Contributing Authors: Gary Stahl, Alex Farmer, and Donald Gross.
Editor: Brian McGovern
As courts shifted to digital dockets and mandatory e-filing, they left litigants with no direct path to a judge outside systems judicial officials have acknowledged are outdated, heavily targeted and dependent on credentialed access vulnerable to misuse.
MARCH 31, 2026 Washington, D.C. — The legal system has spent the past two years confronting one visible technology problem in court filings: lawyers submitting briefs with invented authorities generated by artificial intelligence tools. Judges could see those filings, identify the errors, and sanction the lawyers responsible. The record, however flawed, still reached the court.
A different problem sits farther upstream. It concerns the systems through which filings are received, converted, routed, entered on the docket, and made visible to judges and litigants. It is less visible, harder to detect, and potentially more consequential because it concerns not the quality of a submission but whether the submission enters the judicial process in the form, sequence, and time the court believes it did.
Since 2021, public reporting and official statements have confirmed unauthorized access to federal judicial systems, including the Case Management/Electronic Case Files platform, or CM/ECF, and the PACER system used for public access to federal court records. In response to the SolarWinds-related compromise, courts moved certain highly sensitive documents off network-connected systems and into more restrictive handling procedures after concerns that sealed materials could have been exposed. By August 2025, the federal judiciary publicly acknowledged further “sophisticated and persistent” attacks against its case-management environment. By March 2026, federal judicial officials reportedly had accelerated plans to replace the aging CM/ECF system, describing the existing infrastructure as facing acute and persistent risk.
Those disclosures settled several points. The federal judiciary’s filing infrastructure has been penetrated. Sensitive information has been at risk. The systems in use are old enough and exposed enough that the judiciary is now fast-tracking replacement. What those disclosures did not fully address is the operational consequence of those facts for litigants and courts: once filing intake, docketing, and notification are fully mediated by electronic systems, any weakness inside those systems affects not only confidentiality, but access.
That structural dependence is now drawing closer scrutiny because modern courts no longer maintain a meaningful path to judicial action outside the digital chain itself. Even conventionally filed papers generally do not go from the clerk’s hand to a judge’s chambers as operative filings. They are scanned, digitized, indexed, uploaded, and routed through the same systems that support electronic filings. In practical terms, hand delivery no longer creates an independent route to the court. It creates a different entry point into the same electronic process.
That design choice has consequences. A litigant can file in person, seek emergency relief, or attempt to bypass a compromised online portal, but the filing still has to be turned into a digital docket artifact before it can become part of the record the court actually uses. Judges and law clerks ordinarily do not act from paper originals; they act from electronically routed case materials. PACER and related procedures describe CM/ECF as the system through which courts maintain electronic case files and accept filings. Even documents filed conventionally are generally converted into electronic form before becoming part of the working docket. That means the operative court record is the digital one, and access to the judge depends on passage through the intake and routing systems that have already been acknowledged as vulnerable.
That is the point at which cybersecurity stops being only an information-security issue and becomes a due process issue. If the only path to judicial review runs through infrastructure that can be compromised, then compromise affects more than storage. It affects sequence, visibility, timing, service, and the integrity of the record from which a judge acts.
Several technical analyses submitted in litigation and related proceedings have focused on exactly that problem. One February 2026 report examining cyber attacks and the manipulation of federal court filings describes the risk as extending beyond exposure of sealed materials to possible interference with the record itself. According to that analysis, a sufficiently sophisticated actor with valid credentials or trusted-system access could alter what appears in the electronic record, affect whether a filing appears at all, or manipulate docket entries and notices in ways that would be difficult to detect from the outside. The report discusses the possibility of missing filings, altered docket activity, fabricated orders, and divergences between what was submitted and what the system later reflected. It does not present those conditions as judicial findings. It presents them as technical risks that follow from persistent access inside filing infrastructure.
A separate integrity analysis of federal court docket systems approaches the same issue through the judiciary’s known breaches and the way courts responded to them. It describes the central role of CM/ECF and PACER in maintaining the official record and notes that the judiciary’s concern after the 2020 breach was not merely that sensitive files might have been read, but that the integrity of official dockets and filings had to be treated as a security problem in its own right. The report describes the systems as longstanding targets for hostile actors because they contain not just public filings but sealed and highly sensitive materials whose value extends beyond the cases in which they were filed.
Another February 2026 analysis of selected federal case studies focuses on anomalous metadata, restricted-access portal behavior, and filing-related irregularities. Its significance lies less in any individual case than in the model it describes. Where a filing must pass through a chain of intake, digitization, indexing, and routing before it reaches chambers, there is a practical difference between a document being handed to a clerk and that document becoming the thing the judge actually sees. That difference is ordinarily invisible because the system is presumed to work. The report’s concern is that once the system itself is known to be compromised, that presumption becomes harder to sustain without verification.
The same structural concern appears in analyses outside the federal system. A portal infiltration report examining legal and quasi-judicial portals in Florida describes coordinated unauthorized access involving valid credentials, timed activity, and changes affecting domain and routing infrastructure. Its conclusion is not that every irregular filing or notice proves interference. It is that in credentialed environments, hostile actors do not need to defeat the perimeter dramatically. They can operate through the same gates lawyers, clerks, and staff use every day. That makes compromise harder to spot because the traffic looks ordinary.
A February 2026 report focused on court-related electronic communications reaches a similar conclusion from the communications side. It describes what it calls “cryptographically aligned but operationally counterfeit” messages—communications that pass SPF, DKIM, and DMARC authentication while still being wrong in the ways that matter most. A notice can appear valid within the system, be logged as sent, and yet still be delayed, redirected, duplicated, or otherwise manipulated through the infrastructure carrying it. In a litigation environment dependent on electronic notices of filing and service, that distinction is not technical trivia. It goes directly to whether the parties are actually receiving the process the system claims to have provided.
This is the context in which the phrase “single point of failure” stops sounding rhetorical and starts sounding descriptive. When courts made digital docketing mandatory and eliminated meaningful exceptions to the requirement that filings become electronic artifacts before they become operative, they concentrated access to judicial action in one place. If that place fails, there is no parallel path. A litigant cannot simply insist that the judge review the physical submission as the operative filing if the court’s working reality is the docketed digital record. The filing has to enter the system. The system has to reflect it. Chambers has to receive it. The notice has to issue. Every stage depends on the same infrastructure.
That dependence matters because public reporting and technical analysis now point to the same uncomfortable fact: the systems carrying those functions are old, fragmented, and exposed.
The fragmentation problem is especially important. CM/ECF is not a single seamless national platform in the ordinary sense. Federal courts have long operated with district-by-district implementations, local practices, and legacy dependencies layered over time. State systems are even more fragmented, with separate portals, varying vendors, different intake procedures, and different rules for how conventionally filed materials are converted and routed. Fragmentation does not merely create inconvenience. It creates uneven security, uneven logging, uneven review practices, and uneven visibility into anomalies. A hostile actor does not need to own the whole system. Persistent access to a weak point can be enough if every filing must eventually pass through it.
Compounding that risk is the judiciary’s dependence on credentialed access. Modern filing systems assume that if a login is valid, the session is presumptively legitimate. That is a reasonable design principle in ordinary operation. It is a dangerous one in an environment where credential theft is a known and documented component of sophisticated cyber campaigns. Technical materials in the record repeatedly describe valid credential use, remote access, and silent persistence as common methods through which attackers avoid detection. The problem is not only unauthorized outsiders hammering the door. It is hostile actors presenting as authorized users inside systems designed to trust the credential once it has been accepted.
That is also why the current discussion has widened beyond court administrators and security personnel to include bar associations, sector-specific collaboration groups, and lawyer-focused cybersecurity initiatives. The American Bar Association has maintained cybersecurity resources for lawyers and law firms for years, including materials directed to law practice risk and information security. CISA has taken a broader approach through public resources and the Joint Cyber Defense Collaborative, emphasizing information sharing across sectors facing systemic cyber threats. Those efforts do not focus solely on courts, but they reflect a growing consensus that cybersecurity risk affecting legal practice cannot be treated as a narrow office IT problem. It is tied to the systems through which law is practiced.
Within that landscape, the National Attorneys Cybersecurity Bar Association, NACABAR.ORG, recently launched an initiative focused on threats targeting attorneys and law firms through templated advanced persistent threat activity offered “as a service.” Its public mission is framed around cyber-awareness, resilience, and community within the legal profession. The relevance of that launch is not promotional. It is contextual. It reflects a growing recognition inside the profession that threats aimed at lawyers increasingly implicate filing systems, notice systems, client communications, and court-facing infrastructure, not just stolen documents or ransomware events.
The point is not that any one organization has solved the problem. It is that the profession has begun to recognize the problem as structural.
For litigants, the consequences are immediate. If a filing disappears at intake, appears late on the docket, is misrouted before chambers review, or generates defective notice, the harm is not theoretical. Deadlines are missed. Emergency relief is delayed. Service disputes arise. Defaults become possible. A party can be harmed long before any forensic explanation is available. And because the system is presumed reliable, the initial burden often falls on the litigant to prove that something happened inside infrastructure the litigant cannot see.
That is the unresolved issue beneath the judiciary’s modernization effort. Replacement of aging systems may reduce future risk. Stronger authentication, better logging, and improved architecture may help. But the present system remains the vehicle through which current cases move. Public statements have addressed the need for security upgrades. They have said far less about whether courts have a uniform procedural way to examine disputed intake anomalies, routing discrepancies, or record-integrity questions in systems already acknowledged to have been compromised.
For now, the strongest conclusion supported by public disclosures, official statements, and technical analyses is a limited but serious one. Court filing systems are not merely repositories of documents. They are the mechanism through which litigants gain operative access to the court. Once that mechanism becomes mandatory, digital, and without meaningful exception, compromise of the system is no longer just a cybersecurity incident. It becomes a risk to the judicial process itself.
