Information Systems and Cybersecurity – Annual Report 2021

The Judiciary is committed to maintaining secure, robust, and flexible technology systems that meet the changing needs of judges, court staff, and the public.

Probation and Pretrial Services Team Leader Marci D. Brown works from home with the aid of multiple electronic devices.

Improving Cybersecurity

In December 2020, government and private sector IT networks were breached during a major cyberattack on SolarWinds, a widely used tool for managing data networks. The Judiciary worked with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Office of the Director of National Intelligence to determine whether there was an impact on Judiciary networks. The Judiciary suspended all national and local use of the tool and immediately added new security measures to protect sensitive documents in the Case Management/Electronic Case Filing (CM/ECF) system.

In June 2021, the Administrative Office of the U.S. Courts (AO) formed the IT Security Task Force to examine the Branch’s security posture in light of internal assessments and those made by CISA, which recommended changes to improve the Judiciary’s technology environment. The group was charged with making recommendations to ensure the Judicial Branch’s alignment with industry and government IT security best practices. The Task Force includes members of Judicial Conference committees on the Budget, Court Administration and Case Management, Criminal Law, Defender Services, IT, Judicial Resources, and Judicial Security as well as other judges, court executives, and staff.

The AO also has created the Insight Program to help courts anticipate issues and better manage their IT infrastructure and assets. The program provides several cybersecurity tools to enable uniform, layered security protection of IT assets and data Judiciary-wide, including periodic vulnerability scanning and patch management for the timely identification and remediation of system weaknesses; web-based user threat protection from malicious websites; centralized log management of all security events; and consistent management of all mobile devices.

Protecting Highly Sensitive Documents

After the SolarWinds incident, the federal courts also added new security procedures to protect highly sensitive confidential documents filed with the courts.

Under the new procedures, highly sensitive documents (HSDs) filed with federal courts were accepted for filing in paper form or via a secure electronic device, such as a thumb drive, and stored in a secure stand-alone computer system. These HSDs were no longer uploaded to the CM/ECF system. The new practice did not affect current policies regarding public access to court records, since the HSDs are court-sealed records and already are treated as confidential and unavailable to the public.

The courts issued standing or general orders explaining the new procedures, including descriptions of the types of filings considered to be HSDs. For example, most documents similar to and including presentence reports, pretrial release reports, pleadings related to cooperation in most criminal cases, Social Security records, administrative immigration records, and sealed filings in many civil cases were not sufficiently sensitive to require HSD treatment and could continue to be sealed in CM/ECF as necessary.

The AO assisted courts with implementation of the new procedures by providing model HSD orders; issuing technical guidance for building and maintaining stand-alone systems not connected to any network; reviewing orders and notices that courts used to implement the new protective procedures; and responding to court inquiries.

Vulnerability Disclosure Policy

In early 2021, the Judiciary unveiled a new Vulnerability Disclosure Policy to ensure the security of data that can be accessed online. The policy gives security researchers clear guidelines on how they may conduct vulnerability discovery activities. It also instructs researchers on how to submit discovered vulnerabilities to the Judiciary.

Vulnerability disclosure policies are becoming an industry standard security practice, as federal agencies work to secure their networks from hackers and other malicious actors. Agencies with such policies include CISA, the Department of Justice, the Department of Energy, and the Federal Trade Commission.

Under the policy, researchers must stop testing as soon as they establish that a vulnerability exists or they encounter sensitive data. This can include personally identifiable information, financial information, or proprietary information or trade secrets. Researchers also must notify the Judiciary immediately and not disclose the accessed data to anyone else.

This policy applies to the following systems and services:

Any service not expressly listed is outside the disclosure policy and not authorized for testing. Similarly, an extensive list of specific activities, including denial-of-service attacks, is not authorized. The policy warned that anyone conducting unauthorized activities inconsistent with the policy or other applicable laws may be subject to criminal or civil liabilities.

Questions regarding this policy and suggestions for improving it may be sent to support@responsibledisclosure.com.

Strengthening Data Security

To help court units categorize data for a systemwide approach to data security, the AO developed data security workbooks for each court unit type and for national systems. With input from the courts, the AO identified mission-critical types of information common across the Branch, established a consensus on type descriptions, and identified security impact ratings associated with each data type. The workbooks help court units and the AO understand their systems’ data security risk levels so they can better safeguard their data and information systems.