Most of you who deal with cybersecurity, or with information technology in any capacity, have heard of red teams. Companies and public agencies use these teams to test their security posture, both physical and technical. Unlike ethical hackers (who may be focused on a particular bug, vulnerability or policy), red teams will often provide the full spectrum of testing, persistence and training, if requested. Their usefulness is in behaving like the enemy, whether it be a state-sponsored group, a cyber-criminal organization or another Advanced Persistent Threat. Some companies and larger government organizations have built-in red teams (or red cells, as they may be referred to). Most, however, rely on independent contractors to do the assessments for them.
As a lawyer who watched over some red teams in my military career, I can say it was imperative for the scope and statement of work to be made clear at the beginning of the arrangement. What does that mean? Most importantly, trusted agents (the small group on the customer side who know the engagement is real, can verify the testers' identity and can stop the test if it causes harm) must be identified and read in to the process before it starts.
Red Teaming Rules
First, all members of the red team and the trusted agents should sign non-disclosure agreements, with explicit limitations as to content and duration. Then, the methodology of tactics, techniques and procedures should be spelled out to the trusted agents, at least in a general sense. What is off-limits to the red team? How may physical access be gained? What happens if something is inadvertently discovered outside the scope of work? What happens to data and information gained by the red team once the testing is over? Who on the customer side can authorize the engagement, and who can halt it? These are just a few of the concerns that need to be directly addressed at the outset of the relationship, or a lot of bad things, including legal action, can ensue. The written scope, the dates of the test, the systems and locations in play, and the named trusted agents should all be in a signed authorization that the testers carry, since without it the same activity is simply unauthorized access.
A few days ago, a complaint was filed in the United States District Court by AJ Trucco Inc against Redcell Corporation. Trucco is in the business of agricultural products wholesale, while Red Cell seems to offer a huge variety of IT services, including “Red Team” activities. Essentially, the lawsuit alleges, under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(2)(C) (“CFAA”), unlawful access to Trucco’s server and confidential information. This was brought to Trucco’s attention during legal discovery in another court dispute with Red Cell, in which Red Cell sued Trucco for misappropriating Red Cell software and violating trade secrets. That lawsuit, in and of itself, spans an eight-year relationship and is quite complicated, alleging poaching of employees and side arrangements in violation of their contract.
In other words, Trucco is alleging that, despite the business relationship ending in 2020, Red Cell’s access to the server, and its retention of Trucco’s confidential materials, continued. Most of the business relationship had nothing to do with red team activities; it was more in line with business and information system management.
While the above cases do not specifically deal with red team activities, the dispute seems to have morphed into the same issues that red teams and their customers should resolve up front. Defining the scope of work and the statement of work, along with all of their ancillary issues, such as trade secrets, data and network access, and the fuzzy nature of contractor-employee relationships, needs to be done in writing and monitored during the entire relationship. That monitoring has to include the end of the engagement: credentials and remote access the contractor used should be revoked or rotated, and the contractor’s return or destruction of the customer’s data should be confirmed, so that “access continued after the relationship ended” is never a claim either side has to litigate.