Yesterday I attended the Minnesota Broadband Task Force meeting. The biggest news? The Governor signed the Broadband Development Fund – as part of the larger budget. It happened without a lot of fanfare – but it happened – and it all started with recommendations made by the Task Force. The Task Force members seemed to be energized and ready to go to make more recommendations.
They also learned a lot about security based on presentations made and arranged by Mike O’Connor. I know the members’ recommended preparation for the meeting included the video below of Mike O’Connor so I thought I’d plug this in here too.
The speakers Mike brought to the meeting were interesting. The good/bad news is that Minnesota could become a hub of cyber security if we got businesses and education together preparing the workforce. The bad news is that the reason we’re so well poised is that the need throughout the US is great. But we need that partnership to make it work. Students must get hands-on training from practitioners. If I were a lot younger and looking at career options – I might have to look at cyber security for the money, the demand and it looks pretty interesting.
Here are the notes from the presentation. Careful readers will recognize the content from the original Minnesota Task Force report. It still holds up!
I listened in on the Infrastructure Subgroup (notes below) but was specifically asked to invite anyone with good ideas to let them know about them. So if you have ideas, feel free to leave them in the comments here or contact Dick Sjoberg or Bill Hoffman directly.
Read on for more complete notes…
10:00-10:15 Welcome/Introductions/Approve Minutes from April 29, 2014 Meeting
Welcome to new Task Force member Angie Palmer – IT Director at Lake County and representing Lake Connections, which is working on FTTP.
Welcome from Century College –
10:15-10:30 Update on Office of Broadband Development—Danna Mackenzie
The Legislature and Governor signed the Broadband Fund into law earlier this week. So now we need to work on getting that done. We have been preparing. DEED said a timeframe for getting something like this started is 6 months. We are striving to get it done faster. We hope to get something together by June 9, when DEED is planning a road trip.
Are there things the Task Force could be doing to support the Task Force?
We will be here for Admin support. We would like help setting up presentations for future meetings.
We are working on finding out more about funding from the Feds.
10:30-11:30 Subgroups Meet (Rooms E2311, E2322, and E2555)
Discussion on what the new group might focus on
Mobile access and affordability
Funding mechanisms – such as CAF
Streamlining permitting processes
Develop best practice list – what are other states/communities doing
We want to aim higher. Success from the last session shows that the state is behind some of our efforts.
We need to figure out what we want to ask for and what analysis we want to do to support it.
Interesting to see that the broadband $20 million is wireline. And wireless is OK with that. $20 million just doesn’t make a dent in the $500 million even just one company has spent in the last few years.
No industry invests more in this country than telecom – wireless and wireline.
We could look at expanding definition of telecom (outside plant) for tax exemptions. We’re the only industry that doesn’t have a capex type tax exemption.
Maybe we can look at tax implications of state money coming via grants too.
After talking to policymakers – it seems that there’s an appetite for more funding in the future. We could talk to politicians about what they are thinking. There might be an opportunity for the Task Force to make a bold move.
The OBD hopes to get the grant projects decided in early winter so that people can plan to deploy as soon as possible in spring.
What would AT&T like to have to be easier to do business?
Each day is different. Different states have different rules. We’re 2 years into a build. The problem doesn’t seem to be permits in MN. But phone companies might say something else. This unsession just removed telegraphs from the bills. That’s telling. Knowing where MN stands in terms of over/under regulation would be helpful. Indiana recently overhauled/modernized their legislation.
Is there anything specific?
It would be helpful to see if there is research on the topic.
Do we want to look at legislation that positively impacted broadband expansion?
Maybe there are some telehealth applications that are being fostered. It’s helpful to see what’s allowed and what’s not. Other states are allowing a lot more. Is it a policy issue, a technology issue, just a matter of looking at it again?
Do the hospitals have access to the MNIT network?
No. Not even public health folks have access. And we’re behind on EHR.
Maybe we need to look at that.
Are there challenges with low income adoption in terms of policy?
Affordability is the big issue.
If someone can’t afford a $30 connection – maybe we can work on a subsidy.
We’re doing Connect 2 Compete and Blandin projects. We have companies that will give computers – but they are XP. But now Microsoft won’t support XP. How do we deal with that? Can’t we put something together to help with upgrades – to aggregate need we might get better deals.
Can we support libraries too? They have a great draw on who they can serve especially in terms of minority populations.
We should think of community-based organizations too.
We could ask for a grant program where organizations could ask for the support they need – be it computers or software or other support.
Medical reimbursement for telehealth would help too. MN is not there; other states are. We could make that a recommendation.
Are there recommendations for school baseline connectivity? We could ask OET to look into it. Schools are working to get faster. E-rate is looking at a Gig to every school. Is the state looking at this? Is there someone at the state looking at E-rate issues? And what do you do when the school and buses are connected and the students aren’t connected at home?
We need to look holistically at getting homes served as well.
Has there been a study on best practices? We might see if there are some solutions we can borrow. We can look to Connect 2 Compete to see if they have any info.
Where are we lacking infrastructure and what can we do to reach them?
Connect Minnesota has a new report coming out next week.
What are some things we could lead with?
So far outside plant exemption (maybe only for unserved areas) seems like the best fit for this subgroup. Or maybe we need to look at un- and underserved areas.
Medical Reimbursement is a topic worth pursuing.
Should we have phone calls every two weeks?
There’s a special request for ideas – so if you have any ideas, please post them as comments or contact Dick Sjoberg or Bill Hoffman.
11:30-11:45 Subgroups Report Out (Decided to do that in writing later)
11:45-12:00 Legislative Update (Happened earlier)
12:00-12:30 Lunch (on your own in the cafeteria)
12:30-1:00 Overview of Security, Vulnerability and Redundancy by Mike O’Connor
In 2009 we were thinking about: Security, Vulnerability and Redundancy
Today we are only talking about cyber-security. When we were thinking about it, it was a community approach.
Goals: Distinguish MN as a secure and reliable place to work, play and innovate on the Internet.
Ensure that the middle-mile broadband infrastructure in the state has “no single points of failure” in the event of disaster
Ensure that there are multiple diverse high-capacity routes for “commodity” Internet traffic entering and leaving the state.
Ensure redundancy for public safety
Explore peering strategies and the degree to which they can contribute to our security, vulnerability and redundancy goals
Ensure that there are mechanisms to protect the confidentiality of sensitive information
Ensure that there is a robust ongoing multi-stakeholder collaboration in regard to security, vulnerability and redundancy activities statewide.
In 2009 we thought the Task Force would provide leadership and/or air cover – not that the Task Force would be the doers.
Success Story: MICE (Midwest Internet Cooperative Exchange) www.MICEmn.net For Minnesota peering traffic uses to 20 Gig bits per second today.
1:00-1:20 MN IT presentation
78 orgs under our control. We provide all IT services – infrastructure on up – such as the MNSure site. We have 2200 IT professionals. Looking to consolidate IT services (recently released cyber security plan)
Today the pipes we have are primarily infrastructure – but rarely include security.
When we buy connectivity (we manage 200 routers and thousands of circuits for our WAN) we don’t get security out of the box. Very little security is built in.
12 core services including:
What we do
3-4 monitoring tools – but they detect bad stuff that has already happened
Each month we do 100 investigations
The most vulnerable piece of the equipment is the personal computer
Netflow analysis tools
Security info and event management aka SIM technology (brings logic to system)
Federal Einstein systems
Enterprise vulnerability management
Malware can install almost anywhere online
So we assess electronically all devices always
The goal of providing broadband is great – but maybe we need to focus on “secure” broadband. At the State we can spend the time and money to operate safely, but that’s probably not happening in small businesses and homes.
Are there things we can do to move the ball uphill?
As more government services go online, how does that challenge the State?
We always assume the outdoor world is dirty. We assume that everyone is compromised and we architect the system so that we can deal with folks from the outside without getting dirty ourselves. Across the state we spent about 2% on info security; private sector spends about 5%. How can we provide secure browsing?
We are looking at Man in the Middle attacks, Heartbleed and all concerns.
What are you doing with social engineering?
We have awareness campaigns – including education and public messaging. We also offer a service called Securing the Home. It’s a broad-based security system. But I still question the effectiveness of the training because malware is not distributing from any website. The best way to distribute malware is to purchase an ad.
Cryptobit is what we do with ransomware. We don’t pay ransom. We rebuild the machines. We are also trying to trap those folk with honey pots.
Panel: Overview of Minnesota’s Information Security, Vulnerability and Redundancy Landscape and Critical Policy Issues
Moderator: Mike O’Connor
Panelists have been invited from public, private and educational sector.
Panelists will provide a 5-7 minute background/overview and then respond to questions.
Bruce Lindberg (MNSCU)
Our mission – produce a more extensive technology workforce. We work with faculty on new program development and curriculum updates. We do a lot of outreach in K12. We do professional development.
The need for security spans all occupations. We have a shortage of security skills – and we need them in lots of places. In the last 90 days – we had 20,000 positions posted that had some security skills listed.
We need security skills embedded in programs – not just offered as standalone classes.
Israel Aladejebi (MNSCU)
We started 8 years ago with computer forensics. We realize now that our graduates weren’t prepared for the field because faculty lacked the necessary training. There’s a gap between student readiness and positions open. So we revamped the program with hands-on experience. We need more people working in the field to help us teach. We need our instructors to gain recent experience in the field.
We are also looking at national certification. That provides a standard for recent graduates. We just did DOD accreditation. It’s difficult to get/give security interns. College should not be a place to get credit. It’s a place to demonstrate knowledge.
Scott McCoy (Thomson)
Has worked in a number of places doing security. CISSP – is required for most jobs but the curriculum they teach is dated. Over 80% of compromises happen from preventable incidents. We used to try to drive down accidents; we want to focus on prevention.
OSI (7 stack layers) – but the 8th layer is the user. The bad guys have gotten really good at getting people to click. The 8th layer should really be IT. IT is measured by how quickly they get things done and number of calls. Be careful what you measure. Maybe you don’t need quicker, but better.
4 areas of IT security:
You must prevent – but it’s futile. You need to use tools available to detect, investigate and remediate. There are very few people who do this well. We need better training – which is often peer training.
Kristy Livingston (Best Buy)
Graduated from computer forensics program; worked for government agencies and other places. Work in e-discovery – a connection between tech and litigation.
From DEED’s perspective – this is a bigger industry than people think – can you think of the best place you folks collaborate with peers and customers?
Upper Midwest Security Alliance – professional associations, Advance IT and others and we host an annual meeting. We also do workshops (mostly online) all year. It’s a good public-private partnership. We get 90 vendors involved.
We try to fill the gap with middle size businesses – the security is too expensive for them. (Security folks make at least 6 digits.) We teach curriculum for free or at discounts – that helps us provide professional development with school classes.
The security world is discombobulated but there are sector-based ISACs. They were spun up after 9/11. It brings people together to share threat information. It comes together at the Nation’s Cyber Security Center. Bad events happen daily – we send them all up to the center. So we share actionable intelligence. It includes people from all sectors.
There are some groups specific to forensics – often with a law enforcement leaning. They try to tie cases together. We use LinkedIn – but there aren’t actionable items in those groups.
What do you do with mandatory reporting? Does it help or hinder?
Lots of times it’s too late.
There are federal rules. And it’s different based on the information compromised. CISSP teaches how to calculate risk – likelihood is a big factor.
Not every state has a law. Minnesota does have breach notification laws and we’re pretty strict. There are different laws based on government versus private. And the appropriate law to apply is the state where the breach originates. But that requires people to know lots of different laws.
There are end user security education programs out there for people looking for it. Maybe nice to know what community ed classes are out there. There’s a website called Smartedz.
Reporting is a big issue nationally. Obama wrote an editorial on the topic. We shouldn’t mandate it – there are too many issues and it won’t work. Yet I participate in a very good reporting structure that isn’t mandatory. We need a reporting structure that provides value to them. It’s peer supporting and education. There were efforts to give immunity to corporations that reported; but that was controversial.
There’s a gap between training and need – are there bottlenecks or policy that would help?
It takes employers 3-6 months to find someone good and that usually involves cannibalization of the staff of others. The demand is high; the supply is low. Education and employers need to work more closely together.
We take students from 8-10 universities and create a simulation with corporate folks to get real world experience. A cyber dense project. We need more interactions – via competitions. Site visits, internships…
We produce about 1,000 graduations – we need between 10-30,000 graduates. One of our big problems – is the problem with faculty.
Are there any organizations where this is being discussed more broadly? Is there a place for MN to be a leader?
Does MIT give their state a competitive advantage?
We need to do something. We revamped the program in the last year. We need something that is broad, deep and rigorous.
MN Cyber Security Jobs Consortium is a more formal and systemic way to bridge education and employment. If we want to become a top 5 state, we need talent. Employers know where the talent is.
How is Minnesota doing compared to other states, and/or how is the US doing from a global perspective?
Our report card grade would be a top 10. But we play in a bad neighborhood.
Pay grades are an issue.
What do we need for the next meetings?
The subgroup reports will be shared via writing.