The COSCA/NACM Joint Technology Committee has issued a new report, Responding to a Cyber Attack. The report notes that “accepting that courts will face cybersecurity incidents is essential. Prevention efforts are still important. However, prevention efforts must now be coupled with preparations to respond when the inevitable occurs.”
The report begins:
“There are two kinds of organizations:
Those who have been hacked and those who will be.”
Taking steps to prevent a cyberattack is clearly worth focused attention. However, the reality is that regardless of preventive measures, most organizations will deal with some form of cybersecurity incident at some point. In fact, a cybersecurity incident may already be ongoing, undiscovered for months or years. Because courts will likely have cybersecurity incidents, they should have an established plan for responding.
A cybersecurity incident is a “past, ongoing, or threatened intrusion, disruption, or other event that impairs or is likely to impair the confidentiality, integrity, or availability of electronic information, information systems, services, or networks.” Cybersecurity incidents come in several forms. A cyberattack is an attempt by hackers to damage or destroy a computer network or system. A cyberbreach is an incident of unauthorized access, viewing, use, or retrieval of sensitive, protected, or confidential data. A cyberattack may be used to gain access on an ongoing basis to networks or databases, resulting in a data breach (or cyberbreach).
Cyberattacks include malware, viruses, denial of service (DOS) attacks, ransomware, zero-day exploits, and unauthorized access from within the organization (current and former employees) or by hostile individuals and organizations halfway around the world. Attacks may be targeted at the court specifically, or may simply be opportunistic.
Unlike the threats organizations and individuals faced fifty years ago, cybersecurity is an issue no matter the industry, geography, or jurisdiction. Courts may believe they are unlikely to be victims of a cybersecurity incident because they don’t manage large databases of credit card information. However, threats are real and increasing. James D. Comey, Director of the Federal Bureau of Investigation, compared the “vector change” of cybercrime to the changes that came in the 1920s and 1930s when “…the confluence of the automobile and asphalt… gave birth to an entirely new way of doing bad things.” The confluence of complex interrelated systems and the Internet has had a similar impact, giving criminals entirely new ways of doing bad things digitally. Comey went on to say that cybercriminals today are like outlaws Dillinger or Bonnie and Clyde doing “…a thousand robberies in all 50 states in the same day from their pajamas from Belarus.”
“The traditional notions of space and time and venue and border and my jurisdiction and your jurisdiction are blown away by a threat that moves not at 40 miles an hour or 50 downhill, but at 186,000 miles per second. The speed of light.”
Accepting that courts will face cybersecurity incidents is essential. Prevention efforts are still important. However, prevention efforts must now be coupled with preparations to respond when the inevitable occurs. The time to prepare to deal with an incident is before one occurs. Having a tested plan in place can help courts respond more effectively, mitigating some effects of an attack and/or breach. This paper identifies the tasks that must be addressed in the aftermath of an incident, and the steps courts must take before an incident occurs in order to prepare.
The full report can be viewed/downloaded here.