Coalfire Labs, a company that provides cyber risk management
and compliance services for public and private companies, was contracted by The
Iowa State Judicial System to perform security penetration testing of the
Dallas Iowa Judicial Branch. Coalfire employees Justin Wynn and Gary Demercurio
were tasked with the physical assessment and were subsequently arrested after
the courthouse alarm went off while they were attempting to enter the building
to conduct their assigned evaluation.
Let’s start from the beginning
The Iowa State Judicial System contracted Coalfire Labs to
perform penetration security tests on the Dallas County Court System. The
master agreement that got the assessment started was signed on January 14,
2015. This document defines all the terms and conditions that both parties
would abide by. It did not, however, mention anything that pertained to the
actual assessment. The agreement only addressed the main legal and monetary
items and was silent on the exact security penetration techniques to be used.
Between May and July 2019, the rest of the documents came into being. On May
28, 2019, the service order was signed by the IT Director of the Iowa Court
System, Mark Headlee. This document defined the key deliverables, the
engagement scope, and the pricing. The scope listed that there would be
physical attacks against the courthouse (unauthorized entries) and that they
could happen at any time during the day or night. On July 30, 2019, the rules
of engagement were sent to Andrew Shirley (Information Security Officer for
the Iowa Judicial Branch). This document outlined the rules of how Coalfire
was to engage: the locations, the testing dates, and how information was to be
handled internally within Coalfire. It addresses concerns with client
information, as well as any relevant information concerning the network, the
locations, wireless networks, any applications, and any cloud infrastructure.
On August 9, 2019, the Social Engineering Authorization document was signed by
John Hoover (Infrastructure Manager), Andrew Shirley (Information Security
Officer), and Mark Headlee (IT Director). This document outlined what physical
social engineering methods could and could not be used to access facilities.
The Event that led to the arrest
Both Justin Wynn and Gary Demercurio were arrested when they were discovered attempting to conduct their assigned physical assessment at 12:30 am at the Dallas County Courthouse. Two days prior, they had successfully made entry into the Polk County Courthouse. As they began to enter the Dallas Courthouse, they set off the alarm system, prompting a police response. They were arrested, with their preliminary hearing set for September 23, 2019.
Iowa’s Senate steps in
Iowa’s Senate Government Oversight Committee is
investigating these so-called break-ins. This investigation is going to look
into how this physical assessment would have improved the Judicial Branch’s
ability to perform its services. Senator Tony Bisignano (D) said that he is
concerned with the fact that the state took it upon itself to do this.
“We need to know as quickly as possible what truly happened, what the
contract says, how many contracts are out there and who was going to be liable
in case of a mishap, an injury, an altercation.” He says that this is going to be a burglary
case, not a contract case. The Judicial Branch Administrators, after releasing
the contract, stated: “They did not intend, or anticipate, those efforts
to include the forced entry into a building.” Bisignano agrees that
testing security is something important. He thinks that it “could have
been accomplished in a less covert way other than a CIA-type action.”
What is the question here?
The big question I see this case addressing is: do state governments have the
power to have private companies perform assessments of any kind on county/town
systems? The answer to this question will decide whether Justin and Gary of
Coalfire go free or go to jail.
My Thoughts on the matter
I think that the administration should have anticipated
this. The rules of engagement clearly state that they would attempt to make a
physical entry at three locations, and they could do this at any time of the
day. The two Coalfire employees that were arrested had no nefarious or criminal
intent. Criminal intent (Mens Rea) has to be proven to convict a person of a
criminal act. Justin Wynn and Gary Demercurio were conducting a contracted work
assignment, not a criminal act. I also disagree with Senator Tony Bisignano's
statement that this could have been accomplished less covertly, which I find
laughable. Most criminals try to be as covert as possible to avoid detection
and arrest. His comments hold no actual reasoning or legal basis and are
seemingly only political grandstanding.
Penetration testing, done correctly, many times has to be done covertly.
Covert testing pushes the existing defenses that are in place to their limits.
Such tests are essential to detect deficiencies and blind spots, and they do so
without any extraordinary countermeasures being put in place that ordinarily
would not be present. As for the question of whether state governments have
the power to contract companies to perform assessments of any kind on
county/town systems, I believe that they do. Most courts hold protected state
and federal documents, including arrest and conviction records. The storage,
dissemination, and maintenance of these documents are regulated by state and
federal law, giving the state the authority to inspect and/or test that these
laws are being followed. The only caveat I have with how this assessment took
place is that someone should have been informed at the courthouses. If just
one or two people had been notified to establish a point of contact at each
courthouse, it would have changed the way that this case is
All Quotes and information have been derived from