Federal Courts Said to Suffer Hack Similar to Earlier Breach (2)

The federal judiciary has suffered a cyberattack that targeted similar vulnerabilities exploited in another hack five years ago, according to a person familiar with the situation.

The Senate Judiciary Committee has been briefed on the recent breach, which is related to the weaknesses involved in the 2020 intrusion into the federal courts system during the SolarWinds attack, which targeted the courts’ electronic case systems, according to the person.

In a Thursday statement, the judiciary said it “is taking additional steps to strengthen protections for sensitive case documents in response to recent escalated cyberattacks of a sophisticated and persistent nature on its case management system.”

The news release didn’t provide details on the timing or scope of the recent cyberattacks, and a spokesperson for the federal court system’s administrative arm declined to comment further.

Politico first reported on the hack.

The federal courts’ electronic case filing system includes Case Management/Electronic Case Files (CM/ECF), used to upload court papers, and PACER, which allows the public to access some court documents.

Some filings contain confidential information and are filed under seal. These documents “can be targets of interest to a range of threat actors,” and federal courts “have been implementing more rigorous procedures to restrict access to sensitive documents under carefully controlled and monitored circumstances,” according to the judiciary’s release.

The type of potentially vulnerable confidential information contained within the court system could include the names of confidential informants and people who are subject of sealed indictments related to espionage, said Matthew Ferraro, partner at Crowell & Moring and former Department of Homeland Security official who worked on cybersecurity.

While the majority of information in the court system is public, a portion is kept private “for serious reasons, reasons of legitimate concern over privacy or safety or security,” he said.

Other congressional committees have also been briefed on the matter, including the House Judiciary panel as well as representatives from congressional spending panels and the Senate Judiciary Committee’s federal courts panel, according to a Senate Judiciary Committee spokesperson. The committees have asked for a classified follow-up briefing to be held next month, according to the spokesperson.

Rep. Dave Joyce (R-Ohio), who chairs the panel that handles the judiciary’s budget, “is aware of the issue and is continuing to work with the Federal Judiciary on the matter,” according to his spokesperson.

Rep. Jamie Raskin (D-Md.), the top Democrat on the House Judiciary Committee, called on Congress to give the judiciary the funding it requested “so they can modernize their infrastructure and protect the integrity of our legal system.”

“Judges and other experts have long warned Congress that the federal judiciary’s outdated electronic systems are vulnerable to exactly this kind of breach,” Raskin said in a statement.

The Administrative Office of the US Courts in January 2021 said the judiciary had suffered an “apparent compromise” during the SolarWinds hack, which impacted several federal agencies.

Courts then instructed attorneys to file “highly sensitive documents” through paper or a secure electronic device, but individual courts adopted different definitions of what kind of documents qualified as needing additional security.

Judge Michael Scudder, who chairs the judiciary’s information technology committee, said at a Judiciary Committee hearing in June that after the judiciary’s prior breach, the court system’s then-director established an IT security task force which made recommendations to Scudder’s committee. That committee has since been “hard at work” implementing them and developing an IT modernization and cybersecurity strategy, he said

“We’re three years into implementing that strategy and are making sound progress,” Scudder said.

The judiciary’s IT committee said at a March meeting of the Judicial Conference—the judiciary’s policymaking body—that it “urged expediting” the modernization of the court’s CM/ECF system, according to a report of the meeting’s proceedings.

The committee said it had also gotten an update on plans to set up a Judiciary Cybersecurity Protection Profile (JCPP) project, “which aims to further the judiciary’s ability to effectively measure the cybersecurity posture of individual courts and business units in an automated manner,” the report said.

Judiciary officials have also asked Congress for more funding to shore up its technology infrastructure. Judge Robert Conrad, director of the court system’s administrative office, described a “sharp increase in the number and sophistication of cyberattacks on the judiciary IT systems” at a May hearing before a House spending panel.

House Republicans have proposed allocating $74 million next fiscal year for the court system’s multiyear cybersecurity modernization plan.

“Judiciary is a high value target for cyber criminals,” Conrad told lawmakers. “We do require ongoing resources to secure and modernize our systems.”

Scudder also said at the June congressional hearing that cyber risk “is very real for the federal judiciary.”

“We expect the threats will only increase in their persistence and their sophistication in the coming years,” he said.

He also said the judiciary has offered regular classified briefings with various congressional panels, including one in May.