The House Homeland Security Committee held its first hearings this week on the devastating SolarWinds attack that gave Russian hackers months-long access to critical US government departments. But Senators are now demanding more information about the attacker’s infiltration of the US court system, which has already been forced to make changes in how documents are filed as a result of the attack.
Last month, James Duff, director of the Administrative Office of the U.S. Courts, sent a letter addressed to “All United States Judges” admitting that the Case Management/Electronic Case Filing (CM/ECF) system, which stores some of the government’s most sensitive documents, had been breached. He said the hack risked “compromising highly sensitive non-public documents stored on CM/ECF, particularly sealed filings.”
“Certain sealed filings in CM/ECF, however, contain sensitive non-public information that, if obtained without authorization and improperly released, could cause harm to the United States, the Federal Judiciary, litigants, and others. Your immediate action is needed to mitigate this apparent compromise and reduce the risk of future compromises of confidential court filings,” Duff wrote, asking all courts to “issue a standing or general order or adopt some other equivalent procedure requiring that highly sensitive documents (HSDs) will be accepted for filing only in paper form or via a secure electronic device.”
“Highly sensitive documents should be stored in a secure paper filing system or a secure standalone computer system that is not connected to any network, particularly the internet. The AO will provide courts with model language for a standing or general order as well as advice and guidance on how to establish and securely maintain a standalone computer system if a court chooses that option.”
Duff added that sealed court orders and any other sealed documents generated by the court should not be uploaded into CM/ECF or the Public Access to Court Electronic Records (PACER) system or into any other system connected to a network or the internet, “but must instead be transmitted to parties by a secure means specified by the court.”
Senators demand more information
The alarming letter caused shockwaves and concern in the legal community about the massive changes to how documents are filed.
Senators Richard Blumenthal, Dianne Feinstein, Patrick Leahy, Dick Durbin, Sheldon Whitehouse, Amy Klobuchar, Chris Coons, Mazie Hirono, and Cory Booker all signed a Jan. 20 letter to the chief information officer at the Department of Justice and the associate director of the Administrative Office of the U.S. Courts demanding a hearing on the changes and on the hackers’ potential access to court documents.
“We are alarmed at the potential large-scale breach of sensitive and confidential records and communications held by the DOJ and AO, and write to urgently request information about the impact and the steps being taken to mitigate the threat of this intrusion,” the senators wrote.
“The DOJ and AO have acknowledged that they were among the federal agencies breached by Russian hackers, providing troubling accounts of the breadth and depth of the compromise.”
The letter adds that the Office of the Chief Information Officer found that the number of potentially accessed Microsoft 365 mailboxes appears limited to around 3%, “which, given that DOJ has over 115,000 positions, could amount to thousands of email accounts within an agency tasked with profoundly sensitive law enforcement and national security missions.”
The senators sent along multiple questions about the documents accessed and what the DOJ knows about the attack.
The Associated Press reported that officials believe the Russian hackers were able to access thousands of documents related to whistleblowers, warrants, trade secrets and espionage. Some even intimated that the attack may be ongoing, and that the hackers may still have access to the filing system.
Court employees told the news outlet that while criminal, civil and bankruptcy filings were most likely accessed by the hackers, the Foreign Intelligence Surveillance Court system was not.
A number of courthouses are now uploading documents to a single computer that is physically at the courthouse and not connected to the internet at all, limiting the access lawyers may have to certain documents.
Each of the country’s 13 federal circuit courts has its own measures and rules for protecting the security of filed documents, but the attack may now force changes across all of them. Not all of the courts previously encrypted their documents.
Jamil Jaffer, a former associate counsel to the White House and senior advisor to the United States Senate Committee on Foreign Relations, said the hackers may have even accessed sensitive information about ongoing national security investigations “with a foreign nexus.”
“The changes by particular courts implemented in response to this Russian government hacking effort could help protect highly sensitive materials, but when combined with both COVID-related procedures may also result in potential delays in critically important investigations,” said Jaffer, who served on the leadership team of the Justice Department’s National Security Division in the Bush Administration and helped draft the Cyber Intelligence Sharing and Protection Act.
“This aggressive and successful collection effort by the Russian government has almost certainly resulted in significant national security damage to the United States and highlights the need for stronger collective defense efforts by the federal government, including with the private sector and state and local governments.”
“Rigid” court IT systems
Alicia Dietzen, lawyer and general counsel for security company KnowBe4, said that from sensitive patents to confidential informants, there is no telling how much information was revealed to the hackers.
Dietzen noted that lawyers work around the clock to ensure the interests of clients are protected, whether it be their clients’ identities or their clients’ financial well-being. She also understood that while the court was taking drastic actions, it was necessary to keep files protected.
“It is impossible to tell what pieces of data may ultimately be used, or how it will be used, by these hackers. For the time being, the courts have implemented a drastic, but necessary, stopgap measure: If it’s online, it’s at risk. The irony is that by going back to the old way of doing things, the courts have improved their modern security,” Dietzen said.
“Of course, this cannot be the solution forever. Remote filing and interfacing over the internet, especially during COVID, have become critical to the practice of our profession that was long overdue. The days of simply making sure your antivirus software is up to date, however, are long gone. Hackers have become increasingly sophisticated and, with that, our strategies to combat them must also evolve.”
Other experts echoed that sentiment, noting that the federal court system has long needed to modernize its IT infrastructure. Brian Hajost, president at SteelCloud, questioned whether all legal documents really need web access.
He said the court needs to think about whether the benefits of providing ubiquitous access to sensitive documents outweigh the risks. He also explained that the root of the SolarWinds problem was not any internal system but vulnerabilities in third-party technology providers.
“Ongoing governmental secure supply chain initiatives, such as the DoD’s CMMC program, will most likely be expanded to cover additional critical supply chains,” he said.
Cyber security compliance expert Karen Walsh added that government IT systems are “notoriously inconsistent” and said the courts are no exception.
Like other experts, she highlighted how COVID-19 forced many law firms and courts to switch to using digital technology.
“They’re also notoriously rigid, in other words consisting of legacy technology that’s difficult to modernize. All of this creates additional security and privacy issues. Moving to the cloud, especially in response to COVID, was something new for the legal industry. Teleconference hearings were a seismic shift to the industry. The infrastructure just hasn’t really been in place, and where it has been, it’s not being deployed consistently,” the Allegro Solutions CEO said.
“Looking at the Butterfly Effect here, law firms really need to be looking at the potential impact to their infrastructure. Were the hackers able to move from the court’s networks into the firm’s infrastructure? For larger firms, this might not be an issue, but the small and mid-size firms are more likely to be less cyber-mature. If the hackers were able to move into these private systems, then that changes the risk assessment these firms have been relying on. That changes the entire game for them because now they need to think about their own liability to their clients.”
Brandon Hoffman, chief information security officer at cybersecurity firm Netenrich, noted that cybersecurity experts have long joked about “moving back to paper,” citing an urban myth that Russian officials use only paper because spies have forgotten how to steal physical documents.
“The recent spate of attacks brings this joke closer to reality, as we see with the US Court System. In the age of digital transformation it is prudent to consider, and always has been, what is the riskiest data you have and whether or not it should truly be digitized,” he said.
“The move to paper documents for highly sensitive documents in the court system could prove to be the tip of the spear for a broader move of implementing more traditional controls for this type of information.”