State Fights Millions Of Daily Cyber Attacks — But Experts Say Weak Spots Remain
(Source: MIRS.news, Published 04/27/2026) Michigan's cybersecurity team is fending off roughly 4 million attempted attacks a day — but even with layers of protection, experts say the state's data systems are far from bulletproof.
Recent audits and outside experts point to a familiar problem: the state can build a strong front door, but hackers often find another way in.

"We're basically on a treadmill, and the bad guys control the speed," said State Chief Security Officer Rex Menold. "If they accelerate, we have to accelerate."
The Department of Technology, Management and Budget (DTMB) oversees cybersecurity for 20 state agencies, protecting everything from driver's license records and tax filings to unemployment, medical and education data.
Menold described the state's approach as "defense in depth," meaning multiple layers of security designed to stop intrusions before they reach sensitive information. He said the state also uses a "zero-trust" model, requiring constant verification before anyone can access data.
Still, some of the biggest risks don't come from inside the system — they come from outside partners.
Michigan relies heavily on third-party vendors to manage parts of its IT infrastructure. Those vendors must meet federal security standards like FedRAMP, but Menold acknowledged the state ultimately has to trust they're doing what they claim.
"We don't get access to their system to verify those things," he said. "We sort of have to trust them."
That trust is where experts see danger.
Recent audits — including one that found 11 unidentified users accessing a state system and another that flagged weak oversight of $6.6 billion in IT contracts — highlight how vendors and contractors can create openings for hackers.
Cybersecurity specialists say those weak points are often the easiest to exploit.
"They're not attacking the front door," said consultant Noah Kenney. "They're slipping in through the back door."
Ferris State University cybersecurity director Greg Gogolin pointed to another issue: "creeping authority," where employees change jobs but keep access to old systems. Over time, that can create hidden pathways into sensitive data.
He also warned that data breaches are so common that most people's information is already circulating online.
"We're actually just playing the lottery," Gogolin said. "It's just a matter of misfortune whether something happens to you."
Experts say gaps between systems — especially older "legacy" systems connected to newer technology — can also create vulnerabilities that no single agency or contractor fully controls.
At the same time, enforcement and accountability can be murky. Contracts with vendors aren't always tailored to specific risks, and when something goes wrong, responsibility can be unclear.
Despite those concerns, Menold said he hasn’t identified any major vulnerabilities in the state’s core systems and credited the Legislature for keeping cybersecurity funding strong enough to adapt to evolving threats.
But even experts who praised Michigan's efforts agreed on one point: perfect security doesn't exist.
"You can reduce risk," said cybersecurity expert Kayne McGladrey. "But nobody out there can be perfect. It's an unattainable goal."
For a state holding millions of residents' most sensitive data, that means the job is never finished — and the margin for error is always zero.
Gogolin also said that there have been so many data breaches over the past two decades that everyone has some data that has been thrown out for sale on the black market.
He said most companies don't know when they've been hacked and information has been compromised.
He said any fines levied against companies because of data breaches have also just become another cost of doing business to some organizations.
Gogolin said vulnerabilities of third-party vendors can also be hard for the state government to track and are ripe fruit for hackers looking to gain access to a system, though that also depended on the type of hacker that was looking to access the system.
He said many third-party contracts don't have technical people that help craft the language, so boilerplate language isn't always well suited to every situation.
"The arrangements for the portals, to a large degree, are only as strong as the contracts, but to a large degree, those contracts are only as strong as the people that are party to it," he said.
He said the layers behind the vendors are also more complex than what most people think, with multiple organizations being part of a larger organization, or running software from other organizations, which is in itself "ripe for problems."
Kenney said many of the security holes come from the gaps between the different systems, so from a previously unknown software vulnerability.
He said an audit looks at the gaps, as those vulnerabilities could end up being where the two systems come together.
"There's a lot of cases where no one party is entirely responsible for that vulnerability, because the vulnerability is really just a gap between the two different parties that are not communicating closely enough together or collaborating closely together," Kenney said.
He said some of the incursions aren't cyberattacks, but end up being someone accidentally misusing their access or authentication permissions, which can be a side effect of authority creep.
"We're seeing it a lot in cyber because there's not clearly defined guidelines for a lot of these things," he said.
He said without federal policy, businesses and state governments were left to define the appropriate controls by themselves.
"A lot of times the technology is moving faster than the policies, and so you need that access increased," he said.
He said that, from the side of the vendor, there aren't comprehensive privacy or security laws in the United States either. Enforcement of breaches is hard, unless it is done in a grossly negligent way.
To get around this, he pointed to FedRAMP and said there was a checklist for vendors that helped avoid litigation.
Kenney said being able to keep getting government contracts was the incentive to continue doing cybersecurity as a third-party vendor, which can end up being outsourced to subcontractors.
He said Michigan is much more centralized than other states, which has its own pros and cons, but he said those hackers aren’t attacking the data fort’s front door. They’re slipping in through the back door.
Kenney said organizations as large as the state have the unique problem of being large, but also not having a universally agreed set of standards.
He said the contracts can end up not being clearly defined, leading to gaps not being minded, and the point at which a problem happens is when the finger-pointing starts, because no one wants to take the liability risk.
Kenney said the biggest problem with state government ends up being the legacy systems they are working on, which are often connected to the newer systems, creating their own problems.
"Until we see the majority of these legacy systems upgraded to something that's more secure and modern, because they all connect and talk to each other and so if you upgrade one, and you don't upgrade the others, you're still going to have risk and vulnerability that comes into play," he said.
He said many of the problems can be solved by each department doing what they can to make sure their system is secure.
"If everybody would solve the issues they were capable of solving, the vast majority of the surface area is covered, and so that, to me, is where it starts," Kenney said.
McGladrey said he tends to think of cybersecurity in terms of risk; sometimes the risk is increased, and some things decrease risk.
He said after a data breach two things tend to happen.
"The breached entity issues a letter that often smells of white Italian shoe leather because it says almost nothing and presents people with some options for identity theft monitoring," McGladrey said.
He joked that he's probably got 27 years of free identity theft monitoring at this point.
If the data breach is big enough, then the lawyers come out of the woodwork and lawsuits and civil penalties start being thrown around.
Then people start getting fired, and more chaos is sown into the system, despite the CISO trying to do their best job. They are pulled into court and have to worry about pulling items for discovery rather than doing their job protecting data.
"It's an opportunity for well-timed threat actors to do additional attacks to either exacerbate their level of access that they have to increase it or otherwise make off with even more interesting information," he said.
He also said it is the reason states end up carrying insurance that covers cyberattacks.
McGladrey said a FedRAMP certified vendor means more reliability because of the hoops that must be jumped through to get the certification, and those certifications are updated all the time.
He said FedRAMP isn't quite as stringent as what is asked for by a Fortune 500 company.
The best cybersecurity was manual control, but doing things in triplicate on the old carbon copy wasn't nearly as efficient as the digital solutions that are being used now.
He said the risk assessment of where the most harm could happen needed to be looked at, with public health and human safety at the top of mind.
