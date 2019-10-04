DES MOINES -- A state lawmaker called it “a covert, stupid operation.”
A local sheriff said the incident “could have ended poorly.”
And the Iowa Supreme Court’s chief justice offered an effusive apology for the whole thing.
The Iowa Senate’s government oversight committee on Friday heard testimony from myriad public officials regarding the state judicial branch’s recent security tests in multiple central Iowa government buildings after two men were arrested in the early morning hours of Sept. 11 for breaking into the Dallas County courthouse.
State lawmakers on a government oversight panel described it as an overreach that created a potentially dangerous situation.
State judicial branch officials who planned for the tests characterized the issue as a misunderstanding between the government and a contractor.
“I want to begin with an apology, to you and to everyone for diminishing public trust and confidence in the court system,” Iowa Supreme Court chief justice Mark Cady said in a prepared statement to the oversight panel. “As the leader of the judicial branch, I take full responsibility, just as I take responsibility to repair the damage and rebuild trust.
“In our efforts to fulfill our duty to protect confidential information of Iowans from cyberattack, mistakes were made. We are doing everything possible to correct those mistakes, be accountable for the mistakes, and to make sure they never, ever occur again.”
The state judicial department contracted with Coalfire, a Colorado-based cybersecurity company, to attempt to gain access to state judicial records housed in central Iowa government buildings. The exercise was designed to test the buildings’ security systems to determine whether Iowans’ records and sensitive information were properly stored and protected.
Coalfire’s men were arrested just after midnight on Sept. 11 in the Dallas County courthouse. The Polk County courthouse and state judicial building also were targeted in the exercise, according to testimony at Friday’s hearing.
State lawmakers on the oversight panel chided judicial branch representatives for conducting operations in county-owned buildings without notifying local officials. Some lawmakers said they view the exercises as overreach by the state judicial branch into county government, even though judicial branch officials insisted they were attempting to test only systems and employees under the state’s purview.
The judicial branch representatives said the late-night break-in was never their intention, that they believed Coalfire would send its workers into the central Iowa government buildings during normal business hours to attempt to gain access to areas under the state judicial branch’s purview.
Judicial branch officials said they are not sure why the contracted men were conducting the exercise in the Dallas County courthouse after midnight, and that the judicial branch is conducting an independent investigation to determine that and also what conversations took place between Coalfire and judicial branch officials.
Judicial branch officials testified that in 2015 similar tests were conducted using Coalfire, and in those tests the company’s workers conducted their exercises during business hours and only in state judicial branch offices in government buildings in Polk, Story, Tama and Marshall counties.
“Reasonable minds can look at the same phrase and disagree. That’s probably the biggest lesson we’ve learned from this, is we need to re-examine contract review within the IT area,” Elaine Newell, legal counsel to the state court administrator, told the oversight panel. “That’s part of what we anticipate will be coming out of the independent review.”
State lawmakers on the oversight panel said local government and law enforcement officials have expressed anger and frustration that they were not consulted in advance of the operations. Lawmakers highlighted the testimony of law enforcement officials who said the break-in created a potentially hazardous situation since they were unaware of the tests and responded to the Dallas County courthouse break-in as if it was a legitimate crime in progress.
“This could have ended poorly,” Dallas County Sheriff Chad Leonard said. “It could have ended a lot worse.”
Judicial branch officials said they did not alert local officials about the tests because in addition to believing the tests would take place during business hours, they did not expect the Coalfire workers to interact with county or city staff.
Tony Bisignano, a state senator from Des Moines and oversight panel member, said despite those expectations, the state judicial branch should have notified local officials about the tests, which Bisignano described as “such a covert, stupid operation.”
“There’s no reason this couldn’t have been done in a cooperative fashion,” Bisignano said.
Bisignano also said the state judicial branch owes local government officials an apology, that someone in the judicial branch “should be held responsible,” and that the judicial branch should reimburse Polk and Dallas counties for expenses they have incurred related to the security tests.