State IT officials stay ever-watchful of threat

Published 3:12 pm Saturday, April 4, 2015

ST. PAUL — With an ever-growing trove of sensitive information to safeguard, state officials have taken last year’s string of high-profile hacks into major companies to heart.

Minnesota’s network holds the same kinds of personal information unleashed by hackers at Target, Home Depot and other retailers — and then some. There’s credit card information, social security numbers, tax and health care information, birth records and disease tracking. The list goes on.

To protect it, the state obscures key data through several layers of encryption, constantly monitors for intruders and searches out potential weaknesses in its network. Minnesota officials communicate with other states and the federal government about potential threats.

Email newsletter signup

It’s a never-ending effort.

“We have to be right all the time, 100 percent of the time, and (hackers) only have to be right once,” said Christopher Buse, the state’s chief information security officer.

 Search and protect

Protecting sensitive information starts from the beginning as officials design in and build a network system that’s shielded from outsiders.

Take the state’s new health exchange, MNsure, which Office of MN.IT Services Commissioner Tom Baden called “one of the most sophisticated applications we have in the state.” Baden described dozens of layers of firewalls, encryption and other safeguards that would make even a techie’s head spin.

But the protections across state government span well beyond the initial setup.

Each of the 150,000-plus access points into the state’s network — think computers, mobile devices and even video projectors — could be a hacker’s avenue into the system. That’s why IT officials constantly scan through those portals, some as much as three times a day, to root out possible weaknesses.

“We know the bad guys will find them and exploit them if we don’t fix them on our own,” Buse said.


But Baden said their most important step to boost cybersecurity was a massive effort begun in 2011 to bring the various state agencies’ IT systems under one roof. Under the old approach, “the attack surface was just too big,” Baden said.

“That is our most important line of defense against the thing that keeps me up at night,” he said of the change.

Another crucial element in boosting security is replacing old computer systems that could be the most susceptible to hacks. Gov. Mark Dayton proposed using $9 million over the next two years to replace aging computer systems used for workers compensation and another system that law enforcement and correctional facilities use, among other improvements.

“The threats are growing exponentially here the last several years. Government is not immune to those attacks,” Baden said.

Inside access

It’s not just outsiders that cause concern.

Several state employees have been found improperly accessing databases, such as a 2013 case in which a Department of Natural Resources employee looked up driver information on more than 5,000 Minnesota residents.

Buse said the state has boosted some of its monitoring to watch for that kind of access, and the state keeps a detailed log of all movement on its network to track them down.

Across state government, officials have to strike a delicate balance in granting access to employees. The more employees who have access, the more potential for abuse. And employees can could still misuse data that they’re properly cleared to see.

“That’s one of the toughest problems to solve,” Buse said.