Here’s a harrowing piece of trivia, courtesy of Thomas Baden, commissioner of Minnesota IT Services (MNIT).
In planning expansions of the fraud detection systems embedded in state government’s vast information networks, Baden assumes that all adult Minnesotans have had their personal data hacked — six times.
“Now the bad people can be you,” Baden said on Oct. 24 after testifying before the Senate committee on Government Finance and Policy and Elections. “They can come in, because they know all your data.”
They are making every effort. The Dayton administration says hackers probe state government IT systems more than 3 million times a day trying to disrupt services, steal data or just make political hay. Sometimes they succeed.
In June, for example, a state database containing email addresses and passwords to state Administration Department servers got hacked, and material was published online in protest of the Philando Castile verdict. The FBI has apprehended a suspect in that case, according to MNIT officials.
Meanwhile last December, the Judicial Branch’s website was taken offline for 10 days because of a distributed denial-of-service attack from Asia and Canada that bombarded servers with millions of simultaneous queries, officials said.
“We also worry about nation-state actors,” said Christopher Buse, MNIT’s chief information security officer, in testimony before the Senate committee. “Those are what you read about in the news with election-type hacking.”
Oddly, despite news in September that the federal Homeland Security Department listed Minnesota among 21 states where election systems were compromised by the Russians, Buse’s aside was the only mention of elections. No further testimony was offered, and senators asked no questions.
Afterward, Baden suggested that may be because MNIT is responsible for IT covering the 78 executive-branch agencies, boards and commissions. Election systems are the Secretary of State’s province. That is an elected, constitutional office not overseen by the governor.
“However, they ride on the network that we manage,” Baden said. “I would have been happy if senators had gone there.”
Lifting the veil
Instead, the committee focused on the “finance and policy” portion of its edict. That occasioned some back-and-forth sniping between the committee’s chair, Sen. Mary Kiffmeyer, R-Big Lake — a former secretary of state — and the governor’s office.
Kiffmeyer appeared briefly to raise the heavy curtain on secret budget negotiations between Gov. Mark Dayton and legislative leadership last May. After hearing how the state failed to meet MNIT’s budget request to shore up cybersecurity in 2017, Kiffmeyer put the blame squarely on gubernatorial obstinacy.
“I sat there in front of the governor’s representative — as a matter of fact, Commissioner Baden happened to be at the table at that time next to me,” Kiffmeyer said. “We offered to the governor a very serious offer — full funding — $27 million for cybersecurity.”
About half of that money was meant to keep MNIT on pace to reduce the number of state-government data centers from 22 to six. It also would have paid for more cybersecurity professionals to monitor against attacks. But that offer was rejected, Kiffmeyer said. “So we were really rather shocked,” she said.
Dayton’s press secretary, Sam Fettig, responded by pointing out that Dayton actually asked for considerably more than $27 million. “In his biennial budget last January, the governor proposed to the Legislature $125 million in additional funding for computer upgrades and cybersecurity improvements,” Fettig said.
“The Republican-led committees savaged those requests, cutting them by over $90 million,” he added. “It’s absurd for them to blame the resulting lack of funding on anyone but themselves.”
While the public is not privy to closed-door budget negotiations, we know Dayton went into final talks wanting more than $27 million, because he distributed copies of his offer to legislators. It drew red lines around two budget areas — the courts and cybersecurity — that he considered non-negotiable. His offer set aside $45.1 million for cybersecurity and $83.2 million for the courts.
While those talks came to nothing, later in special session the courts got some of the money Dayton wanted. Cybersecurity got nothing.
“Our funding levels were held flat,” said Jon Eichten, MNIT’s legislative director. “So we have the same amount of money this biennium that we got the last biennium.”
Much of MNIT’s money — about $700 million — comes from service charges it assesses on other agencies to maintain their networks, hardware and back-office applications. Direct legislative appropriations — the money MNIT says it needs to get out in front of the cyber-threat — are about $2.6 million a year, Eichten said.
“In the past, there was a larger general fund appropriation for cybersecurity,” Eichten said. “That has dwindled over the years.”
Dayton, coincidentally, kicked off a national “Cyber Security Summit” in Minneapolis the same day that the Senate committee met. There he told reporters that he plans to push hard for more cyber-funds in 2018. He has yet to calculate how much he will seek, he said.
Behind the curve
Buse told senators that Minnesota is way behind the cybersecurity curve. Historically, he said, the state spends about 2 percent of its overall information technology budget protecting data from hackers — many of whom write customized malware specifically to crack into state systems. The federal government spends about 8 percent, he said. Industry often spends more than that, he said.
“There is simply not enough money put on the table to secure the environment as it exists today,” Buse said.
Dayton said he worries that lawmakers view cybersecurity as an abstraction — one that competes for scarce dollars to fund their district’s rundown bridges and wish-list snowmobile trails.
Part of the abstraction might come from the fact that MNIT is something of a Frankenstein’s monster. It launched in 2011 as the state’s attempt to consolidate IT operations under a single chief information officer. Part of its mission is to reduce the number of data centers scattered around the state — there used to be 49; there still are 22. MNIT also is in charge of normalizing IT management and procurement while protecting the whole system, holistically, from malicious attack.
Most states achieved that years ago with “upfront investment,” Baden told senators. Minnesota did not. Yet the percentage it spends on cybersecurity as a part of its overall IT budget is slipping. It fell to 1.8 percent in 2016 and 1.6 percent this year, he said.
Yet some agencies continue running their shops on archaic computer architecture and outmoded business software — some of which is so old that its vendors no longer supply security patches, he said.
Failure to shore up the state’s Swiss-cheese IT security infrastructure eventually could become catastrophic, Buse indicated.
South Carolina, for example, saw its Revenue Department hacked in 2012, resulting in the theft of 3.9 million online tax returns and the exposure of 387,000 credit and debit card numbers. The state was forced to purchase one year of free credit monitoring for affected citizens. If Minnesota ever got in that position, Buse said, it would probably require a special legislative session.
“We undoubtedly do not have the money to cover those kinds of losses,” Buse said.
Yet any damage done could be permanent. Local media reports in South Carolina suggest that taxpayers are at risk of fraud for life as a result of the 2012 breach. Speaking to reporters, Dayton said on Oct. 24 that he hopes the Legislature won’t wait too long to make long-delayed, needed cyber-investments.
“We don’t want to wait for a catastrophe to galvanize public concern,” Dayton said.