Editorial: A ransomware attack closed L.A. courts for two days. The public deserves a full accounting

A view of a courthouse with a white facade, official seals and two U.S. flags flying outside
The former federal courthouse on Spring Street in downtown Los Angeles now houses part of the Los Angeles Superior Court, which was shut down for several days in July by a ransomware attack.
(Myung J. Chun / Los Angeles Times)

The Los Angeles Superior Court has an enormous data and online system that for years remained too vulnerable to hackers. The court began stepping up its monitoring, defenses and response operations less than two years ago, and it belatedly brought on a cybersecurity officer — a standard move for any large organization, public or private — this year.

Six weeks later, the court was hit by a ransomware attack that infected its computer system with damaging software, forcing it to temporarily close. The new security systems spotted the breach early on Friday, July 19, and court personnel who began their workdays early found ransom notes on their devices before 7 a.m. that day. The court remained unavailable to the public until the following Tuesday, and even then, it operated at severely diminished capacity for several more days.

The effect of the July hack was enormous. The L.A. Superior Court is the largest local trial court system in the nation and perhaps the world and, on any given day, conducts hearings and issues orders that directly affect the liberty, familial relationships and pocketbooks of thousands of people. The attack briefly postponed trials and other essential courtroom work, including issuing time-sensitive domestic violence restraining orders and ordering jail releases.

Public-facing operations are now back online, and a criminal investigation is underway. As soon as it concludes, the court owes the public a full accounting of the scope of the attack and any ransom paid to the hackers. Unlike private businesses that often suppress accounts of cyberattacks to avoid embarrassment and lawsuits, the court is a public entity and any amount it may have paid is public money. Any security breach was a failure of an institution accountable to the public.

Things could have gone much worse for the court and the 10 million Los Angeles County residents and numerous businesses and other entities that it serves. Other courts and agencies had their systems down much longer after similar attacks.

Apart from federal intelligence, security and military operations, public agencies and offices generally lag behind private corporations in tech matters.

And among public entities, local courts are often furthest behind, in part because of inadequate funding (the bulk of Superior Court funding is provided by the state budget), and in part because courtroom culture relies so heavily on independence, precedent and tradition. For decades, judges who began their legal careers before the internet or electronic data networks steered their courts away from automation and resented efforts to impose uniform rules for electronic case management.

That was especially true in the Los Angeles Superior Court. But things have slowly changed, and the court now manages one of the nation’s largest cyber operations. As the swift response to the July ransomware attack demonstrates, it has begun to catch up on cybersecurity as well.

There are good reasons for the public to be patient with the court and the FBI as they continue their investigation. This was not a simple stickup and may well have involved foreign actors looking for more than financial rewards.

First, it’s important to remember that crimes of this sort and this magnitude are usually well-planned to impose maximum disruption, and not only because bigger disruption is calculated to produce a bigger ransom payment.

Ransomware perpetrators are often described as pirates, invoking images of freelance criminal mariners who might attack any ship sailing under any flag if the vessel carries treasure that the brigands might plunder. Many are more like real-life privateers such as Sir Francis Drake, Sir Henry Morgan and others who sailed and robbed with the authority of their governments in order to harass their national adversaries.

In today’s world of online piracy, privateer hackers often operate with the tacit approval or even at the behest of foreign governments, particularly Russia (although Iran, China, North Korea and pre-invasion Ukraine are also implicated).

The cyberattack on the Los Angeles Superior Court was an attempt to extort money, but there’s a good chance that it was also a bid to undermine confidence in the justice system, and to explore and exploit vulnerabilities in data systems and in public attitudes. In other words, it may well have been one of numerous assaults on behalf of foreign adversaries. As in more open warfare, defense against such attacks ideally includes a measure of public understanding about court delays and other inconveniences.

The same is true of similar assaults on other public agencies, including 2022 attacks on the Los Angeles Unified School District and the Housing Authority of the City of Los Angeles.

But again, that patience must have limits. The court owes the public, at the earliest opportunity that does not compromise the investigation, a full report on what lasting damage was done, what lapses were responsible and what steps are being taken (and what further public investment is needed) to strengthen the court’s defenses against future attacks.
