The confidential deliberations of the US Supreme Court are extraordinarily sensitive. Supreme Court decisions affect millions of lives and have powerful political repercussions. And few are more sensitive – personally and politically – than decisions relating to abortion. The 2022 leak of the Court’s draft opinion in Dobbs v. Jackson Women’s Health Org was an extraordinary breach of Supreme Court traditions and decorum. It brought undesired publicity, scrutiny and a whiff of scandal to the court as it was dealing with one of the most highly charged political issues in America.
It also exposed IT security controls at the highest court in the United States that were plainly insufficient, and that are now likely to be strengthened.
Draft opinions are routinely circulated internally as part of the Supreme Court’s confidential deliberations – emphasis on “internally” and “confidential.” On May 2, 2022, Politico published a draft majority opinion in Dobbs v. Jackson Women’s Health Org that had been leaked to it by a source “familiar with the court’s deliberations.” The draft, which had been circulated within the court in February, all but confirmed what abortion rights advocates had feared and “right-to-life” organizations had hoped: that the Supreme Court was going to overturn the landmark Roe v. Wade decision of 1973. It was a bombshell, both in its content and in the mere fact that it became public weeks before the court issued its ruling.
The day after Politico’s story ran, Chief Justice John Roberts ordered a thorough investigation to find the source of the leak and to determine whether the court had been hacked or an insider had deliberately leaked the opinion. The investigation included IT forensics as well as interviews with almost 100 employees.
In January 2023 the Marshal of the Supreme Court, Gail Curley, released her report. Investigators found no evidence that an outside attacker had broken into the court’s IT systems, but they also could not determine which of the 82 employees known to have had access to the draft opinion might have leaked it.
Since nothing indicated that the court’s cyber defenses had been breached, the investigators concluded the leak was most likely the work of a “trusted insider,” an employee of the court with legitimate access to the draft. The report also revealed a startling lack of controls to limit the leakage of confidential information.
The report exposed a number of security gaps that weakened the court’s security posture, hampered the investigation, or both:
- Technical limitations in the court’s computer recordkeeping make it impossible to rule out that the draft opinion was emailed to someone not authorized to see it.
- The court’s systems lack meaningful event logging, and there is no way to search the logs that do exist.
- Investigators could not rule out that the opinion was copied to removable media.
- Printer logs are either non-existent or retain only a limited number of recent print jobs.
- Investigators could not say with certainty that the systems were not hacked.
- The opinion may have been disclosed inadvertently or negligently, for example by leaving a printed copy visible in a shared space.
- If, as suspected, an insider leaked the document, gaps in physical and/or cybersecurity controls allowed the perpetrator to do so without being identified.
The report’s bottom-line conclusion was this:
…the pandemic and resulting expansion of the ability to work from home, as well as gaps in the Court’s security policies, created an environment where it was too easy to remove sensitive information from the building and the Court’s IT networks, increasing the risk of both deliberate and accidental disclosures of Court-sensitive information.
The Chief Justice asked former Secretary of Homeland Security Michael Chertoff to review the investigation. Chertoff recommended these measures:
- Restricting the distribution of hard copy versions of sensitive documents
- Restricting email distribution of sensitive documents
- Utilizing information rights management (IRM) tools to better control how sensitive documents are used, edited and shared
- Limiting access to sensitive information from mobile devices outside the court’s control.
Protecting Your Organization with Data and Cybersecurity Controls
While the political ramifications of this leak are unusually broad, what is equally alarming – at least for cybersecurity professionals – is the Supreme Court’s glaring lack of data security controls in particular and cybersecurity controls in general. Relying on organizational norms and assuming that every user is trustworthy is the antithesis of the Zero Trust approach that has been mandated for federal executive-branch agencies. It is no way to keep any organization’s data secure, much less that of an institution with such broad influence on the lives of millions of citizens.
A number of important lessons can be gleaned from the Supreme Court leak – and especially from the security flaws that were revealed as a result:
- “Least Privilege Access” must be managed and enforced at the user, resource, infrastructure, application and even in-app activity level to be truly effective. Not every individual in a particular job function needs the same access. It is possible that all 82 people who had access to the draft opinion needed it; it is also possible that some could see it because of their job title rather than because their work required it. Robust Identity and Access Management should enforce least privilege at the most granular level, and should record every access decision so that an investigation has something to search.
- Remote access from unmanaged devices – even by authorized users on BYOD devices – represents a serious risk. A clientless Zero Trust Network Access (ZTNA) solution like ZTEdge Web Application Isolation enables simple, secure access from any device, governed by user-level data security policies that define which applications each user can reach and which actions (for example download, print or copy) they can take once inside.
- As the Marshal’s report highlights, it is simple for any user to evade workplace data controls through shadow IT. For instance, a user could have emailed the draft opinion to a third party from a personal Gmail account, uploaded it to a personal Dropbox for later retrieval, or sent it to the Politico reporter as a WhatsApp attachment. ZTEdge Remote Browser Isolation (RBI) lets organizations prevent this type of data loss through granular control of browser functions such as copy/paste, print and uploads. DLP policies can be applied in the isolated browser as well, so that sensitive content is inspected before it ever enters an end-to-end encrypted channel.
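The two controls the list above keeps returning to, explicit per-document grants that are checked per action rather than per job title, and a decision log that can actually be searched afterwards, fit in a few dozen lines. The following is an added example written for this page; it is not ZTEdge code and not anything from the court’s systems. The document name, the users and the grants are constructed, and the rule that an unmanaged (BYOD) device may only view, never download, print, copy, email or upload, is an assumption chosen to mirror the report’s recommendations.

```python
"""Deny-by-default, action-level access control for a sensitive document,
with an append-only audit trail that can be searched afterwards.
Added example for this article; every name below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable

# In-app activities that a least-privilege policy must decide individually.
ACTIONS = frozenset({"view", "download", "print", "copy", "email", "upload"})


@dataclass(frozen=True)
class Grant:
    """An explicit per-user, per-document grant. No grant means no access;
    a job title on its own never confers anything."""
    user: str
    document: str
    actions: frozenset


@dataclass(frozen=True)
class Request:
    user: str
    document: str
    action: str
    device_managed: bool  # True for an organisation-managed endpoint, False for BYOD


class PolicyEngine:
    def __init__(self, grants: Iterable[Grant]):
        self._grants = {(g.user, g.document): g.actions for g in grants}
        self.audit: list[dict] = []  # append-only; every decision is recorded

    def decide(self, req: Request) -> bool:
        """Return True only when every check passes; log the decision either way."""
        if req.action not in ACTIONS:
            reason = "unknown action"
        elif (req.user, req.document) not in self._grants:
            reason = "no grant for this user and document"
        elif req.action not in self._grants[(req.user, req.document)]:
            reason = "action not included in grant"
        elif not req.device_managed and req.action != "view":
            reason = "unmanaged device: view only"  # assumption: BYOD is read-only
        else:
            reason = "granted"
        allowed = reason == "granted"
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": req.user,
            "document": req.document,
            "action": req.action,
            "device_managed": req.device_managed,
            "allowed": allowed,
            "reason": reason,
        })
        return allowed

    def search(self, **criteria) -> list[dict]:
        """The search capability the Marshal's report found missing:
        filter the audit trail on any combination of fields."""
        return [e for e in self.audit
                if all(e.get(k) == v for k, v in criteria.items())]

    def removal_events(self, document: str) -> set[str]:
        """Users who succeeded in taking a copy of the document out of the
        application: the first query an investigator would run."""
        return {e["user"] for e in self.audit
                if e["document"] == document and e["allowed"]
                and e["action"] in {"download", "print", "email", "upload", "copy"}}


def demo() -> PolicyEngine:
    """Constructed scenario: three staff with different grants on one draft."""
    doc = "draft-opinion-A"
    engine = PolicyEngine([
        Grant("justice_1", doc, frozenset({"view", "download", "print"})),
        Grant("clerk_1", doc, frozenset({"view", "print"})),
        Grant("clerk_2", doc, frozenset({"view"})),  # needs to read it, nothing more
        # "staff_3" shares the clerks' job title but has no grant on this draft.
    ])
    engine.decide(Request("justice_1", doc, "print", True))      # allowed
    engine.decide(Request("clerk_1", doc, "print", True))        # allowed
    engine.decide(Request("clerk_1", doc, "email", True))        # denied: not granted
    engine.decide(Request("clerk_2", doc, "download", True))     # denied: view only
    engine.decide(Request("clerk_2", doc, "view", False))        # allowed on BYOD
    engine.decide(Request("justice_1", doc, "download", False))  # denied: BYOD
    engine.decide(Request("staff_3", doc, "view", True))         # denied: no grant
    return engine


if __name__ == "__main__":
    e = demo()
    for entry in e.search(allowed=False):
        print(entry["user"], entry["action"], "->", entry["reason"])
    print("took a copy out:", sorted(e.removal_events("draft-opinion-A")))
```

The point of `removal_events` is that with per-action logging the 82 people who could read a draft shrink to the handful who printed, downloaded or emailed it, which is exactly the narrowing the court’s investigators could not do. In a real deployment the audit list would be written to append-only storage outside the application’s own trust boundary, so an insider with application access cannot edit their own trail.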
If it can happen to the US Supreme Court, it can happen anywhere and to anyone. Exposure of confidential information can be devastating for any organization. Proper protection requires a combination of the right policies and the right technology. A comprehensive, Zero Trust-based cybersecurity platform, such as ZTEdge, provides the cybersecurity control tools needed to keep confidential data secure.