I just got back from the latest MN Broadband Task Force meeting where they talked all about security. The bad news? The experts agree there’s no way to build a security system that will keep everyone out all of the time. We don’t have enough people who are doing cyber security and the feeder channels aren’t full either. The good news? This is an area where Minnesota could excel, with schools and students poised to be qualified for well-paying positions in cyber security.
Policy makers ought to be taking a closer look at what’s going on. Maybe Minnesota needs a Cyber Security Task Force. Maybe the legislature needs to look at supporting the Office of Broadband Development to look deeper into it.
Also everyone is following what’s happening at the Legislature. The Senate is proposing $85 million for broadband; the House is proposing $35 million with some strong influence on how that is to be spent.
Read on for full notes and video:
Welcome, Introductions, Approval of Minutes
Welcome from Target – Thad Hellman, Director of Government Affairs
Update from the Office of Broadband Development and Update on Legislation/Hearings
Next week is a big week at the Legislature:
- On Monday the House will hear the Omnibus Bill. They are underfunded at $35 million.
- The Senate came out with $85 million and the details are different
We will have new maps by July 15, 2016 through Connected Nation.
- Dave Baumgartner, Vice President, Cyber Security, Target
- Scott Charleson, Sr. Security Risk Engineer, Red Wing Shoes
- Dave Notch, Director Cyber Security at KPMG
- John Marinho, VP Technology & Cybersecurity for CTIA —The Wireless Association
- Jim Moeller, Managing Partner, Moeller Ventures
What is the status of security today?
Security threats are getting more creative. It’s impractical to think that you can guard against every threat. The best plan is to have a plan for getting rid of intruders and limiting what you can access.
You have to proceed on the assumption that you will have someone on your network that you don’t want there. Small and midsized companies are in as much jeopardy as the largest firms build higher fences. As Target beefs up its security, intruders will look at other targets. We (at Red Wing Shoes) look at leveraging outside expertise.
We are used to a real-world response to an alarm – it goes off and we assess whether an intruder is in. It’s not that easy with cyber security. We don’t always know when something bad is happening. The hard part is recognizing when there has been a breach. Most organizations are testing themselves – or outsourcing testing. There’s a big push for information sharing and hope for pooling resources as an industry.
From the home-based user – the concern is even more challenging. I set up an FTP for my kids and it took 24 hours for a hacker to find the open ports. They weren’t successful at getting in but clearly a robot (from China) had found the potential hole and was working on it.
The criminals are opportunistic – they aren’t targeting any one person or business – they will just throw out a net and see what comes back. That is especially true now that larger businesses are locking things up tightly. One issue is that the hacker might not be getting to your files – but they are using your broadband connection for last mile connection to create larger havoc.
ATO is a hack technique that gets a password from one account (on a computer) and uses it in another place. That’s how the hacker might make the hacking profitable. Security can help the issue – otherwise you can get hacked simply from malicious ads, which capture usernames and passwords via keystrokes.
There’s a website (Shodan, https://www.shodan.io/) that tracks all of the unprotected home/business cameras. It is an indicator of how many home computers have security holes. The Internet of Things will open this up even wider.
What more can policymakers be doing on cyber security?
Does security sharing happen now?
Within industries – yes. But not for home users.
How far are we from using a barrier other than passwords for protection?
We had issues on hardware. Some folks are using a series of hurdles along with passwords. But it’s difficult for someone to use.
There are some ways to track how someone uses their phone to differentiate with an eye for authentication.
There’s a device that some people use like a biometrics barrier (but not biometric) that can be used as a secondary authentication barrier.
Do we have policies in place to support law enforcement?
I used to investigate breaches. In many cases the first question was whether we could figure out who the culprit was. It’s a growing field. We’ve seen successes at the federal level but they don’t want to get too much publicity and risk sharing too much info on the processes they use.
A big issue is figuring out what’s going on in the investigation and how can we make sure that this doesn’t happen again.
What are you doing with Denial of Service Attacks (DDOS)?
We have seen an uptick in attacks. We are working on it. MNIT, MNSCU, TIES, UofM are working on documentation for DDOS attacks. There is a free DDOS attack website where students can go and watch an attack on their school.
What is the potential cost of foreign and domestic attacks?
We can find it.
Do you have the talent you need to move forward?
In Red Wing we’ve been creating opportunities for kids to get interested. There are other things going on too.
We need more. We need more STEM opportunities.
We also need to teach kids (all kids) that security is important.
The military is putting out some people with the right skills.
We need more diversity in the field – gender and ethnicity.
Presentation: Carrier Hotel Risk – Mark Feil, Management Consultant, CO2 Partners
What is a carrier hotel? A secure physical site or building where data communications media converge and
The problem in MN is that most fiber traffic goes through the 511 Building in Minneapolis.
Built so that CLEC could transfer traffic cheaply and efficiently.
Rep. Pat Garofalo, National Council of State Legislatures Executive Committee Task Force on Cybersecurity
He was not available
Task Force Discussion of Cybersecurity
We need to increase education and increase interest in encouraging more kids/people to go into cyber security.
We should recommend that the legislature hear from the same cyber security panel. This could be the biggest issue for economic development and public safety. We need the providers, government and education sources to work together to warn people of the dangers.
Maybe we need a task force to focus on cyber security.
We need a consumer focus too.
Maybe we can do a scan of what other states are doing.
We agreed as a State that the Office of Broadband Development was important. Research shows that it makes a difference when a State has an office. We might encourage the legislature to recognize the need and fund OBD appropriately.
Like Police protection – what is the State’s duty in protecting citizens from cyber attacks?
This is on MNIT’s agenda. It’s difficult for small counties (and others) to address security given the simple capacity of staff time and experience.
We heard from Century College that there’s a gap of people in the security field.
There are jobs out there for people with the skills. How can we encourage more people to go into it?
MSP Win is looking at pathway work – getting students to get a taste of a job and the choices you have to make to get to a career. Seattle has been doing a good job of this.
Libraries are well poised to offer digital literacy lessons to the general public.
Follow-up/Recommendations on Task Force Discussion of Adoption: Follow-up from March 17th meeting
It would be great to hear from Tech Learning Centers
It’s helpful even to go visit places.
It would be helpful to talk about affordability too. Maybe a future meeting could focus on that too.
Right now there’s $500,000 set aside on House Bill for programs that focus on low income areas.
We were getting pushback from urban legislators not seeing their areas getting pushed forward but the affordability proposal seems to reach out to them.
Update from Subcommittees
Accessibility – looking at state regulations like Dig Once. First meeting is scheduled for June.
Looks like there are 304 things going on – at least since 2012.
We can tell folks that they should be looking at telecom regulation.
Right now there is a railroad bill in the legislature that is moving forward to standardize railroad interactions.
Wrap Up, Plans for May Meeting