Euro Security Watch with Mathew J. Schwartz

After SolarWinds Attack, Courts Revert to Paper for Secrets

Big Step Back: Move Carries Steep Bureaucratic and Usability Costs

What if there was something more insidious than hackers stealing data and crashing computers? For example, what if the hacking forced victims to lose faith in the reliability and security of digital tools, thus driving them to use analog alternatives that result in a massive slowdown of essential social processes - such as the nation's court system?

Enter the SolarWinds supply chain attack, in which suspected Russian spies successfully planted a backdoor in widely used Orion network monitoring software. Hundreds of organizations appear to have been hit with follow-on attacks that involved data exfiltration during the nine-month espionage campaign last year.

Numerous U.S. government agencies, including the State Department, the National Institutes of Health and the Department of Homeland Security, have confirmed they were breached. So too have technology firms, including Cisco and Microsoft.

On Jan. 6, the Administrative Office of the U.S. Courts said that it too had fallen victim.

That same day, James C. Duff, the AO's director, issued an "urgent action" memo saying that courts, if they had not already done so, should issue an order "requiring that highly sensitive documents will be accepted for filing only in paper form or via a secure electronic device" and that such documents "should be stored in a secure paper filing system or a secure standalone computer system that is not connected to any network, particularly the internet."

Hence, one consequence of the SolarWinds attack is that at least some sensitive information can no longer be electronically submitted to district courts. Instead, lawyers are now required to submit only hard copies of such information, unless they use some type of approved "secure electronic device." The particulars of which devices are allowed vary by court. All U.S. district courts, courts of appeals and bankruptcy courts have now complied, and a list of each court's order is available online.

Multiple courts do not allow sensitive information to be submitted except on paper. The order issued by the U.S. District Court for the Western District of New York, for example, states: "The required documents shall be submitted to the clerk's office unfolded and in a sealed envelope marked 'HIGHLY SENSITIVE DOCUMENT.' The outside of the envelope shall include the case number, if applicable, and the presiding judge or, if one is not assigned, the duty judge."

"The executive committee fully appreciates the practical implications of taking these steps and the administrative burden this will place on courts," Duff said. "Yet, it has determined that any such burdens are outweighed by the need to preserve the confidentiality of sealed filings that are at risk of compromise. The federal judiciary’s foremost concern must be the integrity of and public trust in the operation and the administration of its courts."

The court made that move because Russian intelligence agency hackers "probably gained access to the vast trove of confidential information hidden in sealed documents, including trade secrets, espionage targets, whistleblower reports and arrest warrants," The Associated Press news service reports.

But one piece of good news is that while "criminal, civil and bankruptcy filings" may have been exposed, the Foreign Intelligence Surveillance Court, which handles national security warrants, doesn't appear to have been affected.

Encrypting sensitive documents would seem to be an obvious defense against hack attacks, and indeed, insiders told AP that some of the country's 13 circuit courts require that sensitive documents be encrypted. But they note that sophisticated hackers could have also stolen users' credentials - including those of court employees or external law firms' staffs - thus allowing them to decrypt such files.

Back to the Future

This isn't the first time a hack attack allegedly drove victims back to using paper to store and disseminate sensitive information.

In 2013, Russian intelligence agencies were reportedly livid after Edward Snowden's leaks revealed that the U.S. had intercepted top-secret communications sent to Dmitry Medvedev, then president of Russia, when he attended the G-20 summit in London. At the time, news media outlets reported that as a result, some Russian government agencies were reverting to using paper and typewriters - for example, at Russia's Federal Protective Service, known as FSO, which includes the president's security detail and also protects other high-ranking officials.

"From the point of view of ensuring security, any form of electronic communication is vulnerable," Nikolai Kovalev, a Russian legislator and former head of the FSB, told Izvestiya newspaper at the time.

"Any information can be taken from computers," Kovalev said. "Of course there exist means of protection, but there is no 100% guarantee that they will work. So from the point of view of keeping secrets, the most primitive method is preferred: a human hand with a pen or a typewriter."

The Register, however, obtained a copy of the Russian government purchase order on which news reports were based (here's an English translation). While the purchase order was seeking 20 Triumph-Adler typewriters, it was also looking for new ribbons for a completely different model of Olympia typewriter.

So, the Register concluded that rather than "reverting to type," when it came to using typewriters to record sensitive information on paper, the Russian government had apparently never stopped.

Cue Paper-Based Holdups

Committing a country's most sensitive national security and intelligence records only to paper is perhaps understandable. But forcing the U.S. District Court system to revert to hard copies - in the midst of the COVID-19 pandemic - might create an even bigger fallout.

"We’re all so dependent on IT-based systems now that to try to move back to a paper-based system as anything other than a backup would lead to all sorts of holdups," says Alan Woodward, a professor of computer science at England's University of Surrey. "Unless you’re planning to reinstate the typing pools and bring back Dictaphones, not to mention the messengers to carry hard copies to court, we have to find a way to secure these systems."

Beyond whatever Russian spies might have stolen from the court system, Woodward says the secondary effect of the hack could be the most damaging.

"There was surprise expressed about why they had targeted the court system," he says. "Simple: It’s a way of disrupting the daily lives of those interacting with the establishment. Why bomb a country into submission when you can cause it to grind to a halt under the weight of paperwork needed to keep our social processes working?"



About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



