On July 25, St. Paul declared a state of emergency. A deliberate, coordinated digital assault forced the city to shut down library networks, Wi‑Fi at City Hall, and online payment systems. Mayor Melvin Carter described the attack as the work of a sophisticated external actor and said the city cut off its networks to contain the threat. Gov. Tim Walz activated the Minnesota National Guard’s cyber protection team. FEMA and the FBI joined the response, underscoring the attack’s seriousness.
The episode did not just inconvenience residents. It exposed what still isn’t fixed. Minnesota’s digital infrastructure is robust on paper yet brittle in practice.
We know the threats; we just don’t act on them
This year’s incident followed a troubling pattern. In 2021, more than 5,800 Minnesotans reported losses exceeding $82 million from internet-enabled crimes. In October 2023, a ransomware attack crippled a document-management system used by 17 counties, compromising social-services data. Minnesota responded by modernizing its statewide monitoring initiative, providing counties and tribal nations with advanced detection tools and a Cyber Navigator program. Lawmakers passed a law in 2024 requiring public agencies to report cyber incidents within 24-72 hours. Yet the St. Paul attack shows that policy reforms and new software don’t replace discipline and practice.
I learned this lesson early. After the 9/11 tragedies, I directed all research and development on physical and cyber security for North America’s power sector. Our central finding was that every system fails; what matters is how quickly problems surface and who has the authority to act. When we designed the Master of Science in Security Technologies (MSST) at the University of Minnesota in 2008-09, we built it on that principle. The 14-month program blends methods, policy and applications, from cyber and infrastructure to supply chains and public health. About 30 students graduate per cycle. Students explore a range of topics, from grid resilience to food safety, and work on real-world projects. One group, for example, analyzed vulnerabilities at Target Field and designed counter-intrusion simulations. Alumni now serve in utilities, technology firms, and government agencies. They prove that Minnesota can lead in both information technology and operational technology risk management if we apply what we know.
How Minnesota can strengthen its defenses
- Surface risk early and empower responders. Systems must be designed so failures are visible and responders have the authority to act. Too often, alerts are buried in logs or routed through administrators with no crisis authority.
- Support local capacity. Many counties still run IT operations with a handful of staff. The state’s Cyber Navigator program is a step forward, but we need sustained funding for regional drills and on-call support.
- Design for failure, not just uptime. Resilience means a hospital or a substation can operate while under attack. That requires redundancy, manual overrides, and practice in degraded mode operations, not only cloud backups.
- Practice under pressure. Treat cyber incidents like snowstorms. Shutting off networks isn’t a security strategy; it’s a last resort. Regular exercises — like the Minnesota National Guard’s participation in international cyber‑defense drills with partners from Croatia and Norway — force teams to coordinate across language and legal boundaries.
- Report failures publicly. Minnesota’s new reporting law increases transparency. Every incident should produce a short, public review of what failed, what was fixed, and what remains unresolved. This isn’t about blame; it’s about readiness.
A legacy worth building on
Minnesota has long punched above its weight in technology. Much of the early internet’s core plumbing — distributed protocols, layered security models — was shaped here. The state built one of the first statewide cyber operations centers for government IT. It developed strong policies through Minnesota IT Services, the Bureau of Criminal Apprehension’s cyber‑crime unit, and the National Guard’s cyber teams. The Cyber Security Summit, now in its second decade, grew from this foundation, bringing together utilities, military, public safety, and private sector leaders to ask a simple question: Are we ready?
Higher education has reinforced that legacy. The MSST program I developed launched a pipeline of leaders who understand both IT and OT risks. Metropolitan State University runs one of the strongest applied cybersecurity programs in the Midwest, preparing students to defend real systems under pressure. These programs complement the Minnesota National Guard’s international partnerships. For more than a decade, the Guard has trained its Croatian counterpart in cybersecurity, a model of readiness built on clear structure, shared knowledge, and steady relationships. In 2024, Minnesota Guardsmen and eight Croatian service members drilled side‑by‑side in Slovenia, simulating malware intrusions and joint response. Earlier that year, Minnesota cyber forces trained with Norway’s air and cyber defense units and participated in the Locked Shields exercise. Such cross-national cooperation builds muscle memory before crises hit.
A discipline, not an app
Cybersecurity is often portrayed as a purely technical problem. It isn’t. It is a discipline of attention, communication, and governance. Minnesota has the right people, deep technical knowledge, and decades of leadership in securing critical infrastructure. What’s missing is disciplined execution: rehearsing responses, empowering local officials, and ensuring that when an alarm rings, someone answers without waiting for permission.
Most public systems now depend on digital control — power grids, water plants, traffic signals, and medical records. Damage will spread quickly if an attack hits the control layer during a storm or blackout. You cannot fix that after the fact. A focused system surfaces problems early, moves fast, and holds under pressure. An unfocused one stalls, drifts, and collapses. Minnesota has built leadership in this field for decades. It can still lead, but only if it acts now.
Massoud Amin is the chief technology officer at Renewable Energy Partners and the chairman and president of Energy Policy & Security Associates. He is also a professor emeritus and the former director and Honeywell H.W. Sweatt Chair of technological leadership at the University of Minnesota.
