Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
Tom McAndrew
Tom McAndrew

Needed: A Cybersecurity Good Samaritan Law

Legislation should protect the good hackers who are helping to keep us safe, not just go after the bad.

The arrest and exoneration of two Coalfire employees caught breaking into an Iowa county courthouse in September 2019 highlight the challenges our legal system faces in addressing the fast pace of cybersecurity in an increasingly connected world. The circumstances show the dire need for collaboration among different teams to raise overall levels of security across both cyber and physical systems.

Coalfire hired these individuals as hackers to test physical security systems. They found the front door of the courthouse in Dallas County, Iowa, unlocked and set off the alarm deliberately to notify law enforcement. They were arrested, charged as criminals, jailed, and now have permanent arrest records — simply for doing their jobs.

The Iowa episode should be a warning sign to the entire security industry and a wake-up call to legislators that better protections are required for the cybersecurity community and the work they do defending our institutions against cybercrime. Today, cybersecurity testers have very little legal protection, and a Cybersecurity Good Samaritan law would protect those who perform critical investigative work to test our cyber defenses around the clock. This law should seek to provide criminal and personal liability protection for conducting cybersecurity engagements when they are:

  1. Working as an employee of a cybersecurity firm or division
  2. Under contract with the entity they are performing work
  3. Have documentation on the scope and approach of the engagement
  4. Are performing reasonable tasks related to the engagement

(Note: This would still allow clients to go after the firms they hire but would protect the individuals from being personally liable.)

"Hacker" brings to mind cybersecurity sleuths who crack codes, steal passwords, compromise devices, install ransomware, and illegally transfer funds. As the US becomes more sophisticated in protecting the digital world, physical systems are becoming a target — one with an attack surface that's relatively easy to penetrate. Gaining physical access is one of the easiest ways to hack into a network. This could include accessing paper records, installing equipment or software on the network, or simply putting in covert backdoor systems.

The concept of combining physical attacks and cyberattacks to test a system is nothing new. The term "red teaming" is used in the industry to describe a method of system testing based on thinking and acting like a bad guy. Red teams help businesses to see how break-ins and business disruptions occur, to test strength and durability of their defenses, to identify where vulnerabilities exist, and to expose weaknesses that could be considered negligent and contributing to a breach. 

The risks of conducting red teaming increase as more bad guys hide themselves in cyberspace. Law enforcement and the legal system have the power to interpret the legality of our work. In the Iowa case, the issue had nothing to do with system defenses or specific laws, but rather it came down to the authority of the state versus the authority of the local county to dictate and enforce. Consequently, the two pen testers took the heat. This nonaccountability is archaic and not keeping pace with the realities of the cyberworld where threats are escalating and system testing — be it ballot boxes or courthouse locks — is becoming the new normal for US businesses and institutions.   

The cybersecurity industry needs to do a better job of identifying and publishing best practices. The National Institute of Standards and Technology (NIST) has developed many best practices that are used as the basis for testing today, including the Common Vulnerability Scoring System (CVSS), Common Vulnerability & Exposures (CVEs), National Vulnerability Database, the adopted Security and Privacy Controls 800-53, the Cyber Security Framework, and the Penetration Testing Execution Standard (PTES).

But when it comes to service order templates and legal language to use as a best practice for red teaming, there is very little out there. The vast majority of penetration-testing companies are small, with fewer than 100 employees and limited legal or financial resources. Contract language should be publicly available and open to input.  

In addition to industry best practices, better legislation is needed to protect cybersecurity professionals working under contract. The physical addresses or virtual addresses (known as IP addresses) that are given to test the scope of work often lack specifics and turn out to be way off the mark. Penetration testers are typically able to push through and get the job done, but increasingly these testers are taking huge risks when an assignment shifts and local authorities (like those in Iowa) are taken off-guard.

We need legislation to protect the good hackers, not just go after the bad. A Cybersecurity Good Samaritan law would allow the good guys to do their jobs and foster more collaboration between private and public sector cyber defenses. This would help to drive positive change across the entire industry as information security and physical security continue to converge.  

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Beyond Burnout: What Is Cybersecurity Doing to Us?"

Tom McAndrew is the CEO of Coalfire, a security risk advisory to public and private sector organizations including government agencies and private businesses. He is recognized on the FCW Federal 100 and by ICS2 as one of the top senior security leaders in North America. ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-21
In memory management driver, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-185196177
PUBLISHED: 2021-06-21
In memory management driver, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-185193932
PUBLISHED: 2021-06-21
Apache Nuttx Versions prior to 10.1.0 are vulnerable to integer wrap-around in functions malloc, realloc and memalign. This improper memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution.
PUBLISHED: 2021-06-21
In updateDrawable of StatusBarIconView.java, there is a possible permission bypass due to an uncaught exception. This could lead to local escalation of privilege by running foreground services without notifying the user, with User execution privileges needed. User interaction is not needed for explo...
PUBLISHED: 2021-06-21
In avrc_pars_browse_rsp of avrc_pars_ct.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: ...