A civil matter

Matthew Lindholm, the Des Moines defense attorney representing the two pentesters, agreed that his clients are being unfairly swept up in a power struggle between the State of Iowa and the County of Dallas. He said Iowa statutes ensure that the state judicial branch has access to county-owned buildings and that the judicial branch can exercise authority over county courthouses when it’s necessary to carry out its administrative purposes.

Whether the state had authority to authorize the pen test is “a civil matter, not a criminal matter,” Lindholm said. “You’re not going to get that answer by filing criminal charges against somebody.” He also noted that a provision in the contract required the SCA to secure all necessary permission for the execution of the contract. Lindholm continued:

But you also have political pressures from the county who want to hold somebody criminally responsible because, it’s their opinion, that there clearly was no authority for the judicial branch to do what they did. The problem with that is under the legal analysis it doesn’t matter whether my clients had actual authority or apparent authority. As long as they reasonably believed they could go in and do what they did—which the contract said they could—they are legally obligated and cannot be held criminally responsible for doing what they did.

Dallas County Attorney Charles Sinnard, who is prosecuting the case, told me that prosecutors aren’t permitted to say much publicly about cases they bring. He did say that he was familiar with the craft of penetration testing and supported that line of work in ensuring courts are secure.

“I have a relative that is in the industry, so I understand the importance of the work, and I back that type of work,” he said. “Professionals in this area would also agree that there are certain responsibilities and expectations because of the sensitive nature of this work, and if those aren’t followed, then that is a different story. What has been released is only part of the story.” He didn't elaborate.

A mea culpa of sorts

In October, Iowa Supreme Court Chief Justice Mark Cady, who oversees the state’s judicial branch including all judicial officers and court employees, apologized for the incident before the state’s Senate Government Oversight Committee, according to the Des Moines Register, which has been closely following developments in the case.

“In our efforts to fulfill our duty to protect confidential information of Iowans from cyberattacks, mistakes were made,” he said, using the passive voice that’s so common in leaders’ admissions of responsibility. “We are doing everything possible to correct those mistakes, be accountable for the mistakes and to make sure they never, ever occur again.” He declined to comment for this story.

His apology made little or no mention of the two men whose futures have been swept up in the controversy. He has remained silent even after the release early last month of an investigation report the SCA commissioned from lawyers at Faegre Baker Daniels, a global law firm with an office in Des Moines. The attorneys who led the investigation into the matter included Nick Klinefeldt, a former US attorney for the Southern District of Iowa, and Paul Luehr, a former federal prosecutor and a national cybersecurity consultant.

The investigators found that neither Wynn, De Mercurio, nor Iowa's SCA acted with deception or ill intent. The report also made a strong case that the pentesters had good reason to believe that everything they did was within the scope of the agreement between the SCA and Coalfire. The Rules of Engagement, the investigators found, specifically gave the men the authority to pick locks and to “utilize physical penetration testing techniques to gain access to facilities, sensitive information, networks or systems.” (The report did find that Coalfire and the SCA failed to adequately draft the agreement. More about that later.)

The rules of engagement also state that the physical assessments were to be conducted on the Polk County Courthouse and the Judicial Building—both in Des Moines—as well as the Dallas County Courthouse in Adel, Iowa. And while one section of the rules of engagement was unclear about whether the 6AM to 6PM time frame applied only to systems penetration or to physical assessments as well, a Scope of Testing section within that document said physical assessments “can be during the day and evening.” That authorization made no mention of any specific time of day.

The investigators also mentioned that on September 10—one day before Wynn and De Mercurio entered the Dallas County Courthouse after hours—John Hoover, the IT manager for the SCA, found Wynn’s business card on his desk when he arrived at his office at the Judicial Building that morning. Hoover immediately knew the Coalfire pentesters had broken into the building and entered his office the night before.

“Well done,” the IT manager wrote to Wynn in an email. “I'll be interested to hear how easy it was.”

Confusing and contradictory terms

The investigators went on to criticize both the SCA and Coalfire for stringing the agreement into three separate documents that “contained some confusing and contradictory terms” describing the work to be performed.

“In terms of techniques, the Coalfire agreement often co-mingled descriptions of physical tests with other types of assessments,” investigators wrote. “In its initial Service Order, Coalfire clearly described a plan to conduct ‘Physical Attacks’ against three proposed buildings, but in later forms, Coalfire’s Red Team activities fell under the more abstract label of ‘Social Engineering,’ even though a night-time building break-in would probably not involve social interaction with any other individuals.”

The permitted time for the pentesting is another example of a lack of clarity, with one section of the rules of engagement stating it would be conducted between 6AM and 6PM—again, in Mountain Time—and another section saying it could be during the day and evening. The lack of clarity in the get-out-of-jail-free letter was also a key problem, since that was the document responding Sheriff’s officials would read first.

Making matters worse, the investigators noted that there were differences among various SCA officials about precisely what the assessment involved. The IT director of the SCA, Mark Headlee, said he was unaware that the rules of engagement permitted the same physical assessment on the Dallas and Polk County courthouses that was allowed for the Judicial Building. While Hoover—the IT manager who had congratulated Wynn for accessing the Judicial Building—was more familiar with the scope of the engagement, a serious error prevented him from speaking to deputies the night they caught the pentesters at the Dallas County Courthouse. The report explained:

According to Headlee, it was his position that Wynn and Demercurio were not supposed to access the courthouse after hours and so he told the Dallas County Sheriff Deputies that Wynn and Demercurio were not working within the scope of what SCA contracted with them to do. In subsequent text messages, Headlee questioned what Wynn and Demercurio were doing in the courthouse after hours. In text messages to Hoover, Headlee pointed out that the Dallas County Sheriff’s office did not believe the Authorization applied because the courthouse was county property. Hoover replied that he was just thinking about that issue. It appears neither law enforcement, Wynn, nor Demercurio contacted Hoover directly that night, because Hoover’s number was incorrect on the Authorization form.

Ultimately, the investigators found, it’s unclear if SCA had the authority to authorize the intrusions into the two county courthouses. While there are statutes that require counties to provide “sufficient facilities” for state judicial officers, it’s not clear whether this gives the SCA autonomy when state and county resources are commingled in a single premises.

Greatest shortcoming

Ultimately, the investigators said, both the SCA and Coalfire shared responsibility for not anticipating the way the assessment would affect the counties that owned and managed the courthouses and for not alerting law enforcement officers ahead of time.

“Perhaps the greatest shortcoming we found was a failure to take into account the potential impact of the assessment on third parties, specifically the counties,” the investigators wrote. “We did not find that the SCA or Coalfire acted with deception or ill-intent. However, we believe both the SCA and Coalfire should have foreseen a potential confrontation with law enforcement.”

McAndrew, the Coalfire CEO, said his company is already looking at ways to prevent similar incidents from playing out.

“We could always improve,” he said when I asked him about that part of the report. “Every time we have one of these scenarios, you look at what could we improve in communication and what’s written down. We have looked at that and there are some tweaks to make.”

A mark on their record

Meanwhile Dallas County Sheriff Leonard has signaled an openness to recommending more leniency from the county prosecutor. In an interview, he said he had yet to read the investigators’ report that found the SCA had authorized a physical assessment in the evening and had approved the forced entry of doors. When I told him of those findings and asked if he still believed the county should prosecute the case, he said:

“If that is true, if those guys had all that, I don’t want them to have this mark on their record. They were nice guys that night.” Still, he returned to the position that the state of Iowa had no legal authority to grant the pentesters permission to break into a county courthouse. I pressed Leonard further and asked if, in light of the investigators’ findings, he believed the pentesters had any criminal intent. Leonard answered: “I don’t want these guys to have this mark on their record if they truly were supposed to be here.”

He went on to blame McAndrew, the Coalfire CEO, for not being more proactive in defending his employees in the hours following the arrests.

“The CEO could have called and said here’s all the stuff, Sheriff,” Leonard said, referring to the contracts Coalfire signed with the SCA. “Then I would have gone to the county attorney [Charles Sinnard] and said: ‘Listen, Chuck, you need to get rid of this stuff.’ They never did any of that.”

What seems clear from all of this is that for the time being, Wynn and De Mercurio will have these charges—and possibly new ones from Polk County—hanging over their heads, even though there’s no public evidence the pentesters had any criminal intent or bad motives. The ambiguous and sometimes contradictory terms in the agreement—which comprised multiple documents—were problematic. So, too, was the lack of clarity about whether Iowa’s SCA had the legal authority to permit an intrusion on county property.

But it’s hard to see how these defects rise to the level of a criminal offense that threatens not only the future of the two pentesters, but also the increasingly important profession of pentesting itself.

“If what is happening in Iowa begins to happen elsewhere, who will keep those who are supposed to protect citizens honest?” McAndrew wrote in his statement from October. “This is setting a horrible precedent for the millions of information security professionals who are now wondering if they too may find themselves in jail as criminals simply for doing their job.”