Opinion editor's note: Editorials represent the opinions of the Star Tribune Editorial Board, which operates independently from the newsroom. This editorial was written on behalf of the board by Star Tribune Opinion intern Noor Adwan, a 2023 graduate of the University of Minnesota.
In the wake of recent high-profile hacks on state agencies, the ever-increasing threat of cyberattacks has many Minnesotans on edge. In response, Minnesota IT Services (MNIT) rolled out a four-year, $23.5 million cybersecurity plan Sept. 12 to give public entities the tools they need to defend themselves.
Under the Whole-of-State Cybersecurity Plan, MNIT will work on updating state organizations' cybersecurity, expanding existing programs, improving intelligence-sharing capabilities across the state and building critical infrastructure's resilience against cyber threats. The funds will be available to public entities in Minnesota including local governments, school districts, tribal organizations and government agencies.
"It's safe to say that threat actors and the types of threats facing organizations are continuing to increase," MNIT Commissioner Tarek Tomes told an editorial writer. Because of this increasing threat level, Tomes said investment in cybersecurity is necessary. The plan's unveiling follows a number of data breaches of state agencies this year, including attacks on the Departments of Education (DOE) and Employment and Economic Development (DEED).
The plan uses a combination of federal and state funds: $18 million from the State and Local Cybersecurity Grant Program (SLCGP), which was established by Congress in 2021, and a $5.5 million match from the Minnesota Legislature. A quarter of the funds is earmarked for rural areas, where resources to address cybersecurity concerns may be fewer than in urban areas.
These funds will in part be used to bring smaller organizations' cybersecurity capabilities up to speed with more well-resourced organizations by providing them with resources and tools they may not have otherwise been able to access. "Those tools are generally quite expensive, and require a lot of sophistication to implement," Tomes said.
They will also be used to improve communication and collaboration across the public sector. Often, Tomes said, organizations keep cyberattacks under wraps unless they're required by law to report them. This leads to threats being underreported, which can impede the state's ability to defend against future attacks. Creating a mechanism for reporting cyberattacks would help the state better understand and respond to threats, Tomes said.
The plan is not a mandate, so participation is not required. But Tomes said MNIT plans to do everything possible to ensure as many organizations as possible are on board. "The more people that participate, the safer we're all going to be," he said.
Because the state's cybersecurity chain is "only as strong as the weakest link," as the plan notes, eligible organizations should opt in as soon as they are able in order to protect Minnesotans' private information from bad actors.
Thankfully, Tomes said there has been early interest. KSTP reported that, within the first 90 minutes of the plan's launch, about 200 of the more than 3,000 organizations MNIT hopes to reach had signed up or requested more information.
And the agency hopes to see a steady uptick in opt-ins once it begins rolling out more individual cybersecurity services, like Endpoint Detection and Response, a cybersecurity technology that detects and addresses threats like malware and ransomware. Minneapolis Public Schools was a victim of a ransomware attack in February that leaked some student and employee information to the dark web. The group that claimed responsibility for the breach demanded $1 million.
While Tomes said he can't be sure the Whole-of-State plan could have avoided such hacks as those that affected MPS, the DOE and DEED, "there would be a significantly reduced likelihood," of those attacks succeeding had the plan been in place at the time, he said.
Once the plan's four-year term is over, Tomes said he's hopeful there might be more opportunities to receive federal funding for cyber defenses in the future. But MNIT does not expect the new program to be renewed, which makes it especially important that state and local governments develop sustainable funding strategies for cybersecurity programs that outlive the four-year grant.
"This whole-state plan is going to prove to be a crucial and significant first step to keeping public sector throughout Minnesota more safe and more secure," Tomes said. But the cyber threats facing state governments aren't going away any time soon. "This is simply the beginning of a journey that doesn't end."