Cyber attacks have hit prominent courts across the globe in recent months, from state courts in the U.S. and Australia to the International Criminal Court in Italy.
While all state and local governments wrestle with cyber challenges, the judicial branch faces some specific obstacles. But a series of new cyber resiliency summits for courts is launching later this year, complete with an array of free resources to help in this increasingly important fight.
The threats specific to courts include distributed denial of service (DDoS) and ransomware attacks that disrupt access to things like case-important information. Hackers might also breach sensitive court data, potentially putting personal information at risk. And knowing that a hacker accessed data raises questions about how much the data can be trusted.
“You have to make sure that the courts are operating off of legitimate information,” said Randy Rose, senior director of security operations and intelligence at the Center for Internet Security (CIS). “Could you in essence … manipulate records so that it looks like a person committed a crime or the records are altered in a way that it looks like a person didn’t commit a crime that they did in fact commit?”
Bad actors have also been known to target and dox officials, including judges, clerks and others, when angered by rulings, Rose said.
Courts trying to improve cyber defenses, however, face hurdles. For one, they’re not always in full control of their IT.
Unified state courts have a central state court administrator’s office or other office that provides technology and cyber services for all courts within their system, but non-unified courts rely on their counties, said Shay Cleary, managing director of the National Center for State Courts Court Consulting Services division.
County IT departments may not be “intimately familiar with the court system’s unique needs” and specific software, Rose said. Courts that receive county tech services without also having their own court IT person may find themselves in a situation where no one is specifically responsible for making sure legacy software gets updated, he said.
Customized legacy software can also be difficult to modernize, both for courts and other local government agencies. Newer versions of operating systems continuously update with security fixes, but agencies cannot always adopt them without risking disruption to specialized legacy systems, including taking away the ability to read court records, Rose said.
Other challenges have emerged for courts relying on local government IT as well, Rose said. Hackers hitting any part of the local government can spread to other parts, too, including the courts.
“Maybe they weren’t even going after the courts at all — that wasn’t their intention — but they get onto a municipal website, and they go, ‘Hey, I could jump right over to this court system, that’s interesting,’” Rose said.
Choosing to segment courts from the rest of the municipal network is more secure, although Rose said it could also make it more difficult for the central IT support to ensure the system is up to date.
State and local governments tend to be doing well on certain aspects of cybersecurity practices, though, such as awareness and training, Rose said. Where they most often struggle is getting a full inventory of systems, data and software so they can better manage cyber risks. Another frequent challenge is recovering from incidents.
But this series of forthcoming cybersecurity summits aims to help.
The National Center for State Courts and Joint Technology Committee — in partnership with the CIS and fueled by a State Justice Institute grant — are launching the summits across the country, with the first summit expected later this year, Cleary said. The summits will include a mix of online training and on-site tabletop exercises to help courts prepare for and recover from cyber disasters.
The summits are intended for high-ranking judicial officers, court administrators, IT staff and, potentially, public information officers. Cleary also recommended including county or court emergency management specialists, if available.
In addition, groups like CIS are offering free tools.
“The goal is they will be able to leave that summit after this education with essentially a template, relationships and the ability to more quickly respond,” Cleary said.
And experts are hopeful that a little bit of prep will go a long way. Rose said some simpler core measures can thwart plenty of attacks.
“A lot of the stuff that we have seen hitting courts is not particularly sophisticated,” Rose said. “… unless somebody’s really, really determined to get into your network, you can mitigate the bulk of your risk with some very basic defense-in-depth approach and techniques.”