Minnesota’s new CISO says he will continue to fight for cybersecurity funding

After being named the state’s interim chief information security officer in November, Aaron Call of Minnesota IT Services (MNIT) has assumed the role as a long-term replacement, officials confirmed to StateScoop this week.

Call replaces Chris Buse, who served MNIT for 10 years before returning to the state’s Office of the Legislative Auditor. Before his appointment as CISO, Call served the three years prior as MNIT’s director of information security, responsible for managing the Enterprise Security Office, and essentially serving as Buse’s deputy. 

Call told StateScoop that although he doesn’t plan any immediate changes to the security plan established under Buse, a to-do list of more than 100 items — including preventing intrusions like one made public earlier this month — is keeping the office busy. An unknown person took over the Facebook page for the state’s tourism office for approximately five hours on Dec. 4, using the opportunity to post about 25 links to fake news stories with titles like “Morgue employee cremated by mistake while taking a nap.”

MNIT hasn’t shared how a password held by the sole administrator of the account was compromised, but Call told StateScoop it was one of the usual methods seen in similar incidents. (Typically it’s a targeted email phishing attempt.) Now, he said, his office is working to provide state employees with new capabilities and tools like password managers to mitigate risk.

“We are working toward a multi-layered defense to make that either harder for attackers to do or to diminish or remove the value of stealing employee credentials,” Call said.

Call said the tourism office was lucky because a more subtle attack in which users were fed malware could have potentially continued unnoticed for months on end.

Getting the tools, systems upgrades and training in place to prevent incidents like this one is part of MNIT’s broader push for increased funding from the state legislature, Call said.

In the state’s 2017 legislative session, MNIT and Democratic Gov. Mark Dayton asked the legislature for $125 million to improve the state’s IT security. This would be done through new staffing, software upgrades, and continued IT consolidation. Since its formation in 2011, the state’s IT office has consolidated 49 data centers into 27, but the state still aims to reduce that number to six as facilities remain scattered across dozens of locations in the state.

The department also strives to increase the approximately 60 cybersecurity employees across the state — a number MNIT officials say is insufficient.

Though the state had a $1.65 billion surplus, the request found resistance. Rep. Sarah Anderson, Republican chairwoman of the House State Government Policy and Finance Committee, said she didn’t want to commit funding if agencies weren’t ready to cooperate in consolidating.

Republican leaders continued resisting the request in the special legislative session. Republicans said they offered about $22 million in cybersecurity funding to the governor, but that instead of using it for security, he used it to maintain staffing levels. Democrats said Republicans forced Dayton’s administration to choose between agency staffing and cybersecurity.

Though navigating the politics of state IT security is “definitely not easy,” Call said, MNIT is better positioned today to get funding than they were in years past.

“A lot of the work that was done the last couple years was to set that foundation to help bring legislators into an understanding that this is a real thing,” Call said. “There is real impact. And there is real risk the state is accepting by default by not keeping up with the threats.”

Call said he will continue fighting for funding, as he takes on a long-term IT security plan that consists of about 100 objectives. Most of the list is not public because it would reveal the state’s weaknesses, Call said, but one of the big items is finding staffing to operate MNIT’s security operations center around the clock. Though they are experimenting with automation and new scheduling practices, there aren’t enough resources to maintain all of the usual security operations during the night shift, Call said.

The office still needs all the things they asked the legislature for, Call said — more software, newer IT systems and more staff. And though they face a difficult challenge, the state’s IT security is improving, he said.

 “I see in my past role and my current role in what ultimately amounts to a tremendous amount of progress happening,” Call said. “Moving a mountain an inch isn’t very far, but you’re moving a mountain, and that’s impressive.”