Two Colorado cybersecurity employees were arrested doing their jobs. It's shaken the entire industry.

Tom McAndrew, CEO of Westminster-based Coalfire.
By Jensen Werley – Reporter, Denver Business Journal

“The whole thing could set a really dangerous precedent,” said one industry professional.

Two employees of a well-known Westminster-based cybersecurity firm have been arrested for ostensibly doing their jobs, prompting questions about new risks for the information-security industry.

Justin Wynn and Gary DeMercurio — two employees of Westminster-based Coalfire — were arrested in the early morning hours of Sept. 11 while performing physical tests of the security of Iowa county courthouses. Coalfire had been hired by the office of State Court Administration (SCA) to run a cybersecurity assessment of several court buildings. A rising best practice in cybersecurity testing is to test not just the network but also the buildings where the network is housed, on the logic that a network isn't truly secure if a person can easily break into the building around it. Cybersecurity firms hired to run simulations against a client’s network will often send employees to perform “penetration testing” or “pen testing,” in which they physically try to enter the building where the network or the IT team is housed. This process can also be called “red-teaming” or “social engineering.”

“The intent of red-teaming is to simulate what an attacker might do,” Coalfire CEO Tom McAndrew told Denver Business Journal in a recent interview. He said that he has done it personally and that Coalfire is, to his knowledge, the largest red-teaming company in the U.S., “with hundreds, if not thousands, of these engagements.”

The law firm of Faegre Baker Daniels LLP, hired by the Iowa Supreme Court to investigate and review the Coalfire case and issue a report, found that while there could have been some confusion and misunderstanding over terminology, the SCA did hire Coalfire to red-team some Iowa courthouses. According to the FaegreBD report, the signed contract for the work said that Coalfire would do a “physical assessment” and “attempt to gain physical documentation” and could do so “during the day or evening.” Coalfire employees were also authorized to talk their way into an area and leave behind malicious devices, and they were authorized to perform lock-picking. They were, however, limited in which floors they could enter and were warned that there were armed guards at some of the buildings.

“I don’t think anyone anticipated that there might be questions if we were authorized to do it,” McAndrew said. “We were working for the judicial branch and they’re telling us to go into judicial places where people go.”

The extent of that authorization did, however, become an issue.

The incident

The series of events reported here is based on the information contained in the FaegreBD report. On the night of September 9, Wynn and DeMercurio tested the Judicial Building and even left their business card on the desk of one of the IT managers. State Court Administration employees showed interest in how the Coalfire employees got through, but they did not express concerns over the methodology. According to the report, the Coalfire employees were even congratulated on their success by one of the IT managers who had hired them.

McAndrew said that if there were any concerns about Coalfire doing testing at night, he expected the day of Sept. 10, after the business card was found, would have been the point where displeasure was vocalized. That didn’t happen, he said.

The trouble happened the next night, when Wynn and DeMercurio were testing two local county courthouse buildings. The employees carried a “get-out-of-jail-free” letter to explain what was going on in the event they ran into law enforcement. In a public statement he authored on Oct. 29, following the arrests, McAndrew said that in most cases the “get-out-of-jail-free” authorization letter is enough, should there ever be a problem. In the same statement he said that his employees showed the law enforcement officials on the scene their tools and walked them through what they were doing. (The FaegreBD report does not include these details.)

McAndrew said that when the sheriff arrived on the scene, he arrested Wynn and DeMercurio despite the authorization letter. The FaegreBD report does not specify who made the arrest but says that the Coalfire employees were arrested inside the Dallas County courthouse in Iowa. The report says it was at this point that the SCA officials who were called after the arrest had mixed reactions: some thought the testing was covered, while others were surprised that Wynn and DeMercurio were testing the county courthouses at night. The FaegreBD report later attributes this misunderstanding to a lack of communication within the SCA team.

Both Wynn and DeMercurio were charged with felonies, and bail for the two was set at $100,000, which Coalfire paid. The charges have since been reduced to misdemeanors but have not yet been dropped.

The dispute

There seem to be two main disputes in the case. The first point of disagreement has to do with possible ambiguities in the contract between Coalfire and the SCA. The second dispute is whether the SCA even had the authority to order testing for local courthouses.

McAndrew contends that his employees were basically caught in a political argument over who has authority over local courthouses: the local municipalities and counties or the State Court Administrator.

The FaegreBD report also looks at the question of whether the SCA had authority to not only test the Judicial Building but the local county buildings. The report doesn’t make a decision as to whether it did or not, only saying that the statutes on the books in Iowa could be interpreted either way.

The other dispute, and the one that ties in most directly with the business of cybersecurity, is the contract. The Faegre report concludes that the SCA likely misunderstood what red-team testing really meant. The report said part of that could be down to how much information-security jargon was in the contract.

To that point, McAndrew said that the language of contracts can be adjusted any way a client needs and that the contracts were reviewed and approved by the SCA.

The report also said that there could have been more communication between the parties, although it indicates that much of the responsibility for communicating rested with the SCA, which needed to say more clearly what the office was looking for. The report says the SCA needed to communicate any problems it had with what was happening and to report more clearly what was happening with these tests up the chain of command. That didn't happen, which is what led to the confusion over the terms of Coalfire's engagement after the employees were arrested.

For his part, McAndrew said that his employees followed the company’s best practices for communicating with the client during its testing. What is more, he said communication is usually driven by the customer: If the client wants 15-minute updates, for example, that’s what his employees will provide.

“[Wynn and DeMercurio] were being appropriate in communicating,” he said. “Nobody was saying you’re missing meetings or we want to talk more…. We will communicate as much as the client dictates and if we find something critical we will communicate that quickly.”

The Iowa Judicial Branch has issued an apology over the circumstances and said it plans to rebuild trust.

“In our efforts to fulfill our duty to protect confidential information of Iowans from cyberattack, mistakes were made,” Chief Justice Mark Cady of the Iowa Supreme Court said in a statement to the Senate Government Oversight Committee on Oct. 4. “We are doing everything possible to correct those mistakes, be accountable for the mistakes, and to make sure they never, ever occur again.”

The reaction

The unusual circumstances of the Coalfire case — that employees were arrested and are still being charged, that they were arrested even after providing their authorization letter to authorities, and that they were arrested doing a routine security test — are causing ripples through the information-security industry.

“I don’t think it was on anybody’s radar that two individuals could be charged as individuals for work they were doing for their employer for a customer,” Coalfire's McAndrew said.

He said that it would be one thing if Wynn and DeMercurio were going into different buildings than what they were assigned or doing things outside of the contract. He said if the SCA wasn’t authorized to hire Coalfire to test the county courthouses, that was on the client to know, not Coalfire. He added that Coalfire is a large company that had resources to pay the $100,000 in bail, but that not every cybersecurity firm is in that position.

Other information security firms are concerned about what the Coalfire case could mean.

“The whole thing could set a really dangerous precedent,” said Brad Hayes, chief technology officer at Circadence, a Boulder-based cybersecurity firm. His firm doesn’t do pen testing, but he still has concerns about what this could mean for his industry.

One solution he sees is companies being all the more careful about contracts and that the client knows exactly what they’re asking of the firm.

“It underscores the need to explicitly articulate the capacities you’re contracting from security companies,” Hayes said. “But I’m not sure I would have thought to alert the sheriff’s office [to warn them about the work being done]. Given that the contract was in place, I would think the host company would do that. Goes to show you really need to cover all your bases.”

Other companies are viewing this with a more hardline approach.

“There is clear disagreement around the scope of work Coalfire was authorized to perform,” Tyler Moffitt, senior threat research analyst at Webroot, told DBJ in an emailed statement. “With regard to cybersecurity, it’s a professional’s job to ensure users are secure at all access points and educated on best practices, and that includes physical security through pen testing. It’s important that industry protocols like pen testing are better understood by businesses, governments and other authorities to help limit such significant misunderstandings in the future, and keep the goal focused on preventing and protecting against risk.”

McAndrew said Coalfire will continue to support Wynn and DeMercurio as this case proceeds and do whatever it can to make sure the arrest does not jeopardize their future.

As to the company, he said that Coalfire is used to working in a world of risks. Because of that, he said the company is familiar with making mistakes and moving forward from them. In the case of the incident, he said Coalfire is working on being even more clear in its communication with clients and will take the lead on educating its clients on the information security world.

“As hackers, so many of us focus on the technical side, many don’t look at the operational support. As a company, it's lucky this happened to us because we have the resources for it. If it happened to many small companies, there would be different outcomes.”
