Securing the State
As part of Minnesota IT Services’ efforts to protect Minnesotans from cyber-threats and protect the State’s sensitive data assets, Commissioner Baden’s continuing top priority in 2017 is to implement our five year strategic cybersecurity plan. The plan prioritizes initiatives for the management, control, and protection of state systems and data to protect the privacy of all Minnesotans.
What is the Threat to Minnesotans?
Minnesota IT Services supports more than 35,000 users and secures the private data of 5.5 million Minnesotans. We also serve Minnesotans by connecting all 87 counties, 300 cities, and 200 public higher education campuses across the state. At this moment, information security is facing unprecedented challenges and extraordinary opportunities. Advanced attacks are becoming more sophisticated and more common, testing the limits of existing capabilities. The push to digitize government compounds this problem, significantly expanding the volume of sensitive data vulnerable to attack.
- We must secure Minnesota’s IT systems. Our technology systems keep state government running. If they go down due to cyber-attacks or other issues, millions of Minnesotans’ private data, over $28 billion in annual transactions, and over 300,000 daily transactions are at risk.
- A major cyber-attack could jeopardize public safety and significantly disrupt Minnesotans’ daily lives. Nearly every critical government function and service relies on IT systems. Outdated or unsupported technology puts essential functions at risk. If these systems were taken down by individuals and groups determined to disrupt operations in Minnesota, state government would be unable to effectively deliver critical services.
- Minnesota IT Services’ plan to solidify the State’s cyber-defenses must be funded and implemented aggressively. Minnesota IT Services’ plan is to reduce the attack surface by consolidating state systems in highly-secure enterprise-level data centers and implementing advanced security and monitoring tools in a shared environment. This plan was vetted by private sector cybersecurity leaders in Minnesota who all agree the plan must be implemented as soon as possible.
- The cost of doing nothing is too great. The cost of failing to bolster our cyber-defenses could be staggering. A “South-Carolina-sized” breach would require the state to pay millions in identity theft protection costs, lead to millions of dollars in consumer fraud losses, and significantly diminish public trust in state government.
State Government is a Target
Minnesota’s systems are probed for vulnerabilities and attacks are attempted more than 3 million times each day. Fortunately, our state has not yet experienced a major attack that has exposed Minnesotan’s private data. However, Minnesota has experienced incidents that have exposed state systems and data to significant risk.
Denial of Service Attacks
- During a dedicated denial of service (DDOS) attack, hackers bombard websites with so much traffic that the site cannot be accessed by legitimate customers.
- In the last year, the Minnesota court system’s website was targeted by Anonymous Legion, and was brought down and unavailable to the public for 10 days because of reported hacker attacks originating from Asia and Canada.
- DDOS attacks are now a tool of choice for hacktivists, subjecting Minnesota state government to complex attacks each week.
- During a ransomware attack, hackers encrypt data and then extort money from their victims, who must pay to get the security codes to recover their data. In most cases, hackers destroy the data after a short period of time if the victim fails to pay up.
- Several state government agencies have been targets of ransomware attacks, often after employees open malicious e-mail attachments.
- Though no ransoms have been paid out, rebuilding compromised systems and restoring data from backups is extremely costly.
Internet Attacks against State Agencies
- Hackers routinely attack computer systems that are connected to the Internet. On average, state systems that are accessible from the internet are probed over 3 million times daily from over 150 countries.
- Systems with exploitable vulnerabilities are often compromised within minutes. Once compromised, hackers almost always move laterally to exploit other targets within the first 24 hours. Approximately 50% of software vulnerabilities discovered by hackers now become full exploits within 30 days.
- Earlier this year, hackers compromised one state system that had outdated and vulnerable software. In two other cases, errors made by employee exposed sensitive data to hackers. Investigating and recovering from even small security breaches is extremely costly and results in lost worker productivity and damage to reputation.
Internet Attacks against State Vendors
- Vendors now operate many critical systems for state agencies, and hackers often target those systems.
- Last year we became aware of a vendor hosted solution with serious security vulnerabilities that exposed sensitive data to extreme risk. The solution needed to be immediately taken down, leaving the state agency without a function that it relied on to conduct its business.
- With the expanded use of hosted solutions, public and private sector entities now must have strong security programs to vet the adequacy of vendor controls. Even though state agencies use vendors more than ever, government leaders need to understand that they are accountable for breaches that are caused by vendor security shortcomings.
Learn more about Securing the State of Minnesota
Defend Yourself Against Cybercriminals
To help educate Minnesotans about the importance of cybersecurity, Minnesota IT Services will be working to share important cyber tips for businesses, families, students, educators, government, and all Minnesotans. Please join the effort by sharing the importance of cybersecurity with your coworkers, friends, and family.