State Government

IT outages, performance issues challenge state agency charged with expanded cybersecurity role

By Guy Page

The Vermont Legislature has given cybersecurity oversight of state government and private sector to a newly created board led by the secretary of an underperforming state agency in leadership transition.

That’s a glass-half-empty assessment of the Agency of Digital Services’ role in a cybersecurity board. At a press conference today, Gov. Phil Scott and ADS secretary presented a more positive view of the agency’s accomplishments and role in state government.

H.291, passed by the Legislature last month and signed by Gov. Scott last week, to create the Cybersecurity Advisory Council “to advise on the State’s cybersecurity infrastructure, best practices, communications protocols, standards, training, and safeguards” and “to develop a strategic plan for protecting the State’s public sector and private sector information and systems from cybersecurity attacks, evaluate statewide cybersecurity readiness, and conduct an inventory and review of cybersecurity standards and protocols for critical sector infrastructures.”

Chairing this new council is the state’s Chief Information Officer, a/k/a the Secretary of the Agency of Digital Services. Vermont has had two CIO’s in its brief history year, and the second one – Shawn Nailor – retires tomorrow, as announced June 22. The first – John Quinn of Berlin – left last September to take a private sector job. 

Turnover is the norm in the IT world. But in the case of Agency of Digital Services, the timing could be better. Yesterday, key state websites including the Department of Motor Vehicles were down for 10 hours due to a vendor mistakenly cutting a fiber-optic cable in Washington D.C., state officials reportedly said. In April, the State of Vermont suffered a 19-hour computer outage as a result of another cable error committed by the same company. 

And according to a report by Vermont State Auditor Doug Hoffer, ADS’s problems aren’t limited to careless vendors. Hoffer’s audit this May reviewed six Agency of Digital Services IT projects. Conclusion: “Despite comprehensive project management systems the projects generally cost more and/or took longer to complete than anticipated.”

So given the internal problems at the ADS outlined by auditor Hoffer, leadership transition, and repeat outages, is it wise, per H291, to give the ADS chief the lead role in cybersecurity not only for the State, but for the private sector?

“ADS is one of the best things we’ve done as an organization,” Scott said emphatically at today’s press conference. 

IT professionals are like baseball umpires – you only really notice them when things go wrong. But the agency he created as a new governor in 2017 has done so much right, Scott said: “Previous to having an agency oversee all the new tech, we did this in silos. They weren’t connected, they weren’t talking with one another. ADS has done an amazing job in bringing this together.”

Without ADS, “We’d be paying a lot more and have a lot more cybersecurity issues,” the governor said. After adding that the outages were “nothing that we have much control over,” he asked outgoing ADS Secretary Nailor to comment. 

“It’s been a point of pride to be a part of the creation of this agency,” Nailor, a retiring 35-year state employee, said. “The audit only was possible due to the transparency ADS has brought to state government.” 

He cited some ADS successes:

  • Establishing a cyber security ops center – something impossible in the silo era. 
  • $35 million in savings, elimination of a $7 million deficit. 
  • Moving forward with new projects and successes. 

ADS will have two seats on the cybersecurity council, which will have no rule-making authority – at least for the present. Nailor emphasized that cybersecurity oversight is needed to ensure that “critical services – water, sewer, electric, hospital – are all protected to a certain standard.”

Scott emphasized that Nailor is retiring after completing a highly successful 35-year career that began as a ‘car counter’ for the Vermont Agency of Transportation.

Categories: State Government

3 replies »

  1. Another useless wasteful committee. Cybersecurity moves too fast for this type of setup. Plus it’s another govt intrusion into private enterprise. ADS is the biggest offender in cybersecurity in the state with them punching holes in the tax dept firewalls. Plus they need to immediately cancel and rebid all contracts boneheaded Quinn did

  2. There is no such thing as cybersecurity. Secretary of State, Hillary Clinton had a wide open server in her bathroom, a hammer, and acid wash. 10% Joe Biden’s special global reach cellphone paid for by Hunter. The Dept of Defense and other federal agencies cyberhacked not long ago. Many businesses and municipalities hit with cyber ransomeware attacks. Our electrical grid vulnerable to cyber attacks because they are all connected. Cables running across the oceans subject to be cut (don’t think the Nordstream pipeline attack won’t solicit a payback attack?) Every PC, smartphone, or server manufactured in China has chips installed for surveillance. With all that, Vermont leadership has the audicity to pretend data collected and stored can be secure. The whole thing can be brought down in an instant. All IT is reliant on third-party vendors – there is no soverign control of data – a majority of it is stored in the “cloud” which they have no control over at all. Fairytales and lots of money wasted.

Leave a Reply