Federal courts are upgrading their cybersecurity on a number of fronts, but multifactor authentication for the system that gives the public access to court data poses “unique challenges,” the Administrative Office of the United States Courts told Sen. Ron Wyden in a letter this week.

Wyden, D-Ore., wrote a scathing August letter to the Supreme Court in response to the latest major breach of the federal judiciary’s electronic case filing system. The director of the Administrative Office of the United States Courts responded on behalf of the Supreme Court.

It is “simply not the case” that the courts have, in the words of Wyden, “ignored” advice from experts on securing the Case Management/Electronic Case Files (CM/ECF) system, wrote Robert Conrad Jr., director of the office.

“Substantial planning for the modernization effort began in 2022, and we are now approaching the development and implementation phase of the project,” he wrote in the Sept. 30 letter. “We expect implementation will begin in the next two years in a modular and iterative manner.”

In recent years, the office has been testing technical components on its modernization effort, and is centralizing the operation of data standards to enable security, Conrad said.

Wyden took the office to task for not enabling phishing-resistant multifactor authentication (MFA). Conrad wrote that the office was in the process of rolling out MFA to the 5 million users of PACER, the public case data system.

“The Judiciary has unique challenges in implementing MFA due to the significant diversity of users,” he responded. “PACER users range from sophisticated, high-volume data aggregators and well-resourced law firms to journalists and ordinary citizens, to indigent litigants. All PACER users need access to court records, but some do not have traditional forms of MFA they can use. The design and implementation of our MFA implementation requires consideration of these unique needs.”

Wyden also took issue with the lack of public explanations about the series of court breaches. Conrad wrote that the breaches are “sensitive from both a law enforcement and national security perspective,” and need to be kept confidential, but noted that the courts have briefed congressional Judiciary, Appropriations and Intelligence committees on a classified basis.

“Even after back-to-back catastrophic hacks of the federal court system, Chief Justice [John Roberts] continues to stonewall Congress and cover up the judiciary’s gross negligence that has enabled these hacks,” Wyden said in response to the Conrad letter. “It is long past time for the courts to follow the same minimum cybersecurity standards as the executive branch, but since Chief Justice Roberts and the Judicial Conference refuse to set such requirements, Congress must step in and legislate.”

Court Watch was the first to report on the contents of the letter.

The post Federal judiciary touts cybersecurity work in wake of latest major breach appeared first on CyberScoop.

Sen. Ron Wyden on Monday urged Supreme Court Chief Justice John Roberts to seek an independent review of federal court cybersecurity following the latest major hack,  accusing the judiciary of “incompetence” and “covering up” its “negligence” over digital defenses.

Wyden, D-Ore., wrote his letter in response to news this month that hackers had reportedly breached and stolen sealed case data from federal district courts dating back to at least July, exploiting vulnerabilities left unfixed for five years. Alleged Russian hackers were behind both the attack and another past major intrusion, and may have lurked in the systems for years.

“The federal judiciary’s current approach to information technology is a severe threat to our national security,” Wyden said. “The courts have been entrusted with some of our nation’s most confidential and sensitive information, including national security documents that could reveal sources and methods to our adversaries, and sealed criminal charging and investigative documents that could enable suspects to flee from justice or target witnesses. Yet, you continue to refuse to require the federal courts to meet mandatory cybersecurity requirements and allow them to routinely ignore basic cybersecurity best practices.”

That, Wyden said, means someone from the outside must conduct a review, naming the National Academy of Sciences as the organization Roberts should choose.

The Administrative Office of the U.S. Courts said on Aug. 7 that it was taking steps to improve cybersecurity “in response to recent escalated cyberattacks of a sophisticated and persistent nature on its case management system,” but was vague about specific changes. In that statement the office touted its collaboration with Congress and federal agencies about cyber defenses.

But Wyden said in his letter the judiciary “stonewalls” congressional oversight. He cited another intrusion in 2020, revealed by then-House Judiciary Chair Jerrold Nadler, D-N.Y., by “three hostile foreign actors,” where Wyden said the judiciary still hasn’t said what happened.

“There is no legitimate need to keep Congress or the public in the dark about that incident so many years later,” Wyden wrote. “I strongly suspect that the judiciary is covering up its own negligence and incompetence which resulted in the security vulnerabilities that the hackers exploited.”

Wyden especially faulted the courts for its slow, under-reliance on strong multifactor authentication, saying the variety the judiciary adopted was not phishing-resistant.

“The glacial speed with which the federal judiciary adopted this inferior cyberdefense, years after government agencies and businesses have migrated to superior solutions, highlights the fact that the judiciary’s cybersecurity problems are not technical, but rather, are the result of incompetence and the total absence of accountability,” he said.

The press office for the Supreme Court did not immediately respond to a request for comment on Wyden’s letter.

The post Blistering Wyden letter seeks review of federal court cybersecurity, citing ‘incompetence,’ ‘negligence’ appeared first on CyberScoop.