
Utah House Bill 225

posted Feb 3, 2016, 9:05 AM by Jer Cox   [ updated Feb 8, 2016, 12:15 PM ]
I have serious concerns with Utah House Bill 225. Currently as written, the bill makes standard IT procedures punishable by law. Let me explain.

A standard security practice mentioned in security models is something called Penetration Testing, also known as Red Team Exercises. Please see the SANS Critical Security Controls number 20. Penetration Testing is essentially hacking into a system with authorization to prove whether or not it is vulnerable. These tests intentionally cause non-permanent damage to systems in a controlled environment. These methods are used to identify and eliminate risks. Penetration Testing is normal, and Washington County School District and other state entities use it to identify problems before data can be compromised by outside actors.

HB 225's language makes these practices punishable by law. In the following section:

102 (1) A person who with or without authorization gains or attempts to gain access to any
103 computer and unlawfully alters, damages, destroys, discloses, or modifies any computer,
104 computer network, computer property, computer system, computer program, or computer data
105 or software, and [thereby] as a result causes economic or property damage, or both, to another
106 person or entity, or obtains money, property, information, or a benefit for any person without
107 legal right, is guilty of:

The "with or without authorization" is where the problem is.

HB 225 addresses the use of these methods as an "affirmative defense".

146 [(5)] (6) It is an affirmative defense to Subsections (1) and (2) that a person obtained
147 access or attempted to obtain access in response to, and for the purpose of protecting against or
148 investigating, a prior attempted or successful breach of security of a computer, computer
149 network, computer property, computer system whose security the person is authorized or
150 entitled to protect, and the access attempted or obtained was no greater than reasonably
151 necessary for that purpose.

But as written, I would have to defend myself after every security assessment. Any other individual with knowledge of the assessment would be required to report it, as stated in the following section:

154 Every person, except [those] a person to whom a statutory or common law privilege
155 applies, who has reason to believe that [the provisions] any provision of Section 76-6-703 [are]
156 is being or [have] has been violated shall report the suspected violation to:

I would have an "affirmative defense", but it would come at great cost to me and my employer.

I understand that the writer is concerned with disgruntled employees who intentionally and maliciously damage systems and currently have access and authorization to use said systems. I appreciate and applaud a law that protects organizations from disgruntled employees. But if you read the current definition of authorization, it states:

44 (2) "Authorization" means having the express or implied consent or permission of the
45 owner, or of the person authorized by the owner to give consent or permission to access a
46 computer, computer system, or computer network in a manner not exceeding the consent or
47 permission.

So exceeding authorization is equivalent to having no authorization. Since such employees have affirmatively exceeded their authorization, I don't believe this bill accomplishes anything other than creating extremely broad legislation that can easily be twisted and used to prosecute routine IT tasks.

In addition, the same "with or without authorization" language is used in the following section and could also be extremely problematic.

140 (4) A person who intentionally or knowingly, and with or without authorization,
141 interferes with or interrupts computer services to another authorized to receive the services is
142 guilty of a class A misdemeanor.

The next section is even more problematic.

143 (5) A person who by means of a computer, computer network, computer property,
144 computer system, computer program, computer data or software intentionally or knowingly
145 interferes with or interrupts critical infrastructure is guilty of a third degree felony.

Intentional interruption of services on a critical network is something that we do frequently under authorization. More often than not these interruptions are done by means of a computer, which would make me and many others guilty of a third degree felony. The interruptions I'm referring to are network outages.

I have tried to work with the author of this bill, and he was somewhat responsive last week. However, I am still extremely concerned that if this bill should pass as written it would become an entrapment for myself and other network / IT security personnel.

And that's just the tip of the iceberg...

The Washington Post explains more issues here: