Georgia Gov. Nathan Deal announced on Tuesday that he would veto a controversial bill, Senate Bill 315, criminalizing “unauthorized computer access,” citing the bill's potential to hinder, rather than help, organizations' ability to secure their computer systems as a reason for his decision.

Deal noted in a statement that “certain components of the legislation have led to concerns regarding national security implications and other potential ramifications. Consequently, while intending to protect against online breaches and hacks, SB 315 may inadvertently hinder the ability of government and private industries to do so.”

Legislators voted to approve the bill, sponsored by Sen. Bruce Thompson, R-White, on the last day of the legislative session, March 29, with a 42-7 vote in the Senate. Thompson proposed the legislation as a response to the “hack that happened” at Kennesaw State University, a reference to a breach of Georgia's voter and election data through the university identified by a cybersecurity researcher in March 2017.

The bill provided exemptions for members of the same household, access to networks for a “legitimate business activity,” defensive measures “designed to prevent or detect unauthorized computer access” and terms of service violations. Unauthorized computer access outside of those exemptions, under the language of the bill, would be punishable by up to one year in jail and a $5,000 fine.

Thompson and state Attorney General Chris Carr have said that Georgia is one of only three states without legislation to outlaw unauthorized computer access. However, cybersecurity researchers in the state have spoken out against the bill, citing fear of prosecution for many common cybersecurity research practices, including penetration testing. David Maass, senior investigative researcher for digital rights advocacy group Electronic Frontier Foundation, previously told the Daily Report that the bill as written was likely to “chill security research, particularly the kind of research conducted by independent contractors and students.”

Other protesters have taken more aggressive measures. The Augusta Chronicle last week reported that a group of hackers calling themselves SB 315 hacked into computer systems operated by two Augusta-area restaurants, saying the breaches are in protest of the bill's potential impact on “white hat” or ethical hacking by users looking to research potential security vulnerabilities in a computer system. The group claimed to have extracted user credentials from systems operated by Georgia Southern University and the city of Augusta, but officials from both have denied that their networks had been breached.

Prosecuting Attorneys' Council executive director Pete Skandalakis said prosecutors in the state “have no interest in catching researchers or white hat cybersecurity personnel.”

“We have no interest in prosecuting those individuals. We understand what the intent of the Georgia legislature is and was when that statute was written, and we would enforce it in that manner,” Skandalakis told the Daily Report of the bill.

The legislators' intent, according to Skandalakis, would have prosecutors focus their efforts on “people who illegally gain access to a person's computer and lurk around,” adding that “lurking,” a term used a great deal during the legislative session, refers most likely to cyberattackers with “no real intent to benefit the system for the person whose computer it is.”

Representatives from Google and Microsoft urged Deal to veto the bill in a letter dated April 16, citing potential concerns about the defensive, or “hacking back,” measures enabled by the bill exemptions. “Provisions such as this could easily lead to abuse and be deployed for anti-competitive, not protective purposes,” the letter said. Thompson told the Senate floor upon introducing the bill that he had consulted a consortium of technology companies, including Google and Comcast, in drafting the bill.

“We believe that Senate Bill 315 will make Georgia a laboratory for offensive cybersecurity practices that may have unintended consequences and that have not been authorized in other jurisdictions,” the letter noted.

In his statement, Deal noted that Georgia has amassed a sizable cybertechnology and national security presence in recent years, pointing to the U.S. Army Cyber Command base and training center located in Augusta and the state's private sector technology and cybersecurity research institutions.

Deal urged legislators to work with the cybersecurity and law enforcement groups “to develop a comprehensive policy that promotes national security, protects online information, and continues to advance Georgia's position as a leader in the technology industry” in coming legislative sessions.