State and Local Courts Struggle to Fight Increasing Cyberattacks

Cyberattacks targeting state and local courts are growing in frequency and intensity, as hackers attempt to steal sensitive data, demand ransoms, and sow chaos.

Over the last 18 months, court systems and related agencies like public defenders, prosecutors, and county clerks have been forced offline in Pennsylvania, Florida, Georgia, Missouri, Mississippi, Colorado, and Ohio. The worst recent attack, on the Kansas court system last October, took four months and millions of dollars to overcome.

For the public, law enforcement, lawyers, and court officials, the impact of a prolonged cyberattack is more than just an inconvenience. Trials risk postponement when court records are unavailable. Police and prosecutors may be unable to access a suspect’s criminal history. Protection orders can be delayed. Background checks may slow to a crawl, pushing back start dates for new workers.

“It’s like a category five hurricane,” said John Miller, chief judge of Florida’s First Judicial Circuit, which was attacked last September. “The level of intensity from a cyberattack is ten times what we experienced during the pandemic.”

Many courts are unprepared for such an onslaught, lacking the funds, staffing, equipment, and preparatory plans needed to repel cyberattacks. A survey published in 2022 by the National Center for State Courts found that even as disruptive incidents had dramatically increased, the number of dedicated cybersecurity managers in state and local courts had fallen between 2017 and 2021, and just 60 percent of court officials said they were conducting annual vulnerability and threat assessments of their IT systems.

Meanwhile, attacks show no signs of abating. A review released in January by the nonprofit Center for Internet Security found that in the first eight months of 2023 malware attacks against state and local governments, including the courts, rose 148 percent. Ransomware incidents were up more than 50 percent over the same period the previous year.

“The attacks are becoming more sophisticated, and more personalized,” said Shay Cleary, who directs the National Center for State Courts consulting group focused on court technology and security. “Everyone should be diligent — and nervous.”

The Crash In Kansas

On the morning of October 12, 2023, Kyle Steadman, head of the litigation practice at Foulston Siefkin in Wichita, Kansas, was prepping for a three-week jury trial. The first inkling that something was wrong came from inside the firm. “We were having problems filing some pleadings,” Steadman said.

Across the state, in Kansas City, Casey Johnson, director of advocacy and litigation at Kansas Legal Services, was getting reports from the legal aid organization’s field offices that they were having problems accessing the court system. “We weren’t exactly sure what was going on,” Johnson said.

A few minutes later, the Kansas Supreme Court issued an alert: online access to the statewide court system was down. The court would later reveal that a gang of cybercriminals from Russia had hacked the Kansas judicial system’s computer network, infecting it with ransomware.

To isolate the damage, the information services team in the Kansas Office of Judicial Administration immediately shut down online access in all but one of the state’s 105 counties. Cybersecurity experts were called in, and court officials soon learned the recovery process would take months. This meant the courts and public could no longer access critical software for managing cases or the electronic system for filing documents.

With the judiciary’s permission, lawyers and their clients reverted to paper and fax filings. “The good thing is, [the court system] worked diligently to be in communication and to provide avenues by which we were still able to continue to file cases,” said Mark Dupree, district attorney of Wyandotte County and president-elect of the Kansas Bar Association. “So we slowed down, but the office never stopped.”

While the case management system and electronic filing were operational by the end of December, the process of bringing individual courts back into the system “extended into the first part of 2024,” said Lisa Taylor, public information director for the Kansas Judicial Branch. “Once the case management system was brought back online, it had to be updated with new cases and filings that occurred while it was offline. That work is nearly complete.”

‘A Terrifying Situation’

At Kansas Legal Services, Becky Hesse, a lawyer who works with domestic violence and stalking victims, was advising a woman sheltering in a safehouse to escape a stalker. The woman had sought a temporary restraining order. She would not be able to seek a final order giving her long-term protection until the man had been served paperwork by the court.

The process ordinarily takes a few weeks, but after the cyberattack, the woman’s case slowed to a crawl. “We didn’t know whether or not [the defendant] had been served, because we couldn’t see return of service on our computer systems,” Hesse said.

To seek updates, the woman ventured out to the local courthouse. “If you’re being stalked by someone, that’s a problem,” Hesse said. The situation went on for months, and ultimately, the woman had to dismiss her case and start again once the system was up and running. “This was a terrifying situation for her,” Hesse said. “It can be very dangerous for victims if a perpetrator has not been served.”

Hesse also noted that police lost online access to court records, so if they encountered an abuse or stalking situation, they would have no idea whether the victim was covered by a protection order. “We told our clients to keep a physical copy of their orders with them or to keep a copy on their phones,” Hesse said.

Attacks and Responses

On the morning of September 29 — two weeks before the cyberattack on the Kansas courts — Chief Judge John Miller of Florida’s First Judicial Circuit was getting ready for work when his wife interrupted his shave to hand him his cell phone.

“When your cell phone rings at 6:30 in the morning, it’s normally not good,” Miller said. He was right. The court administrator was calling to tell him his four-county circuit had been hit by a major cyberattack, later attributed to an international ransomware gang. 

By the time Miller reached his office, the phones and computers were down. ”Our case management system was completely wiped out,” he said. The digital court reporting system was also offline, so judges were unable to access critical transcripts from previous hearings and trials.

“We honestly thought we were going to have to retry a five-day murder trial because we could not access the transcript,” Miller said.

Miller turned to the clerks of the court, elected county officials who maintain public records and court filings, and whose systems, which operate independently, were still online. The clerks provided access to their computers, which allowed judges and court staff access to basic information, like court dockets. “The clerks saved us,” he said. 

It was seven weeks before business returned to normal. While the system was down, “we were able to do the mission-critical things, maintaining criminal proceedings and first appearances,” Miller said. “It wasn’t 100 percent, but it was a lot more than I would have anticipated at the very beginning.”

Importance of a Well-Established Plan

How much damage a cyberattack causes may be directly proportional to the planning courts have done to anticipate a breach, and the equipment and staffing they are able to deploy in response. In February, the Pennsylvania court system was the target of a major cyberattack. Within a few days, however, the system was back to normal.

Russell Montchal, the director of information technology for the Administrative Office of Pennsylvania Courts, and Andrea Tuominen, the commonwealth’s court administrator, said the IT team and court officials were able to cut the response and recovery time by hewing to a well-developed cybersecurity incident management plan. The plan is routinely updated, and the IT team tests the court’s defenses on a regular basis.

The Pennsylvania court system also has established working relationships with federal and state law enforcement agencies focused on cybercrime and has secured an appropriation for emergency procurements, both of which give the IT team additional flexibility and firepower to combat an attack, Montchal and Tuominen said.

“Plan for getting attacked,” said Stacey Marz, administrative director of the Alaska Court System. “Nobody should think they’re too small or too uninteresting to be attacked.” The Alaska court system suffered a serious cyberattack in 2021 during which hackers compromised computers and servers even in small, rural communities, Marz said.

“The courts often have plenty of confidential information,” she said. “And there may be other motives; they could be a destabilizing force trying to reduce confidence in the judiciary.”

Marz said the fact Alaska’s courts operate in a unified system was a key advantage in responding and recovering from the attack — a point echoed by administrators and IT directors in other states. “Many court systems are decentralized and they rely on county infrastructure that they have no control over,” Marz said. “I think that is an incredible challenge in a lot of jurisdictions.”

A Window of Opportunity

An attack, while potentially devastating, can also create opportunities for courts to make improvements. In Texas, Casey Kennedy, director of information services at the state Office of Court Administration, remembers the internal opposition the IT team faced when attempting to make security-friendly changes like adding multi-factor authentication and moving certain functions to the cloud.

Then, in May 2020, Texas courts were targeted by cybercriminals in an attack so severe the court only narrowly missed having to scrap its entire system and start over from scratch. In the wake of the attack, the IT team was able to make significant security-related software and hardware upgrades that had been deferred for years because of cost or resistance to change by the judiciary.

One of the most important changes was the purchase of an endpoint detection response tool, or EDR, which alerts the IT team about malicious activity, allowing them to quickly investigate and contain attacks. “I can sleep based on the protection of our EDR,” Kennedy said.

But many courts across the country lack the resources and training for proper protection. In its 2022 report, the National Center for State Courts cited budget concerns, a lack of staff with the appropriate skill sets, reliance on external IT providers with unclear roles, and insufficient cybersecurity training for staff as key obstacles to cybersecurity in the courts.

In Kansas at least, the attack on the courts has prompted action by the judiciary and legislature. On May 9, Gov. Laura Kelly signed into law a bill creating chief information security officers for the judiciary and other branches of government and requiring that these new officials implement minimum cybersecurity standards. In January, Kansas Chief Justice Marla Luckert also requested $2.6 million to cover costs associated with the 2023 cyberattack and to begin the hiring process for three cybersecurity positions.

Money helps, but as Pennsylvania’s Montchal notes, IT teams must design cybersecurity defenses that fit the particular needs of a court system — a process that takes time. “You can’t just flip the light switch on cybersecurity, even if a few million dollars land in your lap,” Montchal said. “If it’s not been done all along, you can’t change overnight.”

David Brown is a freelance writer and former editor in chief of American Lawyer Media (ALM), The National Law Journal, and Legal Times.