DES MOINES, Iowa — Chief Justice of the Iowa Supreme Court Mark Cady apologized to state lawmakers on Friday for the alleged break-ins at county courthouses that were ordered by judicial branch officials as part of a cybersecurity test.
Cady, who is the head of the Iowa Judicial Branch, addressed the Senate Oversight Committee during fact-finding hearing at the statehouse that lasted over four hours. Lawmakers sought information from law enforcement, county leaders and judicial branch officials about the break-ins at the Dallas and Polk County courthouses in September by two men employed by Coalfire, a cybersecurity firm contracted by the Iowa Judicial Branch to check security vulnerabilities. They were arrested and charged with third-degree burglary following the September 11 breach of the Dallas County Courthouse in Adel.
Cady apologized for "diminishing public trust and confidence in the court system," saying he takes "full responsibility" for the damages.
"In our efforts to fulfill our duty to protect confidential information of Iowans from cyberattack, mistakes were made," Cady said.
A panel of lawmakers questioned why the judicial branch authorized the "penetration testers" to make unauthorized entry into county-owned courthouses over which the branch of state government has no authority. Law enforcement officials from Dallas and Polk County testified that they were not made aware that any security tests and said there could've been more grave consequences.
"To have tests like this conducted, without even a notification that at some point you may be subject to--even without any specific details---is just an affront to the jobs that they do locally," Sen. Amy Sinclair, R-Allerton, chair of the oversight committee, told reporters after the meeting.
Sen. Tony Bisignano, D-Des Moines, called it a "covert stupid operation," that put people's lives at risk, adding that the courts should pay for the entire "fiasco."
"I don't think you gave consideration to people. You had this concept of what you wanted to accomplish and you insulted a lot of professionals," Bisignano said. "You owe them an apology."
Some judicial branch IT employees directly linked to the documents contracting the cybersecurity firm told lawmakers they believe there was confusion about the scope of the agreement with the two Coalfire employees.
“In the context of contract language, reasonable minds can look at the same phrase and disagree. Probably that’s the biggest lesson we’ve learned from this: we need to re-examine contract review within the IT area," said Elaine Newell, legal counsel to the state court administrator."
Lawmakers didn't get all of the information they were seeking during their probe on Friday as officials could not speak to the ongoing criminal investigation. The Iowa Judicial Branch is conducting its own independent investigation into the matter.
Sinclair said there needs to "processes in place" related to state contracts to prevent similar situations from happening.
"Clearly every single branch of government should have internal controls on the way they issue contracts and on the contracts that they hold. Is it going to take legislative action? I don't know yet," Sinclair told reporters.