Source: Sora Shimazaki/Pexels.
Judiciaries worldwide face a severe and intensifying threat of cyberattacks, especially as the transition to digital case administration and management—accelerated by the COVID-19 pandemic—continues.
Courts in the Americas face millions of cyberattacks each year, and the threat is growing. In September 2023, a massive ransomware attack was launched against the Colombian judiciary, caused by vulnerabilities introduced by a third-party data custodian. The attack forced the suspension of an estimated two million judicial proceedings and the cancellation of court hearings for over a week. This resembles a 2020 attack of “startling breadth and scope” against the U.S. judiciary by foreign actors. While not ultimately affecting public-facing operations, the attack represented a grave danger to the integrity of the U.S. Courts and prompted the enactment of emergency measures to protect highly sensitive court records from being compromised. Similarly, judiciaries in Argentina, Brazil, Chile, and Mexico have recently suffered cyberattacks—and this represents just a handful of examples.
These types of attacks are almost certain to increase in scope and frequency as more judicial proceedings are brought online and the power of computing (and now, artificial intelligence) continues to accelerate. Judiciaries across the Americas must start placing cybersecurity among their top administrative priorities, or else risk catastrophe.
The Growing Digital Threat to Judicial Administration and the Rule of Law
Cyberattacks against court systems are not just technical inconveniences compromising judicial efficiency. Rather, they are assaults on the legitimacy of the justice system and the rule of law itself. As a former member of the U.S Judicial Conference’s Information Technology Committee noted, “not a stretch to say that the rule of law is at stake” where judicial cybersecurity is concerned.
This concern stems from judiciaries’ role as repositories of highly sensitive information, and their symbolic representation of justice and state legitimacy. Court records contain trade secrets, intellectual property, identities of protected informants, and national security data. Similarly, leaks of judicial work product like correspondence between judges and draft opinions can have serious consequences.
More broadly, judicial infrastructure represents a mission-critical system that directly impacts national security. The 2023 cyberattack on the Colombian judiciary provides a small taste of the potential damage that a successful, system-wide digital assault on a judicial branch could inflict.
Imagine a scenario where online docketing and case management systems are disabled for weeks, which in turn requires ongoing cases to be stayed. Although some cases could continue using paper documentation, this is not a viable option at scale. As a result, litigants entitled to emergency judicial relief, such as orders to stop using a competitor’s trade secrets or restraining orders to prevent domestic violence, might not receive it. Additionally, sensitive information like the identity of protected police informants, confidential business data, or classified national security information could be released publicly, causing potential damage to individuals or organizations involved.
Aside from the obvious social harms and economic losses—which one can safely assume would reach the hundreds of millions of U.S. dollars—such an event would sow distrust in the safety and reliability of judicial institutions, cornerstones of their legitimacy. This type of reputational damage is not easily rebuilt, making such attacks attractive for authoritarian regimes looking to damage democratic governance in our region.
The Hard Road Ahead: Designing and Implementing Effective Responses
Effective responses to judicial cybersecurity threats are particularly challenging, however, for four key reasons. First, judiciaries are decentralized organizationally and physically. Usually, no judicial supreme leader exists that can simply mandate change like a president can. Instead, judicial executives must persuade (or at times, cajole) each local or regional court system to implement cybersecurity reforms.
Second, as judiciaries worldwide adopt digitized platforms, their exposure to attacks has expanded. The pandemic has accelerated this process, placing many jurisdictions in the uncomfortable position of having rapidly adopted new technology without the institutional infrastructure to protect it.
Third, the ideals of democracy and transparency our hemisphere values means that our judiciaries must give the public direct access to many of its IT systems, such as online dockets, rendering them particularly vulnerable. Moreover, a core function of modern online case management systems is permitting litigants to upload content to judicial networks.
Fourth and finally, cybersecurity is expensive. Some experts have called it the “single greatest protection cost in modern history.” And since these funding needs are complex and long-term, relying solely on the annual appropriations process is usually insufficient. While special financing vehicles like the U.S. Judiciary Information Technology Fund or Mexico’s Fondo Nacional para el Fortalecimiento y Modernización de la Impartición de Justicia help with long-term planning, they currently do not fully cover courts’ cybersecurity needs. Worse still, the Mexican Fund has recently been eliminated, creating a vacuum of stable funding for judicial cybersecurity in this G20 country.
A Call to Action
Most broadly, judicial leadership must change their mindset surrounding cybersecurity. Unfortunately, a “wizardry” approach to cybersecurity has traditionally dominated cybersecurity strategy, especially in conservative, non-technology-centric institutions like the courts. The wizardry approach views cybersecurity as a battle between technological “wizards” on each side, like a digital Harry Potter. You win the wizarding war when your superior technological wizards can defeat the attackers—your Gryffindor to their Slytherin.
Experience shows that this is a serious mistake, however. Effective cybersecurity planning requires coordination of interrelated processes across the entire organization, beyond just IT experts: human resources, finance, procurement, communications, and high-level management. The Colombian attack proves this. Since it was directed against a key third-party vendor, the only way to have prevented it was to have integrated cybersecurity planning into the judiciary’s procurement and strategic oversight processes.
The wizardry approach also overlooks the fact that human behavior creates many cybersecurity vulnerabilities. In the words of a high-ranking judicial administrator I spoke with, “It would be a big step just to convince judges to stop using Gmail for official business.” Likewise, human decision-making ultimately drives how technology is sourced, implemented, used, and maintained.
The Hogwarts-for-computers perspective must therefore be replaced with a “managerial” approach that sees cybersecurity as another mission-critical institutional process that, like physical security or legal compliance, requires institution-wide collaboration and high-level oversight.
This managerial mindset also ties into the more practical steps that judiciaries must take to protect their digital assets. For starters, financing must be harmonized with the long-term planning effective cybersecurity demands. Annual appropriations simply are not reliable enough for judiciaries to make larger IT infrastructure purchases or sustain the implementation of multi-year initiatives. Special financing mechanisms are required.
Strategic planning that accounts for a judiciary’s unique needs must also accompany such financing. A national cybersecurity strategy is essential, and top judicial administrators must participate directly in its development and implementation. (Or, at a minimum, they should develop their own complementary strategies tailored to the court system.) These efforts can be catalyzed by creating units that work across all branches of government on cybersecurity issues, such as the U.S. General Services Administration’s 18F consulting group.
Finally, judiciaries can take several small-but-effective steps now to bolster cybersecurity without large additional expenditures. First, they can create uniform, judiciary-wide IT practices, which make IT systems easier to administrate and protect while still permitting the compartmentalization of data. Second, judicial leadership can create direct channels of communication with the executive and legislative branches specifically on cybersecurity, ensuring that the issue remains a top administrative priority. Third, judiciaries can emphasize cybersecurity training for personnel of all ranks. It need not to be technical. The biggest wins are often found in changing basic behavior, such as limiting official communication to official systems.
Whatever the approach, judiciaries need to act proactively on this issue today. If not, we place at great risk one of the Americas’ most valuable ideals, embodied by the Inter-American Democratic Charter—the rule of law.
Jeffrey E. Zinsmeister is a Global Americans Fellow specializing in rule of law, cybersecurity, data privacy, and organized crime, with over 20 years’ experience in law and international affairs. A former U.S. diplomat and Organization of American States official, he has worked extensively throughout Latin America and the Caribbean, with particular experience in Mexico and Brazil. He is also currently Of Counsel at the law firm Holcomb & Ward LLP, and co-author of the book Lost (and Found) in Translation: How to Find, Hire, and Work with the Right Professional Translator for Your Business, published in 2022.
Global Americans takes pride in serving as a platform that offers in-depth analyses on various political, economic, environmental, and foreign affairs issues in the Western Hemisphere. The views and opinions expressed in this article are solely those of the author and do not necessarily reflect the views of Global Americans or anyone associated with it, and publication by Global Americans does not constitute an endorsement of all or any part of the views expressed.