Note: This post was edited in response to feedback concerning Tyler Technologies and the fundamental claims of the original article.
With respect to Tyler, while the company certainly provides extensive support and software products to local governments, a review of the company’s offerings shows nothing specific to election reporting or other functions, at least to the extent indicated by other reporting. Thank you to Kim Zetter, one of the best in the business of information security journalism, for pointing this out.
Second, it was brought to my attention that the original article only proposed the possibility of state-nexus (in this case Russian) actors using ransomware for the purposes of electoral disruption, as opposed to saying that such a link already provably existed. This has been reflected in an edit to this post, although I maintain the “takeaway” from the NYT article is designed to leave the reader with the impression of ransomware as an actual disruptive factor in elections (which would be within the remit of journalism) as opposed to a theoretical possibility (which would be an item for threat intelligence reporting, complete with estimative language and evidence).
On 27 September 2020, the New York Times (NYT) published an article hinting at a link between the increasing scourge of ransomware and state-sponsored activity. The specific claim advanced is that ransomware events targeting local government entities and some specific technology providers may be related to Russian state-directed operations seeking to destabilize the 2020 US election.
There is much to be said with respect to this article, its claims, and the intellectual rigor underpinning the piece. Among other items, one of the responsible journalists lashed out rather harshly in response to questions and criticisms surrounding the item – while leveraging two logical fallacies at the same time (an appeal to authority and an ad hominem attack). Given that Katie Nickels is by far one of the best of us in the cyber threat intelligence field, seeing such flippant disregard for “Katie’s CV” hurts.
Prickly responses to criticism aside, the idea of ransomware as a camouflage for state-directed disruptive operations is a thought worth pursuing – and one that I’ve previously written at length about. Overall though, state-directed disruption through ransomware is nothing new – we already have a clear example in 2017’s NotPetya wiper event which attempted to masquerade as a variant of Petya ransomware. But since 2017, there have been multiple events with possible state interests from the mysterious case of Lockergoga at Norsk Hydro in 2019 to the ColdLock ransomware events impacting critical aspects of the Taiwan economy in 2020 which was subsequently linked to Chinese state-directed operators.
Overall, the idea of ransomware being weaponized for disruptive purposes is not new. Additionally, this concept may represent a new, interesting, and deeply frustrating development in the realm of offensive cyber operations given the inherent deniability for credible ransomware activity to be used for disruptive purposes while masquerading as a criminal operation. Given the relative impunity of ransomware operators to continue their activity absent repercussion or consequence, significant space exists for state-directed interests to leverage this lawless realm for executing outright attacks – targeting economies, elections, or other items.
Yet in reporting its story, NYT took a theoretical possibility – that ransomware may be leveraged to disrupt election-related activity – and turned it into something just short of a prima facie reportable fact. As seen in the following selection, “ransomware attacks” are immediately linked to “Russian tactics” – without specifying whether such tactics are the efforts of the Russian state, or Russian criminals.
That information operations and the perception of manipulation are a risk is nothing new – the CyberBerkut operation in Ukraine during that country’s 2014 elections attempted a combination of disruption and strategic communication to cast doubt on results, but failed due to the continued resilience and capability of Ukrainian network defenders. Yet NYT’s reporting almost seems to play directly into the hands of those who would like to call electoral results and integrity into doubt – a concept coincidentally detailed by the FBI and CISA on the same day as the NYT article.
Admittedly, the above may put us into a rapidly collapsing self-referential trap where even speaking of a “thing” ensures the manifestation of said thing. But absent such risks, there still seems to be more (or rather less) to NYT’s story. For example, the following passage attempts to link a ransomware incident at Tyler Technologies, a provider of various software products to local governments but not anything specific to elections (thank you to Kim Zetter for pointing this out), to follow-on incidents at customer sites:
Yet the lack of detail here is concerning, to say the least. “Outsiders trying to access their systems” could easily be observations of continuous remote access probing and brute forcing – associated with multiple ransomware and other actors – that represent the “norm” of externally-facing services as opposed to any targeted or specific activity. The confusion between correlation and causation in NYT’s reporting is further amplified in sections such as the following:
On its face this seems alarming – yet a Texas district that voted for Hilary Clinton in 2016 is likely a populous, urban district. Similarly, the “counties that helped determine the election” in Ohio are also likely populous regions – which would presumably be a more attractive (and lucrative) target for ransomware operations than some sparsely populated rural area. What may initially seem to be an interesting data point is thus reduced to basically reproducing a population heat map, a fallacy the NYT is neither the first nor the last in making.
Overall, the issue of disruptive operations masquerading as ransomware is a real concern, and reflects observations from the field of cybersecurity. Yet the projection and assertions in the NYT piece serve only to inflame fears and raise concerns rather than reporting on any known, proven interference in electoral operations.
Certainly such actions may occur between the time of this essay’s composition and the US 2020 election, but such actions would be forecasting and not reporting. As stated by journalists, reporting is not a threat intelligence report and should therefore stick to reportable facts and provable events rather than engaging in speculation and assessment. In doing so absent usual estimative language and assessments of confidence which is at the core of competent threat intelligence work, such reporting becomes alarming and needlessly inflammatory – doing readers a disservice by conflating speculation with observation.
