By Guy Page

The Vermont Legislature has given cybersecurity oversight of state government and private sector to a newly created board led by the secretary of an underperforming state agency in leadership transition.

That’s a glass-half-empty assessment of the Agency of Digital Services’ role in a cybersecurity board. At a press conference today, Gov. Phil Scott and ADS secretary presented a more positive view of the agency’s accomplishments and role in state government.

H.291, passed by the Legislature last month and signed by Gov. Scott last week, to create the Cybersecurity Advisory Council “to advise on the State’s cybersecurity infrastructure, best practices, communications protocols, standards, training, and safeguards” and “to develop a strategic plan for protecting the State’s public sector and private sector information and systems from cybersecurity attacks, evaluate statewide cybersecurity readiness, and conduct an inventory and review of cybersecurity standards and protocols for critical sector infrastructures.”

Chairing this new council is the state’s Chief Information Officer, a/k/a the Secretary of the Agency of Digital Services. Vermont has had two CIO’s in its brief history year, and the second one – Shawn Nailor – retires tomorrow, as announced June 22. The first – John Quinn of Berlin – left last September to take a private sector job. 

Turnover is the norm in the IT world. But in the case of Agency of Digital Services, the timing could be better. Yesterday, key state websites including the Department of Motor Vehicles were down for 10 hours due to a vendor mistakenly cutting a fiber-optic cable in Washington D.C., state officials reportedly said. In April, the State of Vermont suffered a 19-hour computer outage as a result of another cable error committed by the same company. 

And according to a report by Vermont State Auditor Doug Hoffer, ADS’s problems aren’t limited to careless vendors. Hoffer’s audit this May reviewed six Agency of Digital Services IT projects. Conclusion: “Despite comprehensive project management systems the projects generally cost more and/or took longer to complete than anticipated.”

So given the internal problems at the ADS outlined by auditor Hoffer, leadership transition, and repeat outages, is it wise, per H291, to give the ADS chief the lead role in cybersecurity not only for the State, but for the private sector?

“ADS is one of the best things we’ve done as an organization,” Scott said emphatically at today’s press conference. 

IT professionals are like baseball umpires – you only really notice them when things go wrong. But the agency he created as a new governor in 2017 has done so much right, Scott said: “Previous to having an agency oversee all the new tech, we did this in silos. They weren’t connected, they weren’t talking with one another. ADS has done an amazing job in bringing this together.”

Without ADS, “We’d be paying a lot more and have a lot more cybersecurity issues,” the governor said. After adding that the outages were “nothing that we have much control over,” he asked outgoing ADS Secretary Nailor to comment. 

“It’s been a point of pride to be a part of the creation of this agency,” Nailor, a retiring 35-year state employee, said. “The audit only was possible due to the transparency ADS has brought to state government.” 

He cited some ADS successes:

• Establishing a cyber security ops center – something impossible in the silo era. 
• $35 million in savings, elimination of a $7 million deficit. 
• Moving forward with new projects and successes. 

ADS will have two seats on the cybersecurity council, which will have no rule-making authority – at least for the present. Nailor emphasized that cybersecurity oversight is needed to ensure that “critical services – water, sewer, electric, hospital – are all protected to a certain standard.”

Scott emphasized that Nailor is retiring after completing a highly successful 35-year career that began as a ‘car counter’ for the Vermont Agency of Transportation.