Laws that Red Teamers Should Know
Laws that Red Teamers Should Know
What is wiretapping, which states have two-party consent, and are burglary tools illegal without intent to use them illegally?
Laws Around Red Teaming
There is a wide array of laws that physec red teamers should be aware of. It must be noted that laws are broken by conducting unauthorized activities, and the red team is authorized. With that in mind, it is still essential to be familiar with the laws affecting our profession:
Burglary
Varies by state. Intent typically matters less than permission. If you are authorized to be there, then it is not burglary.
Trespassing
Varies by state. Intent often does not matter, but permission does.
Burglary Tools
Varies by state. Charges typically require possession and intent to use them illegally.
Check out TOOOL’s fantastic map here.
Hacking
Computer Fraud and Abuse Act [CFAA - 18 U.S.C. § 1030]: Prohibits unauthorized access to computers and networks. Even though it's primarily focused on digital access, physical actions that lead to unauthorized digital access can be covered.
Many states have versions of CFAA.
Stored Communications Act (SCA) (18 U.S.C. §§ 2701-2712): Part of the Electronic Communications Privacy Act (ECPA), it protects the privacy of stored electronic communications, prohibiting unauthorized access.
Theft
Varies by state and jurisdiction. 18 U.S.C. §§ 2314-2315 addresses movement of stolen goods across state lines.
Theft of Trade Secrets
Economic Espionage Act (18 U.S.C. §§ 1831-1839): Prohibits the theft or misappropriation of trade secrets.
Impersonation
Identity Theft and Assumption Deterrence Act (18 U.S.C. § 1028)
Makes it a federal crime to knowingly transfer or use, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity.
Federal Law - Impersonating a Federal Officer (18 U.S.C. § 912)
This statute makes it a federal crime to falsely assume or pretend to be an officer or employee acting under the authority of the United States and, in such a pretended character, demand or obtain any money, paper, document, or thing of value.
Federal Law - Impersonating a Foreign Diplomat (18 U.S.C. § 915)
It's illegal to impersonate a foreign diplomat or consular officer with intent to defraud the United States or any individual.
State Laws
Each state has its own laws regarding impersonation of state and local law enforcement officers. The specifics vary by state, but generally, it's illegal to falsely represent oneself as a police officer, sheriff, state trooper, or other state or local law enforcement agent. This can include wearing a uniform, displaying a badge, or using equipment (such as flashing lights) that would give others the appearance of being a law enforcement officer.
Many states also have laws against impersonating other types of government officials, such as judges, inspectors, or other regulatory agents.
Use of Equipment or Vehicles
In many jurisdictions, it's illegal to use or possess certain equipment, vehicles, or insignia that are reserved for law enforcement or government officials. This can include police lights, sirens, badges, uniforms, and marked vehicles.
Recording of Phone Calls & Wiretapping
Federal Wiretap Act (18 U.S.C. §§ 2510-2522): Prohibits the interception of oral, wire, or electronic communications without consent.
NOTE: Some states allow one-party consent for recording a phone call or conversation while others require all party consent. Read here for the US, and here for Global laws around recording.
Interception of Information
Electronic Communications Privacy Act (ECPA) (18 U.S.C. §§ 2510-2522): Prohibits unauthorized interception of wire, oral, or electronic communications. This includes wiretapping and eavesdropping.
State Privacy Laws
Vary by state, but many states have laws that protect the privacy of individuals, including protection against video surveillance, audio recording, and other forms of monitoring.
Drone Laws
Part 107 License for all red team flights. This means that each Red Teamer operating a drone needs to be licensed, and that each drone itself needs to be registered with the Federal Aviation Administration (FAA).
NOTE: If flying at night, at or below certain altitudes, or in restricted airspaces, additional requirements will apply.
EXAMPLE: Check out the crimes you can be charged with for flying your drone over nuclear submarines in restricted airspace without a license: This Federal Criminal Complaint from January 2024 indicted a Chinese National and University of Minnesota student who flew his drone into a tree while spying on U.S. subs.
Illegal vs. Prosecutable
Welcome to the danger zone. Any time you are exploring the difference between something being illegal and prosecutable, you may want to have a talk with your legal team. With that said, it’s always worth considering the intent of the laws listed above. The goal is to protect the public, prevent harm, promote justice, build a strong society, deter bad behavior, and protect the United States. If you are authorized to conduct assessments and your goals align with the ones listed above (protecting, preventing harm, etc.), you have little to worry about. Your goal is to emulate criminals without committing crimes, which is easy to do with authorization. Even so, having knowledge of the relevant laws will help you in your career, and will ensure that you take steps (document these steps!) to avoid violating rules, laws, regulations, or ethical considerations. A red teamer’s goal is ultimately to help protect their organization. Part of that protection is ensuring that you do not create any undue risk (physical, financial, reputational, or other) as you seek to uncover vulnerabilities, systemic issues, and gaps in the security posture.