Minnesota's State of the State when it comes to cybersecurity... poor and getting worse
Chris Veltsos
Cyber Risk Advisor | CISSP, CISA, QTE | Educator, Mentor, Author, Speaker | Cybersecurity & Systemic Risk
The Pioneer Press recently ran an article about MN.IT, the state agency in Minnesota responsible for IT services, which also includes cybersecurity. The article, "MN government computers are attacked 3 million times a day. Here’s what the state wants to do about it," sheds a bit of light on the current situation: what the executive branch has done and is requesting for the future, and what the legislative branch has done so far.
“We’re actually falling behind” — Aaron Call, CISO for the state of Minnesota
Here's my summary: both sides are playing the blame game, and meanwhile the state's systems are getting older, the cybersecurity function continues to be underfunded and sidelined as an IT issue, all the while attackers continue to practice their craft and improve their tools. MN.IT has unveiled a five-year cybersecurity strategic plan to try to get ahead, but given the current climate — and past behavior on the part of the legislative and executive branches of government in Minnesota — we're unlikely to see this effort get full support or full funding.
Part of the plan seeks "$19.7 million to minimize the state’s risk exposure by migrating business systems to upgraded, modern, secure data centers." You can read the full plan here (or in PDF), but the short version is that the plan groups 18 major strategies into four areas:
- Proactive Risk Management
- Improved Situational Awareness
- Robust Crisis and Incident Response
- Partner for Success
The parts of the plan that have been shared publicly make a lot of sense: the need to be proactive, the need to understand the security posture across the state systems (starting with systems that house the most sensitive or critical data), the need to have a well-trained and well-equipped incident response capability, and the need to continually improve, which is where partnerships can be very beneficial. But as the plan notes, "on average state governments spend about two percent of their IT budget on cybersecurity, as opposed to the five percent or more that private sector and federal government civilian agencies spend." As the Pioneer Press article mentions, one legislator would like to see it mandated that "3.5 percent of state IT dollars be spent on cybersecurity." Meanwhile, we're still waiting for actions to be taken — remember that actions speak louder than words — to support and improve Minnesota's cybersecurity posture.
It is concerning that both sides have let this issue come to this point, this sad state of affairs. I hope that a compromise can be reached soon, but will it be reached ahead of a major event? Unfortunately, as is often the case, it appears that Minnesotans will have to suffer some kind of significant negative cyber event — a major data breach — in order to get the level of security and privacy that our data deserves. When that happens, I hope we all remember that all sides were responsible for being asleep at the wheel, focused more on their political grandstanding than on protecting our data or our election process.
So I leave you with the picture of a wreck, one that we could see coming, but did little to stop.
For those interested in keeping up, here's a customized Google search that will pull up news stories from the past month dealing with MN.IT and "funding."
Senior Principal Security Compliance & Regulatory Program Leader
6 years ago
Thank you for sharing, Christophe. An interesting premise in the executive summary: "Both government and private sector organizations see significant increases in cybersecurity losses due to breaches and reductions in worker productivity"; their answer seemingly is to "quickly develop cutting-edge threat intelligence competencies". Strategy 17 is to develop a feeder for higher education rather than budgeting for top cyber security professionals to deploy this "cutting-edge".
University of New Hampshire - Franklin Pierce School of Law Blockchain, Cryptocurrency and Law, Adjunct Professor
6 years ago
Cyber security and how state and local governments posture themselves strategically will become the greatest economic development factor of this century. That includes attracting and retaining the best cyber talent.