Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
Tom McAndrew
Tom McAndrew

Needed: A Cybersecurity Good Samaritan Law

Legislation should protect the good hackers who are helping to keep us safe, not just go after the bad.

The arrest and exoneration of two Coalfire employees caught breaking into an Iowa county courthouse in September 2019 highlight the challenges our legal system faces in addressing the fast pace of cybersecurity in an increasingly connected world. The circumstances show the dire need for collaboration among different teams to raise overall levels of security across both cyber and physical systems.

Coalfire hired these individuals as hackers to test physical security systems. They found the front door of the courthouse in Dallas County, Iowa, unlocked and set off the alarm deliberately to notify law enforcement. They were arrested, charged as criminals, jailed, and now have permanent arrest records — simply for doing their jobs.

The Iowa episode should be a warning sign to the entire security industry and a wake-up call to legislators that better protections are required for the cybersecurity community and the work they do defending our institutions against cybercrime. Today, cybersecurity testers have very little legal protection, and a Cybersecurity Good Samaritan law would protect those who perform critical investigative work to test our cyber defenses around the clock. This law should seek to provide criminal and personal liability protection for conducting cybersecurity engagements when they are:

  1. Working as an employee of a cybersecurity firm or division
  2. Under contract with the entity they are performing work
  3. Have documentation on the scope and approach of the engagement
  4. Are performing reasonable tasks related to the engagement

(Note: This would still allow clients to go after the firms they hire but would protect the individuals from being personally liable.)

"Hacker" brings to mind cybersecurity sleuths who crack codes, steal passwords, compromise devices, install ransomware, and illegally transfer funds. As the US becomes more sophisticated in protecting the digital world, physical systems are becoming a target — one with an attack surface that's relatively easy to penetrate. Gaining physical access is one of the easiest ways to hack into a network. This could include accessing paper records, installing equipment or software on the network, or simply putting in covert backdoor systems.

The concept of combining physical attacks and cyberattacks to test a system is nothing new. The term "red teaming" is used in the industry to describe a method of system testing based on thinking and acting like a bad guy. Red teams help businesses to see how break-ins and business disruptions occur, to test strength and durability of their defenses, to identify where vulnerabilities exist, and to expose weaknesses that could be considered negligent and contributing to a breach. 

The risks of conducting red teaming increase as more bad guys hide themselves in cyberspace. Law enforcement and the legal system have the power to interpret the legality of our work. In the Iowa case, the issue had nothing to do with system defenses or specific laws, but rather it came down to the authority of the state versus the authority of the local county to dictate and enforce. Consequently, the two pen testers took the heat. This nonaccountability is archaic and not keeping pace with the realities of the cyberworld where threats are escalating and system testing — be it ballot boxes or courthouse locks — is becoming the new normal for US businesses and institutions.   

The cybersecurity industry needs to do a better job of identifying and publishing best practices. The National Institute of Standards and Technology (NIST) has developed many best practices that are used as the basis for testing today, including the Common Vulnerability Scoring System (CVSS), Common Vulnerability & Exposures (CVEs), National Vulnerability Database, the adopted Security and Privacy Controls 800-53, the Cyber Security Framework, and the Penetration Testing Execution Standard (PTES).

But when it comes to service order templates and legal language to use as a best practice for red teaming, there is very little out there. The vast majority of penetration-testing companies are small, with fewer than 100 employees and limited legal or financial resources. Contract language should be publicly available and open to input.  

In addition to industry best practices, better legislation is needed to protect cybersecurity professionals working under contract. The physical addresses or virtual addresses (known as IP addresses) that are given to test the scope of work often lack specifics and turn out to be way off the mark. Penetration testers are typically able to push through and get the job done, but increasingly these testers are taking huge risks when an assignment shifts and local authorities (like those in Iowa) are taken off-guard.

We need legislation to protect the good hackers, not just go after the bad. A Cybersecurity Good Samaritan law would allow the good guys to do their jobs and foster more collaboration between private and public sector cyber defenses. This would help to drive positive change across the entire industry as information security and physical security continue to converge.  

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Beyond Burnout: What Is Cybersecurity Doing to Us?"

Tom McAndrew is the CEO of Coalfire, a security risk advisory to public and private sector organizations including government agencies and private businesses. He is recognized on the FCW Federal 100 and by ICS2 as one of the top senior security leaders in North America. ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with unit().
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with pair().
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with From<InlineArray<A, T>>.