Iowa chief justice apologizes for courthouse break-ins
DES MOINES, Iowa (AP) — The chief justice of the Iowa Supreme Court apologized Friday to a legislative committee investigating the break-ins at courthouses and the court system’s own state-owned building as part of a cybersecurity vulnerability test.
Mark Cady told the Senate Government Oversight Committee that he takes full responsibility and apologizes for diminishing the public’s trust and confidence in the court system.
“In our efforts to fulfill our duty to protect confidential information of Iowans from cyberattack, mistakes were made. We are doing everything possible to correct those mistakes, be accountable for the mistakes, and to make sure they never, ever occur again,” he said.
The hearing came as the judicial branch conducts its own independent investigation of what led to two cybersecurity workers breaking in to the Dallas County Courthouse after midnight on Sept. 11, where they were arrested after an alarm was triggered.
The men are charged with third-degree burglary and possession of burglary tools.
Senators questioned Dallas County Sheriff Chad Leonard about the danger presented to officers responding to two men caught in the courthouse in the middle of the night.
“It’s Sept. 11, you know and two unknown people in a courthouse,” he said. “It could have ended very poorly. We could have ended up with five deputies off on leave getting investigated for potentially killing two people at a courthouse.”
The two men gave officers contract documents signed by state court officials and claimed they were hired to check courthouse vulnerabilities.
Senators on the committee criticized several judicial branch administrators appearing before them for developing and signing contracts that were not properly vetted by a lawyer for inconsistencies or errors. They also expressed concerns that local officials were not first notified that a security test was planned.
Sen. Tony Bisignano called it a “covert stupid operation” that put law enforcement officers and the men involved in the break-ins at risk of harm.
“You chose to take it upon yourselves, two or three of you, and create this operation years ago that you’re going to subvert everybody’s system, a gotcha plan,” he said.
Information technology employees at the judicial branch said they entered contracts with the Colorado-based cybersecurity company Coalfire to conduct tests on buildings and computer systems at county courthouses, which are owned and protected by counties but provide space for the state-run court system. They said they believe the men exceeded the boundaries of the contract, which was intended to test security of electronic access to court records, not forced entry into a building.
Officials later found out the men had also entered the Polk County Courthouse and the state judicial branch building housing the Iowa Supreme Court without being detected.
Committee Chairwoman Amy Sinclair said the investigation will continue but that the committee likely will wait to see the results of the judiciary’s own independent investigation and the conclusion of the criminal cases against the cybersecurity employees before reaching any conclusions.
She said one concern is whether judicial system officials stepped outside the bounds of their branch of government.
“It is outside the scope of the judicial branch to authorize individuals to illegally break into facilities that they neither own nor provide security for,” she said.