How safe from a ransomware attack are Minnesota's government computers?

There are about 45,000 computers and servers, countless emails, numerous websites, and personal records of 5.5 million Minnesotans that are all under the watch of MNIT.

MNIT is Minnesota's Information Technology agency, in charge of everything tech-related for the state's executive branch, and also does work for more than 70 government��agencies and boards.

So if, say, a ransomware attack was crippling thousands of computers in countries across the globe, the defenses MNIT put up are what would keep the malware out of the state's computers.

"We have absolutely seen it knocking on our door right from the get-go," Andrew Call told GoMN.

Call is the director of information security with MNIT, and was talking specifically about the WannaCry ransomware (aka WanaCrypt0r) attack. Workers who started seeing it ramp up Friday morning began the analysis: What is it? How is it coming in? Are the state's computers exposed? How is it spreading?

"We were fortunate to have had some proactive boundary protection rules put in place, and a fairly close to complete patching in place," Call explained.

So while WannaCry may have been "knocking on our door" in Minnesota, it was kept outside. At least for now.

How vulnerable is Minnesota?

These thousands of computers (which include laptops and desktop PCs) are spread across offices and run the gamut of operating systems, including Unix, Linux and OSX. But the majority, Call said, use some version of Windows.

Windows of course is the operating system the WannaCry ransomware targeted. It took advantage of a security flaw, leaked by a group of hackers earlier this spring, to worm its way into the computer, encrypt all the important files, then hold them hostage until getting a bitcoin payment.

Microsoft issued a patch for supported Windows system, fixing that flaw back in March. But anyone who didn't download and install that security update – or is still using an old, unsupported version of Windows – was left vulnerable.

At MNIT, most of the PCs they oversee are using a supported version, meaning they would have been patched – Call said that's something they check regularly, usually once a week.

There are a few clusters of computers under MNIT's watch that are running older Windows versions however. For example, Call said there's some lab equipment that runs on embedded Windows XP. And some decades-old programs won't work on newer machines.

For those vulnerable computers, Call said the "layers" of defense they implement have kept this ransomware at bay. So far so good it seems, even as the WannaCry ransomware spreads.

"Right now we are not aware of any successful impact," Call said.

They want more money for upgrades

This high-profile ransomware attack comes at a time MNIT is fighting for more funding.

The agency already fends off three million malicious attacks every single day, spokesperson Cambray Crozier said. They asked lawmakers for more money – just over $22 million in 2018, with about $4.8 million each year after that – to make proactive upgrades.

For example, MNIT has 27 data centers around the state, Legislative Director Jon Eichten told GoMN. He said it's "impossible to secure" all of those from attacks with the current funding levels. So $14 million would go toward consolidating the servers, reducing the number of scattered targets.

Another goal: Get MNIT staffers working 24/7.

"The way the internet works is these attacks don’t just come in during business hours … they come in all the time," Call said. "We’re unable to react. We don’t have our eye on the ball at night."

As Jenna Covey, MNIT's chief digital officer, put it on Twitter:

But will they get it?

The budget bill that was finalized and passed by the House and Senate contained $0 in new direct funding for cybersecurity. Instead MNIT would get about $2.2 million each year, the same as 2016-17.

The agency also brings in money through chargebacks – they do IT work for other agencies, and those agencies pay MNIT for the services. But it's hard to take dramatic, proactive security steps under that decentralized model, Crozier argues.

That budget bill was actually vetoed by Gov. Mark Dayton, and he actually cited the lack of additional funding as a reason. So will a new, renegotiated bill bring in more money?

Rep. Sarah Anderson, who helped finalize the vetoed budget bill, told GoMN the bill directs MNIT to fully consolidate state agencies– a process that started back in 2011 but hasn't been completed she said. That lack of progress "impedes our ability to effectively protect against attacks," she said.

And Sen. Mary Kiffmeyer, who played a similar role on the Senate side, told GoMN via email the offer they're working on now will "likely" see more cybersecurity funding. But she's looking for more future-oriented plans from the governor than she said she's gotten so far.

"Hacking is not new. We had 'paper hacking' in the past. Always attractive to those with bad intents," she added.