Good morning. How are you? I'm fine. Scott Carvey, Deputy Chief Information Security Officer for ADS. And are we expecting Secretary Quinn? Yes. Do you want to wait? Do we... He's right out there. I think this portion is all we're talking about anyway. The one person I am laying on is Josh Diamond to provide you some... Right, but we have a little time for that. Okay. So I just want to make sure... So I think first we want to hear from you about the Cyber Directive, 1902. And what I think would be helpful is for you two to talk to us about... Just help us understand why that came to be, what that is in response to, and kind of how that's being rolled out, monitored, and assessed. More than the minutiae of it. Help us understand the big picture here with regard to this and how it's going to affect our Vermont systems and Vermonters. Sure. For me, this is all about outcomes from the risk and vulnerability assessment that we had with DHS. So we're looking at... And I know that Josh and I are going to talk about that here in a few minutes, in a little bit either way. But for us, the outcomes of the RVA assessment are what have driven this Cyber Directive. And what it basically means for us is that we always anecdotally knew that we had vulnerabilities or risks within our systems. But the RVA assessment helped us sort of narrow that down and provide evidence-based activity that somebody... And I apologize, sometimes I'll just wander around in my head a little bit. But you can look at a system and you can know that a system is vulnerable when you have a certain level of experience within that system. But there's a tendency to say, well, we've never been hacked, intruded, attacked or otherwise. So maybe it's not really a vulnerability or maybe the risk isn't high enough. 
The risk and vulnerability assessment really gave us that evidence by having a trained team come in and do the penetration test and say, yeah, actually you really are and here's a list of all of the things that we recommend the unit changes on. So that's just a little bit of background as to how we get to building out the Cyber Directive. And remind us again when that assessment took place. Sure, that assessment occurred the last week of April and the first week of May. It occurred in two phases, both an external off-site assessment where they blindly just attempted to intrude upon our network, with no input or verification from us of what was or wasn't in place for protections. And the second portion they came on site and internally we gave them access to our internal systems. Not privileged access but access to basically plug computers into the network and begin working on the internal assessment. Legislative access maybe then. No, actually I think Kevin can address that. But you guys have protections between our systems and yours and as well within the rules we gave when we discussed with them certain areas that we didn't want them intruding upon. I just had a question. You said they were trying to penetrate our network and see where we were vulnerable. Did in the process, did the systems we have in place or protections we have in place detect any of those attempts? Yes. Well that's encouraging. Somebody's trying to get in. Not all of them. No, I assume that's true. But there were certain ones that were obvious. Intrusion attempts that our edge devices immediately were like, hey it looks like an attack. And these systems that we use often detect and prevent an attack by just, it has the right parameters to it and it just shuts it down. So often all we get is an output report of these are all the ones that I blocked for you today. 
Well you mentioned that you gave them certain guidelines as to areas that they could not examine, the legislature presumably being one of them. Does that suggest then that there are areas that are concerned that we still don't know the kinds of things that we've learned from the DHS project? I would say that the answer to your question is yes because we did not, this was a limited two-week engagement. The output from the team chief himself was like, wow we could spend 30 or 45 days here if you really wanted us to dig down deep. What they did was they did an overall assessment, found some areas of vulnerability, demonstrated to us what those areas of vulnerability were so that we could take action. And basically in that case it's trying to ensure that the enemy of the good isn't the perfect. Making sure that we can raise our security posture with a minimal amount of effort rather than placing maximum effort on that last 20 percent. Well the question that I've got though in terms of risk assessment is is there included in that 20 percent something that could be a nuclear explosion in effect. In other words have we looked at the areas that are of most significant risk to the state or are there areas that we haven't looked at that represent a major risk? So I'll answer your question in saying that primarily what we looked at with this assessment were normal regular hygiene type issues. So we did not do a specific penetration test on any one system to assess the depth of the vulnerabilities of any one system. We did an overall assessment on the system as a whole to assess issues such as password security and patch management and those are that lower 80 percent. If you put the effort into you've really, I like to say we give ourselves a B minus if we can successfully meet all of those and a B minus is better than an F any day. I'm not sure if I answered your question. Not really. Okay. 
I'm really asking is in terms of prioritization there's some systems that could bring the state to a halt. For other systems if they failed we wouldn't really care about. It's those things that would bring us to a halt that I'm concerned about and whether or not those have been the kinds of things that have been assessed or are there some of those that haven't been looked at at all. And so you know I want to just kind of go in between these two pieces here. So I think what I'm hearing what I've heard characterized before is basically you've checked to see if all the windows and doors are locked. Yes. And you did not go in to see if the access to the you know heating system was safe or you know vulnerable. It's more you know have we prevent anybody else from getting in to check on. Yes to some extent what we're really trying to do and I will answer your question here in a second senator. What I'm really trying to do is get to a point where overall we're confident in our security right. We're not having to have somebody stand at every window and look at every possible person that walks by on the street and wonder are they the guy who's going to try to steal my TV or you know to continue the metaphor. What we haven't done is those deep assessments on systems. But we can't but I can't tell you that that they haven't gone unlooked at because we do have federal compliance audits that we do on a periodic basis. Periodic. Mostly three year three year rotations and I know secretary Quinn may be prepared to talk about some of this later. But Social Security Administration IRS Centers for Medicaid Medicare Services require periodic audits of the of those systems. And if you want to start thinking about privacy and vulnerability issues those are some of the key places. We've also as you may be aware not aware partnered with the grad school at Norwich and every year during their annual week of residency. We choose a system for them to do a penetration test. 
So that we had one done in the AHS arena last year. We had one done in the resources arena this year. I will say that they're somewhat limited engagements because they're very time limited. But they do give us some nuggets to look at into attempt to remediate. To follow up on Senator Brock's question is there's someone who has have we identified that these are really crucial systems. And if they in fact are brought down would have very significant impact. You know maybe the agency of AG wouldn't rise to the top. If you can't execute financial transactions for example or you can't distribute benefits to thousands of Vermonters the first of the month. I'm just doing these out the top of my head. Then the implications of having those systems down are very serious and very pervasive. I'm just wondering if we were to identify or heavily these are the most critical systems in that 20%. And I do know the human services certainly any of that data with IRS. So I just I'm just thinking we have a wide range of systems out there. Some are you know someone probably love to have a function for a day or two. So has that been done. I guess that ties into you what's in that 20% that you know if that would put this state at greatest risk or have the greatest implications if we actually had that system brought down. So I'm not. And I wouldn't want you to identify them. I just want you to hasn't. Yes, please do not. No, but really I think I don't think the legislative I'm sorry it system would be atop of the list. They could take my email any day. But there are other systems that. So the one thing that I haven't stolen. I'd like to sort of circle back on is that overall there are systems that are sensitive and what we attempt to do is we prioritize systems of criticality right now based on the compliance models that we have to work with whether it's you know as I mentioned Social Security and IRS and Centers for Medicaid to roll in. Can you stop and say that again please. You. Right. 
So we we know that there are critical systems and right now those systems are prioritized based on. Those key pieces of federal privacy compliance are met. So anything having to do with the IRS. Social Security Centers for Medicaid Medicare. Those are some of our primary ones. DPS is concerned with CJIS compliance, which is criminal justice information. But what I don't particularly know and I'm not trying to I'm not trying to hide anything or it's that we don't know what we don't know is critical because I'm an I'm an IT guy right. I work in the IT space. I understand my business and information security, but I don't know that there isn't, you know, one computer sitting somewhere with a critical piece of information that could bring down significant portion of benefits being paid or otherwise. Just for instance, one example that was given to me yesterday was what if the, you know, what if milk production logging was just stopped from all the farms. That's something I wouldn't have considered. Right. Like how would farmers get their milk to market? How would we know who's getting paid? How would we I don't I don't there are hundreds of systems probably in state government that have small and critical pieces to them. And I don't want to go back and not give you an answer your question, Senator, but I'll just go back to saying the basic hygiene is really what we need to work on those issues that this RVA assessment helped us identify, make all of the systems more secure than they are now. Once we have hygiene taken care of and out of the way, it'll be easier for us to go through and start identifying those smaller, more targeted critical systems. Well, I guess what I was asking you is it was there is there a risk-based process that exists that prioritizes the things that are most important to protect? I think you've answered that question. Okay. For me. It's federal privacy compliance. Well, that's federal privacy. 
Privacy, the federal government doesn't care if we don't pay our employees. Correct. But that's not where we're at. But our prioritization might be different than theirs. It might certainly include the federal compliance requirements, but there may be some things that are much more specific to us. And it doesn't seem to me that we have a risk-based process of actually identifying those. Now, also to follow on to the issue that you raised about blocking all the doors and windows. It just brings back an old story from the Army of this barracks that had a problem with barracks thefts during the day when the troops were out. And so a directive comes down to lock all of the barracks' doors and windows. But then they found that one NCO had to get into the barracks during the day. And so the order was changed. We're going to lock all the barracks' doors and windows, except we're going to leave one door open. That's what I'm asking. We have that situation. I would say that, yes, we do. But what we're trying to do, and some of the, you know, and I don't know if you guys are interested, you guys, I apologize. If you are interested in hearing what our sort of plan of action is a bit with the cyber directive, which might also help you answer some of those questions. Well, we definitely are. And that is what we want to have you testify on. The, I do want to ask, do you have a, you know, I hear you about, we don't know, we don't know. I understand the, you know, 80% makes some sense to me. Is there, how are you, is there a system in place where you're trying to get to that, to no more? Or are you really focused on, right now, just like cleaning up? We're really focused right now on getting that first 80% cleaned up, you know, and, you know. So, so I just, just to clarify, so we're not really looking for any of those in any kind of systematic way, deeper issues on some of our critical systems. We are not. 
I would think that also would be a much broader conversation than digital services. This would really require the managers of those functions in state government to participate and set, you know, set that, do that assessment of what falls in. Because everybody's going to say my system's critical, right? And so pretty soon the 20% is 80%. So I just think that that is probably a discussion that would have to involve at the cabinet level, frankly. That also answers your question a little bit about what we don't know. Because as you said involving other agencies would help us also identify what they consider critical, so that we can set an overall. But that gets into that whole process that you're talking about that is disciplined and consistent across all agencies. So, do you want to, let's go to the cyber security directive and just to tell us also who is under this, how this was issued, you know, how it will be, compliance will be measured, etc. Okay. So primarily the purpose for the cyber directive is to address the issues that were identified in the risk and vulnerability assessment. Apologize, I forgot the acronym for a moment. And this is going to affect all systems that either fall under the authority of ADS or are connected to ADS systems. So in some cases we have relationships now with the treasurer's office, we have relationships with the auditor's office, we have relationships with the judiciary, we have relationships with other constitutional officers. And those systems as they connect to our systems will also need to be brought into compliance and honestly that's the right call. One of our concerns about keeping it either just within the agency of digital services or just within what I'll call like the core executive branch functionality is that we do provide valuable services to other areas of state government and we really shouldn't allow one area on our network to be more vulnerable than another area. 
So do we have any areas of state government that are not falling into this? I will not be doing anything with the legislature unless Kevin and I want to talk later. Yeah, exactly. But we won't be doing anything with the legislature and the Secretary of State's office maintains their own systems. They sign on to the risk and vulnerability assessment and were assessed at the same time as we were and John Welch, their IT director and I had a couple of conversations as well as Secretary Condos about better communication between us. But right now we will not be subjecting their systems to our directive. Yes. I need to ask you, you're using the term directive and we have this document, cybersecurity strategy. Does the strategy report a product of the direct, could you just clarify for me the words and the documents that we have here? So we have these cybersecurity directives that we've begun issuing under Nick Anderson who you guys met a couple of times. He left. He went back to the district. And oh, trust me, I know. We went back to the district and what his strategy was was for us to rather than try to come up with this overall umbrella of everything that we should be doing before we do anything is to target individual areas. It's sort of like our IT projects. We used to do everything and it would all fall of its own weight. Correct. And nothing happened. So now you're chunking it out. Right. And chunking it out is a great way to put it. And so the reason that this cyber directive is, so the first cyber directive you may remember was the, the Huawei and Kaspersky directive that we put out so that our vendors are not using vulnerable equipment or software in the support of state activities. And that speaks to supply chain management. That speaks to, again, vulnerabilities of another piece of somebody attaching to our network that may be causing issues. This directive that, you know, and I will tell you it's in draft form now. So it's not ready for prime time yet. 
We're still working with the AGO's office on. Okay. And it still hasn't been pushed out. There may be some draft copies out among our leadership and some of the other IT managers, but that's more in preparation for them to understand. Because there is a fairly short timeline once the directive begins, you know, things like 45 days to have all systems that are connected to our network identified. And that's a 100% requirement. So we want to make sure that if there is something that is going to take longer than that, that we get good feedback from people and have them say, well, I'm going to need another 15 days or however long it's going to take them. So that's what the directive is. So actually it's going to be a series of directives. There will be a series of directives. It's not one single product. And those directives will be in support of the information security standard that is also pretty much, I mean, right now I've kind of got them both sitting at the edge of publishing. And so the directives will support our information security standard, which will be issued to everybody will be able to see that to know what our standard is so that they will know how to behave and act with our systems. So, I lost track of. I'm sorry I just was trying to understand that. Yeah, yeah. Okay. So, not issued yet, but will be addressing. And who, so this will go across the systems. And with the exception of the Secretary of State's office in the legislature. Correct. And these are, can you describe the types of, not specific, but the types of activities that this is looking at? Yeah, I've broken it down into four primary activities that we're going to address. Patch management, password policies. I apologize, I have to look. Web services and our susceptibility to phishing and spear phishing. 
And as you guys recall, you had a witness in here last month who began talking about all the different types of phishing and spear phishing, and I think he introduced you to the term whaling at one point. And so we, like any organization, are susceptible to that as well. We're not as bad as some and we're not as good as others. So that's another area that we would like to target. And I can be a little bit more specific on each of those if you'd like. That'd be great. I'd like you to be as specific as you can be, actually. Sure, okay. So let's talk about, I'll start with patch management. So it's a process that helps us acquire and test all versions of the software that runs within the confines of our network enterprise for an easy way of saying that. Basically what we need to do is we need to regularly scan those systems. We have a centralized vulnerability management system that scans, runs against its database, tells us what systems are vulnerable and what systems are not vulnerable. There's weaknesses in that system that you can already imagine. What if you don't know what you're supposed to be scanning? Are we scanning 100% of systems? And the answer is no. We've gone from approximately 30 to 40% of systems a year ago to somewhere in the low 90s now. But it constantly amazes me and you'll forgive me for maybe speaking in metaphors, but it's like moving out of a house and you say, okay, we're done. Let's just go back and do a cleanup and then you fill the trunk of your car and another trailer full of stuff boxes and stuff. Every time we think we're just about there, we find another little piece or another block and so the directive is meant to target that. Target the remaining. Target the remaining. That there is no, we need people to positively report what they have versus us trying to discover what they have. And so the directive will have people positively reporting to us. Like we notice you've given us a scan that has 300 systems on it. 
I am actually tracking that I have 325 systems and these are the 25 you're missing. That allows us to put them into the scanning system, vulnerability management system and track those vulnerabilities. So that's the why and the how where we get to with patch management. And I mentioned we wanna have 100% of our systems scanned and patch status reviewed. We run our scans weekly or monthly based on the load that it would put on the network. But most systems are scanned weekly. The patches are applied according to severity. So highs and criticals will have a much shorter timeline to remediation than moderate and low vulnerabilities. And if you're not familiar with that, I mean everybody's familiar with a high, medium, and low grading scale, but that is high and critical is two distinct categories at the top of vulnerability management scale. And then it moves down to moderate and low and what are called informational at the very bottom. Can you define patch? Because I know vendors will provide patch, and I assume patch could be something that your staff does to respond to a particular situation. So can you? Sure, a patch isn't so. Like patching a tire, right? It's like, you know, you certainly wouldn't wanna, you know, I mean, how often have they all done in-house or they've done. Band-aids on top of band-aids on top of band-aids. You don't want that. So patch management is actually in cooperation with both, you know, vendor-identified vulnerabilities and industry-identified vulnerabilities where code changes are input into an application of our system. So are some of those patches actually developed and provided by vendors? They're all developed. They're all developed. You're not being done in-house. Only time that we would provide our own patch to a system is if it was an in-house developed system. And in most cases, we would use whatever the methodology was of the industry-identified vulnerability. 
So for instance, if it was a, you know, a mail client that was running on a database that shouldn't have been running there, the industry would have identified that those systems were vulnerable and we would have our developers go in and write the code to remove that email server vulnerability on that system. So patching, I agree, patching can often sound like it's a little haphazard, but it's actually changing the code to ensure that the system is no longer vulnerable. So it's, if that helps with that. Yeah, Nabi's just trying to sort out how much is done by staff, state staff versus vendor, but it sounds like mostly it's done by the vendor. Yeah, so applying the patches is all done locally, right? The only time a vendor would apply a patch to a system is if it's a vendor hosted and vendor managed system. So, and the key reason for this patch management, I think you can all understand is that systems that we miss, either in the inventory or miss patching create gaps in security and every chink in the armor, every door in the barracks that's left open is one more way for somebody to intrude upon our system. So, the closer we can get to 100% on our patching and patch management, the better off we're gonna be. So, the second area is web services and as I said, the RVA from DHS, the risk and vulnerability assessment they did. Identified externally that we had web servers that were vulnerable to some, I don't wanna say common, but manageable attacks from the outside. So, what we wanted to do was in this case, the software that they identified that was vulnerable and forgive me, a lot of these have some overlap to them as well, but insecure web services either due to a lack of a patch on the web server or the opening of ports and services on a web server that shouldn't be open for the function of that web server. 
So, in other words, if you have a pencil and a pencil's meant to write and erase, you don't need to have a flashlight on the side of it and add all kinds of extra things that are never gonna be used. You want it to write and erase. So, that's what we want our web servers to do. Whatever the identified function of the web server is what we want it to perform for functions and we don't want it to have any other functionality. This is a question triggering dark web. I don't even know how you would access the dark web, but it's, when you're talking about this, it's a dark web just totally a separate issue of concern. In other words, I don't even understand the dark web. That's not a great question. That was a great question. Well, we don't have any of our systems within the dark web. That's, I think, a bonus. What is a dark web? Yeah, so. I mean, I think of it as obviously something that is very dark. It has weapons, it has terrorism, it has this or that or pornography or whatever. So. Yeah, I'll define it as a distinct and separate area of the internet. That you need to use certain methodologies to access it. And mostly that is through a system of browsers called Tor browsers. Do we allow that on our state system? We do not allow that on our system. All right, I guess that was really part of my answer. No, we would prefer that our users are not browsing the dark web. Would you be able, would your surveillance systems detect that? Absolutely. Okay, all right, thank you. So, I was on web services. So, but with to tang on to the senator's question here, do we monitor the dark web ourselves for states? No, man. The, it's a. To see if we have any kind of state information or is there any kind of. I do subscribe to a few services. There are services that aren't out there a lot. Some of them are not for profit systems. Others are profit systems that they scan the dark web and alert you to certain things. 
So on occasion, I will get an email from a service that says, you know, we've discovered 20 at vermont.gov email addresses listed on this server. And so in that case, we, you know, typically go in and we identify the users and we quite often they're well out of date. They may no longer be employees or if they are employees, the cycle has passed since that compromise or since that listing occurred. That their passwords are no longer valid based on the username and password that was given on the dark web. But in any case, we still have them change their password. We do have some employees that actually are investigators. I think they might be at the attorney general's office, their surveillance for pornography and other illegal activities. Would they be using dark web too? That's part of their, just their normal job duties. Not. And then they could get permission or. Not that I'm aware of. I can't imagine doing that job day after day. No, I can't do that. So is there a standard best practice for states in terms of that kind of monitoring? Not that I'm aware of. It's, I would, and I'm just guessing, I'm guessing that we could probably subscribe to a service that would do that for us. Dig in and try to find whatever was out there. It certainly wouldn't be, I just don't think it would be necessarily a good use of a state employees or a team of state employees' time to be just browsing through, looking to see if they stumble across something. It would be more prudent, I think, to find somebody who knows that area of the internet better and knows what they're looking for. Okay. You learn something new every day. Thank you for that. Great question. 
So I was talking about our web services and if you'll remember my example of the pencil or the eraser and what it serves as or for, but also any server that is vulnerable and using that vulnerable software, in some cases that software vulnerability is because the software vendor no longer exists or is no longer updating that product, but it's a web server that we've had that's been performing a function for state government for years, sometimes a decade or longer. Others are just unpatched versions of current softwares, which again gets me back to the patch management piece, but the directive will talk about, immediately patching those systems, the directive will talk about migrating to new systems, if that's an expired or a no longer supported system. And in the short term, migrating whatever services we can from insecure servers to secure servers. What percentage of our servers are insecure servers? That is, let's not have that discussion right now. Is that an unknown or? I would say that I could probably bracket a percentage for you, but it's not a large percentage. It's probably in the 10 to 15% range. We don't have a tremendous amount of edge level externally facing web servers. And it tends to be the secondary tier that would have that level of vulnerability once you've already browsed into a state system, then finding a level of vulnerability there. And these are nothing, what I'm saying is nothing that isn't like a new screen known sort of owner of the world. This, we're not the only ones out there that have this issue, whether it be a lack of using secure protocols on websites or unpatched softwares or updated softwares. That's, we actually do quite well. In that regard. But this is most of this, like would you say that 10 to 15% is known to you? Yes. So the next block is a discussion around password policies and one of the, there's some shifting guidance within standards on passwords. 
Some organizations are moving toward doing away with passwords entirely in favor of hardware tokens, behavior-based- What is a hardware token? A hardware token. You may have seen somebody at some point carrying around a little fob for their key chain and it's got a set of digits that continually updates on it. That's a hardware token. Or people have USB keys now that can act as their password. Either of you have one or Jeff? Kevin? When I actually was in the judiciary, anybody with privileged access had an RSA token. Do you have, like, could we see it? So we've actually migrated to using apps on the phone that serve the same purpose. We're still doing that kind of authentication. So that's the second, that's those tokens can either be a hard token, a physical device or a soft token, which is an application that runs on your registered smartphone. And so it provides a secondary factor of authentication for you to get into a system. Kevin? Generally speaking, for the record, Kevin Moore, Deputy Director for IT for Legislature. Generally speaking, I believe what Scott's getting at is multi-factor authentication. It comes in a variety of forms. The general guideline is something you have, something you are, something you know. You can use two of each of those at any given point in order to authenticate to a system. A hardware-based token or software-based token is something you have in your possession. And then you add another factor, such as a password or an ID of some sort, a username. It's a way to harden that initial access to come into that system. So can you, not to get super in the weeds, but I'm really fascinated by this token. Like, how does it work? Is it like, you know, like a biometric hang or something like that? If you might, Scott. Not sure. For the record, Jeff Lower from the Judiciary. This is the software version that's mimicking what the little fob we used to use. So every 30 seconds, that number changes. 
And what happens when I try to log on to resources from our network, which we share the network with ADS, it actually gives me a message on my phone and says, are you trying to do this? Okay. Oh, sort of like your credit card. Are you purchasing this? It's much like the credit card that texts to a number now. That methodology is not as secure as this methodology. Do you use a password, then you don't have to remember a password? I'm still using a password as well for the network. This is a second level, like Kevin said. It's another level of authentication that ensures your access. So for our Judiciary staff, anyone who wants to access a file in the network who's not plugged into the network has to go through this method. It's one more thing we can do. I'm envisioning this in the legislature. What about those of us that don't even use a cell phone at all? I'll be out to lunch, of course. There are other ways. You can manage your life. It's better to use it in the legislature. Yes. I think that, and I didn't mean to sidetrack by talking about what emerging doctrine is within passwords. Let's talk about what we do currently. And Jeff illuminated that quite well. So we attempt to use wherever possible two-factor or multi-factor authentication. So you know your username, you know your password, then you're prompted through either an application or a token for you to authorize that connection. What that would keep from happening is if you weren't logging in, but somebody had your username and password, they could just log in. But you would then get a prompt on your phone that says, thanks for trying to log in to the Microsoft server. Are you really trying to do this? Yeah. And if you say, if you don't answer, it treats that as no. So you have to answer in the affirmative in order to be able to get through and for it to log on. 
So the supposition is that if you manage your username and password and you get the prompt and you say yes, then we've now verified a second factor. So that, we currently use that for external facing systems, but we don't use that on our internal systems. And what the DHS assessment team found was that our passwords in some cases were guessable or crackable. Password cracking is basically just decrypting or figuring out what the password is. You've all seen that on the movie somewhere where somebody's running a password cracker and it slowly begins to populate their password. That's a bit of a misnomer, but it illustrates the point. So our passwords were, some passwords, not all, were easily guessable or crackable. And they then use those credentials to continue moving deeper into the system. If we had multi-factor authentication incorporated across all of our internal systems, that would be less likely. In the interim, what we plan to do is to increase, and I can hear every user in the room right now starting to groan a little bit, but we have to increase complexity on our passwords and we have to shorten the duration that those passwords are good for. That is how we're going to bridge the gap between now and when we do eventually put in a multi-factor system internally. Okay. And then I already alluded a little bit to this. Our last sort of rock in the load with the directive is our susceptibility to spear phishing. Spear phishing is phishing, you know, emails that are sent to you for a purpose of either trying to gain information or gain access to your systems. Spear phishing is more targeted. So maybe you would target members of the legislature or they would target executive members of the administration trying to find figuring that people with certain levels of privilege within their job position might also have levels of privilege within their network. 
And so we found that during that assessment, the spear phishing portion of the assessment that we had about a 9% susceptibility rate. What does that mean? That means that 9% of the users that we sent the spear phishing email to clicked on it. It's a clicked on an attachment. Clicked on an attachment and that's what it was. And the attachment had a malicious payload and that malicious payload was meant to also provide credentials and access to the risk assessment team. That seems really high to me. It's actually not high. It puts us pretty much about in the mid range. Of what, the states? Well, these are industry level statistics. So a good percentage is considered down in the low single numbers, two to 3%. A poor number is considered in the high teens, 17, 18%. There are organizations that are based on just workplace culture and trust and otherwise some of those organizations are even more susceptible to that kind of spear phishing. So the directive also has us, we're going to institute a new type of security awareness training, which is more constant, shorter modules more often rather than once a year sitting down for an hour and a half. Once every two months you can sit down for 15 minutes and you'll get another lesson. But also as part of that service from that vendor, we will be conducting spear phishing assessments more often and that's one where I can speak directly to measurements. We have a measurement, we know we were at 9%, and what we want to do is to institute that security awareness training and then the spear phishing campaigns internally so that we can assess, are we getting better or are we not getting better? And we can then train the security awareness modules more toward what our vulnerabilities are. So were legislators part of that assessment? No. We left you out of bounds for our assessment. Are you assessing the spear phishing? We do pretty well. 
We do pay attention to phishing campaigns, the phishing campaigns that happen throughout the legislature, but we do not, as you know, have the same ability to enforce security awareness training across the board as the executive official branches. But you're dealing with 180 legislators who are not under your direct supervision. I never liked it. So there are challenges to overcome within the legislature as far as enforcing those trainings. However, again anecdotally at this point we do monitor those in-house, we pay attention to those and we do fairly well as an overall organization. So I don't have a percentage or a percentage range for you. I would be interested in that in the future, but just in terms of thinking about that, I mean that's a, what kind of damage will, what kind of threat factor is the legislature to our state systems? The number one threat right now to, within malicious payloads is ransomware. So for those of you not familiar with what ransomware is, basically it executes an encryption program on your computer when you click on the attachment. It begins to encrypt your files and any files that you have access to or any other files that it determines it can gain access to and locks them up until you either pay a ransom or wipe out your encrypted system and restore it with an unencrypted system. And if there's, that is one, that is one nasty piece of software that keeps me awake. Because it really only takes one compromised person. There are ways that we can mitigate it and we do have systems in place to help us mitigate privilege level of access if you need, if you need a certain level of access to execute programs, you know, to execute or install a program. We try to not give that to people who don't need it. In other words, we wouldn't give you full administrative access to your computer because then every file on your computer is something that you have access to when you click that encryption algorithm. 
And of course within networks and otherwise we wanna make sure that our system administrators, our network administrators and other folks that have those administrative credentials are not using their administrative credentials as part of their normal login process. They have their own user account that is an unprivileged user account and they have their privileged account that they need them to log in with to manipulate systems with that higher level of privilege. We have a couple of other systems that can also assist with limiting the damage once it's begun. Most of you should be familiar with the security operations center that we're in the process of standing up. We're at, we're actually doing quite well with that at this point. We're getting- That's at Norwich. That's with NUARI, yes, the Norwich University Applied Research Institute. I guess it's institutes. But they are generating security operations center incident reports and sending those to us now that, so they're detecting anomalies within our system. These are ransomware attacks. I can't say we haven't had a ransomware attack since we've been running the SOC, but that's, you know. Is there any wood down there? Yeah, exactly. There's no, that's not a, that's no bonus, that's not thanks to the system, that's in spite of the system, I would say. And endpoint protection is another, I don't even wanna say emerging, but it's become quite common. What is endpoint protection? Endpoint protection is basically an agent, a small piece of computer code that's placed on a computer that begins to recognize what normal patterns of behavior are for the user. And if abnormal patterns of behavior occur, it can either stop that activity until it's unlocked by an, It's like an artificial intelligence. It works a little like that. Detecting patterns of, yeah. It works a little bit like that, but endpoint protection isn't as sophisticated as an artificial intelligence-like system. 
It just recognizes, it goes into its little algorithm and says, you know, representative civilian never logs onto a computer at four o'clock in the morning on a Saturday. Not true. Not true? I'll see if you're going. But I can say that I don't, so I'm less directed to, so it would detect that as abnormal behavior and it may help us say why is this person logging on at this time and block it? So I see that we have Josh here from the Attorney General's office and I want to be respectful of your time. I know we're a little bit over and I also want to give Scott just a moment to take a breath because I think he's going to be joining us in the next piece. I don't even think I'm getting enough, I think I'll just. Are you okay to keep going? Yeah, absolutely. Okay, so in terms of the Cyber Directive which has not yet been issued, I have found this description of what that is and what it will be tackling to be really helpful. I think you've broken it down in a way, at least for me, that was easy to understand so I thank you for that. Do we have any other questions from committee members? Oh, like just in summary, it's going to be issued soon and they're going to be these four areas you're going to concentrate on and you're going to say complete these tasks in 60 days or something like that. Right, the range is anywhere from 45 to 120 days based on what the area is within the, and some of this is just, some of the directive is literally just to report. We understand that the actions to remediate can't even occur until we know what we should know. So many of the actions in the directive are just to report. Great, thank you very much. Okay, so this testimony here, we had, if the committee remembers, we had John Quinn come in, we had a discussion with him about the assessment that was done by Department of Homeland Security and he went over a number of how that had happened and gave us some of the findings of that. 
We were in executive session and one of the questions that was asked, I believe out of executive session was, how do we ensure that when the feds came into our system that they didn't take data that they are not supposed to that is prohibited in statute out? And so that was several months ago, I think. We, at that time, I think ADS had said to us that the Attorney General had reviewed the contract with the Department of Homeland Security and that perhaps we would have them come in. And so we have asked Josh to come in and I really thank you for bearing with us as we tried to describe what it was that we were looking for. And so this is just a conversation. Help us understand just the mechanics of these things with our systems and how we're monitoring those types of things. Great. I'd like to do a couple things if you can. Yeah, fantastic. So that is for our members of the committee. Good morning, my name is Joshua Diamond and I'm with the Attorney General's Office. And I'm glad I've got Mr. Carvey here joining me today because I think at the end of the day your questions really go to how this contract was implemented. And we're giving you copies of the, I guess, the non-confidential section of the contract that lays out, and I will draw your attention, sections 3.2 and 3.7, which I'll talk about in just a second, but just as an overview, to explain what our role generally is, which is to review contracts for form, that's the role that the Attorney General's Office generally plays, which in a nutshell means we're looking at a contract to make sure it's not illegal, that the agency has the authority to enter into the agreement. If it's a procurement contract, are the provisions of Bulletin 3.5 being complied with. And in this agreement between Homeland Security and the State of Vermont, I'll draw your attention to sections, I believe 3.2 and 3.7. 
And if I understand the questions that came from the committee, it is within the context of Act 5, which was passed I think in 2017, shortly after the executive orders that were issued by the Federal Administration dealing with the travel ban and concern over Muslim registries, or registries based upon religion. And so section 3.2 and 3.7 design a system whereby the State of Vermont has a site monitor who will work with the Department of Homeland Security to ensure adherence to the State of Vermont's policies and standard operating procedures that could have an impact on the scan activities and the information systems being assessed, as well as to identify to the Department of Homeland Security in advance any categories of data which may be encountered by DHS during the selected services that are sensitive in nature or protected from disclosure by statute, regulation or other authority, including personal identifiable information. And we'll provide DHS instructions on how to identify and handle such data encountering or encountered by the team from Department of Homeland Security. So the contract had the operative mechanisms for that, how they were implemented, can't speak to that, the client agency is the one who implemented the contract. So here's a, this is helpful to see, thank you, this is the first time we've seen this, I believe. So would the Attorney General's office have been looking just, is that part of your role based on our statutes to ensure that those were in there? Again, hopefully or? When we are generally looking at contracts, we're looking to make sure that they're legal and agreements. So making sure that personal identifiable information is addressed or protected, I think is something that would be in the common course of the business. Okay, okay. So one of the concerns was, if in fact they did somehow in the process of doing the work, obtain information that was protected, there's a provision that they would notify, Mike, did that happen? 
Actually, I would tell you the only issue that we had and Kevin was involved in this. We did not give them specifically prohibited email, I'm not email, but IP address ranges. We told them what our ranges were and that's what they were supposed to scan. So can I, just give me a second. You're gonna need to go back and explain what you just said. Sure. I just, I often feel like I need to tell people when you're sitting, for me anyway, not for the Senator, you know, I wasn't saying you were spending a lot of time there. For me, I always feel like I wanna say to the witnesses, please present your testimony, you know, witness, testimony for donors. You know, presume that we don't know anything. And I would not at all suggest that I have more knowledge or expertise than other people at this table. So there were specific network areas that we entered into an agreement to have them check. Okay. And those specific network areas, they were checking. In the course of that, they found some other network that we had neither excluded nor included. And they were scanning that network. And at that time, Kevin's team, somebody from Kevin's team notified ADS that they were receiving a significant number of attempted intrusions on their edge devices. So that device between the executive range and the legislature. I contacted the site monitor in the room and said, hey, if they're scanning this range, tell them it's out of bounds. And immediately they backed off and your traffic went to pretty much nothing from there again. So about a 20, 22 minute interaction. Yeah. And so that piece, when you ask like, you know, did that piece work? That's exactly how it was meant to work. Okay. Somebody said, hey, it looks like something strange is going on here. We went through our normal notification process, but knowing from sitting in my office that we're doing a full network wide scan and assessment. I said, I have a pretty good idea of where that's coming from. 
And we confirmed with the DHS team and the site monitor that that was actually the case. So it worked exactly the way it was supposed to work. Did you have? No. Okay. So with regard to taking information, retaining information. Sure. So typically in a, and I will try to make sure that I don't use too many acronyms or terms of art here, but typically in a penetration test, we set out a methodology. How will the tester test our systems? What will they test? What's the scope of what they'll test? And how will we verify the results of that test? There are two. So Scott, are you able to monitor what they're doing? Like that they're staying in bounds? So that's kind of what you were just talking about, I think, but how are you monitoring that they're in bounds? So as I said, the member of my staff who pretty much camped out with them for the week, I won't say he was in the room a hundred percent of the time, but he was pretty much with them for the week, was always there for them to ask questions. So it was a human monitor, literally. And there were times where our actual systems that are meant to catch these kind of attacks did trigger on activity, but we were there and it was a cooperative test. We want them to continue to dig, so we would just log and then note that we'd seen that and allow them to continue on their way. We knew what address space they were coming from. So had that... So you could see their path afterwards. I would not say that we monitored every transaction that they did on our network. That would just be impossible. And I was gonna get to this point. There's sort of two ways that you verify the testing outcomes. One is using what they call a calling card methodology. I get into a database and I put an entry into the database that basically tells you hi, I was in your database. 
The other way to do that is when I get to your database at the login screen or at the first screen behind the login, I take a snapshot picture that proves that I was at that database level and that's the way they did it. We didn't want them altering any of our databases or any of our file system or otherwise. So when they got to a point where they felt that they could verify that they had intruded on a system, they took a screenshot and embedded that in the output of the report that they gave to us. Okay, so we would know also if there was a federal activity trying to get data from our system. Not as a part of that activity, but just... Well, so one of the protections that we look very closely for on a minute by minute basis is something called data exfiltration, which is basically somebody comes in, grabs a database and just tries to move the contents of that database outside our system. I will say we're not fail-proof on that, but certainly any exfiltration of data while they were here on site, we were watching for that. And secondarily, any large exfiltration, whether it's from somebody we would consider a trusted partner or somebody that we don't even know is in our system, should flag at our edge protection devices that large amounts of data are going out of the city. So getting back to the Attorney General's office, I mean, the review of the contracts, certainly, you have the language in here. If for some reason they fail to fulfill it, it's with the federal government. What kind of legal action in fact would we... You know, I realize it's sort of maybe a cows come home kind of question, but in some regards, if the requirements of provisions of this contract were not complied with, what recourse in fact would we have with a federal agency? It's a great question. We sue the federal government all the time, as you know these days, sometimes successful, sometimes not. So it's certainly injunctive relief as an option that could be available. 
Do we have other questions? Yeah, I have a question about exfiltration. Oh gosh, my vocabulary. I just didn't learn about the context of it. Oh my God, the people with integrated eligibility, they've got a whole new vocabulary of things that we would like, you know, use other terms for. Does that mean that actually that data, all this data is, you have backups and so forth. So even if they took it. Was that a statement or a question, Senator? No. Because it sounded like a statement and I might have a question. Well, I have a question, if exfiltration should occur, that data would have been backed up and be, in other words, it's not lost. It's just that they have taken it out and are using it for some sinister purpose maybe, but that data wouldn't be lost to our system. And I guess that's what I'm saying. Typically, they're taking a copy of that data. Yeah, okay, that's what I was. And yes, but the system of record is often still there. There are attacks where they would go in and they would exfiltrate the data and then delete the data behind them so that they've got the only copy of the data. That was those. But if you have it backed up, don't you? Exactly, it's a very haphazard. I would almost consider that a fairly amateur attack at this point. Do we have any other questions? Anything else you think we should know about that? It feels like this was really complicated to try and get an answer to this, but I don't think we do. I think, no, I think that, I think we cover everything. We had just wanted to make sure that there were protections in this contract that would protect the state of Vermont from somebody taking that information, specifically the federal government, and doing something else with it. And that was the whole purpose, that is not the whole purpose of the contract, but that's where it was covered in this about that contract, okay. And the secretary of state did join in on this review? Did join in on this review. 
They signed a separate agreement with the federal government. But he let us say you did not. It's the same agreement. The, we leveraged the, we on the executive branch side or the ADS side, let's say, we leveraged both the security of our systems and the security of the elections system. And so the secretary of state controlling the election systems by combining together, we became a higher priority. For this assessment team. And so we got ourselves bumped up on the assessment by months. Schedule. Schedule-wise by combining, rather than asking for a separate elections assessment and a separate overall state infrastructure assessment. Makes sense if you're here. And so Scott, I think we've previously heard from the judiciary and from the legislature that there might not have been the communication in advance on that, is that correct? Yeah. And so, but you all have talked to, so now I'm asking, I guess, Jeff and Kevin. Have we gotten to a place where the next time this happens that there are systems in place for that? No. Okay. So. I didn't hear you answer. I'm sorry. We still have not seen the results of this study. And I don't know how it'll affect the judiciary. Similarly, with the other topic of Directive 1902, even though I currently heard today, we'll be subject to it. We have not been part of the development of it. So I would say that there is still improvement that can happen. So, Jeff and Kevin, do you have anything to add? The legislature was not involved in the last assessment. Had we had communication in place early, we probably would have joined that assessment. The way we found out about it was, as it was actively happening, which was unfortunate at the time, but I think it's a hard lesson learned and I'm hopeful that in the future we can join those assessments. So your question really was in the future, taking what happened here. Yes. 
How to make sure that you have that, that the legislature has that opportunity to sign on the statements of Secretary of State or our judiciary. So I guess that's really the question for ADS, is it to do something like this again, how to make sure that the other branches. Yeah, is there a reason for that? And maybe, I don't know if that's a question for you or the Secretary. It may be a question for the Secretary. I would defer to the Secretary. Oh, I don't believe it's in here. But, Becky, is there any reason, so could we compel that? Compel the federal. Judiciary? The, you know, for assessments of our system that, you know, the judiciary, the legislature and the executive are all, that I guess maybe that's a question for. I mean, I don't know enough about what the federal government program is to know if it's required for the judicial and legislative branch. I don't know if it's a program that's just offered. Department of Homeland Security. It's more of an internal protocol. It was an offered, and I would agree that it is an internal protocol and the one cautionary that I would add is if you decide that, you know, we have to collaborate, you know, with the legislature and judiciary, I'm perfectly fine with that. But one problem that I would have is if the legislature and the judiciary could, you know, change the scope of what we're doing because we have to be able to fully assess the scope of our responsibilities. So this is, you know, just to be clear with what I'm thinking about here, it is not clear to me how the three branches of government best work together to protect Vermont's systems and Vermont's data. And, you know, they are three distinct branches of government and the executive is in charge of maintaining, you know, protecting all of the systems. But, you know, it seems to me that there has to be interaction, you know, and of course I am keenly interested in what the legislature's role is in that and so this is an aspect of that. 
It certainly is not everything, you know, but where is that line? And so this I think is a good, actually a place to focus on. You know, how can we, what are the right ways for notification? How does that happen? You know, was there a notification afterwards that it had happened? I mean, you found out, because you were being. Until I asked the question in this committee, we did not have formal confirmation that we were part of the assessment. And I would also add that our work with ADS is governed by a service level agreement that's renewed every year. I'm not an attorney, but those who have read the service level agreement would argue that we should have been notified by that. Also, the Homeland Security contract has a portion that talks about notifying folks who are involved. We weren't notified through that either. So I think the pieces might be in place. They were just not executed. That's helpful. I think that before this committee asked the question that the leaders of IT of the three branches were not communicating regularly with each other. They were not meeting with each other. And I think that is something that we've accomplished. I think it's a positive thing. And I would hope that all of you would agree with that. I do agree, Senator. And I was just reflecting yesterday that in the days of DII, we actually were part of many meetings with senior leadership and since the formation of the agency, that hasn't happened. So I do look forward to improvement in that area. Maybe that is perhaps part of the subject matter for service level agreement. Now, one of the things is we talk about three branches of government, yet we have the Secretary of State. Is that a fourth branch of government? Right. From an IT perspective. 
And does that suggest, and this is one of the questions, where we started doing the inventory of systems to identify what's being looked at, what's being covered by information, security agreements, et cetera, and who's responsible for what. I hope that when the Secretary Quinn is back that we, in effect, get an update. Is that process continuing? Is that complete? Because my concern is, is there anything else out there other than the Secretary of State that's sort of off the reservation? And that goes back to the question we asked of what wasn't being looked at in the DHS assessment. What's in that 20%? So would that get into the elected office and like the auditor's office and the Treasury's office? No, as far as we know, there aren't any systems there, at least in the first pass of that assessment. And the Attorney General, yes, actually. But there certainly was the Secretary of State, and I'm not sure was there anything in the Attorney General's office that was off the scope of that matrix as well. That may have been. Yeah, that is another, we have that. And I know you're not prepared for that. So I'm not going to put you on the spot. Thank you. We have an embedded IT person in our office who can speak to that issue. Is that Ryan? No. No. Okay. Okay. The manager of IT systems. So while you're here, I will explain to you what it is that we've been trying to understand that Senator Brock will correct me when I misspeak. You know, we did inventory. We had actually ADS inventory for us, the state systems and the level of service that the various departments were getting around. Cyber security and et cetera. And we wanted to hear, we've asked, and we've had taken testimony from a number of different entities, the judiciary, the legislature, some of the other offices, Secretary of State, how that interplay goes between the agency of digital services and your office around cyber security and cyber services. 
So just getting, just for our education so that we're understanding today. And I can't again speak to the details, but I can tell you, maybe Mr. Carvey confirmed, we actually were in the last 12 or 18 months of migrating our servers to ADS and taking advantage of the opportunities that person got. Okay, so that you would have a service agreement then as part of that, hopefully? I presume so, but I can't pop it off my head. Yes, and Secretary Quinn says you do have one. Yeah. Secretary Quinn, can we, have you come join us in the hot seat for a minute? Sure. Thank you. Which one's the hottest? I don't know. What we've been talking about is with regard to the contract between the Department of Homeland Security and the state and notifications, so with the judiciary and with the legislature when that happened, with that testing happening. And then how that went, and we had heard in the past, you've been here, from the judiciary and from the legislature that, oh, we didn't know, maybe we fixed that or think about how we're doing that in the future. And so the question was, and I think it's more of a question for you from me, are we thinking about how we would do that in the future with the judiciary and the legislature? Is there any sense of, are we talking with them? And it sounds like we're not yet, but could you tell us about that? So we haven't done another assessment, right? We're still looking at remediating the findings from the first assessment. So before we do another assessment, we and Pat talked of just us, the court administrator, and we agreed that I would give her a heads-up that we were doing something like that and what the scope would be. And what we heard from Jeff is, in fact, you were required to give the heads-up based on, service agreement. No, I don't think so. 
No, it was based on, I don't have the language in front of me, but if we were sharing data or, and we weren't sharing data, we were doing an assessment of our network, which they buy services from us for. So maybe we need to have clarity in that service agreement then. What you're, and obviously you're executing your responsibility to maintain the security and the integrity of this system. That it's serving multiple parts of state government. And what that requirement and protocol is around notice, which seems to be the issue that's been raised and seems like that's more of that time, that would best be addressed with those agreements that you negotiate. Yeah, right. And we've talked about this. You know, a keen sense for me of how are the three branches, you know, interacting with us because they all have different roles. So do we understand now, what are the communication mechanisms of those roles? Right. So what the court administrator, I talked about with, you know, one of the lawyers in the room, was that we would, the court administrator would come up with an MOU to pass by us to start to work on, you know, what exactly we could do and what we couldn't do. You know, I'm fairly black and white in this area. They buy a service from ADS and I need to protect the entire network. And I can't let one customer hold up the security of the entire enterprise because of, you know, because of an important issue of separation of powers, but at the same time, they're buying a service from us. And if they, it sounds more harsh than I mean it to you, but if they don't want the service, that's okay. I'm not forcing them into the service. They need to get their own because I can't jeopardize the Attorney General's office, human services, the tax department because of an argument over separation of powers. But we're working through those things through an MOU and I'm pretty confident that we can come to agreement on how we notify and how we determine the risk. 
So the next time you decide to do an assessment, you would have this groundwork set. Say you would have an agreement with them. Yes. No, I endure an agreement with the legislature as well. Well, yeah. And how to execute it. Yeah, the legislature was supposed to be out of scope from the very beginning. The IP address got added in accidentally. And so was that, so was there prior notification? Like, was there a prior agreement to keep the legislature out of scope? Like with the legislature? Not with the legislature. Okay. An internal discussion. Because we really have no service, we offer no services to you besides a cable, so to speak, to the internet, right? So we don't do any, you don't have any server support with us, you don't have any desktop support with us, you have your own cyber security people, you have all separate. So in our eyes, there was really no need to look at that piece because we have no service, you guys have no service through us besides the wire, so to speak. Interesting, but we have a lot of, okay, it's just, it's a lot to, it doesn't seem like the legislature is completely disconnected though from the state networks. So the legislators, you know. You have your own email system. Yeah, I mean, I think we would agree that the legislature as a branch probably needs a vulnerability assessment as well. And that if it could have been done in conjunction with yours, and maybe in conjunction with Judiciary as well, it would make more sense to do it all in one big fill. So it's a vulnerability, but. Sorry, could you say, no, I didn't. I just didn't want to interrupt. The legislature has previously conducted vulnerability assessments from third parties as well. We do periodic internal vulnerability assessments in order to make sure that we're going to invest with our internal resources, the resources we do have.
However, it is an industry best practice to have third party, third party entities come in and conduct both credentialed and non-credentialed security assessments periodically. Periodically is subject to interpretation. So who just, we've got the Attorney General, the ADS and the legislature and everybody here. But Kevin, who would see that assessment? Who would see the assessment? Previously it was sanctioned by the IT departments. Specifically, provided the results provided back to the IT department. I was not the head of IT for that last one, the last big one at the party. So I'm not sure if it made it to the legislative IT committee or the legislative council committee as an executive summary. I believe it did, but we are due for another one. Okay. I would just say by us using the Department of Homeland Security for this assessment, we saved, I think, $85,000. I, you know, the free assessment that they offer rather than going out to a contractor. Is there a best practice standard for how often your system should be assessed? Oh, I'll refer to Scott to answer. I would, so going back to when I discussed federal compliance, they test every three years and that sort of to some extent become the industry standard. There are stages within the development of new projects where you may do sort of microtesting security-wise as the system is being built. And we also like to build in with our non-functional requirements and a lot of contracts that a security assessment has done on a system when it's put in place. But if you're talking about these broad-based assessments, yeah, once every three years is about all you can manage. We spent months planning the first one and we're still spending months remediating the last one. Oh, really? Yeah. Okay. Similar result from us. It takes a long time to go through those results and not mitigate those issues. We have reached the end of that cycle more or less on our end, which is making sure we're due for another one.
Yeah, I mean, it just, correct me if I'm wrong, but when we're doing these assessments, it doesn't seem like the other branches are disinterested parties. I mean, would anybody disagree with that? Would you disagree with that? Oh, no, absolutely. We all have the same goal in mind, to protect the state network and protect state information. So we're very interested in working together. And I think the secretary's statement is very clear. If you're purchasing a product, it's with assurances around the integrity and the security of that system. So that's kind of inherent in that, but then how you negotiate that relationship, I think, and the information's kind of been the issue that is percolated, but it seems like it can be remedied. Advantage of doing it is it gives a lesson. Well, we find it internally with our own departments, especially with legacy stuff. There's no way that we can do that. There's no way. So there's a labor process where we determine the amount of risk for the system. Some of these systems are 30 plus years old, and we do the best to put as many, we call them firewalls around them to ensure the maximum amount of security that we can offer is around those things. But every system needs that kind of assessment. If someone wants a waiver, it can't be, well, we just don't have enough time, so you're gonna have to wait, you know. Oh, yeah. I mean, I think. And that's the firm stance that I've directed Scott to take is internal, external. This is very serious to the entire state, and we need to make sure we're articulating that. And we do have some other systems. I think DMB's still on call one of them. Yeah? Some of their systems. Yeah, if you know. The whole ACCESS system is on ADABAS, which is 30 years old. If you know of any one of the programs in that language, we're hiring. Yeah. Either one of them, yeah, I bet. Yeah, yeah. Uh-huh. Okay. Well, not a I, you know, nor a I. Any other questions from the committee?
Is there anything else that you think we should be thinking about with regard to this contract? Okay. Great. Kevin's gotta stand up again. Kevin, sorry. You can't see that. You have to get higher. I'll reverse the contract. I just wanna put a plug in there that operationally speaking, I think that the ADS security team and our security folks with the legislature operationally speaking, I think we interact very well in the event that ADS has had issues that potentially pertain to us, that notified us, and we do the same vice versa. If we come across information that is of value or of areas of concern, we certainly notify them as well. So it's another avenue approach, just in case their teams haven't seen it or our teams haven't seen what they've seen, we certainly operationally interact as necessary. Great. I know at one point the three had met and I think Kevin was out on family. I really am keenly interested, again, I will say in the legislature's role here with regard to cybersecurity. And so, is that something that you all are planning, meeting on any kind of a regular basis? Is there any value to that in terms of, do other states do that? Do we know, do other states do that? I don't know if that was a question that we asked. I haven't asked in there, I don't know. We have that NCSL inventory of all the legislation, which I confess, I have not gone through since last night. Since last night. Not a serious matter. Well, you know, actually I made one. I came in early. But maybe that's something to look at. I'll go, my screener's sideways and I don't know enough. Everything I've got is sideways. No, I'm too lazy. I don't mind reading it this way, but this might be something to look at in terms of what other states have done. 
And I think, so we're ending the day talking with Becky really about these items and what recommendations we may have going forward and what we can do, what we might want to have some more research on if we want to do anything to make any kind of recommendation. So, okay. All right, we're going back on the record. And is Darren here? Yes. Okay, okay. So we are going to get another update as had been planned at our last meeting on that integrated eligibility project. Since our last meeting, we did provide a memo. We've had several discussions with ADS and UCAS. Thank you. Just Senator Brock and I around that memo, some concerns that you had about our memo, concerns that we had. So I think maybe if you can start from there and then provide this update, that would be great. I would simply say Joint Fiscal met this week and did authorize the release of the funding and we're very pleased about the progress that was referenced. I guess I got an email that CAS had been in contact with the chair and co-chair on that. So that was great news. But just to let everybody know, Joint Fiscal did authorize the expenditure. Okay, so for the record, CAS Medicine, WD Commissioner, DVAC program sponsor for integrated eligibility enrollment. The record, Darren Crail, the director of digital services dedicated to the Agency of Human Services. So I think there were really, we submitted the report at the end, at the beginning of September. And I think after the publication of that report that it seemed like there were really three key areas that folks had questions around. One was, what's the status of the networking issues that we're experiencing? And I think that that was in that memo too, partially. What's going on with the budget? Are we in budget? Are we out of budget? How are we spending? And then just some general questions about how are we doing an actual role today. So I have, I put together a whole slide to just focus on answering those key questions.
I think the report is a really good lesson for me and like, I'm in the weeds and we're all in the weeds and so we think something's really clear and then it goes out and I'm like, oh actually that didn't make any sense to anyone. So we're gonna keep working on how to make this clear. But oh, at the ADS and AHS partnership was the other question that came up that we just spent a couple of minutes on today. So just a quick high level recap here. Essentially, we committed to delivering four products and I use the word product because I was like, hey, we're delivering an actual business capability. So the healthcare application is a product. The document uploader is a product. We committed to delivering four products in 2019 and calendar 2019 and three products in 2020. So as of September 16th, we successfully delivered fully on two of those four initial products. So healthcare paper application is done. It was officially approved by CMS last month and we're in phased rollout of that product. Enterprise content management was the big win that we got to report on Monday. It went live over the weekend. That's our document imaging and scanning system and so that was a really big deal because we've officially sunset our first Oracle product. Which is a challenge but really exciting. So the whole point here is that we're starting to pick apart pieces of that system and replace it with stuff that makes more sense. And so in the case of enterprise content management, we sunset an Oracle product and we put in its place a more cost-effective product that the state already owns and maintains. So that'll give us operating cost savings over time. So Cass, can I ask a question? Yeah. On the paper application, obviously there's a lot of information. People have got their income and social security, et cetera. And so that actually with that uploading, will it actually update that person's data that is used and recalculate eligibility?
In other words, will it sort of take it and populate the file for that particular eligibility household? Not yet. So the paper application was really our starting place to say we have five different paper applications today and we're required by a federal rule when someone applies for health coverage to give them an end-to-end determination for that. Right, I guess too. So by consolidating the paper applications, we made it possible for somebody to fill out one application and their eligibility to be considered for all appropriate programs. The process for the paper application on the back end is still really messy because we're in multiple systems. So multiple staff have to get that application and put it in multiple systems in order to provide a full eligibility determination for staff. The next step will be the online application which will get all of the information into the system and it'll also probably populate two systems but it'll be more automated initially. And then it won't be until the following year when we put in the new rules engine and the case management system that the back end will finally be consolidated and you'll be able to put in all the information and have the eligibility automatically run. So that's a multi-year process. Could you just provide us with a copy of the paper application? I mean, just for fun, I'd really like to look at it. He's gonna apply to the university. I'll tell you right now we're not. Yeah, I'll send it to you. I'll just make sure you guys make a copy. Thank you. And we actually just, I think there's a soft press release I think going out today and a note going out to all of our sisters to formally sunset the old paper applications because we've had them running in parallel so we could do more user testing and now we're saying, okay, get rid of that old one. We all need to be recycled by a certain date and start using the new one. 
So when you get to the rules, that gets really complicated because some programs still you have an assets test and others you don't. And so the extent to which the system can only ask you the questions that really relate to the information that you need to provide based on which eligibility door you're going in, of which they're gazillions. I assume still, did you get rid of all those special eligibility groups like the QMBs, the SLMBs, the QIs, the, uh-huh? There's still, there's some work going on that's funded through our MMIS program to try to read you category codes- ACA didn't get rid of that. I'm not the expert on that anymore. I will say that the categories of eligibility are still very confusing on the back end. I just, yeah. All right, I was just wondering whether somehow because, I mean, Medicaid actually has rules so that there's special rules. If you're a woman diagnosed with breast and cervical cancer. There's like a different funding strategy. Yeah, you could have a brain tumor and you won't be eligible. I mean, so that is how difficult these Medicaid rules are but let's not get into that. So I was just wondering whether there was hope inside. It sounds like that if we hold on another couple of years. Yeah, it's just, we just want to do it a little bit at a time. So we made a very conscious decision to start by streamlining the customer experience and work on the back end a little bit over time instead of doing all back end and telling customers that we'll get better in two years. But that does mean that there are some places where things get more complicated for staff. And so that paper application is a really good example where we're rolling it out for everybody but long-term care.
We're not going to roll out long-term care into the spring because we want to do some lean events with them to try to get their business process a little bit more streamlined before we add this to it because it's just going to increase their eligibility timelines and they're already struggling because of the new asset verification system. And so there's just some operational stuff. Paint you for? Yes. Well, it's a federal requirement, but it's sloped down, so. But the paper application's been launched for everybody but long-term care. We just put it that we want to do some lean events to really streamline their business process so we don't slow things down for customers or staff. Well, the biggest problem with long-term care is that having to screen for transfer of resources. And I don't know how you, that's still, you have to practically be an accountant to deal with some of those cases. So good luck on that front. Some of it is that we're just some really basic technology stuff isn't there that should be. And lots of people long-term care staff are printing out applications, piles of paperwork and like, there's just some stuff that we could do to make that more efficient so that when we change business processes we're not making things harder. Okay, so then the third product is the document uploader. That's the thing that people can take a picture of their documentation and have it upload to their case. So we're already in a phased rollout of that. Like the first version of that was launched in a bunch of different places, not statewide yet. And it just went to a secure inbox. Now we've integrated successfully with their document imaging and scanning system. And so the plan is to go live with that product in October, so we're on track to deliver that one this year. And then the fourth product we all know, that's the one where we're still challenged and we're targeting February for reporting and analytics. It's an efficiency intelligence project.
And that was delayed because of the delays in uploading. There's really two main networks. Yeah, there are two main reasons why that is delayed. One was because it did take us a lot longer than we thought to get the data loaded into the data warehouse, which was a, I don't know if it ended up being a networking issue but it might have been like a more full software. It was a combination of items. Yeah, it was, we have a, there are two data centers. One is in Optum and one is here in the state. And the transfer was not always successful. So we have a constant replication. Basically it's making the database at Optum and our database the same constantly. And that requires a lot of bandwidth essentially. A lot of ability for those things to talk to each other really readily. And essentially after much work, we figured out that that connection between the two is actually not terrible. We did make small improvements. But we found out that on the Optum end that their Oracle database software, there's a specific version of the software that actually does the replicating that was a little bit off and had a bug in it. So we called Oracle and they actually gave us a patch and we fixed it. And now the, that process of replicating the data from Optum to us has been successful for about a month now without the problem. Well, will we eventually not have the Optum component? Excuse me. In other words. And I think it's important to separate Optum, what functions Optum serves and what software we're using. So it's an explicit goal for us to move away from Oracle from most of the Oracle components with the exception of the Rules Engine. I don't think we've, we don't have any explicit goals yet around what hosting looks like or maintenance and operations looks like and how our agreement with Optum evolves. Right now we need them to do, like every time we need. I guess I was interested in, you were talking about really two databases. That's what I was wondering.
At some point are we moving, so that we have just one or? Correct, yeah. We're basically making a copy of it on our end so we can do the reporting efficiently and have our own state to do whatever we want with it. It gives us more control of the data. Eventually, once the major client management system component comes over to another and I'm not sure if that's going to actually come into the state or it's going to be a cloud-hosted solution that we maintain, it would be under our control as well in that way. And then if that answers your question, yes, it would then be that replication piece with stuff. Oh, you always kind of do want to separate data warehouse. You're always going to have to put data, you want more than one copy of your data. You don't want to do your reporting and analytics on the same system that you're doing your day-to-day transactions. So there's some best practice stuff where there'll be multiple copies of everything, but the goal is definitely to find, I would say, more cost-effective solutions for housing our data. Oh, and so I'll just say the other thing on business intelligence is that the building the reports is very complex, like this is complex data that's been in reports that have been built ad hoc over a number of years. And so it's taking the team longer than originally thought to build that core warehouse. And so we're tracking really closely the completion of that build, but we really need three solid months of testing and the two databases running in parallel for us to go live. So it's a pretty big milestone for us that we're looking at now to say, okay, we really need that warehouse done in October, by October, mid-October, so that we have October, November, December, or November, December, and January to do all the testing that we need to do in order to do the cutover in February. How's that looking? There's, we're definitely feeling more confident based on the progress that the team is making, but there's still some unknowns.
So I would say internally, this is our biggest risk area, and the thing we're the most focused on is making sure that we have a clear picture of that by the end of this month or mid-October, so that we can make the right decision. So it's still in play, I guess is the short answer. I thought that February date was also, I'm not doing anything with open enrollment. Yeah, I mean, if something happened in a magical wish-filled world, if the database was built by October 15th and we tested it and everything worked perfect and we could go live November 1st, we wouldn't. No. So it's just the earliest we can go is February because of open enrollment. And then the last one here is, okay. What happens if we don't hit February? What happens if it's March or April? So the biggest constraint we have, honestly, is this set of Oracle upgrades that we're trying to make in February. So these, you know, we, because Oracle is the system that it is, whenever you want to upgrade one piece of software, you have to upgrade the whole Oracle stack. So it's a big thing to upgrade everything. And we need to upgrade it in order to make sure that we have the latest versions, that we have the right support levels from Oracle and all that sort of thing. So we're running a lot of old versions of the Oracle software. The original plan was to do those upgrades in September of this year. We pushed them back until February so that we could finish the data warehouse, because when we upgrade, we're not planning on including the Oracle Analytics software, and we weren't planning on including the Enterprise Content Management software. So those are two things we're gonna sunset. So we successfully sunset Enterprise Content Management, but we still have this, we want to do the upgrades in February because of some contractual stuff on the Oracle side. And so if it's not ready, we'll have to include the business analytics software in the overall upgrade package in February.
What is the cost of doing that? I don't have that off the top of my head. My concern about it is that we would have to make that decision now, soonish, because there's work that has to be done to rewrite the reports and some of the code in order to make it work in the new version of the Oracle software. So it's not like we can decide on January 31st or just install it because we're not ready. There's actual development work that needs to happen that will take a couple months. So with business intelligence, we're really gonna have to make a decision, do we think we're gonna be ready for February or not by the end of October? And if the answer is no, we either need to install the Oracle software or push back the upgrades another couple months or those are really the only two options that we've talked about now. I don't know if you have those. Those are the two options. This is a tough one because you wanna give the team more time, but we're gonna run out of time to make a decision because no matter what, there's any contingency we trigger is gonna take a couple months of work. So I just want to make sure I, no, I think I have, but I wanna make sure I have it. So what I think I'm hearing you say is if the database and warehousing is not ready in October, you need to make a decision about this in October. And if it looks like it's may not be ready, we have to decide then to either install the business intelligence upgrades or push back the whole Oracle update like two months. Yes, those are the options today. And what are the consequences of pushing that update out two months? Well, we'd have to, we'd be paying to host two warehouses for longer. So the cost of hosting them both in parallel for that four months is about $2 million, $1.8 million. So if we pushed it out another four months, it would be another 1.8, which would hit our data operating budget. And then the other thing is just the risk of having software that is aged, right? 
So maybe you could talk about that a little bit. Yeah, we have audit findings that say that we need to upgrade the Oracle software to the latest and greatest versions to make sure they're secure. So we have to keep that cadence running. The longer we go without upgrading it, it just increases the risk. And when you say audit findings, what audit are we talking about? We are audited consistently by the federal government, especially when we do like a big major upgrade. So one of the things that triggers the folks at CNMAS or higher aspirin, those folks, is when you make massive changes to a system, they want you to go back and look and see that all the controls that were there before are still in play, and that everything is still configured correctly because it's going to be a new environment. But in fact, the whole reason we're upgrading all of the Oracle, the entire Oracle stack was because Optum had things they couldn't actually complete and fix in the old environments. So the new environments are supposed to take care of those things. Are you talking about the POA&M? Yes. Yeah, I don't know what the POA&M stands for, maybe. The plan of action and milestones. It's essentially a giant. Yeah, I mean essentially they have a running list of open security items. You're never going to have zero security things you have to address. And so the feds, the CMS security folks say, you can have, I don't know what the numbers are, we can get you the threshold, but risks are high, medium, and low. And you can have a certain number of, I don't know if you can have any open highs, but a certain number of... You can't have any criticals, but you can have some. So critical, high, medium, and low. So no criticals, a certain number of highs, a certain number of mediums, and a certain number of lows. And so we're constantly, I think, even quarterly reporting that list to CMS. And we're always closing and opening new things.
In addition to that, anytime we make a software upgrade or change, we have to send a report to CMS to say, here's what we're going to change. And they say, okay, this is the level of security assessment that you have to do on your system before you can go live. And we have to do that assessment; that assessment might trigger more open findings. We have to send that report to CMS and they give us the green light to go live or not. So enterprise content management is a really good example of that process in place where that we actually extended our Vermont Health Connect system boundary by installing that, cooking up that new enterprise content management software. So we had a third party come in, do an assessment. They found like 300 findings or something. We sent that report to CMS and then we spent three months going through and remediating all of those things so that we could be under the thresholds we needed to be. We sent that report to CMS. They had, I think, 90 days to get back to us and give us the green light to go live. So they did that in August and that's how we could go live with that software. But so I think to Darren's point, there's some open items on that POA&M that will be closed by doing these Oracle upgrades. So I just want to clarify something. February is also being driven by we don't want to spend money on these Oracle upgrades because we're going to migrate off. Right, yeah. So if, in fact, February comes and we're not able to do it, then we would be forced to purchase the upgrades for just that one piece of software. Right. We still have to do the upgrades. Yeah, no matter what, everything else that we're going to continue to use has to be upgraded. The question is, are we going to upgrade, are we going to install the new version of the analytics software or not in February? Because right now the plan is the sunset, which saves us a half a million dollars a year.
But if February comes, and for whatever reason, hopefully not, that date has to slide. Can we continue to operate on the old software? We can. You can. It's just a question of risk. Oh, that's, okay. It's not like you can't use it anymore. It's just we have to weigh risk versus. So we've got the issue around the operational cost, which we talked about at Joint Fiscal and that would add more cost. But then the other question is, in February, when we pushed out the delay of the upgrade as long as it's recommended, we still could say we're going to take that risk, yeah. Okay. Yeah. In August, when we were talking about business intelligence, one of the principal reasons for certain network connectivity issues, have those issues been resolved? Yes, the network connectivity issues are resolved. It's really just, are we going to get the database built so that we have three full months of testing before February? And that's, it's just tough, right, because like I said, you want to give the team more time, but you got to make a call because no matter what, we can't wait until January 31st. Like there's work that has to be done. So that bug actually was holding up the enterprise content management. That was the 155th enterprise content management was being affected by something else. Okay, all right, that was something else. Yeah. No, I mean we have to understand, so thank you. The warehouse timeliness being built in a timely, what are the factors that are impacting that? I think that a lot of it is the challenge with reverse engineering stuff that has been built ad hoc over many years by a contractor that didn't document a lot of things and matching that with the right skill set, the skill level of people on the state side. So human. It's human. So I think, you know, we were all just talking before this meeting about what other resources could we bring in that could get up to speed quickly that might be able to handle some of the additional levels of control complexity.
Like we, you know, we have flexibility in the project to bring in somebody from one of our staff on engagement contracts who might be really skilled at database development. And so it's like, you know, you never know in these projects of putting, sometimes I think there's a false assumption that more bodies means you can even think faster. And so what we're trying to figure out is like, is there a specialized skill set or a couple of resources who could come in who could help us be more effective without actually being distracting, right? Because then you have to take the time of the people who are working on it to train the new people. So it's a little bit of a dance and we're trying to get an accurate picture of what's gonna be helpful. And then really say, okay, these are the couple options we have and we have to make a decision by X date in order to trigger them because of the work that's associated with them. So like what do we need to see in terms of progress by October 15th, say, to be able to make the best decision that we can about are we gonna be ready by February or not? Like none of it is exact, but that's what we're trying to figure out now that the network issues are resolved. Because we couldn't see any of this before the network issues were resolved because we needed data in the data warehouse in order to be able to test things. So that's part of why it feels like we're having this conversation late in the game. If we had gotten the data in, we would have been doing, looking at and having this conversation four months ago. So it's a combination of two things that aren't great. They're built on each other. Yes, exactly. So then the last one is just, I think we've talked a little bit about the CMS mitigation items. Like there's a couple things that CMS wanted us to do this fall that are really basic from a technical perspective that just get us closer to compliance. 
So for example, having a way for the aged, blind and disabled Medicaid population to report changes online. So we have a fillable PDF online. So it's not the fancy version that we'll have next year, but it at least gives people an option. And so that change report form is up and running. And now we're working on our next two commitments, which is having a fillable PDF of the application online and having phone processing for that population to do. So we're on track to meet those this fall. Do you, for the SSI population, used to just be automatic and categorically eligible we still do that. You still do that? Yeah. And so they have to still fill out the application? Not if they're eligible by category. We have matches. Okay, that's what I'm just talking about. Okay, so that is that. We've kind of already talked about this, but just to be a little bit more explicit, I think the concept here is that we're trying to deliver products in smaller pieces and parts that make life better for either users or staff. So the two projects that we've gotten across the finish line I think have shown that we can do our user research and implement a product that makes life better for people, which is really powerful. And I will, this was just a quote from the day that enterprise content management went live. One of the staff members from our document processing center sent this out in the thank you. And it is the first time I've been involved in a technology project where staff have said, oh my gosh, you made our life better in seven years. So it was like a very, there are two smiley faces in it. I wanted to make sure that you made it into the testimony. And for this big amount of people. Yeah, so that feels like a big win. Like I said, we've successfully sunset our first Oracle product. We're in the process of making sure we have the full grasp of all the savings that will come of that. 
But at a minimum, we know that there's a reduction, for example, in Optum M&O costs from sunsetting. Sorry, maintenance and operations costs from sunsetting. So when we're building your budget for this year, did you anticipate some of these savings? So this 400,000, you've already, sorry, I've been counting. It'll be by the no projects in BI. No, or the fact you already assumed it when you built your budget request for this year. That's what I'm asking. Yeah, it's not on top of anything else. So you can't use it to offset your higher spending because we've already assumed it in building in your budget request for this year. Right now, the increased costs of business intelligence are being absorbed in the fiscal year 19 budget for DVHA. Because it should, if we go in February, it won't, nothing will happen, and no cost should roll over to 20. It is true that the savings, we didn't know the savings that we were gonna get on the Optum side until after we built the 19 budget. So there is an offset here. So some of the reduction in the costs. But the 19 budget. Sorry, 20. It's closed out. It's closed out. We're in the 20 budget. Sorry, I meant 20. Oh, okay. I get some of the calendar year and yes, sorry. So the 20 budget, sorry, not the 21 budget. I think the other win here is that we encountered networking issues, which we're gonna encounter, but the ADS staff did successfully get through them so that we could launch projects. So in the end, that's a win. And then both the paper application and document imaging scanning systems were delivered. So on the ADS, we remediated the network issues. That is where Secretary Quinn was very honest in saying we hadn't solved it. He had brought in additional resources. It was kind of nice to have somebody honestly say, we're doing everything, but yeah, it's a problem. And that ended up being the bug in the Oracle side. That got solved. So there were two networking issues. 
One was the bug in the Oracle side, and the other one was an actual networking issue where we had some of the servers in one place and some of the servers in another. We got them into one place and solved the issue. Yeah, so I think the win is that we solved it for the in-flight projects. I think the conversation with joint fiscal what ended up in the, at least one of the memos, I can't remember what was in one, but the idea that, okay, we're probably going to have more network issues. It's not like we magically fixed the issue of aging network infrastructure. So what can we do earlier in the project process, do capacity and performance testing so that we find the issues earlier and then consult them? So that's part of what we wanna, the plan we're working on, we can come back with. Okay, and then the other thing that we'll show up mostly in the November report is we have two of the projects that are scheduled for delivery in 2020. So our premium processing project, this is where we're returning qualified health plan premium processing back to the insurance carriers by October of 2020. We already booked those savings, a million bucks. We gave you a one-time bridge. I know. And then the second is that online application. Those projects have started, they're on track. We did a lot of user, like they started way faster than the other projects because obviously we've learned a lot. So we're feeling really good about those two. Both vendors should be on the ground next month. And then master data management was on track, what was on the list for October to start in October. I don't think we should start that right now. And I think we're already trying to do a lot of things at once. And I really wanna make sure that we can deliver on what we've already started before we start anything new. 
So while the goal is to start that in October, I think that's just on pause until we make sure we have business intelligence squared away and that project's closer to close and then we can talk about starting something else. I'm not sure what master data management means. In light of all the analytics and stuff that are deferred until February, is there a connection between the data being managed and the data being analyzed? Yes, so master data management, although Darren, you can tell me that. So essentially what master data management is is being able to connect clients and different systems together. And so think of a big list, essentially a giant unduplicated list of people and where they live and the other systems. So you can do analytics across the other systems. So you could tell who is on healthcare is getting food stamps, fuel assistance, et cetera. So it's that master index. Yes, that's what it is. All right, I understand that. I didn't know if data management was something bad. It does actually include data cleansing, which essentially is making sure you have good data and you don't have people kits in the system too. So you're good. People with two different addresses, yes. Exactly, making sure you have the best address for somebody by verifying against the US Postal Service or other good sources for a campaign. Yeah, so it's really important. But we just have to prioritize how many things we can handle at once. And right now, premium processing and online app are both legally required things. We have to deliver an online app for CMS and we have to shift premium processing back to the carrier deferred legislation. So yeah, I just am worried about us starting anything new. So when do you think that's what's your range of when that gets started at this point? I would prefer that we don't start anything new until business intelligence is close to being delivered. So that would be the first quarter of next year. 
And that master data management is something that we've talked about for 100 years. So it's not critical. I wouldn't think to moving out with the replacement of the exchange and the Medicaid eligibility, specifically, it's more. This is more, it's going to make things more accurate, easy to analyze and use on the back end. But like I said, it is important. It's just, you know, and in my mind, master data management, it would be really nice to do some of that work on the new data warehouse. And so it's connected to be, it makes sense to have business intelligence across the finish line before we start another data project. Some of the folks that are working on the business intelligence project are also the same people that would be working on this as well. So we don't want to deplete those resources from the important work that's being done. OK, so this is just, I'm reacting to what I've already said essentially, you know, we're working on the good fun. What can we do to end as a basis of that? OK, then on the finances. So there's two things that I think are worth pointing out that I didn't make clear in the written report. One is there's numbers of original estimated costs and then current projected costs for each of the in-flight projects that we were required to report out on. Those are total costs, not state costs. So when you're looking at those numbers, depending on the project, the actual state share of that is anywhere from 10% to 25% depending on what programs it impacts. So enterprise content management and business intelligence are both essentially 90-10 funded because they're health care only projects. It's not actually 90-10, it's like 87-13, but we say 90-10 for short. So when you're looking at, you know, ECM, an overage of a million dollars, essentially the impact on the state budget is about $100,000 on the capital bill. So just I should make that clearer. I should have both numbers in there, essentially. Yes. 
And I think you said you're going to do that in that picture. Yeah, I have all the numbers in my inbox. I just am trying to normalize everything to make sure it's right. The other thing is that each one of most of those projects bridge multiple fiscal years. So you're looking at the total projected cost, but it's spread over two fiscal years. So it really takes looking at what were the original projected costs in fiscal year 20, sorry, and then how much should we spend by project in that fiscal year, and then looking at that for 21. And so I have all those numbers. That's one of the handouts that I'm working on that can detail those costs for 20. And there's essentially, when you look at it, two. So the headline is that we didn't exceed our budget in 20. So we had about 2.3 million in capital funds to spend in 20. And we spent just $100,000 less, 2.2. So we were right on budget, essentially. And even though the cost of some of the projects in 19 or 20 were higher than expected, we underspent in some other areas. So an example of that is program spending. So IE is a really big, complex set of projects. And so you need some staff infrastructure at the program level, we call it, to make sure all those projects are coordinated. So we have my role. We have a program manager. We have some other, like, we call them project coordinators to make sure we're doing all the appropriate reports to CMS. We have 18F costs that are built into that program budget. So we've been spending a lot historically at the program level, particularly on staff augmentation. So bringing in individual contractors to help with that work. We have really crunched that spending down. And so we spent millions less at the program level than we originally thought we were going to in fiscal year 19 or 20. So that covered some of that. There's also a couple other places where the project spending moved slower than we anticipated. 
So both business intelligence and document uploader, the costs of those projects are gonna stay steady, but some of the work started off more slowly than we thought. So those costs are being kicked into fiscal year 21. So it's a combination of things moving a little slower and actual under spending working on it, hand out that we'll detail that information for you. The story for fiscal year 21 is that when we look at the budget, even with some of the projects sliding, based on our best estimates of everything that we wanna get done, assuming nothing crazy happens with CMS with cost allocation, we will be able to deliver, we said we're gonna deliver in the $4.5 million requested for fiscal year 21. The wild cards are CMS and FNS's decisions about cost allocation. And so that is still a conversation in play. I hope that we'll have more information on that in October, November timeframe. We've made a counter proposal to them about how to do cost allocation and we're just really waiting for feedback. Where does the FNS matching come in? That's the food stamps. Yeah, so anything, any project that involves SNAP recipients, FNS will reverse it at 50-50 mandatory. But what do you do, what particular? So the online application. Online, they're having to, you're having to cost allocate that because it's including other benefit programs. And document uploader is in the same line for those two projects. And childcare assistance is not part of this at all. I think at some point it needs to be brought in because there shouldn't be a family on childcare assistance that probably doesn't have, shouldn't have their child in Dr. Dynasaur, for example. Right, I mean everything that we're building should be extensible, which essentially means expandable to other programs. 
So, but that, you know, that in June of next year we're hoping to start work on the case management system, which is really what's going to empower the back end of these programs to come together and make it possible to consolidate more things. And how is that different than the, what's the piece that we're just talking about? The online application. It's a master data management. So the case management system is essentially like contact management. So a case, a worker can go in and put in somebody's name and it pulls up their whole case file. So all of the information that's in it where they live, what their eligibility determination is, when they're out for a review, all of that stuff. And so there's, you know, there's data in there. Would it be, including for example, Reach Up beneficiaries are getting a financial benefit, but they also have a case plan. So it would be, it would include the case plan in terms of, you know, what the education or training or employment activities or associated service needs, assessment of the family functioning, that would all be there. Yeah, but we're not even starting to put energy into that in June of next year, essentially. That's when the case management work or the rules engine work picks up, which is what will allow us to sunset more of a complex back end of all of these. So I asked you this the other day, and I remember, obviously the development of the health exchange was very costly and its ongoing annual operational costs are costly. Is there some ballpark estimate of when we get done with all these investments and migration away from the exchange? What would be the net savings? We don't, but we, I recognize that a lot of people are eager for that. Well, you know, when we were first talking about, this was back when Mark Larson was around, we were talking about an exchange with an annual operating cost of $18 million, I think he said we were up to about $30 million. 
That's a lot of money, and I'm just wondering whether we're moving in this direction. We obviously think that it's financially advantageous, functionally, it's advantageous, and we won't have any more YouTube clips of people about to slit their wrists on hold. But I was just wondering in terms of any estimate of what it would help in terms of the cost of operation. Yeah, we used to sit down and really think about that. And I know it's more difficult, it's going to be harder because what we're doing is taking and bringing back the eligibility for other benefit programs before we get done, which got split off sort of with the exchange. And so it isn't just a, it isn't a clean comparison. Yeah, I mean, I think that it becomes particularly challenging when you're trying to do things in this modular piece by piece way, because I don't know yet what we're gonna choose for a case management system. And so I think we can work on some high level estimates, but they're gonna be just that. I think there's also, but at some point somebody at the agency level should be able to aggregate what are the total operating costs across all these benefit programs. And so the exchange might be 30 million, but in fact then you've got all the other access related and other systems that you might have out there. And it's totally one of the dissolidates staffing. I will say that I've heard differing opinions about whether operating your system in a modular way in which you have multiple pieces and parts and vendors is more or less expensive than going with one vendor to do a whole thing. I think, I don't know, I just heard a competing opinion about that. 
I think there are other advantages to doing things in a modular way because the continued investments that you have to make in the system to change things are smaller, but when you add up all of the individual costs of maintenance and operations across multiple vendors, I think that's still a working part of even across the country in assessing that view. The other thing is one advantage to this is you end up getting the best-of-breed solutions rather than sometimes companies come in and we've got the whole thing for you, but a bunch of those pieces of the whole thing aren't the best pieces of technology that we want to use or are duplicative of things we already own in-house. And so you don't want to re-spend money on things we can do in a more efficient and economical way. I think your question is a good one and we do hope that's something we're going to work on. And I do appreciate the importance of what does it mean for the poor Vermonter who's trying to navigate these systems, but at some point it would be kind of nice to know how it all sugars off financially. And I don't... And at this point we're starting to... We have our best guesses of what the architectures will look like three years from now, so I think we can make better assumptions and probably won't be here to see the findings. It's like all those investments in healthcare. Where are we going to see those more? I mean, everyone always says what we're doing is going to save money. It's like, okay, you know. But the good news is we are actually seeing some savings already from those things that we're sunsetting the new shiny thing and leveraging something we already have. So we're seeing concrete examples of that. How many more times we can do that? I don't know. Like it's not like we have an in-house case management system sitting on the shelf, but we can sunset the old one and just use that one. So I think it's gonna be less likely over time, but... Okay, and then on the partnership. 
So we're really focused on... There's three key things that we're doing to try to make sure that we're streamlining the relationship and decision-making between ADS and AHS because everything that we're doing is this really intense partnership. So it's been really clear to us that we need to focus on ensuring alignment on strategy and goals. So it's like not only about what we want to accomplish, but how we want to accomplish it. We need to make sure we're all aligned on that in order to work effectively because so much of this is working in a different way than people are used to. And so you need to have alignment on both strategy and outcomes in order to keep everyone rowing in the same direction. And so there's two things that we've started to do in the last, you know, I would say, it's pretty new four to six weeks that we think are helping. One is agreeing on a new organizational structure for project execution to really provide staff with clarity on roles and responsibilities and what decisions they can make and what things they have to escalate and how our staff will partner together. And so, you know, there's just some key roles, for example, that you have in modern software development that we haven't had. So a good example of that is we typically operated with what we call program manager model. So one person who's sort of my counterpart on the project management side that's keeping an eye on everything in the program. So how all the projects are doing, all the boxes we have to check with CMS, all those sorts of things. And what you see in modern software development is that you have a delivery manager and a product manager. And so the delivery manager is spending their time really focused on what are the key pieces of software that are in flight that you need to deliver and they're just like dogging those things constantly and making sure that people are coordinated and that all those things are across the finish line. 
And then you have a product manager who's somebody who's thinking about what are the next four projects that we're gonna start. And you don't have one person trying to do both of those things. And so one of the things that you see in our org structure is creating those two roles and moving away from that more traditional program manager role. And that's something we're working to implement now. So I'd be happy to share that with you. But there's just things like that where we're really trying to get clarity and making sure that every person on that team has a written set of roles and responsibilities and expectations so that they really understand this is what I'm as responsible and accountable for. Are you getting good acceptance from the staff in terms of making those changes roles and responsibilities? We're in the middle of rolling them out yet. So I think it's still a little early to tell we are in the middle of hiring for a delivery manager and I'm really hopeful that that's gonna help. We also just hired a deputy program sponsor. So a second to work on the business side to take some of the stuff off of my plate essentially and really have another person focusing on in-flight projects so I can spend more time on budget and cost allocation and conversations with CMS. So I'm breathing aside really about that too. But I think that has been really well received and we were able to hire someone on the state staff who has like 30 years of experience in lean and project management. We've done work in health care. We've worked for a couple different hospitals and you know we've only been around for a couple weeks so I was picking up on things really quickly. So I mean. Who is that? His name's John Zennacher. I'll bring him in at some point if we guys can meet him. So and then the second thing is making sure that we have executive check-ins every other week to ensure alignment at the highest level. 
So that means Secretary Quinn and Secretary Maxim work all in a room together and I'm briefing them on how we're doing an IE and we're just talking through problems or challenges in real time which I think is kind of as much needed and it's really helpful. This has been great. Thank you. When we're looking forward to we want to have an update in October here at our regular meeting and then we'll have to make another recommendation in November. Yeah. So I would like to ask you to maybe articulate in the October meeting what we should be asking, looking for what you're going to be telling us what will be the key pieces here. And then again for considerations in the November recommendations. So let's start with our next meeting. What will you be coming to talk to us about? What should we be thinking about? So I think the things to think about are where are we at with business intelligence and have we made a decision about what direction that's going to go? Have we successfully rolled out document uploader? And then where are we on the newer projects that we've started? So I think the November report explicitly asks for updates on the online application on premium processing and master data management which I just kind of already told you that we're pushing that out. That's not going to change but progress reports on those two new projects that we started. And then I think the other key thing is the network stuff. So what is our plan for performance testing and capacity testing and how are we going to implement that earlier in projects? You're going to tell us that in October? And then the last thing I think would be any progress on the funding conversations of CMS. Is there that? You had also mentioned that there was an issue involving increased compliance by clients in providing you with information and documents that might generate an increased need for staff. But I didn't see a number associated with what that might anticipate. 
Is that something you're going to be able to talk about? I don't, probably not by October. So I don't have anything today to indicate that we're going to need more staff. I think we're going to need to get more out of the people that we have. Like it will put some day-to-day pressure on people. If we see dramatic uptake in the uploader and with cooperation rates, like if it were to go from the 50 to 60% cooperation rate with documentation today to something like 80 or 90, that would warrant a conversation about making sure that we have the right number of staff to handle that. I guess one thing I'm still unclear on a little bit though is if you have a 50% cooperation rate, what does that impact, how does that impact people who don't comply? They are closed off for their benefits. And is that a significant issue at this point? I mean, Medicaid, you have a lot of churn. So people might apply, they might not cooperate with something and then they need to go to the doctor and you can get on Medicaid again every month. So there's a certain amount of churn created there that increases workload for staff. So the question is, do they have to then process and do application all over again? So if we go from a 50% cooperation rate with hey, send me your paystubs to a 75% cooperation rate, so now we're getting more documentation in the door that staff have to review and say, yes, you're good, you stay, you're eligible, or no, you're not, is that more or less work than the work generated by the churn of people coming off and on, off and on. And I just, we need to see more stuff come in to be able to understand that impact. It is totally possible that it's just gonna, like even out, that would be my instinct, but I don't know yet, but essentially that's what we're watching for on operational side. And we have key performance indicators around processing time and backlogs and volumes, which will give us early indicators of what direction that's going. 
So certainly if there's any indication that we have a problem, expect that I would bring that to you right away. But we don't have any indications of that. It's just something we're paying attention to. Okay, all right. Thank you. Is there anything else that you'd like to do? No, we should think about everything. Okay, I would be in touch with more numbers. Just know that I'm working on that from our state fiscal year 19 to provide that detail, so, okay. Great. We said, yep, we're gonna get started. All right, there it is. Good job, sir, very careful. Yeah, that's usually what you want. So, we're looking for the next hour to have a discussion. Senator Brock and I have had a couple of discussions this summer. We wanna understand more about cyber security breach notifications. So, in particular, thinking about the legislature's role, how the legislature could be notified with regard to state sites and for state-collected data, how we could, how we should, how we are. And so, we have asked, there are a couple of pieces of information that have come. So, David Hall from Leg Council has done a lot of work on data privacy and with Ryan Krieger from the Attorney General's office. So, they are here to help us on that, kind of understanding those pieces. Becky is here and helped get data from really all of the Leg Council around any issues. We asked for the last three years any kind of major issues that have come up that relate to cyber security. And then, Secretary Quinn is here. We just wanna hear about kind of standard practices. And I wonder, in terms of notifying the legislature, and I wonder if actually, if that makes the first, if that makes the most sense, is to start there. And you and I have not had a chance to, I haven't told you what I'm gonna ask you. 
But just to talk about, if there's a breach, and I know you have a presentation, but what I'm interested in right now is if there's a breach right now at a state site, or a state DM, how would the legislature become aware of that? Who'd be contacted through me? And who? And who? Yes, who like, is there a process? Is there some, you know, is there any kind of standard? Like to this protocol? Pro Tem, yeah. Right, it depends on the severity of the incident. The Speaker, the Pro Tem, along with the chair of the Energy and Technology Committee and Senate Government Operations, Senator White, which is where I report to. Well, I think that I would also be interested in not just in breach, but also in denial of service or other kinds of attacks and incidents. Yep, that's for an incident. Or for a significant internet, a significant outage affecting critical or important services. Okay. And I- You're gonna swirl, for example. Sure, yeah. And I mean, I view this as a, you know, like, hey, this is really emergent, and you know, how are we working? How do we wanna work? And how can we get there? Yeah. So. Okay. From right now, we have things I can publish out. This may be helpful, I thought Ryan would start, but that's all right. Close old mouse, if you'd rather. Do you have a document on that? Mm-hmm. Yeah, it just, so it lays out our process for dealing with an incident here at the State of Vermont. Oh my gosh, where did we start? Right. Start in the upper left. Right, then user reports an incident. So I could walk through each one of these, if you'd like, or we could just use this as a backdrop, but this box right here, or this area, is really where the incident command, ADS Secretary, State CIO, starts to notify people and coordinate, whether, you know, I'm coordinating with federal partners, insurance providers, the legislature, contract support, Attorney General's Office, Governor and media partners, if there was a level three or higher incident. 
So that's a term that would be great to understand. Yep, it's on the next page. Okay. There's a classification of each level. John, where does this exist? What is this from? That's our internal process. So when you say where does it exist, it exists in the Chief Information Securities Office? Okay, and so this is a process for ADS? Yes. Yep, now, this is a process for ADS. If an incident happens elsewhere in the enterprise in, you know, the seven or eight branches of government we seem to be identified so far in terms of information technology, what happens there? For example, to Secretary of State's office. I would call him the Secretary of State and ask him. No, but I'm just asking in terms of, again, this issue of protocols for notification is limited to what ADS actually owns. And if we look at the matrix regarding critical systems and services around state government, ADS does not own all of it. That's correct. Yep. And we don't have Kevin here, but can I throw in the hot seat? And can you just identify yourself? I am Jesse Jametista, I'm the operations manager for the judiciary. And, you know, if you guys have a breach on attack, do you have? I mean, so since I've been here, we haven't heard anything specific come through with a breach, but this is where it gets a little bit of a gray area because we would kind of look towards ADS being the ones who are securing the perimeter of our network for some of that. But some of these areas are a little gray as far as how we get notified. For instance, this process is, we don't have access to see this process. I'm seeing this as you are seeing this process. So what goes on, and on that side of the fence is unknown to us, as far as what we have internally. We have systems that we own and security parameters tied to those systems, but it's all inside of the overarching network, which we don't want to own at this time. Right, I think it'd be good to have Kevin come in and describe their network, right? 
We provide the internet connection and do nothing more. Yeah. Okay, okay. Is there, John, Secretary Quinn? Yes. So is there a reason why this process would not be known to, or should not be known to, some of the users of ADS services? Or the judiciary, okay. I don't think it's not a secret by any means. We have all kinds of documentation about all kinds of things. I mean, even if it was online, it still takes all the communication around how to get out every process we have, right? So this is something that we need internally. So it's our internal playbook. If the help desk gets called and says I have something funny going on with my machine, it gives them a standard process to walk through, how to identify if it's a security incident or if it's a regular IT computer issue. So going to the graph, it's the call to your help desk that triggers the, the end user reports the incident to the service desk. That service desk, then, is what triggers the whole process on this graph? Or there are three different. Yes, so, or we get a system-generated alert on one of our intrusion detection systems, tells us, or law enforcement notifies us of an incident that they see happen. Those are the main ways that we're alerted to an issue. Is that federal law enforcement? It could be. Could it be state law enforcement? Sure. How would they see something that we wouldn't like? Can you give me a, for instance? We've, in the past, been contacted by the Vermont, I'm gonna, it's VIC. I'm trying to think of- A law enforcement. Yes. They have a special unit that looks at- Crime victim. Information. No, no, VIC is the Vermont Information Center. Yeah. Intelligence Center. Intelligence Center, right. 
They've sometimes monitored some things online for certain criminal activities, and every now and again, they'll spot a network segment of the state of Vermont, maybe, or identify a state person that could, someway, be thrown into the mix, and they'll notify us and brief us on what they're seeing, and we look into it further from there. Oh, yep. Let's go to the panel. Okay. So overall, this is how we deal with a security incident. And as I said, a level three, which we considered likely to result in a demonstrable impact to public health or safety, economic security, civil liberties, or public confidence, that's the level where we would notify the legislature. Okay. So oftentimes, when we have a system outage, just to speak to Senator Brock's request for notification or further dive into that, we usually put a time limit on that. So I won't notify the governor's office until we've been down for 30 minutes or 45 minutes. Quite often we'll see a blip in something and by the time I call it, it's fixed, whether it be from what.gov website or internet connection to a Waterbury complex building. A lot of those things are considered minor until they get a certain threshold of time, which depending on the building, depending on how many people are affected, I use my judgment for that, I'm going to notify. So this is sorry, John, for kind of stopping and starting here, but when we're looking at these levels, I think maybe one of my questions is, would we ever be notified? So, you know, would we get notification A and then N? So, and I think what I'm, I don't know what I'm hearing right now. So with level three, we would be notified, would we be notified for anything below level three? The legislature? Would it show up in a report? What kind of report? I don't know, can you think of a way that the legislature would be informed of level two, level one? 
Sometimes, you know, my citizens reach out to their legislators and say, you know, I tried to go to the DMV and get my license and the system was down. And that happens from time to time. Okay. You know, I'm not picking on the DMV, it's just one that's across the street, so it's easy to use, but you know, that happens from time to time and people get affected. It's all at what scale do you want to be notified? You know, if the system goes down for 10 minutes and the office is, you know, having an issue, do you want a notification? Do you want to be notified, you know, if we have a problem at the Department of Labor and they can't access, you know, one of their systems for an hour? Do you, you know, I think part of this is understanding what you all would like to hear about. And then we can change your process to add in notification. One of the things that we like to do is confirm that there's an actual incident before waving the flag, so making sure that it's a true security incident before starting to send out notifications all over the place. Right. Yeah. Okay. Is there anything else on here that you think we'd like to? No. Okay, so then. Great. With regard to, so I think with a level two, one of the things that I hope we will talk about, level two or lower is, you know, is there value? So the legislature has an oversight role. They have an appropriate role, right? We have a public conforming role. And so is there value? Do we have a responsibility? Can we do our jobs? If we don't know about level two, do we need a phone call when DMV is down? No, but should we, on an annual basis, know that DMV goes down, you know, three times a week for 30 minutes so that we have a sense of how we should be thinking about, and I don't know the answer to that, but that's more along the lines of what I'm wondering. Well, I am wondering what do you use to inform the governor's office on assuming that a 10-minute or whatever, I mean, some of this stuff is just not that common. 
So out of this series of colors, when would you have that kind of notification that would rise to the attention of the chief executive of the state? Is it orange or red or orange? It's orange, for the most part. It depends on the system, and I don't mean to be elusive in the way I talked about this, we have 1,400 different systems for 8,700 employees. And you multiply that number of classifications, you're gonna, Right, right, and so some of these applications serve 10 or 20 business office people and not a large portion of state government. If it will continue down the road of very customer-focused organizations, so we'll use the DMV, if we had an outage in my weekly report, I would, to the governor, I would say, you know, we experienced an outage on Wednesday. Here's what we know about it. Here's the timeframe that it was down, and here's the resolution we know at that time. Some of these higher levels would not wait for your weekly report. That's right. I'm assuming. That's right, and those are usually when we suspect a breach of data, when maybe a media outlet has contacted us and said we've been made aware of an incident, those type of things, we usually like to give the boss's office a heads up that there's potentially something that is going on and we're looking into it. We're also obligated now that we have cybersecurity insurance. We have mandatory reporters, which is the state CIO, the attorney general, secretary of administration, the chief information security officer, and I think Rebecca White, our insurance manager, I call them direct reporters or mandatory reporters. Once we know of an incident, once we've been told that there's an actual incident, so if we had a ransomware attack, once we're told we have only 24 hours to notify the insurance company in order to be eligible for a claim. 
So we have to determine very quickly in an actual real cyber incident on whether or not it's a real incident and whether or not we need to contact the insurance company. So can you tell me a little bit more about mandatory reporters? You listed other entities besides the insurance. So what is a mandatory report? That's something that you have to report to? That's someone that if they know that there's an incident, if they've been told there's an incident, they're obligated to report to the insurance company to put in a claim or not be eligible, essentially. So if we want to be eligible, we have to put in that claim in 24 hours. And so the legislature is not on that? No. Management. Function. What's been the frequency of level five emergencies at any? What was your question? Well, of course it's been the frequency of the level five emergencies at any. I don't believe that we've had any. Well, the situation, for example, of which state systems were down for four to five hours, would that not have qualified under that definition? I thought about that. We were still able to access some resources. Our email, for instance, our online file storage, several district offices still had internet connections, still had access to those systems. So it was a partial outage. Our main data centers were out. And I looked at that more as a level four. This is a very good question, Eric. Can you speak to kind of the more general environment of our peer states as far as whatever you measure up here as and kind of from a larger sample size, what the frequency of these more severe events are? I'm understanding you're right. What are our other states? Level five? Yeah, I mean Vermont is a sample size of one. But if we open up that pool to a slightly larger sample size to kind of look at the, I don't want to say the industry, but the market or the group, a little bit larger group is a little bit more frequent. 
You say we can ever have a level five, are other states in a similar position as us experiencing level five on a more regular basis? That sort of thing. Yeah, I wouldn't say it's a regular basis. And I may even change my mind about whether or not we've had a level five the longer I think about it, because I think we need to think about things like E911 and an outage there and whether or not that would be considered a level five, which it very well could be considered a level five. Other states, there's a number of other states that have had ransomware attacks that have crippled either their town, municipal government, county government or state governments in some situation, Colorado, Minnesota, Georgia, a number of states. In fact, ransomware attacks overall, about 60% of them are on government entities. So we're seeing more and more activity in that area nationwide if that answers your question. But reoccurring events, I can't think, I don't have any data to support that New Hampshire has five a year or New York has 15 a year. It all depends on, there's a lot that it depends on. A state like New York, and they have 150,000 employees, state employees, so what's considered. Do you have any information as to whether those tend to be increasing as time goes on or decreasing as states get more sophisticated in their countermeasures? I don't have any data to support that either way. My instincts are that states are seeing, and we're highlighting more outages than we used to. We're relying on technology more than we ever have in the past, and it's become more of a lifeline than it ever has in the past to everything that we do. So it may, they may be smaller from a statewide perspective. It may only be a county or a town or one specific service, but people are depending on those more and more, and therefore they're getting more attention than they ever have in the past. Okay, thank you. One more question. So in turn, do you track like all outages? 
Well, I shouldn't say outages. What are we, cyber, what is this for? So this is for security incidents. So do you track all security incidents? Yes. And so as you're sitting there, and definitely we can continue to evolve this conversation, can you think of any reason why the legislature should not be informed of that like on an annual basis or a quarterly basis? Is there any reason that you can think of as you're sitting there? We'd be happy to put it in our annual report. In fact, we've put parts of it in there already as far as number of plot attempts. This is the one that comes to mind. But this week in my weekly report, because we're building out the project with Norwich University, we've been reporting on the number of incidents that Norwich has reported to us that they've seen the number of incidents that we've been able to look at directly from that. So there's been over 300 incidents that we've looked at already that Norwich has picked up on their systems as potential incidents. In all those cases, we have been able to track down what's been going on, and we haven't had anything big there, but they've had us check out 300 different things approximately. So this committee is looking at some oversight, there's other committees that look at some oversight, but we also, we have our appropriations committees. And so when we think about what information might be useful for them to know, it might be more specific than our incidences. Sure. And so can you envision a way where that, I mean, are there challenges in reporting with more specificity looking backwards? I don't think so. I think that we could give you a report on how many ransomware attacks that we saw, how many different types of attacks. The systems, that's what I'm, so this is what I'm thinking about. You know, we're talking about appropriations, you come in, you've got a request, you know that there's an issue. 
You know, what is the, so rather than on a case by case basis, what is more of the standard procedures for us to know that there are issues, that standard kind of communication. Right. And I don't know what it is. Right. I mean, is there, again, is there like a looking backwards? For the perimeter in some systems, yes. For a lot of systems, no. In terms of breaches. In terms. For incidences. Yeah, in terms of deep monitoring and reporting capabilities. Just now, does Dan Smith have any, get any notifications on cyber incidences? No. So would there not be some concern though, about not reporting in sufficient granularity, breaches that continually occur in a particular system suggesting that it's not particularly well protected? If we wouldn't want to certainly put that in a report that is not closed in circulation. Right. So I want to be clear, we're aware of no system that has breaches happening. There's attempts continually, right? I mean, there always is no matter where you go, whether it's the financial sector or transportation sector, we're going to see constant attacks. As far as breaches go, we've been very fortunate in that area and with the tools that we have, we have not seen anyone get through. I'm trying to sort out exactly what we were talking about here. It seems like for some of us, when we're talking about cyber security, we're thinking of external threats. On the other hand, there have been times when the system has been down. It may not be a result of any kind of cyber activity at all, maybe for something. The swirl on the lines. So in terms of the notification protocol, we talk about cyber security. What falls into that cyber security definition that results in a notification? Because not all of it would necessarily be an external threat. It could have been the other swirl, all the way through the cable, I don't know. So I'm just like, are we conflating things here or? I think so. 
And so that's why I just wanted to step back and say, are we really talking about a range of activities that could trigger a notification? And 911 was referenced, obviously, that has security issues, but in a very different way, maybe, than we are thinking about them in terms of our automated systems that support functions of state government. Right. So this was about security incidents, right? So this was about, whether it's a breach of data or a compromise of data. That's what this is all about here. Thank you. Yeah. Okay. Laura. Yeah. Then I would say, I think you were kind of getting to the issue of how much the legislature needs to know, but from an appropriations point of view. I mean, John might come to us and say, when we're talking about budgets, and he'd say, in the last year, we've had a certain number of incidents that are really critical, and they really concern us, and we need some more equipment to help us resolve this problem. And so then, yes, the appropriations folks would want to know, well, what's the extent of the problem, and how can you solve it, and how much is it going to cost, and will it really work? All those issues that I don't, I wouldn't think we need routine reports. I would think we would simply want to rely upon John's staff to come to us and give us that information, that we're behind the times, we need another firewall, or we need whatever. Which is what we funded the last time. But there are other things that we've funded, and it would be nice to get feedback, and it's just getting going, and that's the whole relationship with Norwich, and which was going to be really a major enhancement to our capacity, because you were saying, and to do that 24-7 kind of surveillance just doesn't fit well with, to do it all on the state level. So, we accepted your request to establish that relationship. I think we all would like to, a year from now, sort of get a summary, is this working? 
We're lousy, the legislature's lousy, in terms of structuring a follow-up. Did we, did it actually give the benefits that we were hoping for when we made this investment? So, I see that's another area, as well as the documentation you provide us when you say we need 400,000, because we really need to acquire this additional technology or software to carry out our responsibility. Right, and I think when we, just to dig down into that a little bit, when we asked for the one-time appropriation, we were able to tell you how many pieces of equipment were over 10 years old and how they weren't able to be updated and the cost of that type of information. And then on the security front with Norwich, we're still implementing. I'm not asking if you're gonna write this note down. No, no, no, I know you're not, but I think it's a good opportunity for me to just say we're still on time and on budget with that project and that's scheduled to be live for November. Right now it's still working out the kinks, but as I said, we've been able to, they've identified 300 incidents and we're tweaking exactly what it is that we see through that program. So I think it'll take that year to figure out whether or not the service is right for us and it adds the value that we're looking for. But I'm happy to come in and talk about that. Okay, I only caution against my legislative experience that we take a tremendous amount of resources and reports and I will tell you, it all converges on your appropriations committee in terms of all these reports which are enormous and it's hard to go through and find on page 56 so it's a recommendation to do something. 
But so some of it is making sure that we're setting the right parameters for what we get because I know that too many reports go on either underutilized, unread or whatever and I just want to be sure because it involves every time we ask for something where we are obligating the use of state resources which are limited and so it needs to be in a format and sometimes what we want is much more simple than what agencies want to give us. So a one page summary might be what we feel we need to really understand that if we want more we can ask for it but oftentimes we get more than is going to serve us well and use more resources than we really want to obligate or I'm only speaking for myself because I have every January you can measure it you can measure it in inches. We clocked about 300 hours with the reports just that we do last year. That is not insignificant staff time. No, no, especially when it's the people that should be leading the employees out there now they're coming back and we're spending time doing this week after week we've started already we've been collecting information from out in the agencies. Our security staff constantly has people coming and going as you know. And now we have Scott working half time on reporting type stuff, right? And that's Scott Carvey, as opposed to dealing with security. Right. Half his time is on reports. Hey, well, yeah, overall, yeah. Reports about HR functions. Well, I think that's my point and that's a point. And we're happy to provide whatever not just, you know, we look at it but you'll sometimes find that it's multiple committees that are making those demands and no one has a sense of what this all comes down to on each individual part of state government. Who's he reporting to? Is he reporting to the legislature? He's reporting to the legislature. He's doing different parts of our strategic plan that are legislative, annual report that's legislative. 
He's reporting on the BAA money that we received and the project requirements from that because being an internal service, I don't necessarily have the luxury of using internal resources for some of these projects because it's just, it's a vicious cycle of that. You know, how do you pay for it? But, you know, that's just one example of I suppose you can't charge us, can you? We had another million dollars under that one. But, you know, I think the reporting that the legislature approved in the ADS cleanup bill last year will be helpful. Hopefully it'll be less time this year. A lot of the things that we're putting in the strategic report when it was DII in the first two years it was ADS, there were all these things that didn't belong in a strategic report. I mean, there were all kinds of things in there that weren't even clear as far as what we were, what I was supposed to be giving you. And no one could really tell me. So I think we're on a good track now. That's what I'm hoping that we have is really clear understanding of, you know, in communication. Right. You know, the other thing that, Senator, I realize it's nice to get the feedback to say, we think you could get this information in a more organized or more efficient way. It doesn't hurt to say we don't know that it's 300 hours or 10 hours or whatever. So sometimes it's good to just say, well, we can do this, but this is really what the workload implications are. That's the only point I think. One of the long-term things that we've done to cut down on the amount of time it takes Scott or me or, you know, Sean, is we've developed an online dashboard that has our KPI metrics that are always up to date. 
Every time we get information from the field, we update it and that way you can go to our website, click on the dashboard and see how we're doing project management or how we're allocating resources to human services or what we're spending on security or what we're, you know, the different areas and we're building it out. And it's, you know, another project that we're running internal, but I think it's a really, really nice improvement. Gartner, one of our vendors, wants to showcase it because they haven't seen a state do something like that. And provide that amount of detail or transparency to the public. I must think that's a heavy, heavy look. The dashboard, yeah. I've looked at it. Have you looked at it? So, thank you. We have Ryan and David here who've done a lot of work on cyber breaches in the public sector, really, or private sector, excuse me, really, and have talked, taken a lot of testimony and worked with the committees on notifications there. And so, hopefully you can get a sense of what we're interested in here. And so maybe we'll have David. So, you've heard this conversation when we think about notifications around state sites. And this was a question actually that I didn't ask John. You know, what would happen. Although now I see, I see here. Do you see any holes in our notification processes within state government for our state sites? Do you have a window onto that? Do you have anything to add? Do you have questions about what we're trying to, look at here? I mean, for your record, David Hall looks to the council. I'll just quickly answer and then I'll allow you to go because he works in the real world. I just, as you probably know, I staff, part of what I staff is consumer protection. So my nexus to this is security breach notice act as far as what happens when there's what we define as a security breach. Then I also staff other things like, you know, consumer reporting, education, privacy type things. 
Data privacy and that sort of the private sphere. So the real nexus to what I do really only is the overlap between the security breach notice act and what you're talking about right now. And the reason that I overlap with that is because as we define it, the state or a subdivision of the state could be, is a data collector for purposes of that statute. So there's really three things that come into play is what's a security breach, who's a data collector and what kind of information is involved. And so basically data collector very broadly defined. I have a handout that I don't need to go into right now, but- Is this a legislation that you insulted the actual class that's still up? Well, it's related to that, sure. Yes. So again, this is sort of a narrow sphere and there was legislation that passed halfway through last year to expand the application of the statute, but essentially if what we define as personally identifiable information is breached, then the person that owns or maintains, collects that data for any purpose, will have a duty to notify consumers and either the AG's office or department of financial regulation. So it could be that some of what the secretary is talking about, if it involved what we define as PII, that could trigger some portion or the state under the act to have to notify consumers and really technically have to notify the AG's office. So that's a huge part of what Ryan does and I defer to him about how it works and what the implementation of it is, but that notice again is a consumer notice and then the state piece of it is just either Attorney General or DFR. It's not legislature, it's not other places in the executive branch. It's a pretty narrow process and you'll see there the definition of PII is fairly narrow as well and it has to involve a name, either a first name or first initial and last name plus some other data points. 
So unencrypted SSN, a driver's license or ID card, a financial account that could be accessed without a password or a PIN, or a password or a PIN. We did a lot of work this last session again on a bill that would have expanded the list of data points that would be applicable and require notice. That bill did not pass yet. I don't know if it will. So right now this is what we have. I'll stop there. So I have one question and I don't know if it's for you or Ryan but as it relates to state sites and state collected data, so I've heard that the state would be considered, could be considered a data collector. So would Vermonters be considered consumers? Yeah, consumer is defined in the statute as a resident of Vermont. So I think that one thing and just to kind of like state in a different way, what David just said, when Secretary Quinn was talking about security incidents and security breaches, within our security breach notification act, there's a very specific definition of security breach which could be considered a subset of what Secretary Quinn was referring to as a security breach. So a ransomware attack is a security breach, generally speaking, but for purposes of our statute, if any of that specific type of data was not acquired by someone, which often is not the case in a ransomware attack, it would not be considered a security breach for the purpose of the statute. For the purpose of the statute, if it's a security breach, then the notification obligations kick in. And those notification obligations are: tell the consumers whose data was affected and tell either the Attorney General's office. Well, in the case of the state, it would probably be the Attorney General's office because I don't think there's any aspect of the state that's regulated by DFR. DFR only gets reported to if it's a DFR-regulated entity that has the breach. So if there's a state breach, you'd be notified. It would be obligated to notify or want to, it would be you. 
No, and a few years ago, and I have to defer to Secretary Quinn, a few years ago, there was a project that was started which was a security breach notification protocol for that sort of security breach. I don't know what, you know, where that, and that was before you were there, so I'm not sure where that ever went, but I think the general policy would be, it would be, correct me if I'm wrong, that the agency or entity that was breached would coordinate with ADS and determine how the breach notification would go out. They would probably bring in the Secretary of Administration if they'd work it out themselves, but someone would have to give notification to consumers. That would be the AG's office. Our role officially is to make sure that they comply with the law. That's where we are. So do we have that in process? Do we have what in process? Security breach notification protocol. So if the DMV was breached, they would know like how to contact, what to do, is there a process in place for them? We wouldn't necessarily be in charge of that process. So the DMV, they have a specific customer base and they would say how they are gonna communicate with their customer base or what their notification process would be. So with the Department of Labor, a while ago we had issues at the Department of Labor. The commissioner called me as well as the governor's office and said, we think that this is going on or we think that this has happened. We talked about it as a group. The Attorney General's office was notified. There was a statement or a press release that was drafted by the Department of Labor and sent around for general consensus and then sent to the public. So once we knew that there was something there. So that sounds to me like a case by case basis, which is not the same as a protocol, would you agree? Well, I think the protocols are formed by the agencies and not specifically by my agency. 
So I was unaware of some protocol exercise happening before I got there. That suggests that there are agencies that have no protocol. I don't know. To be honest, I don't know if there are agencies that don't have a protocol. Should every agency have a protocol? Oh, absolutely. So it's possibly based upon some guidelines, and ADS would probably be the place that would issue those guidelines. We could assist with that. I mean, who, besides ADS, who would that be? Well, it's the owner of the data, right? So there's different, and I have a sheet here. I've got it for Senator Brock, more than anyone that's interested, all the different audits that we do and the frequency of the audits for different systems, different data. Some of those things determine what the process is of how we notify people. And whether it's more than five people, or you accidentally send a Social Security number, you have to put in a specific request form to your federal partner, letting them know. So it's different for every agency and department. We would actively take a role in that, but the people that own the data need to control the process. I know it says that every agency and department has counsel and it's the counsel's responsibility to advise them on compliance with the law, including this law. In some cases, the counsel for the agency or department is actually the Attorney General's office. So that is a conversation that takes place as well. We expect that they all are aware of their compliance obligations, just as any other compliance obligations are in their minds with them. And I guess I'll just add one thing, that, much like in the private sector, often, or sometimes, if there's been a data breach, they'll just pick up the phone and call me and say, we think something's happened, let's talk about it. Our office has always been very open with both industry and businesses and other state agencies in helping them make sure that they comply with the statute. 
We don't just sit back and say, you did it right, you did it wrong. We've always been very proactive and often folks like that. Lots to think about there. Well, it is a lot to think about because when I'm thinking about the scope of this committee, I mean, the whole technology and information technology just permeates the whole world around us. And so for the purpose of this discussion, we are concerned about the state itself fulfilling its own legal obligation for those state agencies that would be subject to this law and making sure that state government itself has the required information and the required knowledge about what to do to fulfill their statutory obligation here. Sometimes we forget that the law applies to us as well. Yeah. Well, and I guess I would not further complicate matters, but we have observed, I've been doing this, this particular law, for about eight years now. And what I've observed is that it is not always a black-and-white question whether or not an incident falls within the definition of breach, because the definition is if this type of PII was acquired or there's a reasonable belief that it was acquired, and that's not always clear. The ransomware. Well, no, not ransomware, just any kind of incident. If the logs that would have been necessary to track whether or not data went out were overwritten, if the incident was discovered long after the logs were overwritten, which is not uncommon, or if the infiltrators covered their tracks, or if a laptop was stolen and they just didn't have a record of what was on that laptop, or if an email account was breached and it's not always easy to know what was in it, you have to search through it. So there's all sorts of different scenarios where it can be unsure whether it falls within the breach definition or not. And when that happens, our office's position is generally err on the side of letting people know what happened. 
As you can imagine, the data collector, and I'm not talking about state government, just generally speaking, the data collector usually wants to err on the side of nothing happening. And so, that's a tension. And that's something that can be part of the complexity of this thing. And sometimes we can look at the same set of facts and in good faith read it as saying there wasn't a breach or there was a breach. And so it can get a little bit complicated there as to whether or not a breach actually does get reported or not based on that analysis. So, did I understand you before to say, so it would not be, under the definitions that have been worked on, a breach, the ransomware would not be considered a breach because you're not pulling information out? There are types of ransomware, correct me if I'm wrong, there are types of ransomware where they go in and they encrypt the system and they also might steal some stuff. So, some ransomware might also be a security breach. But there are also types of ransomware which are generally known to just encrypt, and they're not trying to steal information, they just want their money to decrypt it. That would not be considered a security breach. So, part of it depends on what kind of ransomware you're talking about. And I know one of the ways to mitigate, or I think I know, I don't really know anything. So, here's what I think I know. Now, I think I know that one of the ways to deal with ransomware or to defend against ransomware is multiple backups. And so, if you have one of those backups is, you know, what kind of, I don't even, captured, what is the phrase for when something is ransomed? Ransomed. Encrypted. Encrypted. Okay, so if one of those is encrypted but you still have access to the others, what is that considered? Again, it depends on if there's a likelihood that the, I mean, if ransomware has happened, then they've managed to infiltrate your system somehow. 
So, the question is, did they also manage to acquire data in that process? And part of it is just understanding that particular fact pattern, whether it's likely or not that they would have done that. So, are municipalities, if they're collecting data, yes, they would be considered data collectors as well. Do we have situations where our municipalities are collecting data that is then being fed into state systems? Yes. Who's responsible for protecting that data? Who's responsible? So, if it's collected at the municipal level? We all are. Are you being like checklist, voter checklist, like on a tax record, you know? Right, so we all are. It starts with the person handing over the paper or inputting the information. If it's on a town computer, is it on a public computer? You know, what's the security around the municipal systems? What's the security on the state side? Who's responsible for the data? Like what are the physical security features of where this information is being stored as well as the technology side of the security? So, whose responsibility would notification be if there was, so if there was information collected at the state level, or at the municipal level that the state was using, and the state has a breach. I mean, whose responsibility is it to notify? Technically, the person that owns or licenses the data, the way the statute is written. So, if you own or license the data, then you're the person that's responsible for the notice. If you don't, but you have a breach, then you have to tell the person who does own or license the data, right? Yeah, that's the way that it's written. The thing is, owner or licensee is not defined, right? And there are situations, vendors and all sorts of situations, where you could actually make a legitimate argument that multiple parties all own, could be considered the owner or licensee of the data. The position our office has always taken is, we don't care who does the notification as long as the notification happens. 
If the notification doesn't happen, then we'll hold everybody liable because nobody did the notification. So, we basically say, work it out amongst yourselves, if there's been an event, notification, just make sure it happens. I'm not sure how that would work in the state context, but that's how we do it in private industry. Yeah, and that's really that, right? Like, how are we translating, how does that translate to have interest in it? Yeah, well, okay. There's also a question. I mean, the levers that the state has placed through the statute are that there's enforcement capacity if they don't do what they're supposed to do. I mean, let's just be practical. The AG's office, is it going to sue the legislature if the legislature loses your Social Security number? Yeah, I mean, our main enforcement mechanism is penalties. So, what does it mean for one agency of government to issue a penalty on another agency of government, and it all goes back to the general one anyway. That's it. I mean, the environmental division has in fact enforced against other parts of state government where there's an environmental issue. That has not happened in the data security realm because we haven't been brought up against that. Not that we've actually had occasion to enforce, we just kind of think about it. Do we have other questions? Well, I do have one question getting back, because it ties into data that's collected by local government. And looking, I don't know how to read our charge when it talks about the state, whether we're talking about the State of Vermont government, but in fact, it seems like there is a legal obligation. It could be if the municipality somehow owns the data and you determine the way, and they fail to notify. I guess I would ask the extent to which anybody has a sense that municipalities or governmental entities are aware of this obligation. 
I know you're supposed to know once the law gets passed, but I just really am wondering, so much of what we have, it's grown up around, I mean, practices have just grown up and the application of technology and computerized systems has sort of occurred over a period of time. I'm just not convinced that all entities are aware of their obligation under the law. And I don't know if the League, so I was gonna say, has gotten this word out, but they seem to be the most logical vehicle to make sure that our municipalities are aware of the importance of maintaining security of their systems as well. She had been on our list when the press fine was not able this month. Oh. And this is an issue that I would say the municipalities are very worried about. So they're aware of it. If they're worried about it and the League is trying to do something, then they're aware they do have an obligation. I don't know that they are aware of it. Well. If I get that, I'd say that our office has gone around on a lot of public education on this issue. We've shown them at the bar association meetings and the Tech Jam and tried to explain this in every capacity possible. I think that other, I'm like maybe even five years ago, people know that if there's a data breach, someone's supposed to tell someone. I mean, everyone gets so much notification at this point that they know it's a thing. So having someone say, like, we didn't know we had a duty to notify, that really doesn't fly anymore. And I've even, I've spoken with the League just within the last few weeks about coordinating better and, you know, doing some road shows and things like that. It's more along the lines of they might know that they have to do it. They might not know what they have to do. So it's more letting them know that they should just call us and then we'll help them out, yeah. 
The Department of Homeland Security in conjunction with the state police are also doing some outreach to municipalities and trying to figure out a way to assist in educating the municipal employees and people at that level on how to protect their systems, or just some of the standard processes that they should be following and best practices. Honestly, my bigger fear, and not with all municipalities, is not so much that they might have a breach and not know they have to notify, but they might not know they have a breach in the first place, especially with less sophisticated municipalities that might not have the systems in place to do that detection. Yeah. Okay. Is there anything else? This has been helpful for me. Is there anything else that you think that we should be thinking about right now? I expect we will take this up shortly. Talk about where we may want to go with this or not. Is there anything else at this point that you all want to? Thank you. Jesse? Anything? Let's get this, Kevin still here. So, next we have, John, are you staying or are you going? I am going to stay to offer moral support. So we have Colonel Kavanaugh with us from the Vermont National Guard. We asked for an update on the governor's cybersecurity council just so that we could understand a little bit about that council, how it operates, what it does. So, if you could, for the record. Sure. So I'm Lieutenant Colonel Brian Kavanaugh, Vermont Air National Guard. And I'm part of the cyber advisory team, the governor's cyber advisory team. I've been involved with state assessments on the IT and different advisory panels for about six or seven years. Started working before John came, and he and I have worked closely for the last three years or so on that team. But I'd started way back, when he was working with Vermont Emergency Management and the state police. 
Because we recognized the need many years ago, we went through our own trials and tribulations in the military and how we deal with cyber incidents and changing the way we do business to better secure our environment within the whole, the military system. And so we have such a close relationship with Vermont Emergency Management. We formed up a working group about six or seven years ago. And so I've been part of that since the very beginning. And then when John came in, we elevated that up to a higher-level group now and we have a very strong kind of representation between a lot of educators in the Vermont college system, Norwich and Champlain College. We have military representation, emergency management, public safety. What else am I missing, John? Elections, utilities. Yeah. So we have a strong group really looking at these issues. Finance. Excuse me. Do you want some finance? No. DFR? And again, I'll kind of point out this is in its infancy in a lot of ways. I mean, John's made tremendous progress in the last few years compared to what we were looking at six or seven years ago. But we didn't know what we didn't know. And I was able to bring to the group a lot of things that happened in the military over the years, which goes back at least 20 years of significant incidents. And so, what I wanted to try to bring out is we helped develop this strategy. We decided that that was, we've been talking about it for many years, what should be the things the state should work on. And so, we created the strategy document as an outline of where we think the focus should be. And again, a lot of that has to do with lessons learned from outside companies, of which I've got 25 years of working in various businesses in Vermont. And I can tell you, the company that I ran had, we had 200,000 attacks a year on our computer systems. And that now contrasted to the military, we get that every day. So, that's the magnitude of what you're talking about. 
Now, a lot of it is not people actually behind a computer. They're automated routines called botnets. And there's, you know, but basically they're programs that run and try to go and infiltrate. And I guess my kind of, what I wanted to convey to you to simplify things is this is just like any other type of law enforcement. Every time there's an incident, it's a law enforcement action, right? It's a public safety issue. And it's as if, no, you know, it's no different than protecting our homes where, you know, you lock your doors, you may have alarm systems, you have police that patrol. If somebody wants to get into your home, they can always break in. The same is exactly the same with every IT system that's out there. You cannot 100% protect everything, but you have to mitigate your risk. And that's what we did on the military side, we started about 20 years ago. I will tell you, we're still not 100% there because every time we go to mitigate something, the bad guys create some new approach. And so it's a never-ending issue. And it is part of our infrastructure. It's no different than our power grids. And how do we protect that? You know, if lines go down, we have linemen that can quickly put them up. We have redundant systems. We have ways of routing electricity and gridding them to better prevent and add more resiliency. And we're still at the beginning stages within the whole cyber arena to get ourselves there. We'll get there in the future, but we have a long way to go with all that. But it's not that complicated. And the point is, again, I'm really excited working with John because over the last couple of years we're starting to do things now. And first is understanding the problem. And I think you as legislators could get, I think there's information and assessments that you need to get from the state community. Be it by agency, be it overall, but just start getting reports and information on what type of challenges they have. 
And some of them may be sending in a vulnerability assessment team to a town office and just doing an assessment of a half a dozen. So you have some information. You know exactly where you stand and what their problems are. And then that way you could develop legislative actions to help them, either being funding or some other type of oversight. But I think right now you don't know enough to know that. And I know having been involved in a lot of state issues that have come up, there's a wide variety of people who are better postured and others that are not at all protected. General citizens are the worst because there's not a lot of information. And if you look at the strategy, we broke it down into four lines of effort, increasing our capability. And that is looking at our technology, looking at our workforce, monitoring and reporting things to the appropriate people, attracting businesses to the state to bring better capability here. I will tell you that the current estimate is there's about a half a million jobs that are unfilled in IT nationwide today, expected to grow to 2 million in the next 10 years just because we don't have enough people going into that career field. So any business you talk to, they are short staffed. And it gets worse when you get into government because you guys don't pay as well as the outside. So it makes it a lot harder to build that bench depth and really execute a lot of things. John's staff is, you know, it's very slim on the things that you're asking him to look at. But you know, at least there's a staff now that didn't exist three years ago. So that's a big positive change. Then, you know, the other part we talked about in the strategy is resilience, which is really how do we respond and recover? I've done a lot of work with emergency management. We have plans in place where the National Guard comes in to help. But I will tell you, that's the only thing that you have at the state. There's no other capability to respond. 
So- To cyber. To a significant cyber attack where, say, somebody took down some critical infrastructure and you needed to get services back up, water systems, power, you know, whatever it happens to be. There's not a lot of, you can't just go hire a company to come in and help you. It's just, it's not that simple and easy to do. And there's also just not enough people. Anybody who runs an IT or services IT services company, they're full up. They have more business than they can handle. So that, you know, that's again, one of the lines of effort is education. For us, that's creating a pipeline of people from kindergarten through university level that are focused on this field. Because it's an enormous field with a lot of potential. Somebody with a high school education and a certificate can immediately get hired at $45,000 a year to do cybersecurity at companies, whether it be local companies or local municipalities. So there's, but we don't have that pipeline. I mean, if you look at Norwich and Champlain College, they're graduating 20 or 30 people a year. I mean, it's very minimal and there's no high schools that really have good programs out there. The tech schools should be embracing that. And that's gonna take some state action to actually make that happen, focus that. So I wanna go back to a large-scale incident. And you know, all we really have is the National Guard to respond to that. And one of the, you and I had a conversation a couple of weeks ago. And I believe you said to me, what we're looking at in that kind of a situation is not, like, how do we get it back on. It's how do we rebuild it? Yes. And so in a large-scale incident, if it's power or water or all of these things, that seems like maybe that's beyond the National Guard. So do we have plans in place to, do we have a plan for? We have a general response plan. Now, as I said, there's a wide variety. 
If you look at the power systems, because they're mostly private companies, they're better postured. I would think they have. And they've been working on resiliency for a long time. But when you get into water districts and sewage and septic systems, they're very vulnerable. And it's not just in Vermont. I mean, that's nationwide. So it's not something that's unknown, but it's not something that gets a lot of focus. But you know, but they're also decentralized. So there's, you know, again, it should be risk management. And you have to look at it. What is the most, what is the highest risk and how many people can it impact? Because, you know, in emergency management, if you go without water, sewage, power for more than about three days, it really, things start to degrade in a community after that point. So they're, you know, communications. Is that something that I'm thinking about? Well, you know, there's a lot of elements of communications, right? So there's the IT, but there's also still phone systems. There's radio systems. So there are some capabilities that can be brought to bear. A lot of that, Vermont Emergency Management has resources and can outreach to. But again, we rely so heavily on IT. Everything is really melded together. Even a lot of radio systems now travel through internet lines because we, you know, in the mountains, it's hard to get a radio signal across the state. So there are vulnerabilities. And again, you don't know what you don't know. So I think, you know, what I would advise is you start looking for information in reports and vulnerability assessments so that you can, you know, develop what are the high-risk items and what to look for. But again, you know, and again, keep in mind that everything is vulnerable. Anything that you have on a computer, if somebody really wants to get in there, they can. And so I heard the other conversations about reporting. The majority of hacks are unknown. 
And I would say it's well over 90%, people are never even aware that their system was infiltrated. And they may find out years later, because you just think about on your own computer how much you store. How do you know if somebody came in and took a file? It's very, very difficult. But again, that's where you need those levels of public safety. And we're not at a point where we really have that yet. Part of the outreach is communications, or part of the lines of effort on the strategy is communication. That's really outreach to people and businesses and then interagency so we can create that awareness. And people know to report it. I mean, I would guarantee most people have no idea if their computer got hacked at home that they should report it to anyone. Or who to call, who to report it to. So it just goes underreported. So again, we don't have a good awareness at... Who do you report it to? Who cares if I've been hacked? Do you care, John? Of course I do. Oh, my gosh. I don't need to. As long as he helps you get it back up again. You know, ask if somebody breaks into your home, are you going to report it? Most people would, right? So it's just an awareness that they should report it and then who do they... Who should they report it to? Not to the police. Well, who do they report to? Yeah, that's what I'm saying. I don't know. They would say sure, stand in line. What would they do? And that's part of the point of, we all have to ask what do we want them to do? I think that they should report it. I think that we should have some type of investigative approach. But we're a long ways. There's so many incidents now. And I think it's kind of a convergence of there's too many incidents and there's no way to report them. It's somewhere we need to lower the incidents and have more reporting. And sometimes you don't really know what to do. I have caller ID. It brought up a local number of a woman who is 92 years old. I answered the phone. And the recording is an AT&T. 
It was like, I don't think AT&T was probably taken, Francis Ladd's telephone number and converted it to a robo- A sales call. So to me, that's another example of how people can be deceived or how technology is manipulated. You know, I hung up, but I mean, there's so much of this going on. It's like, how could you even keep track of it? As you say there, how many 200,000 attempts? Attempts, yeah. No, it's pretty incredible. Citizens kept ransom, but they're based ransom. How do we know? How do we know in Vermont when somebody gets ransomed? How would you have any sense? I said yes because I know relatives or friends or friends of parents who have had their computer encrypted. Yes. Really? We see single instances across the state network at different times in past years. Before I was in this job, I had a little bit more visibility down into some of the networks as just the position I had. We'd see a DLC, a computer, get fully encrypted overnight, and it would try to spread to the file shares, but we had proper permissioning and stuff in place to prevent it, but it's not uncommon to see that type of thing. But there's no place to track that, like individuals, I mean it's just, you just kind of happen upon it. Not now. Yeah, I mean there's no official reporting, right? And again, that's part of public outreach. If we had some community outreach saying, hey, report cyber crime, just like we do with other, telephone scams. Sometimes there's an article in the newspaper, the local police chief says, beware of these calls that are going through the neighborhood of the mess. Well, there may be law enforcement reporting because this is nothing more than an extortion by other means. Exactly. And that is a crime that is reportable to law enforcement. The problem is most law enforcement doesn't have the capability or knowledge to deal with it. Right. And as long as nothing is done, and it has to be of a huge magnitude before federal authorities would even consider it. 
Yeah, that's exactly right. They don't have the capability. And once you get, I mean, even our state police have minimal capability, but when you get to local police and sheriffs, they have none, essentially. Did you have a question? I do. Yeah, go ahead. Were you asking me or were you asking me? I was. I was asking you. Okay. So I had part question, part statement. This kind of speaks to us, like, a larger-scale situation. If we've got the criminal type of activity that is occurring, it almost doesn't matter what the technology is. And it may be beyond the scope of this particular committee, but I'd like the people present to at least start thinking about it, is maybe setting up some sort of a default of following the behind what's gone wrong, what people are doing to harm others regardless of the technology that is used to do so. So for the state purposes, but if we treat it as though something was on a piece of paper, then what would we do if that piece of paper was stolen and sold to somebody else? If somebody broke into your computer and stole your credit card information and racked up charges, how would we treat that if they had stolen your physical credit card and gone somewhere else? So maybe setting up some sort of a default of, in the absence of more precise guidance, the statute should state what we're going to do based on what was the end effect regardless of how it was achieved. If that makes any sense. And I'd be curious to know what Secretary Quinn's and the Colonel's input is on something like that, maybe setting up some sort of a default statute of, if something goes wrong, we treat it based on what the end effect is regardless of how they did it. Does that make sense? I think conceptually that makes sense, but the practicality is how do you actually do that? And he's right. I mean, it's a crime if somebody steals your data or breaks into your computer. It's no different than any other crime. And you know. He's trained in those? 
Well, it's not only training, it's what you would have to have for law enforcement resources to have any ability to report. Nothing happened, so to speak. So it. And then you still have the problem, that's just a symptom, right? The problem, the root cause, is people aren't protecting their computers. Businesses, small towns, small businesses aren't protecting their computers. And the reasons are because, you know, they don't have the capability and a lot of them can't hire the capability because it's not available. You know, the average cybersecurity person with 10 years' experience and a degree and certificates is making over $200,000 a year nationwide. So there's no, there are a lot of companies that can't afford to hire those types of people. So there's a lot of people even in companies who just get hired with minimal experience, no credentials, and they can do about 90% of the job, but there's still that gap where it makes systems vulnerable because they've just gotten more complex. That's why we, and John and I have been involved in the National Governors Association, had cybersecurity workshops. And we went through and we had discussions with, and also Major Rick Hopkins, who's on the state police, who's now retired. We went through looking at every other state and what they've done, and our strategy is aligned with how other states have approached it. We're not, you know, we're not the first ones to go through this. A lot of the larger states, you know, California, Virginia, Oregon, and, you know, Washington have put a lot of these plans in place, Michigan. So we copied a lot of the approach that they took. And they're many years into it. Some of them are five to 10 years into it and they're still not where they wanna be, but you know, we have to start somewhere. So are we doing any modeling for a cyber, and so emergency management, right? I mean, they do exercises. Yes. So have we done, like, statewide cyber? We have. Prep exercises. 
How often do we do something like that? Not that often. I mean, the last one we did of significance was three years ago. When we had Vigilant Guard, we had a statewide emergency and we had done a cyber intrusion at a utility up in Johnson, Vermont Electric Co-op, and they cooperated with us. We partnered with them and we built an exercise, Norwich University was involved, and so we actually did a response and recovery. It was very much at the walk stage of how we would do it. But it's in line with, there are response, the military, we've had response capabilities for 20 years and then there is a national framework for how to do this even within cyber. So we use all those same protocols and procedures to do it. There has to be an element of the legislature involved in that type of an exercise. Okay. No. No, I was more like. I think you said a question. It was a statement, but I really mentioned it as a question. So when you do that type of thing, is there a literature or something like that? I mean, back then we didn't have the Agency of Digital Services, so. That's the administration. That's the administration, yeah, but now there was nobody on the legislative side. It was an emergency management exercise. It was more of an operation run. Yeah, it's more operational. I just got an email the other day from emergency management. We're planning on holding another exercise in 2020. And so thinking about it, does the legislature hold a seat in the state emergency operations center? I'm assuming maybe, probably. I know. No, I think so. Typically you keep your operations separate from your legislative, you know. But you had notifications going, right? And so that's, which is what I'm, you know, you would have no. Correct. Operators. But we are not administrative, right? Right. But you would have notifications going. That is correct. That's interesting. That's how Vermont Emergency Management works, their EOC, emergency operations center. 
So it's, it's reporting in through the governor and the, and legislative staff. And so Erica Vornemann would handle that. And then public safety would also have a component of that. I don't know exactly what that reporting is. I was thinking of the emergency preparedness board, the general doobie. Yes. Chairs. There's legislative representation there, right? Emergency preparedness. Yeah, that's, and that's mixed with Homeland Security and other agencies, part of that board. We take up a number of different issues, including cyber security. The emergency. Nick's presented at that, Nick Anderson. We've had Homeland Security come in and talk to us. What is it, the emergency, what board? Emergency preparedness board, yeah. And how are they constituted? I don't know. The name Stature, is it a federal? I would say it's probably just, it has traditionally been run by the Lieutenant Governor in prior years, prior administrations. And it's, I don't know exactly what the authority is of that board, but it's all, it's basically discussing a lot of the same risks to the states, more along the public safety side. Where emergency management is housed. And emergency management, yeah. So it's talking about risks to Vermont specifically and then risk management capabilities and to then, my understanding is then would flow to legislators for filling any gaps or issues that they come up with. Okay. If I may, is Becky at the room? She is. Okay, this question may be more towards her, but I'll ask it to the group at large. We're talking about a little bit of a transition back and forth between state and federal agencies. Is there a clean way of determining when something is a federal issue versus a state issue? Because with internet, I mean, even if somebody is communicating problems, St. Albans to Brattleboro, there's a high likelihood of that traffic transitioning outside of the state. 
So as far as, you know, criminal activity, even if the both parties are within the state of Vermont, if we have authority or jurisdiction, if that traffic passes out of the state first or does that immediately fall to the federal agencies? The answer to that on the top of my head. It's something, I mean, usually federal law would preempt state law. There's a law that, you know, in existence and there's not something on the state level, but I don't really know in the situation what law could be in place. So I'd have to do some research into that. I'm getting rid of your camera. Well, when you think about broadcasers, for example, very, very often, we have a wire fraud case. The wire fraud, the federal statute comes into play by that very reason that you don't know where the traffic is. The traffic is unlikely to be solely within the state, just based on the way the network work. Right. So I do know that on the emergency management public safety side, we have several task forces like between Vermont Information Center, the Vic, which is a fusion center and has, we have some National Guard presence in there, but we also have Homeland Security, there's FBI, there's other agencies in there and then there's some task forces like an FBI task force that also has state police. They've included now some cyber capabilities both from the FBI, Homeland Security and the state police. And that's basically how they get around a lot of those jurisdictional issues. So you just form a task force with all the agencies and it becomes like a unified decision-making and whoever has jurisdiction would take the lead on any particular. They discuss it, they know, they have the expertise and they decide who would take the prosecution or the action. And a lot of cyber task force are done that way now, including the one down the US Cybercom and there is, sorry, what's the cyber center down in DC. Anyway, there's a lot of cybersecurity task forces that have now formed up. 
More at the federal level, but we do have some working with the FBI now in Burlington as part of their other task forces that they do for other types of law enforcement activity, whether it be inter-jurisdictional, inter-state. Okay, thank you very much. We appreciate you coming in. It was very helpful. Thank you. Thank you. We're gonna talk about the reports that we want John to submit to us. More, more, more, more. We've got plenty. The different report for each committee. So, I have started kind of a briefing for myself for House leadership and then started talking to Randy about how do we share this and the thought, we really need to have this discussion at the committee level. What is it that we want to tell the legislature they should be thinking about with regard to cybersecurity? Do we have recommended or cyber incidents? Do we have legislative recommendations? Do we have data requiring needs? Do we, you know, what priorities do we see here? I have a list. I know that Senator Brock has a list. Maybe I would start with what came out today and has come out before is assistance to education, assistance to students, assistance to help grow this professional field, you know, either through incentives or just more awareness or every occupation. I know, I know, but you know, certainly more awareness, you know, letting kids know this is a growing field out there and it would be of you to study cybersecurity. Let me just, sorry, I'm not handling this well. Becky? Yes. We want you to just be a part of this conversation so that you can help us. Okay. So just to get started thinking about how we may want to just to turn this up to the people who are here. Okay. And so the committee would be recommending to the legislature just so I understand during session or is this something that individual legislators would possibly put in drafting requests for prior to session? So I think it could be both. Okay. 
So I'm envisioning, I'm definitely envisioning a memo talking about, you know, the kind of finer points of things that we need attention to house and senate leadership. And then also possibly some legislation. Well, we have more mandates to report. And I would think that that report would be the vehicle. We are mandated. I believe we are. Correct me if I'm wrong. I'm sure, you know, because I'm new, I'm really struggling. It's great. The membership and shall oversee, evaluate, and make recommendations on the following. States card deployment management oversight of IT in the furtherance of state governmental serve activities, including data processing, telecommunication networks, related technologies, compatibility among existing and proposed technologies, issues related to storage maintenance, access, privacy and restrictions on computerized and then issues of public policy related to the development and promotion of private, commercial, nonprofit information infrastructure in the state. It's relationship to infrastructure and it's integration with international information that works with number four security. I just got it. Oh, you've got it. So I didn't see that we had to do a report. It was more the, yeah, I don't, is that inheriting creating it? Yeah, I may be wrong. I don't, I was just looking at it again. I didn't recall a report. I thought that this committee didn't have any authority to take legislative action, not many. We don't think there's any reporting required. No, no, no. It just seems oversee, evaluate, and make recommendations if we have something to recommend. So we've done a lot of overseeing and evaluating the last few meetings. Yes, yeah. Serving a lot. We are learning a lot. So, and I interrupted you, Marty. You know, you were talking about, well, just a recommendation, not necessarily legislation, but I, what I have learned from all of this is that obviously it's an emerging topic and it's an important topic. 
And we in our state as well as everywhere meets professionals who are able to work in information technology, whether it's cybersecurity or just information technology. I mean, you talk about CAS and we're a work with the integrated eligibility project and meeting professionals who are able to integrate those kinds of things. Anyway, so a takeaway for me is that, yes, it's an important emerging business area in our state. And if we can, it's a workforce issue that we as a legislature could, if we chose to, put some emphasis on that particular workforce development. I would support that. One thing that if I may, it sounds a little bit to spoil the wall, so I'll speak up. I don't, I can't read the body language, so I don't know if I'm gonna be able to say something. You're fine. The crux of it is, regardless of the technology, the ultimate behavior of our neighbors is independent, right? So we don't really care what technology people use to do a thing, we care what the end result is. So if we can structure at this, it may have not been necessarily communicated to the panel in my earlier question and slash statement, but something about the idea of some sort of a default of what is the end result? Not how did they get there? So if as far as legislation goes, I would ask that perhaps the community, sorry, the committee recommends to the body at large that we come up with some sort of a legislation that creates eight defaults, ability and authorization for our enforcement agencies to be able to take action to protect the citizens and do what it's needed based on the end result, regardless of the technology used to get there. So are you basically saying you'd like to see some sort of equivalency between cyber crime and regular crime just based on the end result? 
Yeah, and I've got contacts in the law enforcement community who are continually frustrated based on their inability to take action because government is often 10 or 20 years behind the curve as far as coming up with legislation based on what is the current technology of citizens. An example would be the use of drones, right? If there's an awful lot of legislation based on law enforcement using drones, it is limiting their ability to save costs and provide better service to the public when they could do the same sort of thing with a helicopter, but that's a huge expense and a major lift in order to achieve that goal. So kind of the same thing with cyber crime. If we can come up with something that would allow law enforcement to, I forget the term, based on historical action, what they would have been allowed to do to protect citizens based on old technology, do the same thing with current technology, then they don't have to wait for us to come up with an explicit law that allows them to take action if somebody from China hacks through Canada and comes into Vermont and steals somebody's data from New Hampshire, you know? It would require less specificity. We need a lot more testing. Yeah, so I'm gonna respond to that and say, one of the things that I'm most worried about and we've heard it a lot today is you don't know what you don't know. And so one of my major goals in all of this is first and foremost, to make sure that we have properly identified our lane and then that we have some sense, and by our lane, I mean the legislative lane, we have some sense of just starting to get an idea of what we should be paying attention to in our lane, which is why I was and remain kind of focused on this notification, the training, these sorts of really big picture. That feels a lot more specific than I'm feeling like we can get to right now. 
It could be a very simple recommendation that if they chose to ask the judiciary committees to look at what we have on the books already in terms of cyber crime and if that can be enhanced in any way. And let them do the work. What I was thinking before is that if there are federal laws, I'm just, I don't know, I'm not an expert on cyber crimes at the federal level. Those would be applicable here. So I think it would be doing research on what is already there at the federal level and then what might be lacking at the state level. And so how would that, so it would be simply what Artie was saying, making a recommendation that judiciary looks at that? Or in order for them to do their work, you really need to have that legal review of what are, we already have, for example, federal statutory protections and penalties in that cybersecurity arena. To me, that would be what you would build from what we already have in place. And it could be that's something they've already looked at. I just, I know that they've looked at a whole lot of the privacy issues. I know the drone issue, you always get into that tension and in terms of law enforcement and what would be their preference. So that's why it would really, that gets us into a very complicated area that we haven't really delved into. But we could at least have a baseline of what we have for statutory provisions relative to cybersecurity crimes. So are we asking for that for this committee? Or are we going to recommend that the judiciary review that? What are for us? And ultimately they're going to have, ledge council's going to have to do it for them. I guess that's what I'm saying is, do we? Do we ask? Do we ask that it be done by legislative council as a first step? And then that would help inform the policy committees. I mean, we know for example, that you can use computers to commit all kinds of crimes that are already on the books. Like child pornography, for example. That and like extortion with, Oh, you name it. 
And so on. But there are likely some crimes that either are defined or need to be defined that maybe outside of the traditional list of crimes that breaches intrusions of computer systems. We do have laws on the books for that. But are there any types of behavior that we're identifying or that ADS is identifying? For example, in its work that are not covered by Vermont criminal laws and that ought to be, that to me would be one of the first things that we ought to be thinking about. And I don't know if there are such things. I mean, we do have laws that gets breaches and systems. We have laws that get either. That's why we need that baseline. Privacy, yes. But what we need also is just to identify what things are going wrong or potentially were threatened to go wrong that we don't have anything or any penalties to prevent. The other topic that kind of emerged and that is within the state government, not that we need to know, but that there has been an identification. I get ties back to your inquiry out of all the different activities of state government. There's some that are really critical and has there been a process? I mean, you had a great term, Randy probably from your past experience in terms of that risk assessment, in terms of the five most critical systems or whatever. Basically it's risk assessment. Do we have in effect a prior decision? And so I think that could be something that we would, I think that that's kind of an important step if we don't have it. And I didn't think we did really very well develop. So what I, and I don't think Secretary Quinn was in the room. So what Scott told us, I believe, was that systems are prioritized based on federal requirements. I believe that's what we heard. Well, does it lead to various and some reviews because of federal requirements that mandate that these things be done? Yep. 
Also, we did say that 80% of them fell into the more like the password and more universal, but 20% didn't, you didn't have that very deep dive. And that, it's what precipitated your comment about, well that 20% may in fact, include very mission critical systems. And should they, And the question is, do we know what they are? And my sense from the comments and discussion is that we didn't really have a risk-based process right in place. So that's why I was thinking that might be a good recommendation. Yeah, I really would agree with you. I think that's really important to the legislature to have an understanding of prioritization. And we're gonna run into some confidentiality and security issues there. And so we'll also have to think about notification as a part of that. So, I mean, notification, I think, we have to make some recommendations on notification. And it's gonna be probably limited or protocols or I don't know what, but we're gonna have to figure out some. Do we get notification in other critical incidents, final situations? I mean, in other words, we setting a different standard for the recording of cyber crimes than we are for other crimes or other, if we had a massive downtown fire or, you know, I mean, I'm just wondering whether we, perhaps are asking to have a reporting or something that we're not imposing on anything else as it relates to reporting of the legislature. You know, it could be a variety of things. Well, that's why, to me, it falls into the broad category of risk management of which cyber is just one of a number of risks. But there are some things that represent risks to the enterprise, referred to the state as a whole, that are much more concerned than other kinds of risks. And that's kind of the fundamental question is, do we have any risk assessment process in place to tell us what are the really awful things? What are the really critical systems? And do we have fences around those? 
If you're gonna think about where there are defenses, it would seem to me that the most important, most critical, most dangerous things fall into that category and I don't know that we do or not. And notification for these purposes. So we are not operators or administrators. So I'm not concerned, you know, that John has not called us within 60 minutes of X, Y, Z happening. But I do wanna know that within 60 days of X, Y, Z happening, somehow in the legislature, we understand what happened. You know, like after, or maybe not 60 days, but we understand, you know, like what? For purposes of being able to explain it to your constituents? No, for purposes of being able to provide oversight, understand what we need for staffing systems. And push back, you know, on this, absolutely. I'm just trying to sort out the extent to which our response for this would be somewhat different than any other response from some kind of an emergency situation that might hit the state. I mean, I don't know when Irene hit. Did we have legislative notification? No, I think there was just public notification to everybody. Do we have notification? I mean, as a, do we have a required protocol? If, I don't know, say for example, one of our correctional facilities somehow got breached and, you know, you had a fairly large escape. I'm not, I understand that everybody wants to know that there is information that comes back and it's hard to say, gee, I'm a legislator and I don't know. The question is when we're not in session, exactly what we would do with it or whether we're opposing. I'm always concerned about the extent to which we are making our expectations consistent across. State government and that's the heart of my question. Are we saying, well, this is our particular focus right now so we want these kinds of actions as opposed to something else that might be even more egregious and it's not subject to letting us know. That's, and I don't know what we have to know this. 
I do know that anybody who is head of a department oftentimes will send me an email just to give you a heads up. Right. You know, this is going to happen but it's not because they're required to, it's because it's just a common responsible practice. So. In terms of our responsibility for oversight, it would seem to me that this would fit clearly within that and I think Representative Seville is right, which is we don't need to know 60 minutes after but we need to know periodically the state of bad things that may have happened if for no other reason, because we have an oversight responsibility but we also have the responsibility as legislators thinking through what bad thing happened that we may need to address through legislation or action on the part of the legislation. Or support appropriations for when they're coming in. And so Laura, are you thinking about notification to all legislators or to just this committee to the oversight committee? I'm not actually thinking about it to all legislators and I don't have something concrete in mind. What I'm worried about is, and I'm worried, this is really pervasive. I've heard, I have heard various people in state government refer to cyber and our need to be confidential about it. These are potentially acts of war when we're looking at our, and so they're very serious. We are not gonna be dealing with all of that but I'm worried about our responsibility. Do we know what it is? Again, some conversations with the speaker about this. What is our role? And then being very narrow, I do not wanna get all over the place on this because I think we could get lost in it. The notification piece to me is important for this reason and that is to help us understand what's happening. That would, generally if you're talking about information you need that would help drive policy or a budget, I mean that's always gonna happen when we're in session. 
So the question maybe reporting carries different meanings that people receive in using the word but it does seem like that it is helpful that we get information not in detail but of the extent to which I don't know maybe that annual report. I don't know who looks at your annual report but we may look at what we want for specific information and recommendations in that report based on actually situations that have been experienced. So it would be not only a report on the sort of the incident reporting in an organized way but also based on the nature of those incidents of what that would translate into in terms of either budgetary recommendations or requests or statutory changes, yeah. So right now I think the reporting that we get gives us kind of big picture and my sense is that if we ask for more specificity we're gonna get a lot of pushback from the administration around security and I understand that, you know like if I but I think it's important for us to know that Department of Vehicles system has major issues every month and is down three or four times a week as opposed to the Department of Labor's system. I don't think we all need to know that but I think the legislature has that there has to be a way for the legislature to know that and I don't know that that's being communicated right now. Do you think that that's being communicated right now? To anyone, I mean I think. No, I mean unless if it makes the news, right? If there's an outage that affects the public that makes the news, no, I don't think that the legislature is usually notified about an outage. So last time we had the squirrel outage, you know. I mean everybody called me within an hour. To make notifications across the board is pretty difficult in that time. I hear what you're saying, you know we have different systems that go down for different reasons all the time, you know. 
There isn't a month that goes by that I don't get a notification about some portion of my health connect going down, right? There's different priority incidents. There'd be a module inside that goes down. I'm just thinking what a monster this whole thing is as far as notifications and what could potentially be notified and what the risk piece that Senator Brock talked about we, I would love to do that. And that's on our roadmap, but 100% transparency we just don't have any resources to do that. We don't have the resources to hold our vendors to the things that it says in the contract around security or to validate that they're doing them. We just don't even have close to the amount of staff that we need. But if we were to focus our attention on those higher level situations or the orange or, I'm not, I know every, the printers at DMV used to go down and they printed the license. They were obsolete. I don't view that as a threat. I view it as obsolete technology and something that we had to address through some other means. But if we could at the end of the year be able to say as the rise of the state of Vermont this is what our experience with very significant situation incidents that would drive your request for why we need that piece of software or whatever or a position or statutory response. My concern is not to make it so broad that it diffuses things so much that we don't focus on really what needs legislative attention. Is it possible to do it if you looked at it because it sounds like the number of incidents that fall in that higher range three, four, five are not hopefully. We can certainly put as much information as we have in that annual report, high level information we can drill down from there after because we'll have it ready for January and go from there based on whether or not it's the right amount or too much, too little. I just want to build on what you're already doing not lay or something else on top of it. 
Well, and I lately understand how many reports you all have to look at. But when I ask, if I go to a committee, sometimes I go to a committee that's not my jurisdiction to talk about our report, I just get a blank stare back and even from some of the committee members in the jurisdictional areas, they're like, oh, I'm not unsympathetic to that experience. I'm actually trying to make sure that we don't make compound that. Right, and so anytime that we ask for money or anytime that there's a new initiative, there's always data behind it, at least so far in pregnancy, we've always tried to provide, we have 286 switches that are included in 10 years old, for example, or we have no visibility between 5 p.m. and 8 a.m. of our network and that's why we're gonna do a security operation center. So we always try to provide the details at that time. It's easier, maybe you do it more in order to justify a spending request, but I think the policy area might be not as connected as when you're coming in and asking us to respond. Because we have, so our oversight role, you're gonna come in with your, the administration's gonna come in with their, the administration's priorities. So we, I think we have a responsibility, correct me if I'm wrong, to have some sense as to whether or not those are like the priorities. You know, I mean, at least enough knowledge to know like something's missing here or, you know. Right, I think the tricky thing with, I'm trying to think through this with the annual, let's say putting information in the annual report is that at that point you're in session, so it's, I mean this committee can meet off session, but it's also in the jurisdiction of many other committees at that point. So I think you'd have to think about what it is, like what you want the information for. So if it's in the annual report, it's going to be for shaping policy around maybe funding or how to address other, you know, if there's a statutory need. 
If you're looking for the information, maybe off session, it's possibly so that it goes to this committee and then you all can make a recommendation to the legislature at the end of the year on some topic, but I'm just trying to figure out like when you want the information and who it would be going to. When is the date of your annual report? January 15th, it's usually a pointing point in time. So we stopped collecting in the beginning of October and it has to be from October around in order to put the full report together. By then would you have, and you have enough information if we were meeting at that point before the session so that the report actually just sort of is a more robust or more official and more comprehensive summary. Would you have the information in at least a preliminary stage in October, November for this committee to review and make a recommendation to the committees of jurisdiction? The entire report? No, no, no. But just what you see are so the key things. Key action items that you think come to warrant legislative action, attention or review during the regular session that we could recommend the committee take a look at this or that this particular request be funded because of the risk or whatever, that kind of thing. Just talking out loud, I think I'd be getting ahead of the rest of the administration. I know, I know, I'll put you in a different, yeah. Yeah, I'm happy, and I've discussed at the cabinet level like here are the areas in order to give us a little bit more comfort in the area of risk around enterprise-wide solutions. Here's what I plan to put in my budget. Yeah, we understand. Ultimately the bottom line is gonna be the bottom line and that's the governor's decision in terms of what ends up being recommended. So that don't mean to have you somehow across the line in that regard. I was just trying to think about how we get information. 
It's an oversight committee and how we get it and so that we can actually help inform and direct the committees of jurisdiction that, you know, work, that's all. Yeah, I think what we can do is talk about some of the tools that we're lacking and the cost of those tools and what the impact may be if we have those tools and then you all can make your own decisions on whether or not they're priorities of the legislature. And that doesn't, I don't think that circumvents the process that I go through with the administration but it would give you visibility into some of the things that we see that may be useful. Well, it obviously would be useful to hear as much as possible from you while we're in the process of preparing whatever report document information that we pass on to legislative leadership so that when your report comes out, we don't find that we're all going in different directions. Well, I mean, I don't think we're obligated to all go in the same direction. No, we're not, but at least to know if we're going in different directions would be useful, I think. Okay, and I am cognizant of the time and also that we're dug in here on this. Oh, well, I think we were just trying to think and this sort of summary of our work, doesn't have to be very long, really. And another area that we did touch on and it worries me a lot and that is local government and how we support the training and I have Karen on the October agenda, maybe. And so it seems to me that that's something our Gov Ops committees might be particularly interested and that is the risk that, and how there might be, I don't know, maybe there's some kind of uniform training or some kind of way of supporting what are in many areas of very thinly staffed and limited expertise, but I do see that as another part of the discussion. What else do we have here other than cybersecurity because we have spent a lot of time on I think we need to know what you're going to look at. Compatibility. 
I certainly think we could issue, I'm envisioning definitely a standalone cybersecurity or it doesn't have to be standalone, but I think that we have a cyber security like communication. We could. I mean we want to make some recommendations on the great eligibility or other things. I was just looking at her charge. I'm trying to think about anything that we wanted to include. The compatibility among existing and proposed technologies. It ties back to the whole creation of the agency of digital services in my mind, John. Maybe I'm wrong, but what we have is a history of sort of that independence of the various parts and there was a real issue and I'm wondering if there is some kind of summary statement in terms of the progress because it seems like we have made considerable progress in terms of that assessment. And maybe you could help us with that just to put in so that if our colleagues read it they can see that what used to be pretty fractured and so forth and there was a lot of controversy around the creation of the agency. People, other agencies were concerned, will my needs be taken care of? How am I gonna be at the bottom of the food chain? And then the whole way in which that network support is really essential to deal with the cyber security risk. So maybe just an update state summary or something might be helpful. I absolutely agree. We got something. Was this part of the report last year from ADS? Just kind of a, you know, here are the, or was that informal, a different kind of piece? No, I believe that was part of the report. We're talking about the same thing. Just how things are going in terms of agency formation and integration and operation. Oh yeah, absolutely. How long would you like? That's what you mean, right? How long? Yeah. I don't want you to repeat your annual report but it does seem like this committee has, in its oversight, has really tried to get an update in terms of the work that you've done and... 
So you can comment on what we were starting to do. Just for now. Yes, yes. That's all I'm talking about. Okay. Like 100 words or 500 words or 1,000 words or that's what I'm trying, because she kind of went like this and I'm trying to determine if I've given you a paragraph or if I've given you a two page report. Well now I think I'm hearing you say maybe in our memo we need to comment on what we are here and seeing in terms of the testimony with ADS and ensuring integration. What we've heard. Yes, okay. And one of the things I heard... And since we heard it all from you, John, you should be able to be able to determine how to take your chances. Three sentences. One of the questions that came up earlier sort of along these lines was what the requirements are for interaction between the three branches. So I don't know if that's something... Yes, that's definitely something that Senator Brock and I would like on that recommendations list. I don't have any specificity, but some sort of notification protocols. Well, I would like to the extent that we can have the judiciary, the legislative and the administrative branches meet. Call it the enterprise security and the information security council. What ever, you know, the handling of the whole separation, you know that. So, but I agree, we have to, we can call it and particularly it's harder for the legislate, because Kevin has been, well no, John has been so adamant about what that legislative connection is back to the whole... The wire. It is the wire. But if we can think of a nice, you came up with that and you just rolled off on something enterprise. Enterprise information technology council, something like that. Composed of the chief information officers of the three branches of government to meet periodically or regularly to collaborate on issues of common interests, words of that effect. No less than... No less than the animal. No less than the animal. So that they talk with each other. 
Yeah, how do you write that in statute? We just want them to talk to each other. And also, I think we have to do something around notification of audits and or testing. And I don't know what it is. I didn't hear the last part. Audits and or testing, you know, of systems. And I don't know what it is. I don't know if it's pre or post or, you know, but that kind of goes along to the inter-agency. I don't know what it is. But we have to do more there between the legislature, the judiciary and the administration. It's, you know, I don't know what it is. But let's tag that for a little further discussion. I also have a note here for October. You know, it seems to me that legislators may be a pretty significant vulnerability in our system. Well, we don't have access to much sensitive information. But fortunately, well, but emails, I think I think we can mess up the system. No, no, I don't know enough about your network. But I would say you probably submit your W-2 somewhere in the legislative system, for example. So I'm sure there's well, the vision system has vision. Let's do that. But I'm not sure how email. Yeah, I would short circuit this to say, I like to bookmark for this legislative training. And I know I think Kevin would like there to be some legislative training. Yes, I think he did it last year. And I think doing it again, certainly would be helpful and maybe more intense. But it would be good if there are ways in which legislators pose risk as part of that training that people need to understand, which is, I think, what you're driving at. Things like bringing thumb drives into the legislative lounge and putting them into computers, which we do every day. And I would like Kevin to come and tell us about that a little bit in the next step. I think that might be a, it might be both a show and talk. It might be a tell in terms of training. But it also might be just a sheet of do not do these things because they're dangerous to our systems.
The Colonel Cavanaugh's notion of the muni assessment report reporting, or muni assessment reports. And we may get way over our skis on that. But I would like to bookmark that for how could we support the municipalities. And really, I think that the LCT is starting. Oh, I think that's the mechanism for doing that. And I don't know if that won our help or what. But I think that's a pretty significant issue out there. Do I have anything else online? Yes, I do. So, and this would be, and I've talked to Catherine about this very briefly a little while ago with regard to cyber, again, incidents. And our ability to really even, so we have confidentiality issues, or not confidentiality, security issues just in terms of notification, technical issues, who are we to have a sense of if the administration is prioritizing, if there are other things that should be prioritized. And so I would like to consider if there's some role for a legislative, and I don't know what it is. It could be through Kevin. It could be through JFO, but the kind of Dan Smith, like a technical expert for the legislature in this regard. I see everybody getting very excited about that. I'm sorry. Very security. Yeah, very security, actually. Yeah, yes. I was just wondering what you were talking about as far as prioritization, because we send our project list of 63 projects over a million dollars to the JFO, and they prioritize what they think the legislature will consider the top 10. And then we do more detailed reports and submit those to the legislature every year. I think she's talking about security prioritization. Yeah. Like the high risk, you know how those guys are really worried if they got down critical, high, medium, low. If you're asking questions, are they putting things in the right category? Right. Yeah. And that's where you're at. Right. In terms of the security risk, do we want the ability to make that assessment? Or do we have some technical expertise that could make that assessment? 
I would not label our system as being critically security vulnerable, or I just, you wouldn't want me to do that, right? You wouldn't want that to be in any public record as far. That's right. I'm happy to discuss it and give you all the information you want. She's wondering. That's exactly what I'm talking about. So when we're grappling with this, we have a responsibility. And how do we fulfill our responsibility in a way that acknowledges that this is very sensitive information? So to me, that means as few people as possible. But we have to have a mechanism. And it has to be a mechanism that is capable of really understanding, which is not necessarily anybody at this table. I mean, we're not cyber experts. So that's, and I don't know that that's the right thing to do, either. But it's something that definitely I have been thinking about and talked with Katherine about. It's not something I think that Dan could do. And that's not what we're hard to do. It's kind of bad. Well, I don't know that Dan would be interested in that, because he's in Nebraska, Wyoming, and Arizona. Yeah, he's proud of that. He wants to have some flexible. But whether you could have somebody else do it or not is a discussion for a long time. But I don't know whether we're talking about the legislative IT system being subject for security. And is it kind of like Niharber or one of those entities? Or if it's independent audit? Well. Sorry, is this for the legislative system, or is this to analyze the executive branch? This is to help us with oversight. So that we have to give us some technical assistance in terms of cyber security. Of the executive IT system. Well, yes. The state of Vermont. It's not coming out well. Like a third party review, a third party risk assessment. For instance, Department of Homeland Security already did that for the state of Vermont, not the judiciary, not the legislative. Well, they did get into the judiciary. 
So you're talking about just a different risk assessment? No, I think just under. So when we're thinking about cyber issues, we're thinking of cyber breaches or cyber incidents or cyber planning, cyber infrastructure for us, security infrastructure. The legislature's lane, I think, is pretty narrow. It's oversight and appropriation. But that oversight, I feel like we are underqualified to provide that oversight. But maybe that's the case in many things. I was going to say, this is more of a technical assistance in terms of providing that oversight. And that is part of what Dan Smith does, but you're suggesting that in the cyber area, you need that degree of expertise so that there's an expert who can be called upon to provide advice, but not necessarily to go in and audit, but to perhaps be sufficiently expert to determine whether or not the audits that DHS or others have done meet the need of providing the oversight that we want. Is that what you have in mind? Yes. And I think Dan is working on a project. So we have an active project. So that's different than our overall systems and how the security is functioning. Yes, it's a very different role. Norwood, I think he probably has the body of expertise to do what you're talking about. It may not be something that we should do, but I want to put that down as something to consider. So presumably, the legislature could request the kind of DHS look that was done for the executive branch, as could the judiciary. Yep. They could both do that simultaneously, but be walled off sufficiently from each other, not the judiciary. Through Homeland Security? Yeah. Yeah, Homeland Security could narrow the scope in and help them. And is that a free or is that a cost? Or is that a time available? It's a prioritization by Homeland Security. It's a free service. I don't know enough about the specifics. 
Nick really did a lot of that, but it was a free service to us to save us about $85,000, $86,000, by having them do it in an outside company based on our scope. It didn't get into specific systems, right? Or so it did look at specific systems and vulnerabilities and systems that looked at our perimeter. So the other thing that we could possibly do is instead of this person at JFO, would be Morris, I don't know, outside of an independent auditor that reports to the legislature around the administration? Yes, no, I don't know. I don't even know if that's possible. I don't know. I just don't know what it would look like. I mean, I like the thought of a third party kind of advising the legislature like Dan does. It's going to be hard to find someone else if you don't take with a big company. Well, it would be probably a company that's in the business of doing that. So it's one of the Big Four audit firms, and then there are obviously specialized companies that do this. But we're talking about significant amounts of money. This is not an inexpensive thing to do. And I think, I mean, I briefly spoke to Kevin about this, and he said that free service from the Department of Homeland Security would be available to the legislature or the judiciary, but there were certainly sort of like efficiencies of having it done for the whole state at once. Well, the comment was made by adding Secretary of State it elevated us up from a very long list. So big enough value. So I mean, if you're going to pay for a service, I don't know if there's just like from the efficiency standpoint of having it available to everyone, but there's probably also concerns about sharing information between branches and how you would have that work. Like keeping everything independent because as it's been said, I think our system is sort of walled off from their system. So OK.
The other area where we took a lot of time, though, was around at least that review of the Secretary of State system, the state system, and the judiciary and those four areas. So in terms of testimony, and then what the committee has spent time on, it seems like we should at least include for anybody who would read this report to know that we took testimony both from NCSL and a variety of places around where our greatest risk was, and it was password management, the password policies, et cetera. So I'm just trying to think about if this document communicates any of our work, it would to the committees of jurisdiction, some of the things that we actually heard about and looked at and got information on as part of that oversight responsibility. Is that we had a number of witnesses that came up that were arranged for that? Yeah, I think just at the time I had the one concern is if the committee of jurisdiction wants to take testimony on those vulnerabilities, I don't know if that's information that you would be able to share from the confidentiality standpoint, more detailed information. I think we heard very general overview, but in terms of if there's any legislative action that would need to be taken. No, I think what's really important is that a directive. In other words, this was identified, and this action has been taken. So it doesn't necessarily mean anything. Everything has to translate into a statutory language. It's just a way of, we heard about it. We heard about the assessments. And we have assurances that specific action was taken to address it. So it's the DHS assessment, and then the administration responds to the cyber directive, which hasn't gone out yet. It knows. OK, I'm with you now. I think, yeah, absolutely.