May 8, 2018 at 5:00 am ET
The state of Georgia has been at the center of some of the most underreported controversies related to the compromise and possible hacking of voter databases across this country. A recent incident and how the state legislature handles it may have implications for election security that last for years to come.
In the wake of a 2016 national election that has continually been scrutinized over concerns of foreign meddling, cybersecurity researcher Logan Lamb breached Georgia’s supposedly secured election data by accident. Out of a curiosity inspired by stories regarding Russian election interference, Lamb, who is currently employed by Bastille Networks, began looking into Kennesaw State University’s Center for Election Systems. This entity is responsible for the programming of voting machines across the state of Georgia.
As a result of his unsolicited research, Lamb managed to download nearly 15 GB of Georgia voter information, including registration records for 6.7 million voters. Even more alarming is the fact that he was also able to access the login credentials designated for poll workers to use on Election Day.
This wasn’t a foreign intrusion. It wasn’t executed by an international hacking cooperative with a political agenda. The operation was not funded and carried out by anti-American actors; the voter information was instead stumbled upon innocently by a white hat hacker. Shockingly, it was carried out rather easily despite the presence of a firewall, because KSU left its root directory unsecured.
The response to this information from lawmakers was the proposal of SB 315 in the Georgia state Senate. This bill would criminalize unauthorized access to computers or networks and make such breaches punishable as a misdemeanor that carries a $5,000 fine and up to one year in jail.
Although this bill is intended to protect consumer, business and voter data, it raises concerns from some in the cybersecurity community that the bill could possibly subject well-intentioned IT researchers to criminal charges in the course of their normal duties.
While there are questionable aspects of the bill, it couldn’t come at a better time, as we face the looming threat of our personal data being exposed by social media networks like Facebook. To add insult to injury, hackers are continually perpetuating aggressive malware threats, with many of the latest among the most destructive in history.
Will the integrity of the upcoming midterm elections be compromised now that white hat hacking operations may potentially carry criminal penalties? The controversial bill also has the potential to set off a wave of similar legislation across the country as hacking concerns are once again highlighted in the wake of the Democratic National Committee’s federal lawsuit against the Trump campaign, WikiLeaks and Russian entities.
Georgia Attorney General Chris Carr released a statement endorsing the passage of the bill: “In a world where hackers — whether they are state-sponsored actors, organized criminal enterprises, loose confederations or lone wolves — attempt every single second of every single day to gain unauthorized access to our computers and computer networks, this common-sense solution will close a window of opportunity for those who wish us harm.”
Even worse, the bill may wind up giving prosecutors the ability to charge internet users with a crime for merely violating the terms of service on a website or app, Georgia Rep. Jennifer Jordan (D) said on the Senate floor. She proposed an amendment that would have defined unauthorized computer access as bypassing a password or other technical barrier with malicious intent. It failed by a 33-20 vote.
As the cybersecurity and IT worlds wait to see whether this new “Unauthorized Criminal Access” bill is signed into law by Gov. Nathan Deal, some, like Casey Ellis, founder and CTO of Bugcrowd, think the bill is problematic because it does not differentiate between the good guys (Infection researchers and IT professionals) and bad guys (for-profit hackers and foreign election meddlers).
“The internet is more secure today because of the efforts of good-faith hackers – many of whom live in Georgia – and their efforts to help will now be chilled by this bill,” he said.
“While bug bounty programs started as a niche Silicon Valley tech thing, you’d now be hard pressed to find an industry that isn’t using this solution. Soon these programs will be the norm – it will be weird if your organization isn’t running some sort of vulnerability disclosure or bug bounty program. And the federal sector is no exception – it’s been great to watch this concept begin to take hold within the government,” Ellis told SC Magazine.
While on the surface this bill may merely seem like an example of government overreach, the reality is that it could have wide-reaching implications for our nation’s cybersecurity. With a critical midterm election mere months away, one thing is for certain: we should be doing all we can to encourage better security across our critical networks, and discouraging white hat hacking operations would run contrary to that mission.
Julio Rivera is the founder and president of J & MYR Consulting and a columnist who writes extensively on cybersecurity issues.
Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.