Long gone are the days when the biggest threat to the state of Minnesota’s computer systems were “script kiddies” – young hackers sitting in their basements using programs developed by others to attack networks and deface websites for notoriety.
Today, state government computer systems are targeted by sophisticated individuals and scanned millions of times a day for potential weaknesses. Hackers are hoping to get at the volumes of data that state agencies maintain, some of it personal. Others want to steal agency bandwidth for their own uses, while some anti-government groups simply want to disrupt state systems.
“The threat landscape has changed tremendously,” said Chris Buse, the Chief Information Security Officer with MN.IT, the state’s information technology agency. “We are now in a world where we are barraged with advanced and persistent threats. Now we are seeing a lot more attacks on the state of Minnesota specifically.”
That’s part of the reason why DFL Gov. Mark Dayton has proposed spending a whopping $46 million in his supplemental budget bill Tuesday to improve cybersecurity at state agencies. For context, that’s about as much as Dayton proposed spending on local government aid for cities and counties across the state, and more than he proposed spending on things like the court system and corrections. For MN.IT, that money will go toward updating old systems, adding new security features and solidifying response plans in the case of a data breach.
The Department of Corrections and the Minnesota Department of Education would also get individual attention to enhance cybersecurity under Dayton’s budget. On top of that, Dayton has proposed spending $19 million in one-time funding to upgrade the University of Minnesota’s network. That would help protect student, staff and faculty data from a potential breach.
“This would be first investment in this infrastructure in a long time,” Minnesota Management and Budget Commissioner Myron Frans said Tuesday. Dayton is hardly the only government official trying to address the issue: It has come up at several meetings of the National Governors Association, which is pushing to make cybersecurity a top issue in all states.
Though a lot of attention to cybersecurity has been focused on private companies like Sony and Target getting hacked, governments aren’t immune. In 2012, the state of South Carolina saw 3.8 million Social Security numbers, 3.3 million bank account numbers and information for nearly 700,000 businesses hacked and stolen from the Department of Revenue. And many state government computer systems lag far behind more advanced networks because of a lack of funding for upgrades.
Minnesota hasn’t had a major data breach yet, but Buse said there are still incidents monthly where malicious programs enter into the state’s networks. The state’s judicial branch website shut down to the public for 10 days late last year because of “distributed denial-of-service” cyber attacks. Those attacks can overwhelm a website with so much traffic that it becomes inaccessible. Those attacks originated from Asia or Canada, but they didn’t result in any data breach.
For all that, though, spending so much money on cybersecurity could be a tough sell to the Legislature this year, when there are already so many issues competing for the available $900 million budget surplus. But Dayton said his proposal is just the beginning of what needs to be done to protect the state’s computer systems.
“This is not a complete ask in terms of the scope of the need, but we’re so far behind and we are so vulnerable,” Dayton said. “Even with the best of these advances, the technology will continue to advance and the technology of the criminals trying to access these will continue to advance. We’ve got a lot of catching up to do.”