Recent news reports indicate the United States Federal Courts have been thoroughly infiltrated by hackers. Since at least 2020, hackers have breached the core case management system, which each judicial district uses to track the many documents filed on a docket. The system processes everything from mundane scheduling changes to sealed indictments and information about witnesses cooperating with law enforcement.1 According to one official, the access is so deep that “[the hackers] probably know more about [the case management system] than the Administrative Office of the U.S. Courts.”
For a nation founded on the rule of law, this incident (or series of incidents2) presents a host of challenges for policymakers and the broader public. From a cybersecurity perspective, three in particular stand out to me:
- Confidentiality versus availability – When dealing with a targeted data breach, organizations must weigh the potential negative impacts of taking a system down to (hopefully) eradicate bad actors against the importance of maintaining the confidentiality of the data stored within.
- Transparency: trust-affirming or trust-impeding? – For institutions of public trust, the mere existence of a breach can erode confidence in the institution’s security and integrity—but so can a feeling that leaders hid information from the public.
- Investments in treading water – After a breach is discovered, organizations tend to invest in instruments to understand the scope and scale of the breach. However, these investments tend to vie for the same pool of funding as investments in modernization initiatives that will address the underlying vulnerabilities that caused the breach in the first place.
What happened?
Recent public disclosures indicate that hackers breached the Judicial Branch’s case management/electronic case filing (CM/ECF) system and its portal, the Public Access to Court Electronic Records (PACER) system. Per Judge Michael Scudder, the Chair of the Judicial Conference Committee on Information Technology:
“CM/ECF is the backbone system federal courts depend on for mission critical, day-to-day operations. It is used by electronic filers to submit filings in all cases and proceedings, including criminal, civil, appellate, and bankruptcy matters. And it is used by judges and court staff to conduct many tasks related to case management. PACER is the front-end portal to CM/ECF used by individuals, businesses, federal entities, and others to access public court records.”
Breaches of CM/ECF date back to at least 2020, indicating ongoing cybersecurity issues with the system. Administrative Office of the Courts officials testified in 2022—and as recently as June of this year—about the system’s significant cybersecurity risks. While many of the filings in the case system are public, a number of the filings contain documents that are sealed, meaning they have deliberately been restricted from public access. There has been little clarity from the Judicial or the Executive Branches on what data have been taken, though media reports indicate some of the exfiltrated files may pertain to cases against drug cartels.
Confidentiality vs. Availability
News reports indicate that the malicious actors have used similar vectors to access the CM/ECF system for the past five years. This is consistent with Judge Scudder’s testimony that: “[b]ased on extensive internal and external analyses, we have concluded that CM/ECF and PACER are outdated, unsustainable due to cyber risks, and require replacement.” Given knowledge of these breaches since at least 2020, and known inadequacies in the system, how could the system remain exposed for so long?
At least some of the answer may be found in consequence analysis that weighs impacts on the confidentiality of data stored in CM/ECF against impacts on the availability of the system itself. POLITICO notes that, based on their sourcing, the intruders “have grown bolder about how much data they steal over time.”
Consider, then, the perspective of court officials at the time of the 2020 breach. There is some indication that hackers had stolen only a limited amount of data at the time, and that they retained some level of access. Court officials could opt to root them out, a choice that would likely involve a significant period of downtime for affected systems—which are federated across each judicial district—to make necessary upgrades. Alternatively, the officials could invest in cybersecurity tooling to better alert them to suspicious activity, allowing them to quickly stamp it out while gradually building a replacement system.
It seems clear, both from testimony and press reporting, that the Courts chose the latter approach. And perhaps for good reason: they weighed the uncertain loss of a limited amount of information, much of which might be public, against shutting off the “backbone system” for “mission critical, day-to-day operations.”
Following the 2020 breach, the Courts developed a modernization plan in collaboration with the Executive Branch and have made significant investments in IT modernization. Given the recent spate of hacks, however, that phased approach was not sufficient to thwart the bad actors, who seem to have developed a more voracious appetite for court files.
Perhaps most notable about the recent reporting is that, even presented with this new evidence of compromise, the CM/ECF system remains active. District courts are beginning to order sealed documents to be filed by hand, rather than electronically, but those orders are limited in scope—every district must take action independently. It is also unclear what effect prospective paper filing will have on sealed records that are already in the system.
Writ large, the great policy challenge in cybersecurity remains incentivizing the people best able to protect national security, economic security, and public health and safety—network owners and operators—to take actions that are not clearly in their own best interests, whether because their priority is their core mission or their balance sheet. Policymakers will do well to examine the incentive structure that has allowed these vulnerabilities to persist for years.3
Transparency: Trust-affirming or Trust-impeding?
Based on publicly-reported timelines, it seems clear that Judge Scudder’s testimony on June 24, 2025, took place after the court system was already aware of the scope of the latest exfiltration. Yet neither Scudder nor Judge Amy J. St. Eve, Chair of the Judicial Conference Committee on the Budget, mentioned the incident beyond this statement: “With assistance from our Executive Branch partners, we provided a classified briefing for appropriations and authorizing full Committee and Subcommittee leadership in May where we provided more details about specific incidents that have occurred and their implications.”
The general opaqueness in public statements from the courts could be for several reasons. First, there may have been operational sensitivities surrounding the breach that required discretion. However, given the relatively broad briefings provided to district judges in May—and the fact that the underlying vulnerability that led to the breach seems to have been largely unchanged for the past five years—it seems unlikely that operational security would motivate the lack of transparency.
Notably, Scudder’s public testimony references classified briefings for Congress. As the Courts are not an original classification authority, some portion of the details related to the incident—at least those discovered on the court networks—must not be classified. Knowledge of the existence of a cyber incident, then, should be publicly disclosable, even if information about the threat actors involved might not be.
Given this, in my view, the most likely reason for a lack of transparency about the breach is concern that disclosure would undermine confidence in the judicial system. At a time when courts are under attack by public officials, and public confidence in the courts is at a record low, well below the OECD average, news of a cybersecurity incident could further erode public trust. Officials might also reason that, based on the threat actors involved,4 there was little likelihood that court proceedings would be affected.
The concern, of course, is whether the lack of transparency itself becomes a source of mistrust once the breach becomes public. Policymakers should consider how this incident shapes perception of the court system as they navigate the current phase of the response and should calibrate their future recommendations or requirements about transparency accordingly. In particular, policymakers should also examine the confidence level of attribution to a given threat actor and the confidence level that no other threat actor could take advantage of the vulnerabilities in question.5 Weighing whether or not to go public—and, in turn, to leave the system online—when only the confidentiality of court documents is at stake is one thing, but that calculus changes if the threat actors might interfere with the integrity of records, too.6
Investments in Treading Water
Finally, I note the investments in “treading water” as a last point of interest for policymakers—and the broader public. It is reasonable for policymakers to ask what happened to the IT modernization and cybersecurity investments of the past several years if this breach is still ongoing. Or, as Chairman Issa put it: “[I]t will not surprise you that I’ve had more than a few of the prime vendors to government say: ‘if you gave us that much money and told us we had to immediately upgrade the system and then maintain it, we could do it on monies similar to what you spent.’”
I cannot say whether the Administrative Office of the Courts has wisely spent all of the tax dollars appropriated to it for this purpose. However, there are two considerations to keep in mind.
First, the Judiciary is extremely federated. Judge Scudder—and Director of the Administrative Office of the United States Courts Judge Roslynn Mauskopf and her successor, Judge Robert Conrad—have consistently prioritized cybersecurity in their actions and budget proposals. However, they are not empowered to run the interoperable judiciary networks as a single enterprise. The historical discretion afforded to local courts to customize their systems has likely led to significant cybersecurity challenges. Congress afforded the Secretary of Homeland Security the power to mandate cybersecurity activities on other federal agency networks in 2014. Perhaps a similar approach might be warranted for the Chief Information Officer within the Administrative Office of the United States Courts.
Second, as Judge Scudder described in his testimony, some of the investments are going towards “protect[ing], as best we can, the existing CM/ECF and PACER systems to reduce cyber risk while the new case management system is being developed.” As noted above, the decision to keep CM/ECF available necessitates additional cybersecurity spending to monitor (and hopefully halt) malicious activity. This is, in essence, the equivalent of a doctor prescribing treatment to mitigate symptoms, rather than address an underlying disease. As a result of this two-pronged approach that requires additional cybersecurity service costs on a yearly basis, the modernization project ends up being significantly more expensive.
Chairman Issa noted potential Congressional interest in authorizing the Administrative Office of the Courts to enter into longer-term contracts that could greatly accelerate software procurement. Innovative solutions that allow for both additional operational security spending and capital modernization efforts are critical to address these types of pernicious cybersecurity challenges going forward.
What’s Next
The breach of the U.S. Courts’ case management system is significant, and policymakers in all three branches of government must take urgent steps to mitigate risks to the functioning of our courts. In doing so, they would do well to consider the conditions and incentives that allowed the system to remain vulnerable for more than five years—and ensure that their actions overcome those security-impeding dynamics. Finally, policymakers should bear in mind that current threat modelling may not take into account other malicious actors in cyberspace, who, alerted to the vulnerability of the system, may penetrate it with a view toward causing disruption to our justice system and the principles of our democracy.
1 Press reports do indicate that information about the most sensitive protected witnesses and classified national security information is stored on different systems.
2 For the purposes of this blog, I refer to the challenges with the case management system as one ongoing incident, as this seems most likely given the current reporting. It is possible that different threat actors have breached the courts multiple times over the past several years.
3 Note that this does not mean policymakers should blame the court officials who have been diligently trying to address these vulnerabilities. While accountability is important, the structural challenges that lead to misaligned operational (keeping the court system operating) and national security (keeping sealed court documents safe from foreign adversaries) incentives are the real issue.
4 While public reporting has indicated that the Russian government may be behind the hacks, the specific attribution is not important to the analysis.
5 There is some reporting that exfiltration of cartel-related information is, in fact, what intensified the response from officials.
6 Given the level of penetration of the system, it’s not clear that cyber defenders would be able to easily detect hackers making changes to court records.
