By Mark Lanterman
This past August, Gov. Tim Walz issued Executive Order 22-20, Directing State Agencies to Implement Cybersecurity Measures to Protect Critical Infrastructure in Minnesota.1 The order states:
“The critical infrastructure that protects the health and safety of Minnesotans is facing increasingly sophisticated cyber attacks. Addressing this risk requires both the public and private sectors to coordinate our efforts and harden cyber defenses. Ongoing geopolitical conflicts and the proliferation of organized criminal networks engaged in nefarious cyber activities means that we must strengthen our cyber defenses across our critical infrastructure. We must do all that we can to enhance cybersecurity, especially for critical infrastructure in both the public and private sectors.”
This order echoes the same sentiments as President Biden’s 2021 Executive Order on Improving the Nation’s Cybersecurity.2 Heightened criminal cyberactivity has necessitated a renewed focus on cybersecurity, private and public sector cooperation, information sharing, and the establishment of the Cyber Safety Review Board (CSRB). As discussed in my recent article “The Cyber Safety Review Board’s first report and the impact of Log4j” (B&B Sept. 2022), the CSRB’s first report aimed to explain the Log4j vulnerability and the steps that organizations ought to take to counteract its impact. The creation of this board, and its subsequent investigations, provide opportunities for teamwork between the public and private sectors in managing largescale cyber events. The Log4j vulnerability was an ideal topic for the board’s first report given how many organizations were affected and the potential for long-term consequences.
Similarly, Executive Order 22-20 looks to this kind of cooperation to improve the security of Minnesota’s critical infrastructure. The order stipulates new requirements for state agencies and the need to understand their current security postures and unique risks. These new standards call for extensive cooperation between specified state agencies, the Department of Public Safety, Minnesota’s Department of Information Technology Services, the FBI, and the U.S. Department of Homeland Security. Among many new requirements, state agencies are being tasked with monitoring cyber risk, assessing current vulnerabilities, increasing defenses, preparing for possible attacks, and utilizing appropriate tools. The order outlines deadlines for compliance and indicates that currently unincluded entities should still consult with MNIT to follow best practices (and that more formal instructions will be provided in February 2023).
Just as the nation at large finds itself at increased risk of international threat actors and an increase in cybercrime, so too does the state of Minnesota. In a recent interview, Minnesota FBI Special Agent in Charge Michael Paul explained that cybercrime in Minnesota is on the rise: “According to the FBI, there were more than 6,000 victims of cybercrimes across the state in 2021, which is a 50 [percent] increase since 2019.
The total financial losses for businesses and individuals was $82.15 million.”3 Many attribute this elevated level of cybercrime to the changes brought about by the pandemic, especially regarding the prevalence of remote working environments.
Social engineering attacks and targeted spear-phishing scams have proliferated, prompting many organizations to refresh their policies and update training procedures. A social engineering attack may involve tricking an individual into providing personal information, credentials, or even a device. This past September, I was interviewed about a cell phone theft ring in Minneapolis. The perpetrators would steal victims’ phones after making sure they were unlocked and proceed to access applications, transferring cash and cryptocurrency from victims’ accounts.4 It is advised to never give an unlocked phone to a stranger (think someone asking to borrow your phone), to log out of apps that have sensitive data, and to take a moment to create extra passwords and set accessibility controls for key applications (such as screen time settings on the iPhone).
As is typically the case, implementing security measures now is certainly worth the saved time and money down the road. In addition to the financial losses associated with cybercrime, reputational and legal damages are also common and can be difficult to quantify at the time of an incident. In the case of critical infrastructure, the immediate risks of an attack may be devastating. The order issued by Gov. Walz is focused particularly on critical infrastructure and ensuring “the life, safety, and property of all Minnesotans,” but all organizations and entities can benefit from assessing their security postures and determining how best practices are being applied.
Since critical infrastructure and the technologies that make up the internet of things are interconnected, our approach to security should be similarly integrated. On a national level, on a state level, in the public sector, and in the private sector, open communication and collaboration are essential to most efficiently protect the assets on which we all rely. Executive Order 22-20 provides a game plan for improving our state’s ability to protect its critical infrastructure. Thorough cyber assessments and evaluating risks lay the foundation for strengthening defenses and sharing information.
MARK LANTERMAN is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board.