Connecting state and local government leaders
Debate about funding levels reflects national discussion about whether states are investing enough to keep computer systems and data safe from hackers and other threats.
A push by Gov. Mark Dayton to make significant new investments in state cybersecurity has not gained a tremendous amount of traction in the Minnesota Legislature, as lawmakers there work to hammer out plans for what to do with a projected budget surplus of $900 million.
Dayton, a Democrat now in his second term, released supplemental budget recommendations for the surplus in March. These called for around $20 million to be directed to Minnesota’s information technology agency, MN.IT Services, to beef-up cybersecurity. But budget measures that have advanced in the Legislature do not include anywhere near that amount.
An omnibus spending bill passed last week in the Republian-controlled House features a one-time appropriation of $500,000 for MN.IT to conduct a cybersecurity study. Legislation in the Senate, where Democrats hold a majority, includes $5 million in one-time cybersecurity spending for the agency.
“I think it really is one of the key issues this legislative session that's gone under the radar to some extent,” state Rep. Sheldon Johnson, a member of the Democratic-Farmer-Labor Party, said by phone on Friday.
Johnson, the lead member for his party on the State Government Finance Committee, believes the proposed study is unnecessary and that state IT staff and outside experts have already done the legwork to show why substantial cybersecurity investments are needed, and how those dollars should be used. “That $500,000 study is just a waste of money,” he said. “It’s kind of a joke.”
Millions of Probes and Scans
Asked if Minnesota would be more vulnerable to cybersecurity threats without the funding the governor has proposed, the state’s chief information security officer, Chris Buse, replied: “Absolutely.”
Buse explained that in recent years MN.IT has been carrying out an IT consolidation effort for “different agencies that ran their IT in silos for many, many years.” About $10 million of the spending Dayton recommended would go to cybersecurity initiatives tied to this work.
About $7 million would help pay for upgrades for the state’s centralized cybersecurity program, including new tools to help staff monitor, detect and combat sophisticated threats.
The remaining money, roughly $3 million, would primarily fund updates to in-house networks and “end-user tools,” like computers, at small and mid-sized agencies. Buse said outdated equipment and software has left these agencies exposed to greater cybersecurity risks.
Minnesota’s state computer systems, he noted, are constantly “probed and scanned by people across the globe” looking for weaknesses.
“We have millions of those probes and scans of our systems on a daily basis,” Buse said.
He added: “We think it’s important for us to proactively try to put the best controls in place that we possibly can, and not go ask the Legislature and folks for money after a disastrous event.”
Debate about cybersecurity funding in Minnesota reflects broader discussions now taking place about whether states are spending enough to keep their computer systems and data safe.
“Let’s put it this way, the funding is not commensurate with the risk,” said Doug Robinson, executive director of the National Association of State Chief Information Officers. “That doesn’t mean the spend isn’t out there, but it may not be prioritized, it may not be targeted.”
He pointed out that in the private sector these days, companies tend to devote about 10 percent of their IT budgets to cybersecurity. According to information NASCIO has collected, the same figure for state governments averages around 2 percent.
Buse said spending in Minnesota was in line with that figure. He also emphasized that even if the funding the governor has proposed were to be approved, it is a one-time infusion of cash, as opposed to a sustained increase in annual spending.
When it comes to budgeting for cybersecurity, “there's no magic number,” Robinson said. “But clearly only spending 2 percent is not going to advanced the ball very much.”
The cybersecurity risks states face can be seen in places such as Montana, where a 2014 breach of state health records compromised social security numbers and other personal information for upwards of one million people. And in South Carolina, where in 2012 hackers stole millions of state taxpayer records, including thousands of credit and debit card numbers.
Minnesota has not had a major data breach, Buse said. “Knock on wood,” he added.
But, in late December, a state court website was shut down for several days due to what’s known as a distributed denial-of-service attack. Known as DDoS attacks for short, distributed denial-of-service attacks involve bombarding a website with information, causing it to crash.
Making the case for cybersecurity investments to lawmakers can be tough, Buse acknowledged. “People like funding things that deal with schools and veterans,” he said. “A lot of the back office issues, such as information technology and cybersecurity, they’re a much more difficult sell.”
One reason for this he highlighted is that a successful cybersecurity program is one where nothing very dramatic takes place, because threats are mitigated. “When you don’t see anything bad happening,” Buse said, “it’s very hard for people to understand the need to spend more.”
‘I’d Rather Do the Study’
Johnson, the DFL representative, said in the past he had not tracked cybersecurity issues closely. “When I heard testimony, and then when folks started coming to my office and saying: ‘this isn’t a joke, this is for real,’ that’s when I really became aware of it,” he said.
“I wasn’t aware that it was this potentially catastrophic right now,” Johnson added.
A common refrain when it comes to cybersecurity funding is that explaining risks to lawmakers can be complicated. But Johnson doesn’t see that as the case in the Minnesota House. The obstacle, from his perspective, is his Republican colleagues. “I don’t think it’s communicating the issue. I think they are just ideologically not spending money on essential needs,” he said. “They're just not going to touch that surplus. So, no, I don’t think it’s a lack of understanding.”
Multiple attempts to contact GOP members of the House last week willing to speak about the governor’s cybersecurity funding recommendation were unsuccessful. A spokesperson for the Senate Republicans said that she could not track down any lawmakers to discuss the issue, and that the caucus was more focused on transportation issues than cybersecurity at this time.
Minnesota’s House Public Information Services reported on April 21 that Republican Rep. Sarah Anderson questioned why Dayton’s administration did not include the cybersecurity funding request when the state’s budget was being put together last year. “I’d rather do the study than dump in money and hope for the best,” Anderson said, according to the report.
Also included in the governor’s supplemental budget proposal was a one-time $19 million appropriation for cybersecurity at the University of Minnesota.
The fate of that recommendation remains uncertain. An education policy and finance bill passed last week in the House did not mention cybersecurity. Senate legislation that does include the $19 million has not seen any action since April 4. And the only reference to cybersecurity in the omnibus supplemental appropriations bill in the Senate is the $5 million for MN.IT.
‘I've Been Convinced’
NASCIO’s Robinson advises that state cybersecurity teams discuss risks with lawmakers regularly to help make the case for spending. “It really should be an ongoing discussion,” he said. It can also be helpful, he believes, to focus these sorts of conversations less on the technical aspects of cybersecurity and more on what the consequences of a cyber attack can mean for the state. Legislators, Robinson said, should understand “what happens when we have a major disruption in state government activities” due to hackers. “There is a cost associated with that,” he added. “There is a cost to lost productivity, to our citizens.”
Johnson, the DFL lawmaker, seems to have heard that message.
His said he would not be surprised if legislators end up adopting a supplemental budget plan with the $5 million of MN.IT cybersecurity spending that has been proposed in the Senate.
Asked if he would be supportive of future efforts to shore up state cybersecurity funding, he replied: “I have been convinced that this is a need that needs to be addressed in a big way … It’s a huge state, national, international issue and it's not something we can just wave away.”
“So, yeah,” Johnson added. “I'll be a strong proponent of this going forward.”
Bill Lucia is a Reporter for Government Executive’s Route Fifty.