Iowa asked researchers to break into a courthouse, then it arrested them

Security experts fear this could have industry-wide ramifications.

Ransomware attacks have cost cities like Atlanta and Baltimore millions of dollars and made it clear that state and municipal governments need to protect themselves against cyberthreats. With that in mind, the state of Iowa hired cybersecurity firm Coalfire to conduct a penetration test. The state asked the company to try to break into servers and physical buildings to see if it could gain access to sensitive data or equipment. When two Coalfire employees successfully broke into one Iowa courthouse, they were arrested, and the charges have not yet been dropped.

The incident occurred in September. The Coalfire employees found a door to the Dallas Courthouse open. They closed the door to see if it would lock and then attempted to open it, setting off an alarm. Following protocol, they waited for police to arrive, and showed them their paperwork. The first deputies to respond told the employees they were "good to go." But moments later, a local sheriff showed up and arrested them.

The Coalfire employees spent the night in jail, and as if that weren't bad enough, they were charged with felony accusations of burglary in the third-degree and possession of burglary tools. Their bail was set to $100,000. Coalfire expected the issue to be resolved quickly and the charges dropped, as the company had a contract with the state and had completed penetrations tests (also known as pen tests) at other Iowa courthouses. Instead, the charges were simply reduced to criminal trespass. The charges still stand more than two months later.

"The ongoing situation in Iowa is completely ridiculous," Coalfire CEO Tom McAndrew said in a statement. "... Our mission is to help our clients secure their environments and protect the people that work for them, their customers, and the confidential information they maintain. In this case, we were helping to protect the residents of Iowa."

Security experts fear that this could have ramifications beyond the state. Pen testing is a common practice, and security firms assume they will be protected by contracts with their clients. As the Coalfire-Iowa incident shows, that might not always be the case. Some fear this will discourage security researchers from testing state and municipal systems, as well as election and voting facilities that may be vulnerable in the 2020 election. At the very least, this is proof that we need a better way to handle cybersecurity vulnerabilities and a reminder of how clueless governments can be.