Inappropriate charge
It seems to be the norm in the US to go for maximum sentences or the most serious charge available to pressurise defendants to take a plea. This looks like a case of applying anti-hacking legislation to a case of criminal damage, presumably on the basis that it carries a higher tariff. It deserves to get knocked down for over-reach.
"If he is found to have acted without authorization, the question then becomes: does that make other sysadmins criminally liable for mistakes they might make unless they get explicit permission beforehand? That would create a hell of a problem."
Really? I thought getting permission in advance was called Change Control. I'd certainly be required to follow that process for any of the changes he made.