Others’ Opinion: Cyber security is worth buying
Published 9:35 am Monday, March 28, 2016
Minnesota Gov. Mark Dayton says it’s time for “Securing the State.” State government websites and computer systems are in need of upgrades, the Pioneer Press reported earlier this month, as the governor laid out a budget plan calling for $46 million in one-time funding to boost cyber security at state agencies.
When it comes to spending some of the projected budget surplus — ultimately to protect personal data on millions of Minnesotans in the hands of the state — the initiative belongs in the “need” column, rather than among mere “nice-to-haves.”
The threats are real and costly, explains Chris Buse, chief information security officer at MN.IT Services, the information technology agency for the state’s executive branch. “We’re working to beef up our systems, to beef up our cyber security capabilities” to help make sure threats don’t materialize. The agency, he said, supports 78 state government entities, each of which has data that could be valuable to hackers.
“Our goal is to protect all of that data and have defenses in place,” Buse told us.
“We don’t want to be selling the case for more security” after an incident, he said. “We want to make sure we do things proactively.” In addition to funding for MN.IT, the governor’s proposal includes improvements at several other state agencies. Dayton also has recommended a separate appropriation of $19 million for cyber security improvements at the University of Minnesota and additional funding for tech resources for tax-refund fraud protection at the Department of Revenue.
The measures are a high priority for Dayton, a member of the bipartisan Council of Governors, among whose issues is cyber security.
Our state government hasn’t fallen victim to a massive cyber threat, but the Minnesota court system website — mncourts.gov — was unavailable to the public for 10 days in December because of repeated hacker attacks from Asia and Canada, the Pioneer Press reported.
It was described as a “denial-of-service” incident, in which “someone peppers a website with enough traffic to jam it up for everyone,” according to reporter Jaime DeLage, who explained that attackers apparently didn’t try to access private data but did block legitimate users. Safeguards were installed and public access was restored.
Problems elsewhere, however, have made major headlines. In 2012, for example, a breach affected the state of South Carolina, with taxpayers’ Social Security numbers and financial information exposed after an international hacker gained access to a server at its Department of Revenue. It’s now estimated that about 79 percent of South Carolina citizens were impacted, Buse told us.
At the federal level, an incident last year involving the U.S. Office of Personnel Management reportedly compromised data involving more than 21.5 million people.
The threat situation is “significantly different than it was even a few years ago,” Buse told us. “That’s one of the main reasons cyber security has become such an important focus” for the state, other government units and the private sector.
A few years ago, threats typically came from “the kid in the basement,” acting against government and other organizations to gain notoriety.
Today, “threat actors” are motivated by money, trying to steal data for financial gain, he said. There’s also an element “that wants to impede government as an entity,” launching attacks like the one affecting state courts.
Hackers exploit vulnerabilities to get a foothold into your system, Buse explains. Then, they try to “move laterally” to withdraw data.
The courts incident also demonstrated the level of sophistication involved in the attacks government encounters, Buse said. “We basically were having a duel, for lack of a better word, with a hacker group that was really hell-bent on shutting down” the system.
In such a world, defenses matter. Lawmakers should act to protect Minnesotans.
Distributed by Tribune Content Agency