August 04, 2023 Feature

Cybersecurity Threats to the Judiciary

By Claudia Rast

Lawyers and law firms handle a great deal of confidential information every day, making them prime targets for cybercriminals. This target extends to the judiciary, which has been no stranger to cyber intrusions over the past few years. From the 2015 breach of the Office of Personnel Management affecting 221 million records to the March 2020 breach of the federal judiciary’s Case Management/Electronic Case Files system, cyber risks and vulnerabilities continue unabated. Any information stored on a vulnerable network can be interesting to criminals, whether it is sensitive or confidential data or background information useful for social engineering exploits. The “bots” that many threat actors use to find vulnerabilities on the internet are just that—small computer scripts. They are looking for open doors that will provide easy access to a potential payday. Thus, it is crucial for both the bench and the bar to adhere to cybersecurity best practices to ensure the confidentiality, integrity, and availability of the data on their networks.

Understanding the Current Cyber Threats to the Judiciary

Cyber threats have become increasingly sophisticated and more difficult to discern. The rise of generative artificial intelligence, such as ChatGPT, provides threat actors with a useful tool to shape and customize their messages and methods of intrusion. Similarly, those defending against threat actors can use these same generative artificial intelligence (AI) tools to counteract and neutralize cyber intrusions. Below are examples of key methods threat actors use to steal or corrupt data:

  1. Ransomware. This is a form of malware (malicious software) that attempts to encrypt (scramble) your data and then extort a ransom to receive a decryption key that will unlock your data. Cybercriminals often spend days or weeks navigating the targeted firm’s network before they “drop” the ransomware executable file on their way out.
  2. Phishing. Cybercriminals send emails that appear to be from legitimate sources, such as clients, colleagues, or financial institutions, to trick employees into clicking on malicious links or downloading malware-infected attachments. Clicking on the links or opening the attachments can give cybercriminals access to the judiciary’s computer systems.
  3. Social engineering. Cybercriminals use social engineering techniques, such as impersonating a client or employee, to gain the trust of employees and trick them into revealing sensitive information or providing access to computer systems.
  4. Data leakage. While maintaining cybersecurity within the physical confines of a court may seem challenging, it is essential to understand in the post-pandemic hybrid work environment that security extends well beyond the office. Smartphones, laptops, and tablets have replaced the standard desktop PC. The wide availability and low cost of portable storage devices make them useful tools for the backup and transportation of data. Theft and misplacement of mobile devices are other ways in which threat actors obtain confidential data that can be used in their extortion schemes.
  5. Unsecured networks. Cybercriminals can gain access to a court’s computer systems through unsecured wireless networks, especially those that do not require a password or use weak encryption.
  6. Weak passwords. Cybercriminals can use brute-force attacks or password-guessing software to gain access to computer systems, especially if employees use weak or easily guessable passwords.
  7. Malware. Cybercriminals use various types of malware, such as viruses, trojans, and ransomware, to gain unauthorized access to court computer systems. Once installed, malware can steal data, destroy files, or provide backdoor access to cybercriminals.
  8. Third parties. Cybercriminals can gain access to computer systems through lawyers who communicate with the court by email and by third-party vendors or contractors that have access to the systems. If these vendors or contractors have weak security measures in place, cybercriminals can use their access to infiltrate the network.
  9. Insider threats. If your court employs staff (full time or as contractors) or has a steady flow of interns, as many courts do, these individuals could leak data by mistake or maliciously. The potential damage from a leak of documents should not be underestimated.

The first step in managing cyber risk is to identify the potential sources. Court administrative personnel should conduct a risk assessment to determine court staff access to, and use of, critical and sensitive data, including court filings, internal drafts and communications, and human resources information such as personally identifiable information, personal health information, and other confidential court data. This risk assessment should determine not only who has access to such information and systems but also who or what has the capability to monitor, detect, and prevent inappropriate system access and security events. Some court systems may not have the internal expertise to conduct such assessments and should consider hiring an expert in forensic security.

Working with external forensic experts, the court’s information technology (IT) staff will be very helpful in identifying where the most critical and sensitive court data are stored and how they can be protected. Many IT departments are focused on what the IT industry describes as “break-fix” tasks: ensuring that users are connected to the network and staffing help desk support. Yet the latest and greatest technology will not protect a network if its implementation cannot be properly configured and its users are not adequately trained. Misconfiguration of otherwise secure systems and human error have been featured prominently in this author’s data breach experience over the years. Verizon noted these failings in its 2022 Data Breach Investigations Report:

Error continues to be a dominant trend and is responsible for 13% of breaches. This finding is heavily influenced by misconfigured cloud storage. While this is the second year in a row that we have seen a slight leveling out for this pattern, the fallibility of employees should not be discounted.

The human element continues to drive breaches. This year 82% of breaches involved the human element. Whether it is the [u]se of stolen credentials, Phishing, Misuse, or simply an Error, people continue to play a very large role in incidents and breaches alike.

Cybersecurity is not a one-size-fits-all environment, and many of the latest technologies require a sophisticated implementation and configuration that are beyond the skill level and experience of many IT departments. This is not to disparage or criticize IT departments—they are often overwhelmed with their day-to-day operations and user demands—but it highlights that expertise and specialized training are often necessary when implementing new technologies.

Identify the Risks and Implement the Best Practices to Address Them

The focus when identifying risks should be on the basics. The defensive perimeter must be strong, but too often the “soft underbelly” is the users inside the perimeter who are distracted, too busy to notice, or just unaware of the risk when they share their credentials or click on malicious links. Threat actors don’t have to penetrate the secure outer walls of a company if they can get a user to open the door for them. Certain industry groups, such as law and finance, will find useful updates on threat intelligence from Information Sharing & Analysis Centers (ISACs) that are specific to their industry. Courts may find similar updates and resources from the federal agency established in 2018, the Cybersecurity & Infrastructure Security Agency (CISA). The CISA website lists a number of resources and training programs. Finally, there are a number of simple best practices that can and should be implemented as a court’s basic security framework to address both external perimeter defenses and internal operations.

For example:

  • Implement multifactor authentication (threat actors thrive when MFA is not deployed).
  • Mandate virtual private networks (VPNs) for remote access to court networks (critical for a dispersed and/or work-from-home workforce).
  • Deploy endpoint detection and response (EDRs will detect and prevent most incidents automatically and do so 24/7/365).
  • Implement incident response plans (without a plan, it can be chaos).
  • Encrypt confidential and sensitive data both at rest and in transit.
  • Back up data (encrypted) and secure that backup off-site (with a good backup available, no ransom payment is necessary).
  • Promptly patch and update software and be aware of “zero-day” exploits (when software developers announce “fixes” to their vulnerabilities that threat actors then race to take advantage of before the fix is in).
  • Turn on logging and save log files for more than 90 days (you can’t find what you can’t see, and evidence of that intrusion can be invaluable).
  • Segment data across IT networks (don’t make it easy for threat actors to crawl across your network).
  • Control access credentials to need-to-have individuals (threat actors target IT managers with the “keys” to the network).
  • Implement mandatory and periodic training for all (training works, and it’s simple to do).
  • Maintain physical security controls (lock doors, file cabinets, and access to servers and other sensitive equipment).
  • Conduct periodic external and internal vulnerability scans and annual “tabletop” exercises (security requires constant vigilance).

Implement Secure Administrative Measures

Implementing the best practices from the list above is not a one-and-done deal. It requires constant monitoring of new and evolving threats and leadership that understands the serious risks courts face when they are unprepared. A successful strategy for managing security monitoring and evolving threat concerns is to retain experienced third-party forensic experts to conduct periodic security scans of network systems and staged threat enactments with court IT staff to test the court’s defenses. In addition, risk assessment experts can provide much-needed arm’s-length assessments of the court’s risk profile. It is also important not only to have a data protection officer as part of the court’s staff but also for that person to have the court leadership’s support.

Training and Tabletop Exercises Are Key

Court staff training can be simple—there are many third-party vendors that have training modules which take 5 to 10 minutes to view on a monthly basis. Judges should not be exempt from completing this training, and the training should be ongoing. Again, training—just like the implementation of security measures—is not a one-and-done deal. Threat actors change their tactics as often as we implement new protective defenses. The speed with which these threats can change is even more rapid with the rise of generative artificial intelligence. As noted in a recent article in Forbes:

If you phrase the request cleverly enough, you can also get generative AI like ChatGPT to literally write exploits and malicious code. Threat actors can also automate the development of new attack methods. For example, a generative AI model trained on a dataset of known vulnerabilities could be used to automatically generate new exploit code that can be used to target those vulnerabilities.

In addition to periodic training, conducting annual tabletop exercises involving incident response team members is very important. When a cyber incident does occur, you don’t want your team to fumble through the court’s incident response plan trying to determine what they should do. Finally, it is critical to conduct a lessons-learned session after a cyber incident where everyone can benefit from knowing what measures worked and what basic steps should be taken to correct what didn’t work.

Conclusion

Cybersecurity is just as important as physical security as we strive to keep judges, court staff, and the public safe. Implementing protective and responsive cybersecurity measures requires attention, awareness, and training and should not be limited to IT staff but should extend to judges and court staff as well. It is incumbent on everyone to defend against the constant threats posed by cybercriminals and to respond appropriately when a cyber incident occurs. 

    The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.

    Claudia Rast

    Butzel Long

    Claudia Rast is a shareholder in the Ann Arbor, Michigan, office of Butzel Long. She chairs the firm’s IP, Cybersecurity, and Emerging Technology Group. Her privacy and data protection practice extends over 25 years, and she was appointed in 2020 as co-chair of the ABA Cybersecurity Legal Task Force.