Over the years, members of Critical Path Security have engaged wholeheartedly in the practice of responsible disclosure of vulnerabilities. This was highlighted in findings related to Apple, Cisco, and Websense, in which our researchers gave the vendors ample time and a clear channel of communication to validate the findings and develop remediation plans before the flaws were made public.
However, despite the objections of the cybersecurity community, the Georgia legislature has passed a bill that would expose independent researchers who identify vulnerabilities in computer systems, such as Critical Path Security staff, to prosecution and up to a year in jail.
Patrick Kelley, CTO of Critical Path Security, shared the following:
“Over the last two decades, I’ve found numerous vulnerabilities in various platforms, many of them used by government agencies and healthcare. In the beginning, when my initial finding of WiredRed was released, I found it necessary to release the finding under a pseudonym. I was young and the laws weren’t well established or communicated. In my recent finding regarding Apple, I felt free to share that finding under my real identity without fear of legal ramifications. I found the vulnerabilities using my own hardware and performed responsible disclosure. The ramifications of this bill will require individuals, such as myself, to either halt all disclosures to vendors or return to the methods used in the early ’90s.”
EFF quotes Georgia’s Scott Jones as stating, “Basically, if you’re looking for vulnerabilities in a non-destructive way, even if you’re ethically reporting them—especially if you’re ethically reporting them—suddenly you’re a criminal if this bill passes into law.”
Critical Path Security currently has knowledge of several vulnerabilities in products deployed in multiple environments and is pausing the release of those findings for the time being.
As far back as our founder’s time at Georgia Tech’s ATDC, Georgia has striven to become a center for cybersecurity research. Universities such as Clark Atlanta, Columbus State, Georgia Tech, Kennesaw State University, and the University of North Georgia have invested heavily in programs designed to expand the state’s cybersecurity training complex. Unfortunately, it seems those same universities are now halting research projects to avoid exposing students to legal liability.
Andy Green, a lecturer in information security and assurance at Kennesaw State University, is quoted as stating, “I’m putting research on hold with college undergrad students because it may open them up to criminal penalties. It’s definitely giving me pause right now.”
Critical Path Security understands that the State of Georgia has suffered significant blows, including the data breach at Kennesaw State University, the ransomware attack on Atlanta, and incidents at other local municipalities that Critical Path Security has directly responded to, just to name a few, and that the state is anxious to prevent further incidents. However, this piece of legislation will NOT solve those problems.
As Chris Roberts stated, “Dear Georgia, I totally get the logic to prosecute the criminals who are maliciously attacking you, but your actions should not be punitive against those of us trying to help.” At Critical Path Security, we completely agree. Legislation to better protect Georgia-based individuals and organizations has its place, but it has to be written in a way that embraces researchers and fosters a model of growth.
A two-page document (SB 315) will not sufficiently address this complicated issue. It’s going to require more complex thought and significant advisement from active members of the Information Security community.