
Jiggling door handles without consent is a de facto criminal act. It's no different if I tried to pick your wallet as you walked down the street and said, "better me than a criminal..." then flashed my badge.

CISA will jiggle your door handles for free, if you ask and consent first. Web server operators who aren't asking for vuln assessments aren't apt to keep them regularly patched to begin with.




> Jiggling door handles without consent is a de facto criminal act.

Connecting to a webserver using HTTP is not a criminal act, under any colour of the law. If you have a listening port open to the internet, you are inviting connections.

Picking pockets is stealing; this is more like saying "Hello!" to someone who is standing in their own open doorway, and observing their response.

I don't think there's anything in the article about this programme providing server operators with reports. They're not trying to save operators from themselves.


Opt-in is generally more fair than opt-out, but in this instance it makes sense - they are not checking personal property, they are checking publicly facing webservers. They are not doing it for the server owners' benefit, they are doing it to help keep people secure. Servers that aren't being patched properly are exactly the servers that are a security issue waiting to happen, that such a security force should be identifying and telling to buck their ideas up.

I suppose the differences in how those two equivalent departments approach this likely come from national mindset differences, and the political differences they cause. At least it seems reasonable to me that in Washington people might all agree that the right to decide if you are tested is more important than finding insecure webservers, whilst in London people might well all agree on the opposite.



