County Awards $600,000 Settlement to Penetration Testers Arrested for Courthouse Security Assessment

Security Professionals Settle Lawsuit Following Unauthorized Arrest During Courthouse Assessment

Two security experts, arrested in 2019 while conducting a sanctioned security evaluation of a courthouse in Iowa, have agreed to a $600,000 settlement in a lawsuit alleging wrongful arrest and defamation. Gary DeMercurio and Justin Wynn, penetration testers affiliated with Colorado’s Coalfire Labs, were authorized by the Iowa Judicial Branch to perform “red-team” exercises—simulated security breaches that replicate tactics usually employed by malicious hackers.

The goal of these assessments is to rigorously evaluate the effectiveness of security measures against potential real-world attacks. The explicit rules governing this exercise allowed for “physical attacks,” including lockpicking, provided that no substantial damage was inflicted on judicial buildings.

The incident drew significant attention within the cybersecurity and law enforcement communities. Despite their legitimate authorization, DeMercurio and Wynn faced felony charges of third-degree burglary and were incarcerated for approximately 20 hours before securing release on a $100,000 bail ($50,000 each). Charges were subsequently downgraded to misdemeanor trespassing; however, Dallas County Sheriff Chad Leonard continued to assert publicly that their actions were illegal and warranted prosecution.

The repercussions of such events can critically impact the reputations of security professionals, raising substantial concerns among penetration testers and the organizations that rely on their services. The specter of arrest for carrying out approved security assessments may deter professionals in the field, potentially jeopardizing public safety rather than enhancing it.

Wynn emphasized the broader implications of their arrest, stating that the situation conveyed a discouraging message to security experts nationwide. The notion that efforts to assist the government in identifying vulnerabilities could lead to arrest and public shame poses a significant risk to the security landscape.

The assessment at the Dallas County Courthouse on September 11, 2019, followed standard procedures. After discovering an unsecured side door just after midnight, the testers closed it to ensure it locked properly. They then fashioned a tool to manipulate the door’s locking mechanism, inadvertently triggering an alarm that alerted law enforcement.

This incident raises pertinent questions regarding the practices surrounding authorized assessments, particularly in a climate where cybersecurity threats are increasingly sophisticated. The MITRE ATT&CK framework can help illuminate the potential adversary tactics that may have been invoked during similar security assessment scenarios, such as initial access through manipulation of physical security measures and maintaining persistence by bypassing locks.

As organizational reliance on cybersecurity assessments grows, the implications of this case serve as a cautionary tale for business owners. Understanding the legal boundaries and potential risks associated with security evaluations is essential, not only for compliance but also for the broader aim of bolstering defenses against ever-evolving cyber threats. In a landscape where apprehension can overshadow innovation, ensuring clarity and security in these assessments will be crucial for ongoing public safety and trust in cybersecurity practices.
