By Guy Page
The Joint Information Technology Oversight Committee today stopped a sensitive briefing from the state’s top cyber-security officials because of concerns that bad actors could access the meeting on Zoom.
Three committee members – Sen. Chris Pearson, Rep. Seth Chase, and Sen. Randy Brock – attended the State House meeting in person. Three others – Reps. Martha Feltus, Laura Sibilia, and Sen. Tom Chittenden – attended via Zoom.
After reporting on how they assess risk to the state’s IT system, Agency of Digital Services Secretary John Quinn and Chief Information Security Officer Scott Carbee were ready to provide more sensitive, specific information in “executive session,” AKA behind closed doors. Information on data security is specifically exempted from the state’s Open Meeting Law. That’s when Brock, a Franklin County Republican, raised a concern:
“I’m uncomfortable doing this on a public platform,” Brock said. “Certainly if we were dealing with national security information, you wouldn’t do it on Zoom, would you?”
“I would not,” Carbee agreed.
“We are talking about information that I suspect would be useful to a bad actor, who might be interested in attacking or doing something nefarious regarding the state system,” Brock added.
Still, losing half of the committee members due to their Zoom attendance meant the loss of a quorum. A Legislative Council advisor said the meeting could proceed with the three members physically present on an informational basis, but no decisions could be made without a quorum.
Brock asked the three Zooming lawmakers for their opinions on how to proceed. Chittenden said he was okay with the meeting proceeding without him. Both Feltus and Sibilia were unable to comment due to technical problems. After several minutes, Feltus was able to comment, agreeing with Chittenden that the meeting could proceed without her. Sibilia still could not comment. Instead she texted Pearson, requesting she be able to participate. When finally able to speak live on Zoom, she strongly requested a meeting of all members in person.
After hearing from Carbee that none of the information was time-sensitive, the committee agreed to meet in person in late September.
No one at the meeting disputed that discussing cyber-security on an accessible platform like Zoom might be too tempting to cyber-crooks. The threat is real. The State of Vermont lost email service briefly during the SolarWinds hack, and all present knew that the UVM Medical Center lost virtually all internet services for many weeks after a “ransomware” attack last October.