It has been just more than a month since a “security incident” shut down online operations for most of the state’s courts.
On Oct. 12, the Kansas Judicial Branch announced in a news release that clerks in 104 Kansas counties were unable to receive online filings. The only county unaffected by the security incident is Johnson County, which operates on a separate electronic filing and case management system.
The judicial branch is working on a “phased recovery” of its information systems, but there is no specific timeline on when everything will be restored. In the meantime, all filings have to be submitted on paper.
The electronic filing system is one of many online systems that have been inaccessible since the security incident. The incident has also negated the court’s ability to electronically process cases, accept electronically filed documents, search district court and appellate case information, search for attorneys by name or bar number, apply for marriage licenses online, and process disbursements on behalf of district courts.
The Kansas Judicial Branch has not provided specifics on the nature of the security incident.
To better understand cybersecurity incidents, Kansas Reflector spoke to two local cybersecurity experts: Brandon Joiner, CEO of ONX IT Solutions, and Jeff Wagner, founder and CEO of Aspis Consulting, both Kansas City-based information technology consulting firms.
How do security breaches occur?
Wagner said many cybersecurity incidents have a common denominator: humans. Security breaches can come from a person plugging an unknown USB into their computer or clicking on an unknown link in an email. Someone’s username and password might get compromised. A person with access to a system might intentionally or unintentionally download malware to the system.
“The common denominator is the human, but the way that the threat actor gets in could vary,” Wagner said.
Similarly, Joiner said the most common way systems are infiltrated is through phishing attacks via email. However, because he understands the Kansas court system to be more antiquated, Joiner said his guess is that its website was hit by a distributed denial-of-service attack, or DDoS. He explained it as an attacker bombarding a web server with more connections than it can handle, causing the site to crash.
Have cybersecurity attacks been increasing in frequency?
The short answer, according to both experts, is yes.
Five or 10 years ago, Joiner said, some companies could get away with baseline cybersecurity policies. But today, with cybersecurity attacks increasing and the corresponding monetary damage of the attacks increasing, “everybody has to kind of up their game to not become a victim.”
Joiner described it as a “cat and mouse game,” where cybersecurity companies like his are using the latest and greatest tactics to keep clients safe, but hackers are similarly coming up with new tricks to infiltrate systems.
Wagner noted that with every new technology that is introduced, there’s typically a security vulnerability that is not found during the production of that technology that could then be exploited.
“Does the creator of the technology find it first and fix it, or does the bad guy find it and exploit it?” Wagner said.
How long do security breaches last?
Wagner said the length of security breaches can vary. If the threat actor is a nation state who is interested in espionage, for example, then if they breach a system, they might lay low and let the business continue as usual to try to gather information. On the other hand, a ransomware attack typically shuts down operations immediately in order to try to force the victim to pay a ransom.
Joiner used an analogy of a house fire to explain why security breaches sometimes last longer than the victimized company or organization may like.
“If your house burns down, you, as the homeowner, your goal is to get your house put back together, rebuilt. But the insurance company, the fire marshal … all they want to know is what caused it,” Joiner said. “What’s the damage? What is it going to cost? We need to investigate this. Don’t touch anything. It’s a crime scene.”
That is how cybersecurity breaches often go these days, Joiner said. Until an insurance company investigates the breach, the protocol is to wait. So Joiner said that while the Kansas Judicial Branch wants to get its system back up and running, it might be waiting for an investigation to end.
Wagner said that while the Kansas court’s ongoing four-week shutdown “sounds long,” there’s not enough information about the security incident to judge the length of the shutdown.
Joiner, similarly, said that without knowing all the details of the security incident, the length of the shutdown is not atypical. However, he said it seems to be on the “long end,” especially because it affects the general public and legal system.
“I would think they would want to restore those as quickly as possible, and they would try to get through as much of that red tape as they could to not impact this area of the government,” Joiner said.
What should the Kansas Judicial Branch be doing in response to the breach?
Wagner said the judicial branch should be using an incident response plan and business impact analysis to make informed decisions. He also said the judicial branch should be using resources available to it as a critical infrastructure sector, specifically the Heart of America Regional Computer Forensic Lab and Cybersecurity and Infrastructure Security Agency.
In addition to finding out what caused the breach, Joiner said the Kansas Judicial Branch and government agencies in general need to modernize their systems.
Could the Kansas Judicial Branch “security incident” be ransomware?
Joiner and Wagner agreed this “security incident” could be a ransomware attack.
Wagner defined a ransomware attack as a financially motivated attack in which the ransomware’s goal is to “shut down or severely inhibit the operations of an organization through denying them use of their computer systems.” In order to retrieve access to the system, the victim has to pay a ransom.
Joiner and Wagner noted these types of attacks can either be dealt with by paying the ransom, restoring one’s system from backups, or rebuilding one’s entire system.
Wagner noted he would not advise the Kansas Judicial Branch to disclose the details of the attack until they have recovered from the situation and figured out what happened.
“If there’s a broken lock, you don’t want to tell everybody there’s a broken lock,” he said.
However, Wagner said that because the judicial branch is a public organization, the public does have a need to know more details about the security incident.