The Iowa Supreme Court’s chief justice has set new guidelines for testing the court system’s data security.
The order comes after an independent investigation concluded there are “disagreements and confusion” about the contracts court officials signed with a cybersecurity firm. Two of that firm’s employees face burglary charges in Dallas County.
Employees for a company called Coalfire conduct remote and in-person security tests around the globe. The firm was hired to try to gain unauthorized access to computer systems inside the Iowa Judicial Building in Des Moines as well as two county courthouses. Two of the firm’s employees were arrested after breaking into the Dallas County Courthouse after hours.
Two former federal prosecutors conducted an independent investigation. They found there are differing accounts from the state court officials and from Coalfire staff about exactly when the break-ins were to occur — plus the agreement was never reviewed by an attorney from the courts.
Chief Justice Mark Cady has ordered that contracts for future testing be reviewed by a lawyer. In addition, the chief justice said cybersecurity tests at county courthouses must occur during regular business hours and “physical break-ins” during such testing are prohibited.
The cybersecurity employees who did the break-ins did have what was called a “get out of jail free” letter. Dallas County officials have said the letter is not valid because the courthouse is owned by the county, not the state. The two former federal prosecutors who conducted the investigation say it’s unclear whether state court officials have authority to grant after-hours access to county courthouses.
Finally, the special investigation released today said court officials and the cybersecurity firm overlooked the risks of keeping local law enforcement in the dark about the late-night break-ins. The former federal prosecutors also questioned the wisdom of conducting one of the break-ins on the anniversary of the 9/11 attacks.