Tuesday afternoon, Georgia Governor Nathan Deal announced he had vetoed SB 315.
If you have not read the governor’s veto statement, I recommend you take a few minutes and do so. It is thoughtful, well-written, and seems to support the main concerns many groups had with the final version of the bill that reached the Governor’s desk for consideration. Ultimately, the Governor felt that the bill needed further discussion, and asked for legislators to engage in further collaboration with the cybersecurity community:
After careful review and consideration of this legislation, including feedback from other stakeholders, I have concluded more discussion is required before enacting this cyber security legislation. The work done this session by the legislation’s sponsors and stakeholders provides a solid foundation for continued collaboration on this issue.
It is my hope that legislators will work with the cyber security and law enforcement communities moving forward to develop a comprehensive policy that promotes national security, protects online information, and continues to advance Georgia’s position as a leader in the technology industry.
While it may seem appropriate to “celebrate” this veto, I would caution against doing so.
Going forward, we will need to work in a collaborative manner with the Attorney General’s office, law enforcement agencies, and state legislators in order to ensure that a better version of this bill is drafted and ready for the next legislative session.
This effort will be difficult enough, without having to work with people who view us as “taking a victory lap” or otherwise be seen as enjoying this veto at their expense.
There are some who believe that SB 315 was drafted, at least in part, due to state officials being embarrassed on a national level after two incidents at the now-closed KSU Center for Election Systems last year.
I don’t pretend to know the motivations of those who drafted SB 315. But, I do know enough about human nature to understand that it’s easier to work towards a common goal when there is no animosity or antagonism between parties.
I believe we have the best opportunity we’ve had in a while, to get a seat at the table and bring forward legitimate cybersecurity concerns for consideration. However, we must do so in a responsible, deliberate manner.
We cannot do what we seem to do in the cybersecurity community all too often, when faced with communicating these issues to those who may not understand them as clearly as we do. Namely, we cannot talk down to them, or refer to them in pejorative terms like “normies” or “stupid users”. These are people who have expertise in other areas, just not necessarily cybersecurity. It would be a serious mistake to treat elected officials in any manner that could be viewed as dismissive or condescending, just because they may not necessarily understand, or (gasp) dare to disagree and/or ask questions.
So, my plea to everyone going forward is simple: be nice, show some empathy, understand that security is not the only concern to be addressed in this legislation, and be ready to negotiate in good faith. We will never get everything we want, and we must learn to accept “good enough” when dealing with these matters.
Legislation of cybersecurity-related issues is only going to become more important moving forward. Now is the time for us to extend our collective hands, in an effort to help elected officials understand the issues to be considered when drafting new legislation. Only in this way can we hope to avoid a repeat of the problems seen with SB 315.
Andy Green, Ph.D. 