US Supreme Court leak investigation highlights weak and ineffective risk management strategy

The Supreme Court of the United States (SCOTUS) has announced that its investigation to find the insider who leaked a draft opinion of the Dobbs v. Jackson Women’s Health Org. decision to media outlet Politico has come up empty.

In a nutshell, the court’s insider risk management program, designed to protect the information the justices handle on a daily basis, failed—and failed miserably. Frankly, based on the findings of the report, the court’s insider risk management program—if it existed—was anemic at best.

The investigation, detailed in a 23-page report released on January 19, indicates that the court’s methodology was judged to be thorough by Michael Chertoff of the Chertoff Group, who was asked to review the marshal of the court’s investigative results.

Basic security protocols were not in place

Chertoff’s recommendations speak volumes about the state of affairs of the information security arena within SCOTUS and every CISO will recognize that what should have happened was basic blocking and tackling (or infosec 101):

1. Restrict the distribution of hard copy versions of sensitive documents.
2. Restrict email distribution for sensitive documents.
3. Use information rights management (IRM) tools to better control how sensitive documents are used, edited, and shared.
4. Limit the access to sensitive information on outside mobile devices.

All investigations are limited to the available data. The marshal may well have been most thorough, but what was available seems to indicate an arcane and dated information-handling strategy was in place within the court. The court did not embrace the basic tenets of insider risk management by any stretch of the imagination.

SCOTUS leak investigators used subjective criteria

The report highlights that 97 employees were interviewed, all of whom denied providing the draft to Politico. The report goes on to explain that investigators had apparently divided the employees into cohorts based on an “evaluation of statements and conduct of personnel who displayed attributes associated with insider-threat behavior—violation of confidentiality rules, a disgruntled attitude, claimed stress, anger at the court’s decision, etc.—and weighed behavior and evidence that would tend to mitigate any adverse inferences. Investigators also carefully evaluated whether personnel may have had reason to disclose the court’s draft decision for strategic reasons.”

This is a long-winded way of saying that investigators employed subjective criteria and the content of personnel files (no doubt looking for prior reprimands) and considered whether an individual might hold opinions that did not align with the draft opinion to determine who may have been most likely to violate the trust of the court.

Joyce Vance, former US attorney and co-host of the #SistersInLaw podcast, noted in a series of public Twitter posts that it appeared the investigation focused on people who had “anger at the court’s decision.” She contends that the investigation appeared “very one-sided” and noted that the “court could have explained what they did and didn’t do, why they didn’t use criminal investigators, given cyber issues and their list of possible criminal violations. Transparency wasn’t the goal here.”

In fairness, the report does reference that “the investigative team consists of seasoned attorneys and trained federal investigators with substantial experience conducting criminal, administrative, and cyber investigations,” without further attribution. Interestingly, the report does not indicate if the 97 employees included the nine justices.

Remote working clouded leak investigation

Highlighted by the marshal is an issue that every CISO has had to address throughout the pandemic: a dispersed workforce, working from locations other than their principal place of employment—in other words, working from home. This reduced the IT team’s visibility. In addition, the interviews of employees revealed that several did not handle the document in accordance with existing IT policies and numerous copies were printed, though neither logged nor accounted for by any empirical methodologies as there was “very little logging capability at that time.”

Additionally, the report indicates that some employees violated the “need to know” principles and shared sensitive portions of the draft with their spouses.

The investigation goes on to opine that it is “unlikely that the public disclosure was caused by a hack of the court’s IT system.” The report continues that the investigation did not “uncover any evidence that an employee with elevated IT access privileges accessed or moved the draft opinion.” Furthermore, the investigators “did not find any logs or IT artifacts indicating that the draft opinion had been downloaded onto removable media, but it is impossible to rule out.”

The takeaway for CISOs from SCOTUS leak investigation

The important takeaway for CISOs and their infosec and insider risk management teams lay within the conclusion provided in the Marshal’s report: “Assuming, however, that the opinion was intentionally provided to Politico by a court employee, that individual was evidently able to act without being detected by any of the court’s IT systems. If it was a court employee or someone who had access to an employee’s home, that person was able to act with impunity because of inadequate security with respect to the movement of hard copy documents from the court to home, the absence of mechanisms to track print jobs on court printers and copiers, and other gaps in security or policies.”

It was not until the investigation was initiated that it was recognized there were gaping holes in the ability to discern what was happening within the network and with the sensitive data. The court did not know what they didn’t know, and only because they were stung did they learn that they lacked the ability to reconstruct events. The court lost a draft opinion, the loss of which was overtaken by events when the decision was officially made and the ruling put forward. Companies with intellectual property to protect may not be so fortunate.

The loss of intellectual property, the lifeblood of many a company may have significant deleterious effects on the sustainability of the entity. How many companies can withstand the loss of their “crown jewels” and then find themselves competing on the global market at a future date against products following their own design? Not many.

Best to invest upfront in the ability to monitor one’s infrastructure so that in the event of need, one may reconstruct events and provide the empirical evidence desired.