The theft of private information on millions of people from a federal database has triggered another debate on whether we’re losing the war against hackers.
Every day seems to bring more embarrassing details about the hack of the Office of Personnel Management: warnings ignored, vulnerabilities unfixed, 11 of its 47 IT systems operating without a mandatory security authorization.
These revelations tend to emerge only when something goes terribly wrong. Until that happens, anyone trying to find out about the security of the government’s IT systems quickly runs into a firewall of secrecy.
Take, for example, MN.IT Services, the agency that oversees state government’s computer operations. It coordinates security of the vast databases that handle billions of dollars and store volumes of sensitive information on patients, drivers, students, vulnerable citizens and others.
In April, my Star Tribune colleague, data specialist Jeff Hargarten, made a public record request from the agency: the number of cyberattacks against state computers over the previous five years.
At first, it looked as if the agency would hand over the information. A staff attorney for MN.IT, Michelle Klatt, asked Hargarten for a clarification of cyberattack. He said he wanted data on both “targeted” and “arbitrary” attacks.
Twelve days later came the bad news: That information was nonpublic, because the state considered it “security information.” That allows it to withhold any data whose release “would be likely to substantially jeopardize the security of information, possessions, individuals or property against theft, tampering, improper use, attempted escape, illegal disclosure, trespass, or physical injury.”
So Hargarten tried again. This time he asked for the number of security incidents involving critical infrastructure and state IT systems for each year from 2010 through 2014. No details. No names. Just 10 numbers.
Even that was too much to ask.
“Government entities, as well as entities in the private sector, restrict access to security data because it can be used by hackers to fingerprint potential attack targets,” Klatt wrote in an e-mail rejecting the data request. “Even summarized data, such as vulnerability counts, can be used to glean information about the susceptibility of all or certain parts of the IT environment.”
The people at MN.IT (pronounced “minute”) are willing to talk about the issue, to a point. “We certainly every day face attempts and threats that are out there, from actors across the globe,” said Jon Eichten, legislative director for MN.IT. Are they on the upswing? “The volume and complexity of threats over time has continued to grow,” he said.
But for more details on how well Minnesota is defending against those attacks, Eichten referred me to the Office of the Legislative Auditor. The auditor regularly evaluates the IT systems of various agencies.
Last year, the auditor found room for improvement in how MN.IT protects its mainframe computers from unauthorized use. In 2013, more serious security gaps were identified in the Minnesota Department of Education’s computers, which store private information on students and manage billions of dollars in school funding.
Eichten said it’s too early to know whether the breach of federal personnel information has lessons for Minnesota. Massoud Amin, director of the University of Minnesota’s Technological Leadership Institute and an authority on cybersecurity, said he has confidence in the leadership of MN.IT, and that it has ensured the state’s computers do not share the exposure of the OPM.
“They do the fundamentals right,” Amin said. “In Minnesota, I’m pretty sure those types of risks do not exist.”
That may well be true. But hiding even the most basic data about cybersecurity in Minnesota won’t do much to stop hackers. It just stops the public from joining the fight.
Contact James Eli Shiffer at firstname.lastname@example.org or 612-673-4116. Read his blog at startribune.com/fulldisclosure.