Dayton wants big boost in cybersecurity funding; lawmakers won't click

Christopher Buse, the chief information security officer for the state of Minnesota, holds a copy of a recently updated strategic plan on Tuesday. Gov. Mark Dayton's request for $46 million to upgrade cybersecurity in state government has been whittled back by lawmakers.
Brian Bakst | MPR News

Spear phishing, botnet armies, cyberdisruptors — that's just a sampling of the attacks creating constant worry for Christopher Buse, Minnesota's chief information security officer.

Countless times a day, hackers try to find and exploit gaps in Minnesota's vast state government computer network, hoping to steal sensitive information or gum up operations. The system also encounters state employees wading into data pools where they probably do not belong. There's a lot of data behind state firewalls and a lot of it — tax returns, health records and licensing databases — is sensitive.

"Every day computer hackers find new vulnerabilities in software," said Buse. "The onus is on us as security professionals to proactively find and fix those issues before they could potentially be exploited."

Minnesota, he believes, needs to step up its defenses. That means more-advanced intrusion detection software, continuous scanning for anomalies and better training of state employees.

Gov. Mark Dayton is seeking more than $45 million from the Legislature this session to help state agencies shore up cyber defenses, including $20 million for general cybersecurity upgrades and $25 million more toward extra safeguards at agencies with an acute need. Under Minnesota's current budget, about $435,000 is set aside next year specifically for cybersecurity.

IT officials struggle to explain the magnitude of threats or actual breaches without exposing specific weak points. Cybersecurity tends to be largely invisible to the general public, which makes it a harder sell than dollars for school classrooms, new highway miles or caregiver pay. At least one key lawmaker is skeptical of Dayton's plan.

The cybersecurity pitch has so far failed to win over House State Government Finance Committee Chair Sarah Anderson, R-Plymouth. While she's voiced concern about cybersecurity, she says major state computing projects of late give her pause, primarily the buggy MNsure health insurance exchange. Her panel has confined its allocation to $500,000 for a security study.

"It's easy to use buzzwords that alarm people," she said. "We just need to be more thoughtful when it comes to technology as a state. Hopefully, this study will put us on the right foot because I don't want to have a situation where we blow through $20 million and haven't truly addressed the problem at the end of the day."

Other parts of Dayton's technology proposal have come up empty in the House. In the budget plan of the DFL-controlled Senate, less than one-third of the administration's overall request is funded.

And neither chamber has gotten behind a separate appeal for $19 million for the University of Minnesota to make its own cybersecurity enhancements.

The university is in the midst of a $78 million computer network overhaul and hopes the state will chip in. Either way, the security features are essential, said Bernard Gulachek, the U's interim vice president and chief information officer.

"We have private student data in all of our systems that range from course content to grades to transcripts. We have financial aid information in those systems. And we also have students' health care information," he said. "Each one of those data types are extremely private and some of them have pretty stiff regulatory penalties if they are not protected in the right way."

Minnesota's debate mirrors those playing out across the country. Since 2012, cybersecurity and risk management has ranked as the top concern in surveys conducted by the National Association of State Chief Information Officers.

In 2012, South Carolina's tax agency saw a major breach that exposed Social Security numbers of 3.6 million people. State leaders there have since put more than $27 million into fortifying networks and monitoring the credit records of those affected.

State IT professionals were spooked by South Carolina's experience, but even now most states lag the private sector in updating data control policies and paying for security, said Doug Robinson, the national association's executive director. Nationwide, only about 2 percent of state IT budgets go for cybersecurity compared with 14 percent for the federal government and about nine percent in the financial services sector, he added.

"States aren't keeping pace from the defensive side. And that's really what they're doing. They're playing defense," he said. "You're the catcher and you have somebody throwing 90 mph hour fastballs at you but it's not coming from one spot, it's coming from all across the baseball diamond."

Increasingly, spear phishing attempts are targeting specific state employees or units. The aim is to trick workers into providing sensitive information or backdoor access to protected networks.

Buse recalled a recent security scare where hackers hoped to trick state employees into entering a site made to look like Buse's agency, MN.IT.

"Employees were enticed to log in and put in their credentials at fictitious websites that look very much like our MN.IT services websites trying to get them to put in their credentials for their email accounts," he said.

Spending a lot more on cybersecurity "does not guarantee that you won't have any incidents," he added. "But it's necessary today because the adversaries are more advanced. They're more sophisticated."