Minnesota Governor’s Big Cybersecurity Spending Plan Gets Iffy Support in Legislature

Minnesota Gov. Mark Dayton delivers the State of the State Address at the University of Minnesota on March 9, 2016. Jim Mone / AP File Photo

Debate about funding levels reflects national discussion about whether states are investing enough to keep computer systems and data safe from hackers and other threats.

A push by Gov. Mark Dayton to make significant new investments in state cybersecurity has not gained a tremendous amount of traction in the Minnesota Legislature, as lawmakers there work to hammer out plans for what to do with a projected budget surplus of $900 million.

Dayton, a Democrat now in his second term, released supplemental budget recommendations for the surplus in March. These called for around $20 million to be directed to Minnesota’s information technology agency, MN.IT Services, to beef up cybersecurity. But budget measures that have advanced in the Legislature do not include anywhere near that amount.

An omnibus spending bill passed last week in the Republican-controlled House features a one-time appropriation of $500,000 for MN.IT to conduct a cybersecurity study. Legislation in the Senate, where Democrats hold a majority, includes $5 million in one-time cybersecurity spending for the agency.

“I think it really is one of the key issues this legislative session that's gone under the radar to some extent,” state Rep. Sheldon Johnson, a member of the Democratic-Farmer-Labor Party, said by phone on Friday.

Johnson, the lead member for his party on the State Government Finance Committee, believes the proposed study is unnecessary and that state IT staff and outside experts have already done the legwork to show why substantial cybersecurity investments are needed, and how those dollars should be used. “That $500,000 study is just a waste of money,” he said. “It’s kind of a joke.”

Millions of Probes and Scans

Asked if Minnesota would be more vulnerable to cybersecurity threats without the funding the governor has proposed, the state’s chief information security officer, Chris Buse, replied: “Absolutely.”

Buse explained that in recent years MN.IT has been carrying out an IT consolidation effort for “different agencies that ran their IT in silos for many, many years.” About $10 million of the spending Dayton recommended would go to cybersecurity initiatives tied to this work.

About $7 million would help pay for upgrades for the state’s centralized cybersecurity program, including new tools to help staff monitor, detect and combat sophisticated threats.

The remaining money, roughly $3 million, would primarily fund updates to in-house networks and “end-user tools,” like computers, at small and mid-sized agencies. Buse said outdated equipment and software has left these agencies exposed to greater cybersecurity risks.

Minnesota’s state computer systems, he noted, are constantly “probed and scanned by people across the globe” looking for weaknesses.

“We have millions of those probes and scans of our systems on a daily basis,” Buse said.

He added: “We think it’s important for us to proactively try to put the best controls in place that we possibly can, and not go ask the Legislature and folks for money after a disastrous event.”

‘Difficult Sell’

Debate about cybersecurity funding in Minnesota reflects broader discussions now taking place about whether states are spending enough to keep their computer systems and data safe.

“Let’s put it this way, the funding is not commensurate with the risk,” said Doug Robinson, executive director of the National Association of State Chief Information Officers. “That doesn’t mean the spend isn’t out there, but it may not be prioritized, it may not be targeted.”

He pointed out that in the private sector these days, companies tend to devote about 10 percent of their IT budgets to cybersecurity. According to information NASCIO has collected, the same figure for state governments averages around 2 percent.

Buse said spending in Minnesota was in line with that figure. He also emphasized that even if the funding the governor has proposed were to be approved, it is a one-time infusion of cash, as opposed to a sustained increase in annual spending.

When it comes to budgeting for cybersecurity, “there's no magic number,” Robinson said. “But clearly only spending 2 percent is not going to advance the ball very much.”

The cybersecurity risks states face can be seen in places such as Montana, where a 2014 breach of state health records compromised social security numbers and other personal information for upwards of one million people. And in South Carolina, where in 2012 hackers stole millions of state taxpayer records, including thousands of credit and debit card numbers.

Minnesota has not had a major data breach, Buse said. “Knock on wood,” he added.

But in late December, a state court website was shut down for several days by what’s known as a distributed denial-of-service attack, or DDoS attack for short. Such attacks involve bombarding a website with traffic, causing it to crash.

Making the case for cybersecurity investments to lawmakers can be tough, Buse acknowledged. “People like funding things that deal with schools and veterans,” he said. “A lot of the back office issues, such as information technology and cybersecurity, they’re a much more difficult sell.”

One reason he highlighted is that a successful cybersecurity program is one where nothing very dramatic takes place, because threats are mitigated. “When you don’t see anything bad happening,” Buse said, “it’s very hard for people to understand the need to spend more.”

‘I’d Rather Do the Study’

Johnson, the DFL representative, said in the past he had not tracked cybersecurity issues closely. “When I heard testimony, and then when folks started coming to my office and saying: ‘this isn’t a joke, this is for real,’ that’s when I really became aware of it,” he said.

“I wasn’t aware that it was this potentially catastrophic right now,” Johnson added.

A common refrain when it comes to cybersecurity funding is that explaining risks to lawmakers can be complicated. But Johnson doesn’t see that as the case in the Minnesota House. The obstacle, from his perspective, is his Republican colleagues. “I don’t think it’s communicating the issue. I think they are just ideologically not spending money on essential needs,” he said. “They're just not going to touch that surplus. So, no, I don’t think it’s a lack of understanding.”

Multiple attempts last week to reach GOP members of the House willing to speak about the governor’s cybersecurity funding recommendation were unsuccessful. A spokesperson for the Senate Republicans said that she could not track down any lawmakers to discuss the issue, and that the caucus was more focused on transportation issues than cybersecurity at this time.

Minnesota’s House Public Information Services reported on April 21 that Republican Rep. Sarah Anderson questioned why Dayton’s administration did not include the cybersecurity funding request when the state’s budget was being put together last year. “I’d rather do the study than dump in money and hope for the best,” Anderson said, according to the report.

Also included in the governor’s supplemental budget proposal was a one-time $19 million appropriation for cybersecurity at the University of Minnesota.

The fate of that recommendation remains uncertain. An education policy and finance bill passed last week in the House did not mention cybersecurity. Senate legislation that does include the $19 million has not seen any action since April 4. And the only reference to cybersecurity in the omnibus supplemental appropriations bill in the Senate is the $5 million for MN.IT.

‘I've Been Convinced’

NASCIO’s Robinson advises that state cybersecurity teams discuss risks with lawmakers regularly to help make the case for spending. “It really should be an ongoing discussion,” he said. It can also be helpful, he believes, to focus these sorts of conversations less on the technical aspects of cybersecurity and more on what the consequences of a cyber attack can mean for the state. Legislators, Robinson said, should understand “what happens when we have a major disruption in state government activities” due to hackers. “There is a cost associated with that,” he added. “There is a cost to lost productivity, to our citizens.”

Johnson, the DFL lawmaker, seems to have heard that message.

He said he would not be surprised if legislators end up adopting a supplemental budget plan with the $5 million of MN.IT cybersecurity spending that has been proposed in the Senate.

Asked if he would be supportive of future efforts to shore up state cybersecurity funding, he replied: “I have been convinced that this is a need that needs to be addressed in a big way … It’s a huge state, national, international issue and it's not something we can just wave away.”

“So, yeah,” Johnson added. “I'll be a strong proponent of this going forward.”

Bill Lucia is a Reporter for Government Executive’s Route Fifty.
