by Tova Osofsky
Posted on January 25, 2023
Want to interview Tova?Contact
The confidential deliberations of the US Supreme Court are extraordinarily sensitive. Supreme Court decisions affect millions of lives and have powerful political repercussions. And few are more sensitive – personally and politically – than decisions relating to abortion. The 2022 leak of the Court’s draft opinion in Dobbs v. Jackson Women’s Health Org was an extraordinary breach of Supreme Court traditions and decorum. It brought undesired publicity, scrutiny and a whiff of scandal to the court as it was dealing with one of the most highly charged political issues in America.
It also points to the importance of security controls that were, until now, insufficient but are now likely to be strengthened at the highest court in the United States.
Draft opinions are routinely circulated internally as part of the Supreme Court’s confidential deliberations – emphasis on “internally” and “confidential.” On May 2, 2022, Politico published a draft majority opinion on Dobbs v. Jackson Women’s Health Org that had been leaked to them by a source “familiar with the court’s deliberations.” The draft opinion, which had been circulated within the court in February, all but confirmed what abortion rights advocates had feared and “right-to-life” organizations had hoped – that the Supreme Court was going to overturn the landmark Roe v. Wade decision of 1973. It was a bombshell, in terms of content as well as the mere fact that it was released long before the court issued a ruling.
The day after the report was published, Chief Justice John Roberts ordered a thorough investigation to find the source of the leak, and to determine whether the court had been hacked or an insider had deliberately leaked the opinion. The investigation included IT forensics as well as interviews with almost 100 employees.
The Marshal of the Supreme Court, Gail Curley, recently completed her investigation and reported that no evidence was found to indicate that an outside hacker had broken into the court’s IT system. The investigation also failed to identify which of the 82 employees known to have had access to the decision might have leaked it.
Since the investigators found no indication that the court’s cyber defenses were breached, they concluded the leak was likely the work of a “trusted insider,” an employee of the court who had access to the report. It also revealed a shocking lack of controls to limit potential leakage of confidential information.
The report exposed a number of security issues that created vulnerabilities and/or hindered the investigation:
The report’s bottom line conclusion was this:
…the pandemic and resulting expansion of the ability to work from home, as well as gaps in the Court’s security policies, created an environment where it was too easy to remove sensitive information from the building and the Court’s IT networks, increasing the risk of both deliberate and accidental disclosures of Court-sensitive information.
The Chief Justice had former head of Homeland Security, Michael Chertoff, review the investigation. Chertoff recommended these measures:
While the political ramifications of this leak are unusually broad in scope, what is equally alarming – at least for cybersecurity professionals – is the Supreme Court’s glaring lack of data security controls in particular and cybersecurity controls in general. Relying on organizational norms and assuming that all users are trustworthy is the antithesis of the Zero Trust approach that has been mandated for government agencies. It is not the way to keep any organization’s data secure, much less one that has broad influence on the lives of millions of citizens.
A number of important lessons can be gleaned from the Supreme Court leak – and especially from the security flaws that were revealed as a result:
If it can happen to the US Supreme Court, it can happen anywhere and to anyone. Exposure of confidential information can be devastating for any organization. Proper protection requires a combination of the right policies and the right technology. A comprehensive, Zero Trust-based cybersecurity platform, such as ZTEdge, provides the cybersecurity control tools needed to keep confidential data secure.
QR codes on ads are a simple way to grab potential customers before they move on. No wonder cybercriminals are using QR codes, too.
Malicious cyber activity represents a growing threat to Australia's security and prosperity. Read on for important guidance on protecting your organization.
Risk assessment is a key factor in investment decisions. Now, with SEC disclosure rules in effect, investors can more easily take cyber risk into account.