Two cybersecurity bills making their way through the Georgia legislature have some First Amendment advocates uneasy over what they say would be a restriction on the public’s access to information about existing and potential cybersecurity threats.
Neither bill has received any opposition from state lawmakers.
House Bill 134, which passed 170-0 last month, would amend the state’s open meeting laws to allow government entities to close meetings to the public when discussing cybersecurity matters.
The bill was authored by state Rep. Victor Anderson, R-Cornelia, with local sponsors, including state Reps. Lee Hawkins, R-Gainesville, and Matt Dubnik, R-Gainesville.
Dubnik told The Times that the intent of HB 134 is to help municipalities, like Hall County, prepare for future cyberattacks.
“I brought this bill to the attention (of legislator) as a result of what happened to Hall County in October,” said Dubnik. “Taxpayers have enough to deal with besides some punk kid behind a computer attempting to make money off valuable information.”
Dubnik said the bill, if passed, will allow local governments to install cybersecurity measures and ward off complex cyberattacks.
In October, Hall County was the subject of a ransomware attack that disrupted county services, including the courthouse, government center, community centers, sheriff’s precincts and other facilities.
County officials provided some information about how services were affected, but outside of a press statement by Hall County officials on Oct. 30 — three weeks after the attack — information about the cause or nature of the attack has been scant. When The Times inquired about the status of an investigation into the October cyberattack, Hall County officials did not comment on the matter, citing the “sensitive nature” of the situation.
Under HB 134, the identity of cybersecurity vendors, who often work to help municipalities protect or recover sensitive information, and terms of the agreements with local governments would need to be publicized before an official vote. However, all other cybersecurity matters can be discussed during a closed meeting or executive sessions without the public.
In Georgia, governing bodies can enter into a closed session to discuss pending litigation, government personnel, and purchase, disposal or leasing of government property.
If HB 134 passes, cybersecurity would be the fourth exception to an executive session.
“Any document or plan for protection relating to the existence, nature, location, or function of cybersecurity devices, programs, or systems designed to protect the computer, information technology, or communications systems against terrorist or other attacks,” the bill states.
The bill is in the Senate and had a second reading on March 1. Dubnik said it’s “too early to tell” when asked when the Senate could vote on HB 134.
With no opposition in the Senate or House, House Bill 156, which requires government entities who are victims of a cyberattack or data breach to create a report to state and federal authorities, is heading to Gov. Brian Kemp’s desk for signature.
A provision in the bill would exempt those reports from being accessed through the state’s Open Records Act.
Sarah Brewerton-Palmer, an associate with Atlanta-based firm Caplan Cobb and a First Amendment legal specialist, told The Times that without adjustments to both bills’ language, the public might not have timely access to important information regarding cyberthreats.
“There is information that an entity may want to keep privileged until an investigation is complete, such as how the hacker got around their firewall, the setup of the server, and specific information about the hacker,” she said. “But there's also information that the public will want to know, such as the existence of a cyberthreat or if their personal data has been breached.”
If HB 134 passes without any adjustments to its language, Brewerton-Palmer said there could be some unintended consequences.
Brewerton-Palmer said the bill needs to clarify definitions on which cybersecurity discussions can be addressed in closed sessions and whether the bill will shield public access to cybersecurity documents or weaken Georgia’s Sunshine Laws.
Dubnik, who has a background in information technology, acknowledged that cyberattacks are “on the rise,” but, he said the closed meeting provision in the bill is not intended to allow government officials to withhold cybersecurity information from the public.
“I hate to say it, but cyberattacks on government entities are probably trending upward,” he said. “We want this bill to allow those entities to set up a strong cybersecurity system, but the intention of this bill is not to shield information from constituents.”
Brewerton-Palmer said the Georgia First Amendment Foundation had sent language revisions to the bill’s author, Rep. Anderson, last week.
In the First Amendment Foundation’s requested revisions, cybersecurity matters that “would compromise security against sabotage or criminal or terrorist acts” would warrant a closed session or exemption from open records.
She hopes a “less broad” bill can maintain the balance between transparency and privileged information under the Open Records Act.
“These amendments would be simple changes that would make the bill consistent with existing Georgia law and would have a big impact in terms of ensuring the public can get important information about cyberattacks and data breaches,” she said. “It can be difficult to get information about attacks even now, and we expect it would be even more difficult if HB 134 passes without these amendments.”