Iowa hired a prominent cybersecurity company to test the digital and physical defenses of county courthouses, but when two employees succeeded, they were arrested.
In September, the state asked cybersecurity firm Coalfire to conduct a penetration test to see if its staff could gain access to sensitive data or equipment.
Two Coalfire employees found a door to the Dallas Courthouse open, and when they closed the door to see if it would lock and then attempted to open it, an alarm was set off. Following protocol, the employees waited for police to arrive and showed them their paperwork. Initially, they were told they were "good to go," Engadget reported, but moments later, a local sheriff showed up and arrested them; they spent the night in jail.
Justin Wynn, 29, of Naples, Florida, and Gary Demercurio, 43, of Seattle, were charged with third-degree burglary and possession of burglary tools after they tripped the alarm at the Dallas County Courthouse, according to the Des Moines Register. The charges still have not been dropped, according to CNBC, although they were reduced to trespassing, a misdemeanor. The men have pleaded not guilty.
"Our employees were doing the job that Coalfire was hired to do for the Iowa State Judicial Branch," Coalfire CEO Tom McAndrew said in a statement last month. "Coalfire was successful in performing security testing, which is an important component of a cyber-security program. Testing is critical to identify vulnerabilities that can be exploited by cybercriminals."
McAndrew called the charges "completely ridiculous" and urged Iowans to "push for justice and common sense" in clearing the men's names.
He said Coalfire employees are frequently stopped by law enforcement officials while doing their jobs, but this was the first of "hundreds of these types of engagements" in which the workers weren't immediately released after law enforcement saw their authorization letter.
"Frankly, this matter is unprecedented within the tight-knit security industry," McAndrew told the Register. "To our knowledge, no physical security professional has been arrested and officially charged while executing a contract."
The news comes as cities, including Baltimore and Atlanta, grapple with ransomware attacks that have cost them millions of dollars.
The Iowa incident could heighten tensions between states and testing companies in the run-up to 2020. Across the country, similar companies are prepping to vet the security of hundreds of local elections ahead of 2020, amid widespread fears that Russia will try to interfere as it did in 2016, The Washington Post reported.
“I’ve had a lot of discussions with owners of organizations that do this kind of work that are kind of freaking out about this,” David Kennedy, founder of Binary Defense and TrustedSec, a consulting firm that conducts penetration tests, told CNBC. “We are all watching this very closely, and we are concerned.”