The arrest and exoneration of two Coalfire employees caught breaking into an Iowa county courthouse in September 2019 highlight the challenges our legal system faces in addressing the fast pace of cybersecurity in an increasingly connected world. The circumstances show the dire need for collaboration among different teams to raise overall levels of security across both cyber and physical systems.
Coalfire hired these individuals as hackers to test physical security systems. They found the front door of the courthouse in Dallas County, Iowa, unlocked and set off the alarm deliberately to notify law enforcement. They were arrested, charged as criminals, jailed, and now have permanent arrest records — simply for doing their jobs.
The Iowa episode should be a warning sign to the entire security industry and a wake-up call to legislators that better protections are required for the cybersecurity community and the work they do defending our institutions against cybercrime. Today, cybersecurity testers have very little legal protection, and a Cybersecurity Good Samaritan law would protect those who perform critical investigative work to test our cyber defenses around the clock. This law should seek to provide criminal and personal liability protection for conducting cybersecurity engagements when they are:
- Working as an employee of a cybersecurity firm or division
- Under contract with the entity they are performing work
- Have documentation on the scope and approach of the engagement
- Are performing reasonable tasks related to the engagement
(Note: This would still allow clients to go after the firms they hire but would protect the individuals from being personally liable.)
“Hacker” brings to mind cybersecurity sleuths who crack codes, steal passwords, compromise devices, install ransomware, and illegally transfer funds. As the US becomes more sophisticated in protecting the digital world, physical systems are becoming a target — one with an attack surface that’s relatively easy to penetrate. Gaining physical access is one of the easiest ways to hack into a network. This could include accessing paper records, installing equipment or software on the network, or simply putting in covert backdoor systems.
The concept of combining physical attacks and cyberattacks to test a system is nothing new. The term “red teaming” is used in the industry to describe a method of system testing based on thinking and acting like a bad guy. Red teams help businesses to see how break-ins and business disruptions occur, to test strength and durability of their defenses, to identify where vulnerabilities exist, and to expose weaknesses that could be considered negligent and contributing to a breach.
The risks of conducting red teaming increase as more bad guys hide themselves in cyberspace. Law enforcement and the legal system have the power to interpret the legality of our work. In the Iowa case, the issue had nothing to do with system defenses or specific laws, but rather it came down to the authority of the state versus the authority of the local county to dictate and enforce. Consequently, the two pen testers took the heat. This nonaccountability is archaic and not keeping pace with the realities of the cyberworld where threats are escalating and system testing — be it ballot boxes or courthouse locks — is becoming the new normal for US businesses and institutions.
The cybersecurity industry needs to do a better job of identifying and publishing best practices. The National Institute of Standards and Technology (NIST) has developed many best practices that are used as the basis for testing today, including the Common Vulnerability Scoring System (CVSS), Common Vulnerability & Exposures (CVEs), National Vulnerability Database, the adopted Security and Privacy Controls 800-53, the Cyber Security Framework, and the Penetration Testing Execution Standard (PTES).
But when it comes to service order templates and legal language to use as a best practice for red teaming, there is very little out there. The vast majority of penetration-testing companies are small, with fewer than 100 employees and limited legal or financial resources. Contract language should be publicly available and open to input.
In addition to industry best practices, better legislation is needed to protect cybersecurity professionals working under contract. The physical addresses or virtual addresses (known as IP addresses) that are given to test the scope of work often lack specifics and turn out to be way off the mark. Penetration testers are typically able to push through and get the job done, but increasingly these testers are taking huge risks when an assignment shifts and local authorities (like those in Iowa) are taken off-guard.
We need legislation to protect the good hackers, not just go after the bad. A Cybersecurity Good Samaritan law would allow the good guys to do their jobs and foster more collaboration between private and public sector cyber defenses. This would help to drive positive change across the entire industry as information security and physical security continue to converge.
Tom McAndrew is the CEO of Coalfire, a security risk advisory to public and private sector organizations including government agencies and private businesses. He is recognized on the FCW Federal 100 and by ICS2 as one of the top senior security leaders in North America. … View Full Bio