Prosecutors have dropped criminal charges against two security professionals who were arrested and jailed last September for breaking into an Iowa courthouse as part of a contract with Iowa’s judicial arm.
The dismissal, which was announced on Thursday, is a victory not only for Coalfire Labs, the security firm that employed the two penetration testers, but the security industry as a whole and the countless organizations that rely on it. Although employees Gary DeMercurio and Justin Wynn had written authorization to test the physical security of the Dallas County Courthouse in Iowa, the men spent more than 12 hours in jail on felony third-degree burglary charges. The charges were later lowered to misdemeanor trespass.
The case cast a menacing cloud over an age-old practice that’s crucial to securing buildings and the computers and networks inside of them. Penetration testers are hired to hack or break into sensitive systems or premises and then disclose the vulnerabilities and techniques that made the breaches possible. Owners and operators then use the information to improve security.
“I’m very glad to hear this,” said a professional pentester when I told him the charges were dropped (he prefers to use only his handle: Tink). “Clients and security firms have an obligation to protect their pentesters and consultants. Pentesters are not criminals. Pentesters help organizations protect against criminals.”
Attempts to reach Dallas County Attorney Charles Sinnard after hours were unsuccessful.
Get out of jail free
DeMercurio and Wynn were arrested in the early hours of September 11 after a dispatcher with the Dallas County sheriff’s department observed the men wandering through the closed county courthouse with dark backpacks. When sheriff’s deputies confronted the men shortly afterward, they produced a letter—known as a get-out-of-jail-free card in pentesting parlance—that said they had been hired by Iowa’s State Court Administration to assess its physical and network security. Deputies were friendly and interested as DeMercurio and Wynn explained how they used a lock-picking device to bypass a locked front door.
When Sheriff Chad Leonard arrived on the scene, things took a decidedly more adversarial tone. Leonard said he was unaware of any such arrangement and, furthermore, that the State Court Administration lacked the authority to permit after-hours entry into county property. The pentesters spent more than 12 hours in the county jail until they were released on $100,000 bail ($50,000 for each). In the days that followed, officials discovered that the pentesters had also performed physical penetration tests on the Polk County Courthouse and Judicial Building.
The turf war between Dallas County and state officials was only one of the things complicating the case. The other issue was the legal agreement Coalfire signed with the State Court Administration. The full agreement was broken into three separate documents that contained confusing and contradictory terms describing the work to be performed. An initial service order outlined a plan to conduct “Physical Attacks” against the Dallas County courthouse and two other buildings, but in later forms, the pentesting activities were described as “Social Engineering.” There was also conflicting language about whether the pentesters were authorized to use lock-picking gear and whether they were permitted to test physical security after hours.
After learning of the pentesting contract, Dallas County Attorney Charles Sinnard reduced the charges, but despite there being no evidence of criminal intent, he continued to prosecute the two men. In a statement Coalfire issued on Thursday, officials wrote:
Following discussions between representatives of Coalfire, the Dallas County Sheriff and the Dallas County Attorney, it was the decision of the Dallas County Attorney to dismiss trespass charges against the Coalfire employees. It is clear that on September 11, 2019 it was the intention of the Dallas County Sheriff to protect the citizens of Dallas County and the State of Iowa by ensuring the integrity of the Dallas County Courthouse. It was also the intention of Coalfire to aid in protecting the citizens of the State of Iowa, by testing the security of information maintained by the Judicial Branch, pursuant to a contract with State Court Administration.
Ultimately, the long-term interests of justice and protection of the public are not best served by continued prosecution of the trespass charges. Those interests are best served by all the parties working together to ensure that there is clear communication on the actions to be taken to secure the sensitive information maintained by the Judicial Branch, without endangering the life or property of the citizens of Iowa, law enforcement or the persons carrying out the testing. It is the hope of Dallas County and Coalfire that the Judicial Branch will work with them so that any issues carrying out such vital testing can be avoided in the future.
Coalfire CEO Tom McAndrew added, “With positive lessons learned, a new dialogue now begins with a focus on improving best practices and elevating the alignment between security professionals and law enforcement. We’re grateful to the global security community for their support throughout this experience.”