Iowa Hires Hackers To Test Courthouse Security, Sheriff Arrests Them After They Get In
A security company says that local officials in Iowa have gone too far by charging two of its employees who demonstrated how vulnerable one county courthouse truly was.
According to the Des Moines Register, employees of the state-hired cybersecurity firm Coalfire were testing the security of both computer servers and physical buildings operated by the state’s judicial branch.
Early in the morning of Sept. 11, two employees tripped an alarm at the Dallas County courthouse in Adel, the Register reported.
According to the technology website Endgadget, the men entered the courthouse through an open door. When they closed it and then opened it again, they set off an alarm, according to the website.
After sheriff’s deputies arrived, the Coalfire employees showed their paperwork proving they were working at the state’s behest, but instead of being allowed to go, they were clapped in jail and charged with third-degree burglary and possession of burglary tools, both felonies, Endgadget reported. Bail was set at $100,000.
Last month, Justin Wynn, 29, of Naples, Florida, and Gary Demercurio, 43, of Seattle, had their charges reduced to trespassing, which is a misdemeanor, according to the Register.
Instead of taking a plea, the men are demanding a jury trial as the company makes waves about the incident.
“Our employees were doing the job that Coalfire was hired to do for the Iowa State Judicial Branch,” Coalfire CEO Tom McAndrew said in a statement. “Coalfire was successful in performing security testing, which is an important component of a cyber-security program. Testing is critical to identify vulnerabilities that can be exploited by cybercriminals.”
“The ongoing situation in Iowa is completely ridiculous, and I hope that the citizens of Iowa continue to push for justice and common sense,” he wrote, adding that, “Coalfire will continue to support and aggressively pursue all avenues to ensure that all charges are dropped and their criminal records are purged of any wrongdoing. After the Iowa Supreme Court Chief Justice apologized and admitted mistakes were made, I was expecting all charges to be dropped.”
The statement said that Dallas County Sheriff Chad Leonard refused to allow the men to leave in what amounted to a turf war.
“Sheriff Leonard communicated in an email ‘that this building belonged to the taxpayers of Dallas County and the State had no authority to authorize a break-in.’ Leonard also added that a state employee asked him not to tell other sheriffs about the incident to ensure the operation continued at other locations, but that he was going to tell every sheriff,” McAndrew said in his statement.
McAndrew said an incident like this has never faced his company before.
“Coalfire has done hundreds of these types of engagements, typically finding open doors, unconcealed passwords, and other items that criminals can use to exploit organizations. Our teams are often stopped by law enforcement or security personnel during these tests. When this occurs, the authorization letter is presented. This is the first time that the authorization letter and verbal calls from our client have not resulted in the immediate release of our employees. Frankly, this matter is unprecedented within the tight-knit security industry and to our knowledge, no physical security professional has been arrested and officially charged while executing a contract,” he wrote in the statement.
McAndrew said the incident should come to a close.
“My concern is that common sense is not prevailing in this case. The fact that this case is still ongoing is a failure of the criminal justice system in Iowa. I am also concerned that the close working relationship between the Sheriff, District Attorney, judges, and local politics involved may have potential conflicts of interest and impede a fair trial,” he wrote.
When law enforcement authorities turn upon those trying to protect the public, McAndrew wrote, the public emerges as the loser.
“If what is happening in Iowa begins to happen elsewhere, who will keep those who are supposed to protect citizens honest? This is setting a horrible precedent for the millions of information security professionals who are now wondering if they too may find themselves in jail as criminals simply for doing their job. I believe that citizens of Iowa would benefit from using their resources to fix vulnerabilities, protect their data, and secure their public buildings rather than waste time and taxpayer money on this criminal pursuit,” he wrote.
Others agreed. Computer security concerns are a major concern, especially as local governments prepare for the 2020 elections.
David Kennedy, founder and CEO of Binary Defense and Trusted Sec, told CNBC that other companies in the cyber sector “are kind of freaking out about this.”
“We are all watching this very closely, and we are concerned,” Kennedy said.
In an interview with the Register, Dallas County Attorney Charles Sinnard would not comment directly on McAndrew’s statement, but said, “[I]f Mr. McAndrew certainly wants to make this a case about professionalism, we are ready to meet that argument in court.”
Truth and Accuracy
We are committed to truth and accuracy in all of our journalism. Read our editorial standards.