A system breach at the US Department of Justice (DoJ) has us asking: is paper safer if records management and security priorities aren’t in sync? Back in 2020, three hostile foreign actors did in fact breach the Department of Justice’s case management and document filing system, known as the Case Management/Electronic Case Files system (CM/ECF).
The system holds highly sensitive non-public documents, including sealed filings. These documents may describe restricted information about how investigators work cases, or details of people under surveillance, for example.
The Court noted that it was focused on modernising the system, and the related online portal known as PACER (Public Access to Court Electronic Records). The Court was also affected by the SolarWinds breach in 2020, and these significant incidents have had impacts not just on privacy and security, but also on the way the judiciary does its business.
Back to the future
In 2021, following the SolarWinds breach, the DoJ was concerned the CM/ECF was vulnerable, and so introduced new procedures for information handling.
“An apparent compromise of the confidentiality of the CM/ECF system due to these discovered vulnerabilities currently is under investigation.”
“Under the new procedures announced today, highly sensitive court documents (HSDs) filed with federal courts will be accepted for filing in paper form or via a secure electronic device, such as a thumb drive, and stored in a secure stand-alone computer system. These sealed HSDs will not be uploaded to CM/ECF.”
So, in response to a vulnerable electronic document and records management system, the DoJ reverted to paper and off-line processing. This was obviously the fastest and most reliable way to address the threat, which indicates that the electronic system just couldn’t be patched that easily. The software is also decentralised, with each court running their own copy, making uplift challenging across the more than 200 versions of the software. And in fact, the directive still stands, meaning that the CM/ECF still isn’t secure.
In this case, security has won out over records compliance and information accessibility, as it should. But this is a timely reminder that records management systems can’t get away with underperforming on the cyber security front – they can and will be abandoned if they don’t meet expectations.
The flow-on effects
The sensitive records are more secure now, theoretically (noting that it’s hard to manage an audit trail of people photocopying a sensitive record, for example, or smuggling it out of the building).
But one trade-off comes in the form of overhead:
“We fully appreciate the practical implications of taking these steps and the administrative burden they will place on courts, yet any such burdens are outweighed by the need to preserve the confidentiality of sealed filings that are at risk of compromise.”
It’s clearly much less efficient to manage paperwork offline – that’s why the CM/ECF was developed in the first place back in the 1990s. But the biggest burden here was working out what was in scope for the change.
There is no standard pattern for what constitutes a Highly Sensitive Document (HSD):
“If they have not done so already, courts will issue standing or general orders regarding these new procedures. While they are intended to apply to all HSDs filed with a court, not all currently sealed filings should be considered an HSD. It is anticipated that court orders will address the type of filings a court does and does not consider to be HSDs.”
This had to be determined on a court-by-court basis, more than 100 times.
Another key trade-off must be made to public accountability. Public records, which should be accessible by the public in the interests of transparency, are held in the same system infrastructure as highly protected records. Turning off the access to the sensitive records can affect the integrity of the court process, as it can hamper access and accountability to the public.
The impact of technical debt
Technical debt commonly afflicts record-keeping systems, for a few reasons.
One, these systems are old. We have needed them since records first went digital, and decisions made in the 90s and 2000s couldn’t have predicted the rate of change and technology evolution.
Two, they are mission critical. They don’t get taken off-line for a rebuild or migration, or totally re-platformed, because people are too dependent on them for business as usual. The DoJ has been trying to deploy its ‘NextGen’ CM/ECF for a decade, and more than 50 courts still haven’t transitioned.
Three – they aren’t prioritised. Records management and security teams still don’t work hand in glove, managing risk as well as value.
But the debts are being called in. We will see more records management practices come off-line unless we can ensure security – it’s better to be ineffective and inefficient than insecure in this threat climate.
This article by Rachael Greaves was originally published in IDM Magazine.