The theft of private information on millions of people from a federal database has triggered another debate on whether we're losing the war against hackers.
Every day seems to bring more embarrassing details about the hack of the Office of Personnel Management: warnings ignored, vulnerabilities unfixed, 11 of its 47 IT systems operating without a mandatory security authorization.
These revelations tend to emerge only when something goes terribly wrong. Until that happens, anyone trying to find out about the security of the government's IT systems quickly runs into a firewall of secrecy.
Take, for example, MN.IT Services, the agency that oversees state government's computer operations. It coordinates security of the vast databases that handle billions of dollars and store volumes of sensitive information on patients, drivers, students, vulnerable citizens and others.
In April, my Star Tribune colleague, data specialist Jeff Hargarten, made a public record request from the agency: the number of cyberattacks against state computers over the previous five years.
At first, it looked as if the agency would hand over the information. A staff attorney for MN.IT, Michelle Klatt, asked Hargarten for a clarification of cyberattack. He said he wanted data on both "targeted" and "arbitrary" attacks.
Twelve days later came the bad news: That information was nonpublic, because the state considered it "security information." That allows it to withhold any data whose release "would be likely to substantially jeopardize the security of information, possessions, individuals or property against theft, tampering, improper use, attempted escape, illegal disclosure, trespass, or physical injury."
So Hargarten tried again. This time he asked for the number of security incidents involving critical infrastructure and state IT systems for each year from 2010 through 2014. No details. No names. Just 10 numbers.