Minnesota IT Services unveils first-ever statewide cybersecurity plan

(KSTP) – Minnesota IT Services (MnIT), alongside a task force of stakeholders, unveiled a first-ever statewide cybersecurity strategy on Tuesday.

The $23.5 million plan, which includes federal and state funding, sets a minimum cybersecurity standard for 3,500 government entities across the state and increases information sharing and reporting of cyber incidents to MnIT.

“And I think this ‘Whole-of-State Cyber(security) Plan’ really takes a strong first step in that direction,” said Minnesota Chief Information Officer Tarek Tomes.

“We work with all 87 counties today. But not all entities and local governments, including cities, school districts, or others report those events up through us,” added Minnesota Chief Information Security Officer John Israel.

The state’s central IT organization tracked more than 1,000 cybersecurity incidents at state and local government agencies last year, Israel said.

“We know there’s many more, because we haven’t reached and maintained those partnerships and relationships with all the local government entities throughout the state,” he said.

“And that’s what we’re trying to solve here.”

Within the first 90 minutes of the launch, roughly 200 of the 3,500 agencies MnIT is hoping to reach had signed up or at least requested more information, according to Israel.

“I think our education systems, both public and higher education systems have amongst the most complex and difficult tasks as it relates to protecting the technology that runs those institutions,” Tomes said.

Sitting next to Tomes during the roundtable interview was Nicole Pruden, the Network and Security Administrator at ECMECC. She represented the education sector on the task force that developed the plan.

Asked how many Minnesota school districts are equipped with the baseline level of protection, Pruden said, “I would say, not very many. A lot of the school districts that I work with are very small. We’re talking a tech team of one person managing, you know, 1000s of devices.”

Participation, including reporting incidents to the state, is not required under this iteration of the plan, Tomes said.

Once agencies sign up, MnIT will first assess the cyber resources each has or doesn’t have. The next four years will be spent strengthening those systems and the communication between them.