Two security contractors were arrested in Adel, Iowa on September 11 as they attempted to gain access to the Dallas County Courthouse. The two are employees of Coalfire—a "cybersecurity advisor" firm based in Westminster, Colorado that frequently does security assessments for federal agencies, state and local governments, and corporate clients. They claimed to be conducting a penetration test to determine how vulnerable county court records were and to measure law enforcement's response to a break-in.

Unfortunately, the Iowa state court officials who ordered the test never told county officials about it—and evidently no one anticipated that a physical break-in would be part of the test. For now, the penetration testers remain in jail. In a statement issued yesterday, state officials apologized to Dallas County, citing confusion over just what Coalfire was going to test:

State court administration (SCA) is aware of the arrests made at the Dallas County Courthouse early in the morning on September 11, 2019. The two men arrested work for a company hired by SCA to test the security of the court’s electronic records. The company was asked to attempt unauthorized access to court records through various means to learn of any potential vulnerabilities. SCA did not intend, or anticipate, those efforts to include the forced entry into a building. SCA apologizes to the Dallas County Board of Supervisors and law enforcement and will fully cooperate with the Dallas County Sheriff’s Office and Dallas County Attorney as they pursue this investigation. Protecting the personal information contained in court documents is of paramount importance to SCA and the penetration test is one of many measures used to ensure electronic court documents are secure.

The case is an example of the legal risks faced by security testing firms, particularly when the scope of such tests is vague. Even the most basic electronic security tests, when done outside of the bounds of a contractual agreement, could land the testers in trouble, as Ars reported when Gizmodo reporters attempted to phish Trump administration and campaign figures in 2017.

Josh Rosenblatt, a Maryland attorney who teaches at the University of Baltimore and is a legal instructor for the Baltimore Police Department, noted the legal complications of penetration testing in a presentation at BSides Charm. "If you have a full black-box assessment," Rosenblatt said—meaning a security assessment with no scope set and only vague definitions of how the security is to be checked—"you might run into issues." That's particularly the case when the organization issuing the assignment doesn't own the infrastructure being tested.

"The scope is everything," Roseblatt explained. If the scope is only vaguely defined, "you could find yourself exposed to legal liability."

Coalfire's Justin Wynn and Gary Demercurio, who are still in jail [Update: They appear to have made bail on Thursday], have been charged with third-degree burglary and possession of burglary tools. Their bond has been set at $50,000, and they are scheduled to appear for a preliminary hearing on September 23—in the same courthouse they were caught breaking into.