When the IT systems of federal and state agencies are tested, it turns out that those actually doing the testing, the cybersecurity firms themselves, are legally at risk if the proper authorizations are not in place. Coalfire, a well-established IT firm focused on cybersecurity, was engaged by the state of Iowa and, as part of its assignment, was tasked with testing municipal courthouse systems.
Purportedly within the scope of that assignment, two security workers conducted penetration tests, were detected in the process, and were charged with felonies. The charges have since been reduced to misdemeanors, but that is still not OK with Coalfire.
According to CEO Tom McAndrew, Coalfire will "continue to support and aggressively pursue all avenues to ensure that all charges are dropped and their criminal records are purged of any wrongdoing."
Other cybersecurity professionals have voiced increased concern in light of the incident. David Kennedy, founder and CEO of Binary Defense and TrustedSec, states, “I’ve had a lot of discussions with owners of organizations that do this kind of work that are kind of freaking out about this.” He continues, “You look at your job, and the protections you have in place. We try our best to make sure you are getting the full authorization. It’s really a shame these folks were trying to help that facility get better with security.”