Image credit: AriasPhotos via Getty Images

Iowa asked researchers to break into a courthouse, then it arrested them

Security experts fear this could have industry-wide ramifications.

Ransomware attacks have cost cities like Atlanta and Baltimore millions of dollars and made it clear that state and municipal governments need to protect themselves against cyberthreats. With that in mind, the state of Iowa hired cybersecurity firm Coalfire to conduct a penetration test. The state asked the company to try to break into servers and physical buildings to see if it could gain access to sensitive data or equipment. When two Coalfire employees successfully broke into one Iowa courthouse, they were arrested, and the charges have not yet been dropped.

The incident occurred in September. The Coalfire employees found a door to the Dallas Courthouse open. They closed the door to see if it would lock and then attempted to open it, setting off an alarm. Following protocol, they waited for police to arrive, and showed them their paperwork. The first deputies to respond told the employees they were "good to go." But moments later, a local sheriff showed up and arrested them.

The Coalfire employees spent the night in jail, and as if that weren't bad enough, they faced felony charges of third-degree burglary and possession of burglary tools. Their bail was set at $100,000. Coalfire expected the issue to be resolved quickly and the charges dropped, as the company had a contract with the state and had completed penetration tests (also known as pen tests) at other Iowa courthouses. Instead, the charges were simply reduced to criminal trespass. The charges still stand more than two months later.

"The ongoing situation in Iowa is completely ridiculous," Coalfire CEO Tom McAndrew said in a statement. "... Our mission is to help our clients secure their environments and protect the people that work for them, their customers, and the confidential information they maintain. In this case, we were helping to protect the residents of Iowa."

Security experts fear that this could have ramifications beyond the state. Pen testing is a common practice, and security firms assume they will be protected by contracts with their clients. As the Coalfire-Iowa incident shows, that might not always be the case. Some fear this will discourage security researchers from testing state and municipal systems, as well as election and voting facilities that may be vulnerable in the 2020 election. At the very least, this is proof that we need a better way to handle cybersecurity vulnerabilities and a reminder of how clueless governments can be.
