Why Cybersecurity Funding is Critical to the State of Minnesota | Technological Leadership Institute

Posted on
February 24, 2017
Cyber attack stock photo

Every resident of Minnesota has confidential data that they expect will be properly secured. Some of that data is at their bank, some at their physician’s office, or maybe with a financial or legal advisor. When we trust these service providers with our confidential information, we have a choice. If we lack confidence that those to whom we entrust our data are capable of protecting it, we can choose someone else with more capabilities. What about our trust in the services we receive from government entities? The ability to vote with our wallets just doesn’t exist for our state and local government service providers.

Last year IBM shared an alarming statistic. Halfway through 2016, government entities globally had experienced more stolen records than the three prior years combined. While not specific to state and local governments, the fact that government entities have become a common (and successfully exploited) target for cyber attacks should motivate us to take a hard look at the security of our government’s technology infrastructure in the state of Minnesota.

Minnesota Management and Budget Commissioner Myron Frans was recently quoted saying that “nearly every critical government service that we provide to Minnesotans is provided through our IT systems.”

This underscores the heavy reliance residents have on properly functioning technology infrastructure, not just to protect us from data theft and financial harm, but also from the impact of a security breach that goes beyond those traditional concerns. What happens when a city has no drinkable water for multiple days, or a waste treatment system is inoperable and residents can’t use their bathrooms, or a flood management system is targeted to release water and flood homes, or local law enforcement is hamstrung by not having access to their technology systems impacting public safety?

Clearly, it is imperative that the technology systems supporting our most critical services and hosting our sensitive data receive adequate resources and funding. The good news on this front is that Governor Dayton has included $125 million in the proposed budget to update and protect the state’s IT systems. This request includes funds to replace aging equipment, increase the layers of tools and controls protecting both networks and data, and augmenting staffing that is needed to properly manage the state’s technology infrastructure and security program.

Another positive step is the publication of the Minnesota High Tech Association 2017 legislative agenda, which includes multiple initiatives that support and improve state and local government’s ability to secure data. Among the many promising technology-focused goals is one critical to improving security infrastructure within the state — “Establish a legislative cybersecurity commission to develop legislation to support and strengthen Minnesota’s cybersecurity infrastructure.”

Why is this action so critical right now?

Failure to adequately invest in technology and security infrastructure creates a “catch up” condition. In the cybersecurity arms race between entities that hold something valuable (your data) and those that want to steal it (the hackers, terrorists and criminals), those that fall behind are easy prey for the opportunistic attacker.

Both business and government organizations, in an effort to control costs, often cut back on expenses that they perceive as not having an obvious immediate negative impact. One of the areas frequently impacted is funding for replacing aging software and hardware. In the world of IT and security, the old adage “if it ain’t broke, don’t fix it” has significant potential repercussions. Outdated or unsupported systems very often contain security vulnerabilities making them more easily compromised by malicious actors, and a vulnerable or compromised system may provide an attacker with sensitive data or the ability to disrupt critical services.

This funding challenge doesn’t just impact the IT infrastructure for State of Minnesota systems. Many of Minnesota’s cities and counties receive varying levels of IT services from the state. This dependency actually increases the risks to state systems as each connected local government client is a potential access point for a malicious actor to reach valuable state IT systems. If these local IT systems aren’t properly protected, they represent an easier target than a state-managed system and could ultimately result in the compromise of state systems. Funding for baseline security controls in all Minnesota government entities, with centralized direction from the State of Minnesota to ensure effectiveness and reduce unnecessary redundancy in spending, is a needed step in catching up on cybersecurity investments.

Over the last month I have had the opportunity to work with both the Minnesota Counties Computer Cooperative and the Minnesota City/County Management Association, increasing awareness of cybersecurity risks and also providing training on improving security controls to reduce the likelihood of a breach in local government systems. All participants in these training exercises were eager to learn and driven to improve the state of their IT and security systems, but the lack of staffing and funding resources is an impediment to needed progress.

In order to move forward and continue to protect Minnesota citizens and preserve availability of critical government services, we need an effective partnership between state and local IT and security managers. I am hopeful that the state legislature will see the wisdom in supporting appropriate investments in these assets, and in making the needed progress to stay ahead of the hackers and criminals in order to minimize the negative impacts that result from a security incident.

For more information about how you can shape tomorrow’s cyber, physical and virtual security systems, explore our M.S. in Security Technologies (MSST), graduate minors in Security Technologies and Cyber Security, and non-degree short courses. Learn more about the MSST degree program by attending an information session.

About the Author

Photo of Mike Johnson, director of graduate studies for the M.S. in Security Technologies and James J. Renier Chair in the Management of Security Technologies

Mike Johnson

  • Honeywell/James J. Renier Chair in Security Technologies
  • Senior Fellow
  • Director of Graduate Studies - MSST

James J. Renier Chair in the Management of Security Technologies

Mike Johnson serves as the director of graduate studies for the Master of Science in Security Technologies degree program at TLI. He also develops, teaches and administers graduate level courses in security technologies innovation, management and leadership, as well as participates in the development and delivery of customized short courses and professional development programs in response to industry needs. He brings more than 25 years of professional experience in security risk management, formerly serving as CISO and Operations Risk Director at Bremer Bank, and has gained broad skills in the areas of IT and information security risk management in a heavily regulated industry.

Failure to adequately invest in technology and security infrastructure creates a “catch up” condition. In the cybersecurity arms race between entities that hold something valuable (your data) and those that want to steal it (the hackers, terrorists and criminals), those that fall behind are easy prey for the opportunistic attacker.

Stay Informed

Subscribe to receive the latest TLI articles, news and events

Stay Informed

Stay Connected