Even before a cybersecurity breach was discovered at the Minnesota Department of Education (MDE) last month, the Minnesota legislature already authorized $107 million to protect state and local governments from cyber attacks.

“That threat landscape, if you will, will continue to change and continue to evolve,” Minnesota’s IT Commissioner Tarek Tomes told members of the Legislative Commission on Cybersecurity.

The regularly-scheduled meeting comes less than a month after the cybersecurity breach was discovered at MDE. In that case, hackers gained access to a server using software called “MOVEit,” a file transfer program.

 “The scope (of the breach) was fairly limited within Minnesota,” said John Israel, MNIT’s chief information security officer. “The bad actors were in that server for about 15 minutes, were able to access 24 files.”

But those 24 files contained information on more than 95,000 Minnesota students. Still, that’s much smaller than the 750,000 people impacted after a breach in California’s Public Employee Retirement System that also used “MOVEit.”

“The threat continues to evolve and grow throughout our nation and throughout the world, specifically when it comes to cyber risks,” Israel told lawmakers on the commission.

The Minnesota Legislature already earmarked more than $100 million for cybersecurity in the recent 2023 session. The funding includes $33 million to help cybersecurity efforts across the state, $34 million for data cloud security and $40 million to modernize and enhance apps the public uses to access government services.

Rep. Jim Nash, R-Waconia, who works in cybersecurity in the private sector, says hacking of government systems is just a fact of life no matter how much the legislature spends on enhancing security. 

“This never ends,” Nash said. “It’s a very profitable enterprise for the people who do this, and it is not something we are ever going to get out from underneath. No amount of spending will get us where ‘we’re immune,’ It just doesn’t work that way.”

All those remarks were made in a public portion of the commissioner’s hearing. They later went into a private session to learn more about the MDE security breach.