Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
Tom McAndrew
Tom McAndrew

Needed: A Cybersecurity Good Samaritan Law

Legislation should protect the good hackers who are helping to keep us safe, not just go after the bad.

The arrest and exoneration of two Coalfire employees caught breaking into an Iowa county courthouse in September 2019 highlight the challenges our legal system faces in addressing the fast pace of cybersecurity in an increasingly connected world. The circumstances show the dire need for collaboration among different teams to raise overall levels of security across both cyber and physical systems.

Coalfire hired these individuals as hackers to test physical security systems. They found the front door of the courthouse in Dallas County, Iowa, unlocked and set off the alarm deliberately to notify law enforcement. They were arrested, charged as criminals, jailed, and now have permanent arrest records — simply for doing their jobs.

The Iowa episode should be a warning sign to the entire security industry and a wake-up call to legislators that better protections are required for the cybersecurity community and the work they do defending our institutions against cybercrime. Today, cybersecurity testers have very little legal protection, and a Cybersecurity Good Samaritan law would protect those who perform critical investigative work to test our cyber defenses around the clock. This law should seek to provide criminal and personal liability protection for conducting cybersecurity engagements when they are:

  1. Working as an employee of a cybersecurity firm or division
  2. Under contract with the entity they are performing work
  3. Have documentation on the scope and approach of the engagement
  4. Are performing reasonable tasks related to the engagement

(Note: This would still allow clients to go after the firms they hire but would protect the individuals from being personally liable.)

"Hacker" brings to mind cybersecurity sleuths who crack codes, steal passwords, compromise devices, install ransomware, and illegally transfer funds. As the US becomes more sophisticated in protecting the digital world, physical systems are becoming a target — one with an attack surface that's relatively easy to penetrate. Gaining physical access is one of the easiest ways to hack into a network. This could include accessing paper records, installing equipment or software on the network, or simply putting in covert backdoor systems.

The concept of combining physical attacks and cyberattacks to test a system is nothing new. The term "red teaming" is used in the industry to describe a method of system testing based on thinking and acting like a bad guy. Red teams help businesses to see how break-ins and business disruptions occur, to test strength and durability of their defenses, to identify where vulnerabilities exist, and to expose weaknesses that could be considered negligent and contributing to a breach. 

The risks of conducting red teaming increase as more bad guys hide themselves in cyberspace. Law enforcement and the legal system have the power to interpret the legality of our work. In the Iowa case, the issue had nothing to do with system defenses or specific laws, but rather it came down to the authority of the state versus the authority of the local county to dictate and enforce. Consequently, the two pen testers took the heat. This nonaccountability is archaic and not keeping pace with the realities of the cyberworld where threats are escalating and system testing — be it ballot boxes or courthouse locks — is becoming the new normal for US businesses and institutions.   

The cybersecurity industry needs to do a better job of identifying and publishing best practices. The National Institute of Standards and Technology (NIST) has developed many best practices that are used as the basis for testing today, including the Common Vulnerability Scoring System (CVSS), Common Vulnerability & Exposures (CVEs), National Vulnerability Database, the adopted Security and Privacy Controls 800-53, the Cyber Security Framework, and the Penetration Testing Execution Standard (PTES).

But when it comes to service order templates and legal language to use as a best practice for red teaming, there is very little out there. The vast majority of penetration-testing companies are small, with fewer than 100 employees and limited legal or financial resources. Contract language should be publicly available and open to input.  

In addition to industry best practices, better legislation is needed to protect cybersecurity professionals working under contract. The physical addresses or virtual addresses (known as IP addresses) that are given to test the scope of work often lack specifics and turn out to be way off the mark. Penetration testers are typically able to push through and get the job done, but increasingly these testers are taking huge risks when an assignment shifts and local authorities (like those in Iowa) are taken off-guard.

We need legislation to protect the good hackers, not just go after the bad. A Cybersecurity Good Samaritan law would allow the good guys to do their jobs and foster more collaboration between private and public sector cyber defenses. This would help to drive positive change across the entire industry as information security and physical security continue to converge.  

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Beyond Burnout: What Is Cybersecurity Doing to Us?"

Tom McAndrew is the CEO of Coalfire, a security risk advisory to public and private sector organizations including government agencies and private businesses. He is recognized on the FCW Federal 100 and by ICS2 as one of the top senior security leaders in North America. ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I think the boss is bing watching '70s TV shows again!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-12-02
Python oic is a Python OpenID Connect implementation. In Python oic before version 1.2.1, there are several related cryptographic issues affecting client implementations that use the library. The issues are: 1) The IdToken signature algorithm was not checked automatically, but only if the expecte...
PUBLISHED: 2020-12-02
An issue was discovered in Bitrix24 Bitrix Framework (1c site management) 20.0. An "User enumeration and Improper Restriction of Excessive Authentication Attempts" vulnerability exists in the admin login form, allowing a remote user to enumerate users in the administrator group. This also ...
PUBLISHED: 2020-12-02
An exploitable out-of-bounds read vulnerability exists in libevm (Ethereum Virtual Machine) of CPP-Ethereum. A specially crafted smart contract code can cause an out-of-bounds read which can subsequently trigger an out-of-bounds write resulting in remote code execution. An attacker can create/send m...
PUBLISHED: 2020-12-02
An exploitable Out-of-bounds Write vulnerability exists in the xls_addCell function of libxls 2.0. A specially crafted xls file can cause a memory corruption resulting in remote code execution. An attacker can send malicious xls file to trigger this vulnerability.
PUBLISHED: 2020-12-02
A heap overflow vulnerability exists in Pixar OpenUSD 20.05 when the software parses compressed sections in binary USD files. A specially crafted USDC file format path jumps decompression heap overflow in a way path jumps are processed. To trigger this vulnerability, the victim needs to open an atta...