We all know that courts have become very reliant on technology, especially so as they have quickly expanded the use of video, e-filing, and other IT systems during the COVID-19 pandemic. Cybersecurity is not a new problem,[i] but cyber-threats have greatly increased, at times even putting a court’s viability at risk. Over and over again we hear about another cybersecurity breach (and those are only the ones that get publicized!). This blog post highlights some things that are (or will be soon) available to effectively deal with the situation.
First, the National Center for State Courts has again published an excellent Trends in State Courts [Trends-2021_final.pdf (ncsc.org)]. There are articles across a wide variety of topics, but this one particularly caught my eye: How to Mitigate Cybersecurity Risks When You Don’t Fully Control Your IT Environment, by Paul Embley (pp. 65-68).
The inclusion of this article in the NCSC’s Trends-2021 publication is very timely. I encourage everyone to read the entire publication, or at least the articles that catch your eye as this one caught mine. Meanwhile, what follows are the key points of Embley’s article.
- Catalog-Classify-Prioritize your IT environment. You need to know and document what your technology assets (software, applications, data, and servers) are, and prioritize them. For example, doing so allows you to define what data are public, sensitive, or secure, which in turn drives internal controls (see “Establish controls and maintenance systems” below).
- Ensure good communication and relations between the court and its IT provider. This is essential to effective governance of the IT program, which should include an IT council or similar group. You will need this if a cybersecurity incident ever occurs.
- Ensure that adequate IT expertise and skills are included in court-based staff. Such expertise is important for the court to effectively collaborate with the IT provider.
- Establish controls and maintenance systems. Controls include things like encryption, firewalls, multifactor authentication, network segmentation (e.g., having the court’s systems separated from other governmental entities), and physical security. Systems must be maintained with the latest updates and patches, along with tested backups and restoration processes.
- Conduct periodic IT system audits. Like financial systems, a court’s IT systems will benefit from audits by outsiders. A fresh look at what exists and what is needed will be very beneficial.
- Provide cybersecurity training to all judges and staff. It is often noted that the weakest part of any cybersecurity program is the system users. Everyone needs to be aware of the threats and the role they play in ensuring a secure environment.
Here are some other upcoming resources to help us understand and respond to cybersecurity threats:
- The Joint Technology Committee of NACM & COSCA (Joint Technology Committee | NCSC) is in the process of redrafting its resource bulletin, “Cybersecurity Basics for Courts,” which should be published in about a month. Don’t forget that the JTC has already published two other cybersecurity bulletins:
- The September Court Leaders Advantage Podcast (Court Leader’s Advantage – Court Leader) will have a great discussion by several court administrators of the topic, focusing on cyberattacks. I encourage everyone to listen or view this podcast next month (subscribe to Court Leader to be notified when it is published, along with all other content). Here is a preview of what the discussion will cover:
  - What was the attack like? What happened and what did you do?
  - What type of attack was it? (e.g., ransomware, a virus, a worm, phishing, malware, etc.)
  - What kind of questions should court administrators be asking their IT division to be assured that the court is properly protected?
  - Is protection against cyberattack part of your court’s continuity of operations plan?
  - What can a small court do to protect itself on a shoestring budget?
  - Does employee teleworking make courts more vulnerable to cyberattack?
- Also in September, the NCSC’s next Court Technology Conference (CTC, Sept. 28-29, Columbus, OH) has this session: “State of Cybersecurity: Important Points for Recovery & Improving” https://courttechnologyconference.org/attend/schedule/#track2-session2. If you can make it to CTC, this looks to be a valuable session (among many!).
That’s the latest on cybersecurity – comment below if you have any other suggested resources. It is important that we all do our best to be as informed as possible about cybersecurity, applying that knowledge to minimize the inherent risks of court automated systems.
As always, comments and suggestions for future blog post topics are welcome.
[i] See previous CourtLeader posts related to cybersecurity: