We definitely have cybersecurity awareness, but we also have what I call cybersecurity readiness and performance. To me, awareness is knowing something, and readiness and performance is having the right amount of knowledge and the right amount of training to be able to act on a problem.
We actually measured cybersecurity readiness and performance of our staff for many years beforehand. This is unique. We weren’t talking about it, but we wanted to know the knowledge, behavior and attitude of our employees. We measured that mathematically.
One of the steps we’ve been taking is looking at the high-profile users — someone who doesn’t have the right amount of knowledge about phishing — and asking, can we monitor them differently? Can we act on them differently?
It goes back to an engineering problem. To me everything is about defining things in a big-picture format, then acting on it with an engineering mindset and then training the operational teams to be able to deal with it.
To directly answer your question, I want to make sure that those actions by the operational teams are directly in line with the way that we’ve engineered the systems. Did the overnight operational teams know how to act on a particular engineering rule that we’ve created? We’ve seen so far that they know how to do that, but it’s an ongoing situation.
Our court could be down if ransomware hits. We’ve made engineering directly related to ransomware, because we’ve seen places like Atlanta, Baltimore, Albany and Quebec that were basically missing the right engineering to be able to deal with these threats.
This has been a major learning situation, not just learning in academic terms but in terms of practical mindsets.
We’ve even seen a mindset change with our users. I always go back to this in cybersecurity: If the end user is talking, I listen. I’ll go to people who may not be engineers, and I’ll talk to them: How do they view Cybersecurity Awareness Month? How do they view working from home?
It’s been interesting during this period. We’ve seen a lot of users at different levels of the organization reaching out who would’ve never reached out to me earlier with cybersecurity questions. It could be questions like, “How do I keep my computer safe for my kid?” or, “What threats do I need to be aware of on the Internet?”
There’s a mindset change there, so I think we’re all learning.
We have several courts here: Supreme Court, Superior Court, Appellate Court and Tax Court. The Supreme Court had several committees during this COVID-19 period. I was part of pretty much all of them, and they were related to technology, cybersecurity and providing justice. There was even a new one recently that was getting into a key topic, the security of judges’ personal information online, which is a major threat to them.
One of the key questions that was posed to me was, what are the disparities? Once you came into the physical court, you had a judge, a jury, a certain background. Now you’re sitting behind a Zoom session or whatever you have, a virtual image. What are the things at home that could lead to disparities in terms of the judge judging you?
If, let’s say, you had red paint in the background, or a lot of noise, does that affect the way that your judgment comes out? If you’re in a court case and you’re always No. 1 on the screen, does that change the way that the judge may rule on your case because you’re always in the forefront? These are things that we never had to deal with before and that we will be studying and understanding for many, many years. And I don’t think that’s going in reverse. Now there’s a new area; we saw a court case out of the U.K. where someone had doctored audio for a child custody case, so deepfakes. This is all part of the world now.