Something happened Oct. 12 that sent the Kansas courts system scrambling back to the pre-digital age of filings done on paper. Exactly what happened is a mystery. Officials are being so tight-lipped about the exact nature of the “security incident” that, five weeks later, it all seems so secret that if they told you what they knew, they’d have to kill you.
Of course nobody has really threatened anyone with death, but details of whatever happened in October are being treated with the same degree of discretion as if they were national secrets.
Lisa Taylor, the public information director for the Kansas Judicial Branch, told me there wasn’t much she could say about the incident.
Was it a cyber-attack?
“Under investigation.”
Have court records been destroyed or confidential information exposed?
“Under investigation.”
Was a ransom demanded or paid?
“Under investigation.”
An unwillingness by public officials to provide details is part of the playbook for cybersecurity threats, so I can’t really be too hard on Taylor. She responded promptly to my calls and seemed to understand the reason for the questions. A similar clamp on information was employed recently by the city of Pittsburg, in southeast Kansas, when their systems came under attack.
GET THE MORNING HEADLINES DELIVERED TO YOUR INBOX
Pittsburg experienced a “cybersecurity incident” in mid-September that created a service outage that affected city email, phones, and online payments. It also froze municipal court and took the Crawford County Jail roster offline because the jail used the same system as Pittsburg police. The attack did not disrupt 911 calls, however.
The city announced Nov. 3 that most services had been restored and the municipal court would begin normal operations within days. While the press release said city staff had been “working around the clock with cybersecurity consultants,” it gave no information on who those consultants were or the nature of the attack.
I’m glad the Pittsburg Public Library and other municipal departments can presumably answer their phones and respond to email again. But I can’t help but wonder if the conventional wisdom of revealing no details about the attack to the public is the right one.
I can think of no other crime against a public institution — and I believe it’s safe to assume that what happened in Pittsburg and to the state courts system were crimes — where information about the nature of the offense would be so tightly guarded. It would be irresponsible, of course, to release details that could help others hack the system. But officials should not hide behind a gauze of vagueness when it comes to categorizing what happened. Calling these events “incidents” without elaboration reduces all online crime to an Orwellian level of obfuscation — if not to “1984,” then to “Politics and the English Language.”
This poses a special problem when dealing with institutions that rely on the trust of the citizenry to function, like city hall or especially the state courts system. To be clear, there is no indication that trust has been breached in either of the “incidents” discussed here. But so many questions surround the official narratives, or lack thereof, that dutiful and ordinarily well-informed citizens might experience a bit of doubt slithering down their spine.
Nearly every cybersecurity expert recommends transparency about attacks, as even a cursory online search reveals, but the emphasis is on reporting the attacks to authorities. Many private companies have been reluctant to report cybercrimes, for fear of reputational harm or inviting more attacks.
In 2022, a new federal law called CIRCIA went into effect that will mandate reporting of ransomware attacks and other crimes. Taylor, the Kansas courts public information officer, said the agency had contacted the federal Cybersecurity and Infrastructure Security Agency about the incident. She also said the judicial branch had undergone a state audit of its IT department and practices, but that the results of the audit were closed by statute. Earlier this month, lawmakers were briefed behind closed doors about the state courts outage.
The Kansas incident might be the biggest, or at least longest, attack on any state court system. Other states that have experienced something presumably similar in the past few years include Alaska, Texas and Wisconsin. But Kansas seems to have been hit harder: Of 105 counties in the state, 104 have been offline since Oct. 12.
The only county whose online system remains in operation is Johnson County, the most populous county in Kansas, which is still operating its own case management system. All other judicial districts had migrated, by this August, to the Kansas eCourt system.
Taylor said the FBI and the Kansas Bureau of Investigation had been informed of the incident, but she couldn’t say if either were investigating. Several organizations, she said, have been involved in addressing the situation, including “outside experts” who had knowledge of the judicial branch’s online filing system and other related systems. The goal, she said, was to resolve the situation in a “secure and responsible” way.
In addition to disrupting normal operations, the attack — and I’m going to go out on a very small limb here and call it an attack — also curtailed the public’s ability to access records. Each district court has a public access terminal for the use of the local residents and the press, but during the outage those terminals went dark and remain so. Taylor said open records requests are still being taken by local district clerks but that those requests would be forwarded to the judicial offices in Topeka to be filled.
As part of a phased restoration, Taylor said, a public access service center has been opened on the first floor of the Kansas Judicial Center, 310 SW 10th Ave., Topeka. Ten terminals allow access to court information, 8 a.m. to 5 p.m. Monday through Friday, and visitors may request up to two 30-minute appointments each day.
In addition to the district court filings, the October attack also knocked offline marriage applications and the Central Payment Center, which among other issues caused delays with child support payments through the Kansas Department for Children and Families. Taylor said the issue of restoring the courts system was complex because it involved a number of inter-related systems serviced by different vendors.
The magnitude of the problem is revealed in the numbers.
In 2021, more than 324,000 cases were filed in Kansas courts, according to the most recent annual report from the judiciary. Of those, the biggest category, 23%, involved contract disputes. About 9% were criminal. The rest were for protection orders, divorces, adoptions, or other proceedings.
Imagine the backlog that must have built up in the five weeks since the online filing system has been down. While it did not stop the courts, because attorneys were directed to revert to paper filings, it would have proved a serious disruption.
Other state agencies may be at similar or greater risk of attack.
A July 2023 report from the Legislative Division of Post Audit found that more than half of the 15 agencies it audited did not substantially comply with IT best practices. While the report did not identify the entities at risk, the agencies audited included the Department of Administration, Fort Hays State University and the Kansas Highway Patrol.
With non-cybercrimes, a fair amount of information is typically released to the public as the case makes its way through the court system. From the complaints, affidavits and court testimony, the outlines of the offense typically become clear. But relatively few cybercrimes are prosecuted, either for a lack of evidence or because the perpetrator is in a country that has no extradition agreement with the United States. We have little hope that any additional information about the attacks on the Kansas courts system or the city of Pittsburg will ever come to light through legal filings or court testimony.
But there’s yet another reason such incidents may remain mysteries to the public: Some organizations decide just to pay the ransom.
Even entities that have “do not pay” policies often pony up, according to a recent report by technology disaster recovery firm Veeam. Eighty percent of organizations that suffered a ransomware attack last year paid up, according to the report, or at least their insurance companies did. Worse, 25% of the organizations paying ransom never got their data back.
There is no indication that either the state courts system or the city of Pittsburg paid ransom, or that it would even be legal for them to opt to do so, but they wouldn’t have been the only ones involved in the decision. The vendors, of course, would have a say as well, and the insurance companies that provide coverage to the vendors, and so on.
I hope no ransom was paid by anybody in either case. It strikes me as morally bankrupt to do so, a cold kind of calculus that trades the common welfare for a chance at mitigating damages. It would also encourage the kind of activity you’re hoping to fight.
Taking the long view, we could learn a thing or two from Alfred C. Hobbs.
Hobbs was an American lockpick who in 1851 went to the Great Exhibition at the Crystal Palace in London and cracked what was regarded as an unbeatable lock.
For more than 30 years, the Chubb “Detector” lock had seemed impervious to all assault. It was a bolt lock, made to secure doors, and it had a clever system that froze the lock if it detected tampering. But Hobbs — armed with a few tools and his own considerable experience — opened the lock in less than 15 minutes.
Hobbs wasn’t a thief. He was a salesman for an American lock company, and he pitched his wares by going to banks and other businesses with a need for security and demonstrated that he could pick the locks of his competitors. Then he would sell the firm one of his locks.
He went to London because the Victorians, who were mad for locks because they represented security and power and were good for locking things away from grubby people who might otherwise touch them, were regarded as having the best locks in the world.
After breaking the Chubb lock at the Crystal Palace, Hobbs went on to take up the Braham challenge, which was a standing offer of 200 gold coins for anyone who could break the firm’s “unbreakable” padlock. It took Hobbs 16 days, but he finally managed to crack it. The firm paid up, though it grumbled that in ordinary circumstances a burglar wouldn’t have an unlimited amount of time.
The lesson here is that no lock is unbreakable.
Cyber thieves have an advantage because they have an unlimited amount of time to try password combinations, phish for an over-trusting employee to unwittingly betray a secret, or deploy AI in their quest for gold. In the near future, perhaps as soon as the end of this decade, the best security systems in use today will likely fall to the power of quantum computing to break cryptography.
We will never invent a lock or online system that somebody else can’t crack, hack, backdoor, or social engineer their way around. A permanent solution to our online security woes might just be what the Kansas courts system has resorted to, and something that Alfred C. Hobbs could appreciate: going back to putting our most important stuff on paper only and physically locking it away so somebody on another continent can’t steal it.
Yeah, that’s never going to happen.
Max McCoy is an award-winning author and journalist. Through its opinion section, the Kansas Reflector works to amplify the voices of people who are affected by public policies or excluded from public debate. Find information, including how to submit your own commentary, here.
