Minnesota’s IT Services unit (MNIT) recently launched a five-year plan to upgrade its aged IT infrastructure to ward off cyber attacks. The state, which hasn’t been seriously victimized by hackers so far, nonetheless repels about three million probes daily sprung by hackers in 150 countries.
It’s only a matter of time, state officials say, until a successful debilitating attack hits Minnesota. Just ask Atlanta and other state and local governments that have suffered costly security breaches.
Eager to improve its cyber stance, Minnesota's Information Security Strategic Plan prioritizes initiatives to manage, control and protect the state’s data and lays out year-by-year milestones based on the existing budget. The blueprint categorizes Minnesota’s cyber-strategic approach into four different areas (in the state’s words): proactive risk management, improved situational awareness, robust crisis and incident response, and partner for success.
Four Pillars for Cybersecurity
Officials believe that the four categories cover what actions Minnesota needs to take to modernize its cyber defenses, including:
- Developing secure applications.
- Conducting continuous risk assessments.
- Detecting and responding to security incidents more quickly.
- Educating employees and government leaders about risk management.
In total, the plan identifies 18 major strategies that the seven-year old MNIT hopes to achieve over the next five years, depending, of course, on the state’s budget. Officials acknowledge that solving its cybersecurity problems will require policymakers and business leaders to get on the same page, not always the easiest thing to accomplish.
In introducing his FY2019 budget, Governor Mark Dayton said that even though Minnesota “has so far avoided a major data security breach like those that have impacted many major American companies and their customers…we need to take action now to improve our cybersecurity measures, upgrade our technologies, and protect Minnesotans from attacks.”
Dayton has proposed the state invest $19.7 million to upgrade its systems and data centers, replace unsecured networks, fund new cybersecurity software installations and add managed security services. In addition, his budget would allocate funds to flesh out the state’s IT security team.
Two of the four initiatives Dayton outlined directly point directly at cybersecurity hacking: 1) Safeguarding the state from cyberattacks and, 2) protecting its elections from hackers. Apparently, there’s evidence that hackers targeted Minnesota’s elections website in 2016. The governor supports a $381,000 investment in FY2019 to implement recommendations from the U.S. Department of Homeland Security for updating and modernizing Minnesota’s statewide voter registration system.
Mostly Safe -- But For How Long?
Minnesota has been hit with a few minor cyber attacks of late. In January, a New Mexico man pleaded guilty for launching DDoS attacks on the Minnesota State Courts and Hennepin County sheriff’s office. And, a year ago, a Minnesota state government database was stolen and published online in an apparent protest of a high profile police shooting. Another attack last December saw a hacker hit the Explore Minnesota Facebook page in a sophisticated phishing trick.
A comprehensive strategy to upgrade Minnesota’s IT systems and services may be long overdue. As of a year ago, the state’s Security Operations Center (SOC) was staffed by nine people “working in staggered shifts,” according to the MinnPost. The nine staffers are part of a total team of only 61 people who work in cybersecurity statewide.
In 2011, lawmakers created MNIT as an umbrella state agency run by the state’s CIO. The idea was to consolidate the IT systems of nearly 80 state agencies, boards and commissions into one agency. Since then, the agency has pared 49 different data centers in the state into 27 centers, MinnPost reported. But budget fights have reportedly hampered the state from enacting a unified cybersecurity platform. Last year, Dayton requested $125 million to update the state’s old computer systems. An additional $74 million was slotted to hire more cybersecurity professionals and install new cybersecurity software. The funding got waylaid in legislative infighting, the MinnPost said.
“Every day we see both in the news and across Minnesota’s digital networks that the cyber threat is growing more sophisticated, more skilled, more organized, and more professional,” said commissioner Johanna Clyborne. “On behalf of the people of our state, we need to shore up our cybersecurity defenses against those intent on stealing our personal information or disrupting the services on which so many Minnesotans rely.”