New York State court officials are maintaining a tight-lipped stance about their efforts to safeguard judicial computer systems in the wake of high-profile cyberattacks that brought down court systems and city government, respectively, in Philadelphia and Baltimore in recent months.

A spokesman said the New York State Unified Court System has “robust cybersecurity protocols” and operates under the “best practice recommendations” for cybersecurity, maintaining a dedicated oversight unit and a data security committee that meets regularly.

“We constantly monitor the triangle of greatest vulnerability that any large computer network faces: email, e-filing and internal case management,” said Lucian Chalfen, the New York Judiciary's official spokesman.

The court system also interacts with the Office of Information Technology Services and its Chief Information Security Office, which is responsible for protecting the state government's cybersecurity infrastructure and coordinates security services provided to state agencies.

A spokeswoman for ITS, however, did not comment on what steps that were being taken to coordinate efforts with the courts and other state agencies. Instead, she directed inquiries back to Office of Court Administration.

Chalfen responded that “our court security people meet with the NYS Office of Information Technology during our state agency/authority meetings,” but he declined to comment any further.

“Any further detail about our interaction and what we are doing is not appropriate to discuss,” he said in an email.

The reluctance to speak to specific efforts is not all that surprising, given the scope and sophistication of the threats that state and local governments are facing.

Earlier this month, the First Judicial District of Pennsylvania shut down Philadelphia's court website, including its docket tracking and litigation filing features, and blocked court employees from accessing their work email, after a “virus intrusion” was found on court computers.

Meanwhile, Baltimore is dealing with the fallout of a ransomware attack that took city employees' work email, the property tax portal, and water bill and parking ticket payment systems offline for nearly a month.

As in most states, officials in New York are concerned that publicizing security operations could leave them vulnerable to attacks.

“How they protect their systems is proprietary, and they don't want anyone to know,” said Mark Berman, a partner with Ganfer Shore Leeds & Zauderer, who also chairs the New York State Bar Association's committee on technology and the legal profession.

However, looking to efforts outside of New York can prove instructive on how state governments coordinate threat monitoring, detection and response. For example, in Delaware, the preferred venue for litigation among most of the nation's Fortune 500 companies, the state Department of Information Technology provides the core infrastructure on which the entire state runs.

The state court system, which includes the influential Chancery Court, operates in an isolated environment within the overall structure in order to “limit the blast radius” should an attack or intrusion occur, said Solomon Adote, DTI's chief security officer.

The Judicial Information Center, essentially the judiciary's IT department, delivers to DTI the applications that allow the court system to exist online, which DTI then monitors and assesses for weaknesses. The JIC in turn implements controls from DTI and provides security support on a day-to-day basis. Both layers works closely to share information and train judicial branch staff.

The ultimate goal, Adote said, is to make Delaware's system “100% centralized,” to enhance the “visibility and control” that DTI has across the network. Total centralization, he said, would allow for “identity-driven risk control,” and enable DTI to “walk next to” every user that interfaces with the state to ensure that its not a risk.

DTI meets often to identify cybersecurity trends and discuss developments from from outside the state. The Delaware belongs to the Multi-State Information Sharing and Analysis Center, a collaborative effort featuring representatives from all 50 states and hundreds of local governments that helps members share threat data and intelligence.

“We leverage all that data to ensure that we are both reactive and proactive in our protection of the state systems,” Adote said.

MS-ISAC, which is funded by the federal government, features “sensors” on the edge of computing environments that alert members to a majority of attacks that are occurring elsewhere and provides them with real-time threat intelligence briefing of the details and behavior of the attack to protect their own networks.

Attorneys in New York confirmed that the courts share little about their cybersecurity efforts with members of the bar, even amid a push to expand its e-filing system.

Recently, New York launched a pilot program with limited e-filing for matrimonial cases in select counties, which has proved to be very successful, said Eric Tepper, chair of the New York State Bar Association's Family Law Section. Tepper said the section has come out in favor of expanding the system statewide, in order to better protect the private information of clients.

However, the state has said little about how it actually safeguards the data in its system.

“I think we're hearing very little from them,” said Tepper, noting the real fear that diverging the information could “tip off hackers.”

“I am not aware that the court system is publicizing any details as to what they are or are not doing,” he said. “I think as attorneys, we do trust that the court system is protecting confidential information.”

Whatever the state is doing behind the scenes, there is little impact on the way attorneys are able to do their jobs, said Matthew Mehnert, a partner with Lamb & Barnosky. Still, he said, more information from the state would be welcomed by members of the bar.

“I think it would be good to know what's being done, if things are being done, because it does give you a level of confidence in the system,” hes said.

Meanwhile, its up to individual firms to protect their client's information and their own assets, Berman said, through an approach that includes robust computer systems, IT providers and firewalls and anti-virus protections.

“You have an ethical obligation to do that,” he said.

Firms should always require dual authentication for log-ins, and some IT providers monitor emails proactively, before they get to lawyers. Others, he said, employ “reactive monitoring” once suspect emails have entered the system.

Berman said that some firms hire services that will actively seek to break in to the network by sending phishing emails to employees or using other methods to identify vulnerabilities within the system. But the problem, he said, is that some smaller firms may not be able to afford the services or even know that they exist in the first place.

State bar associations can help to fill the void. In New York, the bar association publishes a cybersecurity brochure outlining best practices, and attorneys are invited to participate in continued legal education programs on the subject.

The bar association this month launched an initiative for bar members to access network security services through JDL Group, an outside vendor, at a discounted price. A benefit to NYBSA membership, the program helps put attorneys in touch with a range of security-assessment services, including vulnerability checks, log monitoring and penetration tests. Members can also receive a full compliance assessment, dark web scan for stolen information and a security policy review.