequently passed by both the state House and Senate this spring, SB 315 would have made accessing a computer network without permission a crime punishable by up to a year in jail and a $5,000 fine.

Critics said the bill was vaguely worded, however, and warned that its provisions could be interpreted to criminalize certain types of cybersecurity research and permit companies to “hack back” against attackers.

Specifically the bill would have legalized “active defense measures that are designed to prevent or detect unauthorized computer access,” prompting concerns raised in a letter sent to Mr. Deal last month from attorneys for Microsoft and Google.

“[B]efore Georgia endorses the ’hack back’ authority in ’defense’ or even anticipation of a potential attack with no statutory criteria, it should have a much more thorough understanding of the ramifications of such a policy,” the attorneys wrote. “Provisions such as this could easily lead to abuse and be deployed for anti-competitive, not protective purposes.”

“We believe that Senate Bill 315 will make Georgia a laboratory for offensive cybersecurity practices that may have unintended consequences and that have not been authorized in other jurisdictions,” their letter said.

In his statement Tuesday, Mr. Deal said he hoped his veto would inspire lawmakers to draft a new bill taking into consideration critics’ concerns.

“It is my hope that legislators will work with the cyber security and law enforcement communities moving forward to develop a comprehensive policy that promotes national security, protects online information and continues to advance Georgia’s position as a leader in the technology industry,” he said.