Confidentiality, Integrity, or Availability: The Cyber Threats to Our Judicial System

In 2017, a University of Kansas student attending a freshman math class plugged a keystroke logger into the back of a lecture hall computer and was eventually able to log into the grading system using the information the device recorded changing his F grades to A grades.[1] The student was ultimately expelled from the school for changing his grades.[2] This was not an isolated incident. In an article published on December 1, 2017, it was reported that a New Jersey student had been accused of hacking into his elite high school’s computer system to change his grades in hopes of getting into an Ivy League college.[3] “The student even went as far as sending out college applications with the altered transcripts.”[4] Now think of the use of this technique which results in wholesale deletions of motions, appellate arguments, or even evidence. These are the types of incidents which could prove catastrophic. The judicial system is a sector which relies on the veracity of the information it holds in order to make just and equitable decisions.

When discussing a cybersecurity incident, we are referring to an attack on any of three cyber based pillars: confidentiality, integrity, or availability. This is commonly known as the C-I-A triad. The CIA triad is a well-respected model which informs security policy development within an organization because these three pillars are considered the most critical elements of information security. Confidentiality is roughly equivalent to privacy and ultimately focuses on the protection of information from unauthorized access, including unauthorized access from within the organization. Some prominent examples include the attacks on Equifax, the OPM breach, and the Sony hacks, which impacted the confidentiality of each organization’s respective data.

Integrity involves maintaining the accuracy and trustworthiness of the data and requires protecting it from improper and unauthorized modification or destruction. We have also observed, though to a lesser degree, attacks against the integrity of information.[5] On December 1, 2017, Konrads Voits, an Ann Arbor, Michigan man plead guilty to damaging a protected computer.[6] In this case, “Voits executed a classic ’phishing‘ scheme – where Voits used both email and phone calls to Washtenaw County employees – to ultimately gain access to and control of the computer network. Upon gaining access, Voits entered the jail [court] records, altering the electronic files of at least one inmate in an effort to get that inmate released early.”[7] The good news is that Washtenaw County personnel noticed something was wrong and worked with the Federal Bureau of Investigation’s Detroit Office to ensure that no inmates were released early. The bad news is that this incident cost the county in excess of $235,000 dollars in responding to and investigating the breach.[8]

The final pillar, availability, ensures appropriate and consistent access to, and use of, the information. The attacks on Dyn DNS, al Jazeera, Le Monde, and Le Figaro targeted the availability of information using a Distributed Denial of Service (DDoS) attack. Saudi Aramco was attacked by a virus which partially wiped out or totally destroyed both the data and equipment of approximately 35,000 computers on their networks, hence compromising the availability of its data.

The judicial branch is as vulnerable, as all other sectors, to be the subject of targeted attacks focused on the confidentiality, integrity, and availability of its information and networks. There are numerous examples of DDoS and ransomware attacks against the courts targeting the availability. In 2014, a group calling itself the European Cyber Army claimed responsibility for “nuking” the federal court system and bringing several government websites to a halt.[9] PACER – the site for accessing the electronic court filing database – as well as uscourts.gov and various other web sites belonging to federal courts around the country, were affected by the outage and aggrieved lawyers and other observers complained about the outage, which kept many from meeting filing deadlines and retrieving records.[10] Such events have a range of negative impacts on the overall judicial system. These attacks can cause filing delays as a result of the inability to access PACER and can alter the courts’ calendars, forcing the rescheduling of cases, which in turn causes further disruption and delay to the system. Furthermore, the inability to access a court’s website prevents counsel from being able to accomplish many tasks; such as paying fines on behalf of clients, accessing case records, or simply downloading legal forms.

These concerns are significant and require the court’s focused thoughtfulness in developing a security framework designed to prevent, and in cases of a breach, respond to cyber security incidents. To do so, courts should undertake an information-centric analysis to identify essential data sets within their control and those under the control of third party vendors who are acting on behalf of the court. Moreover, this analysis should extend beyond the typical Personally Identifiable Information (PII) like dates of birth and social security numbers because the courts hold sensitive and valuable data outside of PII, including grand jury testimony, judge’s orders, motions, testimony of witnesses, the identity of jurors, and many other facts and particulars that are digitally stored. Consider, for example, the potential repercussions if grand jury testimony was leaked to a drug cartel or sealed records in an organized crime investigation were compromised. A cyber-attack on the court system could quite literally result in the loss of human life.

During its information-centric analysis, one goal is for the courts to identify their critical information sets. Once the value of the information has been determined, the competent group charged with addressing these security issues can prioritize objectives and effectively direct available resources to attend to the more significant data sets first. If deleted data were not able to be recovered, irrespective of when the breach is detected, civil litigants face the potential of crippling financial loss. Even more disturbing is a scenario in which data involving criminal prosecutions is lost. At best, the data may be recovered but subject to scrutiny following a breach. At worst, criminal defendants’ lives or prosecutors’ cases may hang in the balance.

Unlike hacks that result in the theft of information or information being held hostage, hacks in which data is manipulated below the level of scrutiny are harder to detect. The real danger would come from a malicious actor infiltrating a system and manipulating information without anyone taking notice. The key for this actor is to operate undetected for as long as possible and silently attack the integrity of the data. Take for example, if Konrads Voits had been successful. If a defendant has his sentence altered from 5 years to 2 years or time served, no one would really know except the defendant who has been freed from the physical confines of the prison. Theoretically, no one in law enforcement would know until the individual committed another crime and was caught. This thought process extends beyond the criminal realm. Take for example an anti-trust litigation matter or corporate merger where a data compromise could allow access to trade secrets or financial documents, known only to the company or the Department of Justice. If these records were altered, it might result in an erroneous ruling or market impact allowing for illegal gains. Once again, any change of critical information that does not garner attention could have huge (and hidden) impacts on the respective matter.

Generally, information technology security has focused on preventing unauthorized access and theft of information from computer networks. Security has also focused on being prepared to address threats; such as DDoS attacks or computer viruses which destroy information and equipment and which target the availability of the networks and the information which resides on them. As bad as these kinds of cyber incidents are, we have so far avoided, for the most part, the cybersecurity threat of data manipulation, which potentially presents a far greater and frightening problem. Unfortunately, as noted above, we are starting to see increased activity in this area. This change, along with our new normal in the cyber security space, demands careful thought in prevention and preparation for all categories of cyber security incidents. Engaging in risk based analysis, one which contemplates the value of information and its relative location, will naturally guide the courts to address all three pillars of the C-I-A triad of confidentiality, integrity, and availability. As it relates to protecting the integrity of information, a more intense and concentrated security approach is warranted by all sectors, including the judicial branch of government.

If a court’s system is compromised and data is manipulated, there are many potential victims, such as, court personnel, other agencies, parties to a litigation, and even the public at large. In fact, if the validity of the information in the court’s holdings is called into question, then the authority of the judicial branch can ultimately be challenged. Thus, protecting the integrity of judicial data quite literally protects the integrity of the American Judicial System.

[1] Ibid.

[2] Tom Dempsey, Professor: KU student expelled for hacking, changing grades online, Scripps Media (https://www.kshb.com/news/state/kansas/ku-student-expelled-for-hacking-changing-grades-online)

[3] Brian Thompson, MJ Student Hacked High School Computers, Upped Grades to Get Into Ivy League School (https://www.nbcnewyork.com/news/local/New-Jersey-Tenafly-Student-Hack-School-Ivy-League-461385433.html)

[4] Ibid.

[5] Though it appears cyber-attacks involving the integrity of data have been somewhat less frequent, they remain a major vulnerability for us all, and recent events indicate such attacks may be on the rise. It certainly is an area which deserves greater focus.

[6] Press Release, Department of Justice, U.S. Attorney’s Office, Eastern District of Michigan: Ann Arbor Man Pleads Guilty to Computer Intrusion Case (https://www.justice.gov/usao-edmi/pr/ann-arbor-man-pleads-guilty-computer-intrusion-case)

[7] Ibid.

[8] Ibid.

[9] Brian Fung, Online outage cripples U.S. court system, The Washington Post: (https://www.washingtonpost.com/news/the-switch/wp/2014/01/24/online-attack-cripples-u-s-court-system/?utm_term=.2ae6503ca3cb)

[10] Ibid.

Aristedes Mahairas was appointed Special Agent in Charge, of the FBI’s New York Special Operations/Cyber Division, in 2015 by FBI Director James B. Comey.