Federal Courts Investigate 'Apparent Compromise' of SystemMeanwhile, Courts Suspend Use of SolarWinds, Adopt New Document Security Measures
The U.S. federal court system is investigating an "apparent compromise" of a confidential electronic filing system used for sensitive legal documents, according to the Administrative Office of the U.S. Courts. The courts also have suspended their use of the hacked SolarWinds Orion network monitoring platform.
In addition, the courts are immediately changing their security procedures, temporarily accepting sensitive legal documents only on paper or via secure devices, such as thumb drives, rather than through the network.
The administrative office says it’s working with the U.S. Department of Homeland Security to investigate whether the court system's case management and electronic case files system, or CM/ECF, was, indeed, compromised.
The CM/ECF issue came to light following the disclosure of the SolarWinds breach, which has affected several federal agencies, including the Justice, Treasury, Homeland Security, Commerce and Energy departments, as well as parts of the Pentagon (see: Severe SolarWinds Hacking: 250 Organizations Affected?).
"An apparent compromise of the confidentiality of the CM/ECF system due to these discovered vulnerabilities [in CM/ECF] currently is under investigation. Due to the nature of the attacks, the review of this matter and its impact is ongoing," James Duff, the secretary of the Judicial Conference of the United States, the judiciary’s national policy-making body, noted in the report sent to all federal courts.
Under new guidelines that are being immediately implemented, the federal court system will only accept highly sensitive court documents either in paper form or through a secure electronic device, such as a thumb drive, and then will store these documents in a secure, stand-alone computer system and not upload them to the CM/ECF system. That policy will be in place as an audit continues, according to the notice.
"This new practice will not change current policies regarding public access to court records, since sealed records are confidential and currently are not available to the public," Duff notes.
Also, the court's administrative office has suspended all use of SolarWinds' Orion network monitoring platform. Last year, hackers compromised the platform, installing a backdoor in a version obtained by about 18,000 of the company's customers during an automated software update (see: SolarWinds Orion: Fixes Aim to Block Sunburst and Supernova).
Wealth of Data
If the court's CM/ECF system was compromised, hackers potentially could access a wealth of data on possibly millions of people, according to some security experts. The highly sensitive documents could include wiretap applications, national security documents and trade secrets and other intellectual property.
"A breach of the courts system, depending on what was accessed, could have significant implications having to do with the integrity of the data," says Mike Hamilton, a former vice chair of the Department of Homeland Security's State, Local, Tribal, and Territorial Government Coordinating Council.
"If an actor can access data, that actor may be able to change it, which means a loss of integrity," says Hamilton, now the CISO with security firm CI Security. "That means that from this point forward, anyone who is the subject of a federal investigation that has been remanded to the courts can argue that the information - which likely includes descriptions of evidence - cannot be trusted."
Brandon Hoffman, CISO for security firm Netenrich, notes that while filing court documents either in physical form, such as paper, or through a secure electronic device might be inconvenient and time-consuming, it's also the only way to ensure the integrity of judiciary proceedings until the full security audit is complete.
"The potential impact of this decision beyond the here and now is the delay that will be introduced to the timing of trials ongoing and in the future," Hoffman says. "People in the queue to have cases tried or decisions made with highly sensitive data may find themselves in a delay that causes more issues related to their case. Additionally, reconciling these records once a consolidated system is again available may prove challenging, and gaps are almost sure to occur, impacting what would be considered historical records for future investigation."
U.S. government investigators as well as private companies are still scrambling to understand the full scope of the SolarWinds breach. In the past week, the agencies investigating the attack issued a statement saying it was likely a Russian group conducted the hack for espionage (see: SolarWinds Attack: Pointing a Finger at Russia ).
On Thursday, SolarWinds hired Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency, and former Facebook CSO Alex Stamos as consultants (see: SolarWinds Hires Chris Krebs to Reboot Its Cybersecurity).
Managing Editor Scott Ferguson contributed to this report.