Heading 1

You can edit text on your website by double clicking on a text box on your website. Alternatively, when you select a text box a settings menu will appear. Selecting 'Edit Text' from this menu will also allow you to edit the text within this text box. Remember to keep your wording friendly, approachable and easy to understand as if you were talking to your customer

TAG Cyber Law Journal

December 2019
Two are arrested ‘for doing their job,’ says their boss, who laments the precedent.

By David Hechler
Coalfire employees Gary Demercurio, left, and Justin Wynn were arrested for breaking into this Iowa county courthouse, which they were hired to do as part of their penetration testing.
COALFIRE HAS BEEN IN THE CYBERSECURITY BUSINESS SINCE 2001. Among the services the company offers is penetration testing. Clients hire the firm, which is headquartered in Colorado, to see if its ethical hackers can break in. Coalfire “has done hundreds of these types of engagements,” CEO Tom McAndrew said in statement.
     But on September 11, of all days, something went wrong. As part of their tests, two Coalfire employees broke into an Iowa courthouse, and then they intentionally tripped the alarm to test the response. When law enforcement showed up to investigate, the men explained that they’d been hired to try to break into the courthouse—physically as well as digitally—and they showed the responding officers a letter of engagement from the Iowa State Judicial Branch. The officers seemed satisfied, and the hackers were about to leave, when the sheriff arrived. He had no knowledge of the arrangement, the sheriff said, and the state had no right to authorize anyone to break into the county courthouse.
     The two men were then arrested.
     They were initially charged with felony burglary, which was later reduced to criminal trespass. But Coalfire’s CEO wasn’t celebrating. “This is setting a horrible precedent for the millions of information security professionals who are now wondering if they too may find themselves in jail as criminals simply for doing their job,” McAndrew wrote.

A Profession in Demand
Ethical hackers had seemed to be gaining widespread acceptance. In September, we wrote a news brief about the U.S. Air Force sending officials to the DefCon cybersecurity conference in Las Vegas, where they asked vetted white-hat hackers to hack into an F-15 fighter jet. The hackers identified a host of vulnerabilities, and the Air Force was pleased, The Washington Post reported, because the problems could be fixed before they cost lives. It was quite a turnaround for the Air Force, which just a few years earlier wanted nothing to do with hackers. After this recent experience, however, officials said they looked forward to more penetration testing at next year’s conference.
     Demand for penetration testing seems to be growing, and ethical hackers—at least reputable ones—are not always easy to find. Daniel Pepper, a partner on BakerHostetler’s Privacy and Data Protection team, routinely recommends that companies hire them. “Your company’s own software engineers can only do so much,” he explained. They’re busy, and they’re not experts on security testing. They can’t know as much about the methods and tools that hackers use to break into networks as the people who make their living studying it. 
     “It’s definitely growing,” Pepper said of the profession. “There’s a continuing need for it.” Though there are plenty of companies that offer the service, it’s not always easy to find reliable ones, he added. Yet, he’d never heard of anything like the events in Iowa.
     “This was a real outlier,” Pepper said of the arrests. “I have not seen this sort of thing before.” But he has seen instances of miscommunication. For example, one department of a company hires hackers without informing colleagues. Then the company’s security team identifies an active hack and launches its breach response, only to learn that the attack was sanctioned. But he’s never known of an instance where law enforcement was involved.
     He wouldn’t expect local law enforcement to be familiar with ethical hackers, or to stand down just because some guy who claims to be one tells them he’s on the up-and-up. “They’re going to assume the worst, as they should,” Pepper said. It seems clear, he observed, that in Iowa more communication was needed before the test was launched.

Real Payoffs
Pepper said that before companies authorize penetration tests, there should should be lots of communication with the firm it hires. He suggests that his clients draft contracts that describe the scope of the testing and specify the individuals who will be involved. The company should run background checks on the people doing the work, since there are legal risks in granting third-party access to sensitive information. The client should then “monitor the entire process,” he noted. “That should be in the agreement.” 
     Those who think of this as just another unnecessary expense may need to think again. “There’s an argument to be made that this sort of testing is imperative, not just a nice thig to do sometimes,” Pepper said. The New York SHIELD Act and the California Consumer Privacy Act make it clear that “reasonable security” requirements include the kind of testing recommended in the CIS top 20 controls, he said. The last CIS control calls for “Penetration Tests and Red Team Exercises.”
     In Pepper’s view, the payoff is well worth the cost. He recommends that a company hire ethical hackers to attempt to penetrate its system at least annually—or any time the company makes material changes to its network, as, for example, when it launches new products. Because the experience the Air Force had is common. In the majority of cases, “there are vulnerabilities identified,” Pepper said. The job of the hackers is to break in, and they are good at it. Companies are usually left with a list of weaknesses they will need to address. That’s how cybersecurity is strengthened.
     And if everyone exercises sufficient care, it shouldn’t result in vendors landing in jail.