U.S. Federal Court breach reveals IT and security maturation issues

In late July 2022, Politico ran a story detailing how the U.S. Department of Justice was investigating a recent data breach of the federal court system, which dated back to early 2020. The chair of the House Judiciary Committee, Jerrold Nadler (D-NY), described the breach as a “system security failure of the U.S. Courts’ document management system.”

On the same day, July 28, 2022, the U.S. Government Accountability Office (GAO) published the report GAO-22-105068 “U.S. Courts: Action Needed to Improve IT Management and Establish a Chief Information Officer.” The GAO report described systemic shortcomings in the administration of the U.S. court system, including the lack of a CIO, to oversee the substantive infrastructure.

The U.S. court system breach(es)

Nadler described the breach as “three hostile foreign actors” who had attacked the U.S. court system. At the briefing, DOJ’s Assistant Attorney General for National Security Matthew Olsen noted that his division was working closely with the courts and judges on the attacks. Olsen, quoted by Reuters, said “While I can’t speak directly to the nature of the ongoing investigation of the type of threats that you’ve mentioned regarding the effort to compromise public judicial dockets, this is of course a significant concern for us given the nature of the information that’s often held by the court.”

David Sellers a spokesperson for the Administrative Office of the U.S. Courts noted, “Cybersecurity is one of our highest priorities. We continue to work closely with our executive branch partners, take precautions to protect our systems, and engage in the modernization of the CM/ECF system (Judiciary’s Case Management/Electronic Case Files system).” He pointed to the January 2021 statement put out by his office concerning the Solar Winds compromise, which affected the court system. During the hearing, it was made clear that the Solar Winds compromise was not the breach to which Nadler was referring but a separate action involving the U.S court system.  

The GAO would like a word

The obfuscation of the Administrative Office of the U.S. Courts makes sense, with the broad and all-encompassing phrase, “and engaged in the modernization of the CM/ECF system” when taken in the context of the state of affairs within the office from the optic of the GAO. The GAO report highlights shortcomings in 11 of the 12 recommended leading workforce management practices

• Strategic planning
• Recruitment and hiring
• Training and development
• Performance management

The GAO made 18 recommendations in the July 2022 missive. To the trained CIO/CISO eye, the GAO’s recommendations are clearly designed to guide an office seemingly starting from ground zero to evolve an IT and cybersecurity workforce that currently lacks maturation.  

1. Conduct strategic analysis to determine IT staffing needs.
2. Identify and document skill sets, knowledge, and technical competencies, needed for the IT workforce.
3. Identify the staffing and competency needs of the overall IT workforce and any gaps the agency may have in those areas.
4. Develop strategies and plans to address gaps in IT competencies and staffing, after completing a strategic analysis of all IT competency and staffing needs.
5. Develop and track metrics to monitor the effectiveness of the agency’s recruitment and hiring efforts specifically for the IT workforce, including their effectiveness at addressing IT skill and staffing gaps.
6. Adjust recruitment and hiring activities after establishing and tracking metrics to monitor the effectiveness of these activities at addressing skill and staffing gaps in the IT workforce.
7. Establish a training program that identifies required and recommended training for all IT staff.
8. Ensure that IT employees complete appropriate training (after establishing a training program that identifies required training for IT staff).
9. Collect and assess performance data (including qualitative or quantitative measures) to determine how the training program for IT staff contributes to improved performance and results.
10. Update the Administrative Office performance management process to include appropriate technical competencies, once identified, against which IT staff performance should be assessed.
11. Align individual performance expectations for IT staff with organizational goals.
12. Ensure that the selected Departments of Administrative Services and Program Services IT projects comply with the agency’s guidance or a set of standard processes for IT project management.
13. Develop guidance for IT projects (including contractors) to follow related to the best practices that were not fully reflected in Administrative Office’s existing IT project management guidance. The guidance should address, among other things, cost and schedule estimating best practices.
14. Require, and take steps to ensure, that the Judiciary Electronic Filing System, JSPACE (an enterprise facilities management system), and Probation and Pretrial Services Automated Case Tracking System 360 projects document and track activities related to the best practices that they did not fully implement.
15. Establish a CIO with enterprise control and oversight of the agency’s IT workforce and project portfolio.
16. Direct the Court Services Office to perform and document a comprehensive assessment of risks to EPA program obligations, including identifying, analyzing and responding to risks associated with obligating EPA program funds.
17. Direct the Court Services Office to fully design and document the procedures for reviews of EPA program obligations and establish performance metrics for evaluating the effectiveness of the agency’s internal control system over EPA program obligations in supporting program objectives and minimizing risks.
18. Direct the Court Services Office to require the Administrative Office to conduct and document periodic reviews of control activities over EPA program obligations to ensure their continued effectiveness in achieving the EPA program’s objectives and document responsibilities for conducting reviews of control activities and addressing any deficiencies in the established internal controls over EPA program obligations.

While not directly associated with the breaches described by Representative Nadler, the lack of a CIO is indicative of a boat sailing without a guiding hand on the tiller to keep it moving in the right direction. The 18 recommendations indicate that the information technology/security team is at the docks and needs to chart its course toward a more robust and secure environment for the nation’s court system.