Minnesota has unveiled a five-year strategic plan to enhance cybersecurity amid increasingly sophisticated cyberattacks on the state’s aging computer systems and a lack of urgency on the part of lawmakers.
The plan, released on Friday by Minnesota IT Services (MNIT), addresses concerns by MNIT’s leaders that the state’s spending on cybersecurity is not keeping up with its defensive needs. The strategy consists of a broad range of projects intended to strengthen security while increasing awareness and education on cyberdefense.
The state’s budget for fiscal year 2019 would allocate $19.7 million to cybersecurity.
“It’s a good start,” said Aaron Call, Minnesota’s chief information security officer. “But it won’t set us up forever. What we really need is to get past the politics and agree on how much we are willing to spend on cybersecurity.”
Minnesota spends about 2 percent of its IT budget on security, compared to an industry standard of 8 to 10 percent. And while state lawmakers on both sides of the aisle have called for increased spending, disputes over when to increase security funding and by how much have hampered progress. Republicans have called for incremental increases, while Democrats urge immediate remediation. Republican State Rep. Jim Nash has been pushing for a boost to cybersecurity funding for several years, but only a modest one — an increase to just 3.5 percent of the total IT budget.
Going forward, one of the biggest costs outlined in the state’s plan will be replacing Minnesota’s oldest computer systems, which are most vulnerable to attack. Some of them are nearly 15 years old.
“In many of these applications, their age prevents you from patching the software,” said Call. “These lapses in upgrades can often be exploited by attackers.”
And the attackers are getting better. Minnesota’s infrastructure is the target of 3 million attacks per day, according to officials. But it’s not the volume of attacks that has Call concerned.
“The quality of these attacks is really ramping up,” he said. “A few years ago we could knock the majority of them out with basic defenses, but that’s no longer the case.”
IT Commissioner Johanna Clyborne noted in a statement upon the plan’s release that the “cyber threat is growing more sophisticated, more skilled, more organized, and more professional.”
One of the top priorities and biggest projects in the five-year plan is education.
“Phishing is still the first and foremost way that attackers gain access to systems,” said Call, “and we need to educate the users of our systems in basic cyber hygiene, which includes spotting phishing attempts and being careful online.”
Call also cited technical controls, like advanced endpoint protection, and the secure development of applications as other top priorities in MNIT’s plan.
When asked how he would advise other states looking to ramp up their cybersecurity, Call said to plan for failure.
“An example is ransomware attacks, something that we see constantly. States and organizations need to have a layered defense that assumes failure and plans for it. We’re dealing with highly motivated and well-funded adversaries,” he said, “so back up your information.”