In September, the US state of Iowa contracted with a cyber security firm to conduct pen testing, and straightforward legal agreements were signed by all relevant parties.
Per the state’s instructions, two of the security company’s pen testers tried to wrangle their way into a series of state courthouses. After succeeding in the designated objectives, the two employees were arrested, and, surprisingly, the company was forced to bail the duo out from behind bars.
Although local news outlets have suggested that there was a miscommunication between the state of Iowa and the Dallas County Sheriff’s office, which was responsible for the arrest, the incident has given cyber security professionals the jitters. No one wants to be shoved into the back of a police car and then into a jail cell simply for doing their job.
The incident has generated concern that the potential for miscommunication will dissuade companies and partners from conducting cyber security testing of voting and election facilities ahead of the 2020 elections.
In examining the rules of engagement, documents show that the cyber security firm’s pen testing team was encouraged to “talk…[their] way into areas,” and to bypass traditional security mechanisms by “perform[ing] lock-picking activities to attempt to gain access to locked areas.”
The pen testers were arrested with lock-picks in hand and, to the aggravation of all parties, continue to await what has been deemed an altogether frivolous hearing. For more on this story, please visit CNBC.