Coalfire CEO Tom McAndrew's Statement
The following text comprises the statement of Coalfire CEO Tom McAndrew (via the company's public relations group) detailing the company's position on the State of Iowa debacle they have found themselves in. We wish them success in dealing with the State of Iowa Bureaucracy. H/T
Westminster, CO -- October 29, 2019 -- The ongoing situation in Iowa is completely ridiculous, and I hope that the citizens of Iowa continue to push for justice and common sense. Today, we found out that charges against Justin Wynn and Gary DeMercurio, the two Coalfire employees at the center of the Dallas County Courthouse incident on September 11, 2019, have been reduced from felony accusations of Burglary in the third-degree and possession of burglary tools to criminal trespass.
I do not consider this a "win" for our employees, and Coalfire will continue to support and aggressively pursue all avenues to ensure that all charges are dropped and their criminal records are purged of any wrongdoing. After the Iowa Supreme Court Chief Justice apologized and admitted mistakes were made, I was expecting all charges to be dropped.
As seen in the statement of work that was made public online, our employees were simply doing the job that Coalfire was hired to do for the Iowa State Judicial Branch, a job similar in nature to one we did three years ago for the Iowa State Judicial Branch and have done hundreds of times around the world for similar clients.
Active penetration testing, including physical penetration testing, is a best practice and a common engagement. We identify issues and risks before criminals find them. Oftentimes the risks are systems issues, sometimes the risks are as simple as finding a broken door that would allow a person with malicious intent to enter a secure area unnoticed. Our mission is to help our clients secure their environments and protect the people that work for them, their customers, and the confidential information they maintain. In this case, we were helping to protect the residents of Iowa.
Our work included the testing of the physical security of county courthouses and judicial buildings. The specific locations were given to us by our client, documented in our statement of work, and confirmed multiple times, through email and phone conversations.
After gaining access to the Judicial Branch Building, our employees were in communications with our client at the state level to let them know of their successful entry. They even left a business card on the desk of an employee. The following morning a state employee acknowledged the entry stating, “I guess I owe you a congratulations.” The day after the successful entry into the Judicial Branch Building, the employees walked up to the main entrance of Dallas County Courthouse around midnight. Our employees could have simply walked in through the front door since it was open - however, they chose to close and lock the door, so they could provide the state of Iowa with insights on ways that potential criminals could gain access. Our employees, being of the highest caliber and committed to delivering the best results on the project, chose to give the county the benefit of the doubt and test the courthouse as if they had found it in a secure state, which it was not.
After gaining access through the locked door, our team intentionally tripped the alarm in order to test the security response, which was an objective of the project. After setting off the alarm in the Dallas courthouse, Mr. Wynn and Mr. DeMercurio stayed at the courthouse to meet County law enforcement responding to the alarm. When the initial law enforcement arrived, there were no issues as the team explained what they were doing and presented our engagement letter along with identification. As the team waited for a deputy to verify their credentials, they then showed the remaining officers how entry was made along with some of the tools and tactics that could have been used, much to the deputies’ delight, which I believe would be evident if video of the response was made publicly available.
The team was ready to leave after one of the deputies returned the authorization letter to them and stated: “You guys should be all good to go.” It was at that point that the local sheriff, Chad Leonard, arrived at the Dallas Courthouse. Despite the authorization letter, his deputies onsite already having verified our team, and State employees urging their release, the local sheriff proceeded to arrest Mr. Wynn and Mr. DeMercurio.
Failing to de-escalate the issue and bring in State/County politics, Sheriff Leonard communicated in an email "that this building belonged to the taxpayers of Dallas County and the State had no authority to authorize a break-in." Leonard also added that a state employee asked him not to tell other sheriffs about the incident to ensure the operation continued at other locations, but that he was going to tell every sheriff.
I don’t know why he reacted the way he did. I’ve never met or spoken to Sheriff Leonard. Perhaps he didn’t like being tested without his knowledge or that our team found major security concerns at the facilities he was protecting.
Sheriff Leonard failed to exercise common sense and good judgement and turned this engagement into a political battle between the State and the County. I was stunned that the next morning the issues were not resolved and were actually amplified when bail was set as $100,000. My priority has always been for the safety of our employees, and we immediately engaged legal support and posted a $100,000 bond to get our team out of jail and get them home. I spoke with the team immediately after their release and promised to do everything I could to get this resolved. I intend to keep my promise.
Coalfire has done hundreds of these types of engagements, typically finding open doors, unconcealed passwords, and other items that criminals can use to exploit organizations. Our teams are often stopped by law enforcement or security personnel during these tests. When this occurs, the authorization letter is presented. This is the first time that the authorization letter and verbal calls from our client have not resulted in the immediate release of our employees. Frankly this matter is unprecedented within the tight-knit security industry and to our knowledge, no physical security professional has been arrested and officially charged while executing a contract.
Mr. Wynn and Mr. DeMercurio were acting as professionals carrying out their state-authorized obligations focused on improving the security of the Judicial Branch. It is unacceptable that they are now pawns in the dispute between the state and the county related to governance of the court buildings. My concern is that common sense is not prevailing in this case. The fact that this case is still ongoing is a failure of the criminal justice system in Iowa. I am also concerned that the close working relationship between the Sheriff, District Attorney, judges, and local politics involved may have potential conflicts of interest and impede a fair trial.
If what is happening in Iowa begins to happen elsewhere, who will keep those who are supposed to protect citizens honest? This is setting a horrible precedent for the millions of information security professionals who are now wondering if they too may find themselves in jail as criminals simply for doing their job. I believe that citizens of Iowa would benefit from using their resources to fix vulnerabilities, protect their data, and secure their public buildings rather than waste time and taxpayer money on this criminal pursuit.
Coalfire is cooperating fully in the ongoing investigation. My hope is that the officials involved in this case will appropriately consider the context in which the actions of our employees were performed and the ongoing dispute between the state and the county related to governance of the court buildings.
I have known both Gary and Justin for many years, and they are good people who have dedicated their lives to making the world a safer place. Gary and Justin, arguably our best physical pen testing team at Coalfire, choose to place themselves in harm’s way each and every physical test that they perform. They test the people who are supposed to keep citizens safe to ensure that they are doing their jobs. Yes, occasionally there are dangers associated with that as they must deal with law enforcement that may or may not understand what is happening. However, being the consummate professionals that they are, they are skilled in defusing situations and making them non-confrontational, much like they did on this engagement as no officer pulled a weapon of any sort.
I am a Navy veteran of 20 years who continues to serve in the Navy Reserves because I believe in our great country. Unfortunately, today I’m embarrassed by the way our employees have been vilified, one of which is a former Marine Corps officer, for doing the job they were paid to do. I’m ashamed that no one has had the courage to step up and do what is right. People appear to be more concerned about their own jobs or the political repercussions.
Drop the charges, purge their records. These men are unsung heroes, not criminals.
About Coalfire
Coalfire is the trusted cybersecurity advisor that helps private and public-sector organizations avert threats, close gaps and effectively manage risk. By providing independent and tailored advice, assessments, technical testing and cyber engineering services, we help clients develop scalable programs that improve their security posture, achieve their business objectives and fuel their continued success. Coalfire has been a cybersecurity thought leader for nearly 20 years and has offices throughout the United States and Europe.