MNIT seeks funds to protect Minnesotans' data
ST. PAUL—Minnesota is inching forward on a yearslong major project to beef up security for everyone with a driver's license, tax form or Social Security number stored on a state computer.
So pretty much all of us.
The state needs $10.6 million — and has for several years — to get it done.
It's gotten $0 from the Legislature and Gov. Mark Dayton.
Members of the Republican-controlled Legislature and Dayton, a Democrat, have blamed each other for what has become, for three years in a row, a casualty of the often-political and often-acrimonious budget process.
Meanwhile, MNIT, the state's information technology agency, has quietly plodded ahead in small steps that began years before, with the hope, officials say, of staying ahead of a successful cyberattack, which could cost taxpayers millions of dollars, as well as untold inconvenience.
State computers contain tax forms (including Social Security numbers), bank routing numbers, driver's license data and sometimes passport information, to name some of the more sensitive data.
Here's how the state wants to protect it.
'This is not simple'
At the foundation of the state's efforts to protect sensitive information is the infrastructure itself — "data centers" that contain the physical hardware such as computer servers — where information is stored and accessed.
Like much of state government, for years those servers were scattered all over the state, the responsibility of each department, as Minnesota matured in the Information Age.
Some data centers were in decent shape. Others were in converted broom closets or storage rooms prone to flooding and electrical outages.
In 2011, when there were 49 data centers, lawmakers and Dayton approved legislation that established MNIT in an effort to centralize state information technology. The goal: Make it work better, cost less and improve security.
Software improvements would be needed, but updating and securing the hardware — by consolidating data centers — was essential. The broom closets would have to be replaced with modern facilities where the necessary power, air conditioning, fire suppression and security were built in, not patched together.
Funds provided: none.
"It's essentially an unfunded mandate," said Aaron Call, MNIT's chief information security officer.
"This is not simple," Call said in describing how to move a data center. He gave an example where servers from the Department of Natural Resources were moved from a storage room to a new data center. The work needed to be done over a holiday, backups needed to be created, and crews needed to haul a bank of refrigerator-sized servers to a new location. "That took three months to plan."
Call said information infrastructure is just that: infrastructure, although people may not think of it that way. "It's ludicrous to think you can just pick up a bridge and move it somewhere else on the river without interrupting traffic," he said. "Same for data centers."
'Espionage is real'
If data centers go down, computer systems go down, making them vulnerable to attack, aside from just not working.
And hacking isn't just done remotely. Call, who previously worked in the private sector, said he once came across a bundle of wires hanging out of a steel cage housing computer servers. "Someone had gotten into the area and actually fished out the wires to access them," he said. "Espionage is real."
Attacks are real — from Russian attempts to probe election computers (those systems are outside the purview of MNIT) to attacks that have brought down government computers in American cities. In March, Atlanta's city government was brought to its knees by a ransomware attack, wherein hackers take control of a system and demand money to relinquish it. Also in March, Baltimore's 911 center was shut down for nearly a day by hackers.
But shaky infrastructure can make systems vulnerable without attacks, such as what happened to the California DMV in 2016, when hardware failed and disaster-recovery systems weren't robust enough to get the system back up and running for days.
When it comes to issues of motor vehicle titles and tabs, MNIT officials know they have a credibility problem. One year in, MNLARS, a new computer system designed and launched by MNIT for more than $90 million, still isn't working properly. Those problems can't be blamed on servers stored in broom closets, but Call said they shouldn't detract policy makers from supporting the need for modernizing the underlying infrastructure.
What's at stake?
According to MNIT, the costs of a data breach are high.
The agency has analyzed what a scenario would look like if one system, SEMA4, which contains payroll information for 38,000 state employees, was compromised.
Aside from workers potentially going unpaid and being vulnerable to identity theft, there's the cost. According to a study by IBM, the average cost of each public sector record stolen is $71. The total cost for a SEMA4 breach would be about $2.7 million.
MNIT officials say the $10.6 million they need is easily worth it.
"The money we need to get this done isn't nothing," Call said. "But by comparison the cost of a breach ..."