The Volokh Conspiracy
Mostly law professors | Sometimes contrarian | Often libertarian | Always independent
U.S. Courts: SolarWinds Hack May Have Affected CM/ECF Filing System
"An apparent compromise of the confidentiality of the CM/ECF system due to these discovered vulnerabilities currently is under investigation"
Yesterday, the Administrative Office (AO) of the U.S. Federal Courts issued a remarkable press release, titled Judiciary Addresses Cybersecurity Breach: Extra Safeguards to Protect Sensitive Court Records.
In mid-December, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency issued an emergency directive regarding "a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors." The Administrative Office of the U.S. Courts (AO) immediately notified courts of this development and in response, the Judiciary has suspended all national and local use of this IT network monitoring and management tool.
The AO is working with the Department of Homeland Security on a security audit relating to vulnerabilities in the Judiciary's Case Management/Electronic Case Files system (CM/ECF) that greatly risk compromising highly sensitive non-public documents stored on CM/ECF, particularly sealed filings. An apparent compromise of the confidentiality of the CM/ECF system due to these discovered vulnerabilities currently is under investigation. Due to the nature of the attacks, the review of this matter and its impact is ongoing.
Wow! Did hackers gain access to sealed files on CM/ECF? The U.S. Courts will have to make disclosures of all sensitive information that was at risk.
How are the courts addressing this system compromise? Highly sensitive court documents will now be filed by SneakerNet!
Under the new procedures announced today, highly sensitive court documents (HSDs) filed with federal courts will be accepted for filing in paper form or via a secure electronic device, such as a thumb drive, and stored in a secure stand-alone computer system. These sealed HSDs will not be uploaded to CM/ECF. This new practice will not change current policies regarding public access to court records, since sealed records are confidential and currently are not available to the public.
I recently criticized federal court web site for not even having SSL certificates. Now, the scope of their security failures becomes far more glaring.
