Cybersecurity breaches happen so often that most are no longer considered front-page news. Many observers default to viewing the victims of these incidents as irresponsible because of poor security practices.
The SolarWinds breach and recent Microsoft Exchange vulnerabilities illustrate that quite often the opposite is true. Behind all this is the fact that risks for organizations required to adhere to stringent security protections and compliance—especially the legal industry—continue to grow.
The breach of IT networks of U.S. federal and state courts demonstrates the vulnerability of legacy IT systems used by the judiciary system. There is a constant threat to highly sensitive information—documents filed under seal, confidential witness identities, the names of victims of domestic abuse.
Indefensible Once Breached
Each time a major federal or enterprise system is successfully breached, industry acknowledges that ensuring secrecy and privacy is unlikely if we rely on the foundation of compromised systems. Regardless of the type of attack or which databases are breached across government or industry, providing security to the most critical information remains a challenge.
Most systems are impossible to defend once an attacker has gained entry and granted themselves elevated network privileges. In more extreme situations, such as the compromise of the federal courts’ IT systems, the recourse is to go back in time—reverting to paper records and transferring sensitive information on USB drives. This is a poor substitute, particularly with the shift to remote work and the increased need to rely on digital information during Covid-19.
Securing paper records brings its own problems, as they are often scanned to digital. USB drives, unless protected well and controlled, become a security nightmare when their loss or theft results in a data breach.
Like most essential government systems, federal and state courts require a more secure solution. Building and implementing a secure infrastructure requires a new mindset, as the only realistic approach will be to integrate end-to-end encryption (E2EE) in a “zero trust” environment.
Zero trust allows a sophisticated organization to operate assuming that its networks are already compromised, and it can only expect to detect a fraction of network intrusions.
‘Top Hat’ Solutions
In the 1980s, the Soviet Union infiltrated a new U.S. embassy building in Moscow by compromising the building construction supply chain. Upon discovery, the U.S. government built a more secure “top hat” section to the embassy intended to be secure from outside actors. Rather than destroy the structure altogether, the whole building became an untrusted network—only the new secure areas allowed for confidential work.
Many legal organizations, including federal and state courts, operate with complex and often aged networks that are expensive and difficult to scrap or renew with existing resources.
In many cases, the courts’ work is public and government decision-makers don’t want to invest additional resources to make these systems more secure. Rather, these entities should follow the Moscow embassy “Top Hat” model and adopt a network that provides a secure enclave for the most critical information.
In a modern network, this can be accomplished through a segmented architecture, building electronic walls, or creating separate physical networks. However, these approaches often fail because network segmentation, including air gaps, is often compromised by accident or by smart hackers.
Most domain controls are software-based, and they are the first place hackers go to compromise a network. The cost of new IT is also often high.
The Zero-Trust Concept and E2EE
Another approach that offers federal and state courts more security is adopting the concept of zero trust—the idea that there is nothing inherently trustworthy about any part of the network or any device, so every device is treated as if it sits outside the security perimeter and may already be compromised.
Zero trust relies on E2EE to remove the weakness of central key management and authentication from the calculation. This technology is now widely available thanks to the powerful computing capabilities of mobile devices.
It can be implemented within most enterprise networks, enabling the protection of confidential communications inside and outside the network. E2EE works because it ensures that every message, including file transfers and video conferencing, is always encrypted between the sender and recipient, securing it even from attackers who compromise the inner network.
E2EE can enhance security in other ways also. By enabling strong cryptographic authentication of users, the risk of hackers bypassing security to send phishing messages, or “Zoom bombing” court hearings, is reduced.
As recently noted in an academic paper, unauthorized access to video or audio conferences most often originates with insiders, not outsiders, which makes passwords to secure online meetings obsolete. E2EE also allows for information governance with a cryptographic element—ephemeral data—that ensures that data, once obsolete or no longer needed, can be “flushed” out to mitigate the risk of old content being compromised.
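The two E2EE properties described above (a relay inside the network sees only ciphertext, and flushing the endpoints' key makes stored content unrecoverable) can be shown in a few dozen lines. The following is an added illustration written for this column; it is not Wickr's protocol or any product's code. It uses a toy encrypt-then-MAC scheme built from HMAC-SHA256 in counter mode so that it runs on the Python standard library alone; a real deployment would use an authenticated cipher such as AES-GCM or ChaCha20-Poly1305. The `Relay` and `Device` classes, the message ids and the docket text are constructed for the example, and the shared session key is assumed to have been established between the two endpoints by a key agreement that is not shown.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16   # bytes of random nonce prepended to each message
TAG_LEN = 32     # bytes of HMAC-SHA256 tag appended to each message


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC-SHA256(enc_key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(session_key: bytes):
    """Derive independent encryption and MAC keys from the shared session key."""
    enc_key = hmac.new(session_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(session_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def seal(session_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(session_key)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(session_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt. Raises ValueError on any tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated message")
    enc_key, mac_key = _subkeys(session_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class Relay:
    """Constructed stand-in for the court's message server: stores blobs, holds no keys."""
    def __init__(self):
        self.stored = {}

    def store(self, msg_id: str, blob: bytes) -> None:
        self.stored[msg_id] = blob

    def fetch(self, msg_id: str) -> bytes:
        return self.stored[msg_id]


class Device:
    """Constructed endpoint that keeps the session key only until it is flushed."""
    def __init__(self, session_key: bytes):
        self._session_key = session_key

    def send(self, relay: Relay, msg_id: str, plaintext: bytes) -> None:
        relay.store(msg_id, seal(self._session_key, plaintext))

    def read(self, relay: Relay, msg_id: str):
        if self._session_key is None:
            return None  # key flushed: the ciphertext on the relay is now unrecoverable
        return open_sealed(self._session_key, relay.fetch(msg_id))

    def flush(self) -> None:
        """Ephemeral data: discard the key, which cryptographically erases all stored messages."""
        self._session_key = None


def demo(plaintext: bytes = b"SEALED: witness identity, docket 00-cv-0000 (constructed sample)") -> dict:
    """Run one sealed exchange and report what each party can see."""
    session_key = os.urandom(32)  # assumed: agreed between the endpoints, never given to the relay
    relay = Relay()
    clerk, judge = Device(session_key), Device(session_key)
    clerk.send(relay, "m1", plaintext)
    blob = relay.fetch("m1")
    results = {
        "relay_sees_plaintext": plaintext in blob,        # compromised relay learns nothing
        "recipient_reads": judge.read(relay, "m1") == plaintext,
    }
    tampered = bytearray(blob)
    tampered[NONCE_LEN] ^= 0x01                            # flip one ciphertext bit in transit
    try:
        open_sealed(session_key, bytes(tampered))
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    clerk.flush()
    judge.flush()
    results["readable_after_flush"] = judge.read(relay, "m1") is not None
    return results


if __name__ == "__main__":
    print(demo())
```

`demo()` reports that the relay holds only ciphertext, the intended recipient reads the message, a single flipped bit is rejected rather than silently decrypted, and once both endpoints flush the key the copy still sitting on the relay is worthless to anyone who later breaches it. The relay never has a key to lose, which is the point the column makes about removing central key management from the calculation.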
The Sedona Conference has been studying the use of such technologies in the context of e-discovery in an effort to build common ground for their use and their potential for enhancing security and privacy. (Note: In the interest of disclosure, one of the authors, Guillermo Christensen, is a member of the drafting group for the Sedona Conference.) This dialogue is crucial and timely.
To date, the courts and legal profession have approached E2EE cautiously—in part due to warnings from law enforcement. This must be overcome with increased understanding of the technology and its use in fully functional, enterprise-grade products. The threat posed to our information systems—public and private—has never been greater, and we can’t afford to wait.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Guillermo Christensen, managing partner of Ice Miller’s Washington, D.C., office, combines his experience as a former CIA intelligence officer, a diplomat with the U.S. Department of State, and an attorney in the private sector to shape and inform the advice he provides to clients on various enterprise risks involving cybersecurity, national security (CFIUS) and complex international investigations (FCPA/OFAC).
Chris Howell is Wickr’s co-founder, co-author of patents for Wickr’s underlying technology, and CTO for technical strategy, security architecture and product design. He spent nearly a decade with the New Jersey Office of the Attorney General/Division of Criminal Justice specializing in computer crime investigation and forensics.