Several years ago, then-Attorney General Merrick B. Garland invited a group of federal judges to the Justice Department’s headquarters. Once inside a secure room used for handling classified information, the judges were given a grave warning: The nationwide computer system that held court documents, including sealed records about wiretaps, cooperating witnesses and investigative targets, was vulnerable to hackers.
The judiciary should take steps to improve its cybersecurity, and it should do so immediately, the judges were told.
Mr. Garland’s warning turned out to be prescient. This summer, hackers once again penetrated the courts’ system, potentially exposing sealed filings to foreign adversaries. As with an earlier breach in 2020, former officials have told The Times, evidence points to Russia as one of the perpetrators.
The classified briefing has not been previously reported. It took place in late 2020 or early 2021, according to people with direct knowledge of the gathering. It was one of a number of attempts by Mr. Garland and others to sound an alarm after the 2020 breach. A former senior official familiar with the outreach said that Mr. Garland, who served as an appellate judge, was seeking to warn his former colleagues on the bench about the risks.
Lawmakers had made their own attempts to raise concerns about the security of the courts’ Case Management/Electronic Case Files system, known as CM/ECF. In 2020 and again in 2021, they introduced legislation that would have mandated an overhaul.
But the administrative office of the federal judiciary told Congress in a letter that it had “serious concerns” with the proposal, and urged against “further action on the bill until we can work together on an equitable and viable alternative.” Neither bill passed.
Despite the repeated warnings, the courts have been slow to build a secure system that can protect sealed court filings from cyberattacks. Experts, lawmakers and users of the system said that as a result, sensitive documents have continued to be stored on the decades-old case-management system that the judiciary’s own consultants flagged in 2021 as “outdated” and “not sustainable.”
Building a new system would be expensive — $260 million over 10 years, according to a 2022 Congressional Budget Office estimate.
Beyond the cost, lawmakers and technologists who have worked with the courts say that changes have been impeded by a combination of technical and cultural factors.
Each of the 94 federal district courts and 13 appellate courts has its own customized version of the case-management software. That means important updates and security patches can take weeks or months to put into effect systemwide. The unique culture of the judiciary, which can tilt toward tradition over innovation, has also led it to move more slowly than a private company or other branches of government might in fixing the system.
The Administrative Office of the U.S. Courts, the node that handles the judiciary’s day-to-day management, lacks the broad authority to impose binding policies. That power lies mainly with the Judicial Conference of the United States, a group of judges that meets twice a year.
“The decentralization has really been a headache with respect to security,” said Jeremy Fogel, a retired federal judge. “You have 94 district courts with 94 clerks’ offices, each acting with their own policies. And the judiciary’s decision-making process tends to be slow, inclusive and deliberate. People want to get it right. But sometimes, you have to move quickly.”
A spokesman for the administrative office said in a statement that the judiciary “has been working steadily to modernize this large and complex case management system.” That task, he wrote, “requires reimagining the system from the ground up.”
In the meantime, the statement said, the courts have added “significant cybersecurity protections and safeguards” to protect against “evolving cybersecurity threats.”
Through a spokeswoman for the law firm where he now works, Mr. Garland declined to comment about his warnings, which were described by former officials speaking on condition of anonymity to describe the confidential deliberations.
Some of the most sensitive court records dealing with national security matters have long been stored outside of the regular case-management system on a separate, classified system. But the potential risks of breaches to the unclassified system are serious.
The system’s sealed court filings contain search warrant applications that specify phone numbers, email accounts and internet domains, all of which are relevant to ongoing investigations. They can point to the identities of cooperating witnesses, whose lives can be at risk from drug cartels and other criminal organizations. Indictments filed under seal can contain the names of foreign suspects who can learn that they face U.S. charges and avoid traveling to places where they could face arrest and extradition.
The judiciary’s approach to information technology “is a severe threat to our national security,” Senator Ron Wyden, Democrat of Oregon, wrote late last month in a letter to Chief Justice John G. Roberts Jr. “This status quo cannot continue.”
Waiting on a New System
When the system was rolled out across the country in the mid-1990s and early 2000s, it was considered a marvel. No longer would attorneys have to dash to the courthouse to get their paper filings on the docket before a judge’s deadline. Now, lawyers could log in from anywhere, upload a brief and know that a judge would receive a notification the moment it was filed.
Journalists and scholars could instantly track developments in important cases using PACER, the system’s public-facing portal. The system also quickly became an important source of revenue — PACER charges users 10 cents per page to access documents, and generates roughly $140 million for the judiciary each year.
The system’s convenience and 24-hour availability were immediately popular. Today, according to the administrative office, the system holds 1.7 billion docket entries spanning 65 million cases. Prosecutors in some districts began to use it to transmit sealed filings, which were once hand-delivered and secreted away in clerks’ offices.
Some prosecutors, including those in the U.S. attorney’s office in Manhattan, have stuck to an all-paper system for some especially sensitive documents, like applications for search warrants.
The potential for security breaches has been a longstanding concern. In 2017, Michael Lissner, the head of the nonprofit Free Law Project, which seeks to make court data more accessible to the public, discovered what he called a flaw in the system. Cookies, used to track users between browsing sessions, could potentially be used surreptitiously by administrators of other websites to access accounts or even to file documents, according to Mr. Lissner.
“It was a minor bug and a severe vulnerability,” he said, adding that it took the judiciary almost six months to fix the flaw.
The 2020 hacking prompted some change. On the day it was made public, the Judicial Conference said that each court would issue a new policy around “highly sensitive documents,” which would be stored on paper or in a separate system. But exactly what fell under the policy was left up to individual districts and judges.
There was also a growing consensus that an overhaul was needed.
In 2021, while Congress was still debating legislation, the judiciary’s administrative office began working with 18F, a consultancy within the General Services Administration that helped government agencies improve their technology. (It has since been eliminated by the Trump administration.)
According to 18F’s reports, its team interviewed more than 100 judiciary staff members, including judges. In three reports released between 2021 and 2022, the consultants recommended that the courts immediately build a new case-management system, one that would address not only security, but broader issues like user experience and the complexity of software changes made by individual courts. The last report urged the courts to “start small.”
“The most important step to take is the first one, and the A.O. should take it immediately,” 18F’s final report, from March 2022, concluded.
18F employees believed that the judiciary was resistant to adopting their approach, and eventually decided to stop working with the administrative office, according to three people involved in the work. The administrative office did not respond to a question about how the work with 18F ended.
For the next three years, the courts continued to approach modernization and cybersecurity on their own terms, and on their own timeline.
In mid-2022, the administrative office awarded a five-year, $298 million contract to General Dynamics Information Technology. A spokesman for the company said that the contract was for performing “sustainment work to the legacy system,” but that the company was not providing cybersecurity services.
The courts in 2022 also began using two-factor authentication for judges and their staff, meaning they had to access an app to verify their identities before logging in. And as of last year, judges could no longer directly access internal court systems while traveling overseas.
The courts have not yet said how this summer’s breach occurred, nor whether more precautions might have prevented it. In August, after the hacking, Judge Robert J. Conrad, the head of the administrative office, sent an urgent letter to chief judges of district courts. “I am requesting that you take immediate action to enhance safeguards and protections of certain sealed documents,” he wrote, asking that all sealed documents related to active criminal investigations be removed from the system.
Judge Conrad’s letter coincided with a wave of general orders from chief judges of district courts requiring that sealed filings be submitted on paper only.
Other efforts to make the system more secure are ongoing. In May, the administrative office announced that by the end of the year, attorneys with filing privileges would be required to use multi-factor authentication to log in. (The executive branch has been required by law to have multi-factor authentication for some users and systems since 2015, and the Biden administration broadened that requirement in 2021.)
Judge Fogel said that there was now “a real sense of urgency” inside the judiciary about cybersecurity.
But others point to the repeated hackings as a sign that Congress should take a more assertive stance. “Separation of powers is a valuable principle,” said Gabe Roth of Fix the Court, a nonprofit advocacy group. “But on some issues, like cybersecurity, that is not the way to go.”
In a congressional hearing this summer before reports surfaced about the latest hacking, Judge Michael Y. Scudder Jr., the chair of the Judicial Conference’s Committee on Information Technology, said that cyberattacks were “hard to stay ahead of.”
In his written testimony, he said that replacing the case-management system was the judiciary’s “top IT priority.” During the hearing, he asked that Congress help “hold us accountable to what we’re representing we’re going to get done, along what timelines.”
But the timeline for a new system remains vague. “At this point in our planning, we hope to incrementally deliver the modernized case management system to pilot courts in the coming fiscal years,” Judge Scudder wrote in the testimony.
The post Federal Courts Slow to Fix Vulnerable System After Repeated Hacking appeared first on New York Times.
