by Tova Osofsky
Posted on January 25, 2023
The confidential deliberations of the US Supreme Court are extraordinarily sensitive. Supreme Court decisions affect millions of lives and have powerful political repercussions. And few are more sensitive – personally and politically – than decisions relating to abortion. The 2022 leak of the Court’s draft opinion in Dobbs v. Jackson Women’s Health Org was an extraordinary breach of Supreme Court traditions and decorum. It brought undesired publicity, scrutiny and a whiff of scandal to the court as it was dealing with one of the most highly charged political issues in America.
It also points to the importance of security controls that were, until now, insufficient but are now likely to be strengthened at the highest court in the United States.
Draft opinions are routinely circulated internally as part of the Supreme Court’s confidential deliberations – emphasis on “internally” and “confidential.” On May 2, 2022, Politico published a draft majority opinion on Dobbs v. Jackson Women’s Health Org that had been leaked to them by a source “familiar with the court’s deliberations.” The draft opinion, which had been circulated within the court in February, all but confirmed what abortion rights advocates had feared and “right-to-life” organizations had hoped – that the Supreme Court was going to overturn the landmark Roe v. Wade decision of 1973. It was a bombshell, in terms of content as well as the mere fact that it was released long before the court issued a ruling.
The day after the report was published, Chief Justice John Roberts ordered a thorough investigation to find the source of the leak, and to determine whether the court had been hacked or an insider had deliberately leaked the opinion. The investigation included IT forensics as well as interviews with almost 100 employees.
The Marshal of the Supreme Court, Gail Curley, recently completed her investigation and reported that no evidence was found to indicate that an outside hacker had broken into the court’s IT system. The investigation also failed to identify which of the 82 employees known to have had access to the decision might have leaked it.
Since the investigators found no indication that the court’s cyber defenses were breached, they concluded the leak was likely the work of a “trusted insider,” an employee of the court who had access to the report. The investigation also revealed a shocking lack of controls to limit potential leakage of confidential information.
The report exposed a number of security issues that created vulnerabilities and/or hindered the investigation:
The report’s bottom line conclusion was this:
…the pandemic and resulting expansion of the ability to work from home, as well as gaps in the Court’s security policies, created an environment where it was too easy to remove sensitive information from the building and the Court’s IT networks, increasing the risk of both deliberate and accidental disclosures of Court-sensitive information.
The Chief Justice had former head of Homeland Security, Michael Chertoff, review the investigation. Chertoff recommended these measures:
While the political ramifications of this leak are unusually broad in scope, what is equally alarming – at least for cybersecurity professionals – is the Supreme Court’s glaring lack of data security controls in particular and cybersecurity controls in general. Relying on organizational norms and assuming that all users are trustworthy is the antithesis of the Zero Trust approach that has been mandated for government agencies. It is not the way to keep any organization’s data secure, much less one that has broad influence on the lives of millions of citizens.
A number of important lessons can be gleaned from the Supreme Court leak – and especially from the security flaws that were revealed as a result:
If it can happen to the US Supreme Court, it can happen anywhere and to anyone. Exposure of confidential information can be devastating for any organization. Proper protection requires a combination of the right policies and the right technology. A comprehensive, Zero Trust-based cybersecurity platform, such as ZTEdge, provides the cybersecurity control tools needed to keep confidential data secure.