started. We've asked Beth to come in and talk to us a little bit about cybersecurity recruitment. We've been hearing about cybersecurity across the government, inconsistencies, and this was an area of interest for the last meeting. So thank you for joining us. Great. Hello. Good morning. Good morning. I am Beth Fastiggi, the Commissioner of Human Resources. And as the Commissioner of Human Resources, one of the things that is in our purview is statewide recruitment. So we assist departments and agencies in helping them recruit talent for the state government. So Senator Brock asked me to come in and talk about information security recruitment. And luckily, Secretary Quinn is here. And he can chime in if there's anything that's not, he feels like it's not quite in sync with what they're doing. But I think we think I've got it. So hiring, overall, is a challenge throughout the state, throughout all job classes. Unemployment rate is at all-time lows. In the US, it's 3.6%. Vermont, we're actually lower than that at 2.1%. And then you can go up to Chittenden County where the vast majority of our people are. It's even at a lower unemployment rate. So that really translates to fewer people looking for jobs and a really tight job market, which works out well for people who are looking for work, but not so well for employers looking to hire and especially people in highly technical, sought-after jobs like cybersecurity. So we have a talent acquisition team and that's the new kind of word for recruitment. We call it talent acquisition. And we assign those. And also our HR business partners are assigned to various agencies. And we've been working with ADS to bring in a strategic plan to address their staffing needs, both to attract talent and to retain talent. 
One of the things that ADS has been doing is really looking how to grow their own employees in the recognition of the very tight job market looking at what employees they have, how they can develop them to bring up their skills to what they need in the future. So they have internal training programs. They've got internships. They've hired an intern and they have another in the pipeline. So that's been really helpful and engaged with the cybersecurity program at Norwich University. One of the new things that we've done with our new, we have a new recruitment system. So it's easier for us to maintain talent pools. So if someone's applied for a job, but seems like they might be good for another job, we can kind of keep that and have an easier way of finding that than we ever did in the past many years. So that's a benefit of our new system. So if we have candidates that have expressed interest but haven't, we can reach out and say, hey, this job might be a good fit for you. Why don't you apply for this? So that's been helpful for us. This is our classified pay chart. So I was gonna be actually, I realized that I was gonna start talking about our pay plan and how it works and the challenges we face. But everybody doesn't actually know what our pay chart looks like for the state of Vermont and how we hire people. And it's very, it's very straightforward. You have on the left, you have pay grade. So a lower pay grade is paid less, a higher pay grade 32 is paid more. As you progress in time, you get step wage increases. So it's a very predictable. People know what they're going to make in 15 years or in five years. Each, there's a progression. So earlier on in the first five steps, you get an increase every year, then it goes every two years, then it goes every three years. Which is great if you're somebody that's looking for to stay here for a very long time. It's much more appealing to someone who's kind of goes in that, in that direction. 
Like I want a steady employment. I know if I start here, I'll, you know, in 15 or 20 years, I'll be making this. It's not so great for young people because they're not seeing, they're not, they're not looking really beyond five years. So it definitely rewards longevity. It takes 22, 24 years to get the top of your pay grade. And as I said, it's not really attractive for younger workers, but you do know that you're going to get, you know, about three or 4% raise every year. So it's about kind of the value of a step. And also you get plus that raise, typically the negotiator being an increase. I mean, every year they don't get a cost of living or across the board increase, but usually there's one. So I just wanted to explain that. And there's a range, obviously from low to high. So you can see these are some of the three information security job classes we have at pay grade 24, 26, and 28. So typically a one is at kind of a lower level and a three is at a higher level at each range. You either have higher education or more skills or more certifications or more qualifications. Doesn't mean you're necessarily good at it. It just means that you're doing work that is at a higher level. And so our highest range for that, you know, higher for that job, actually I'm going to talk about the lowest because that's, I have an example of the lowest range in the bottom, so our starting pay would be 51,000 going up to 80,000. And then one of the things also, working for the state of Vermont, we do have a great benefits package. So on average about $33,000 in benefits, which includes full healthcare. It's the best healthcare plan I've ever seen. I think since I've started working for the state, I've not seen one bill from median healthcare for anything that we've done. I haven't paid a bill to them since and we do, our family does use healthcare, so that's rare. That's great, that's a great plan. 
Retirement, we have really good retirement plans, especially if you want to stay and work for an employer for a long time. It really does, again, reward longevity. So it encourages people to stay there for 30 years so that then when they retire, they can go elsewhere. It doesn't necessarily consider, encourage people who maybe want to work somewhere for a few years or are thinking about only working somewhere for a few years because it's an old-style defined benefit plan, yeah. So Beth, one of the things that we've talked to and you've been moving on and that is this Willis system is old and how we could replace it. Do you envision if we end up with a replacement that in fact there would be components that would do a better job of addressing the issues that you've laid out, particularly in terms of the earlier on, the bringing younger members of the workforce in. So I was just wondering, this is what we have today, but we've asked the department to really take a look and see whether we need to overhaul what might have been fine three decades ago but may not serve us well today. And our department is charged with, statutorily charged with making sure that across state government, people are being paid equitably within what type of work they're doing. So we have a classification system that looks at points for a job. Our system is definitely old. It's been around for a long time. It is functional, it works. We know how to work it, we know how to do it. It's also with our union contracts, our classification system is very much tied to our pay plan as you can see right here. If you're classified at a pay grade 26, this is how you're compensated and we negotiate this pay chart with the union. I expect that we will have. We have asked the consultant that we have hired to look at both our classification system, our whole system, which is really tied in with our compensation system. 
So we've asked to look at what we can do within the parameters, the existing statutes and what the possibilities are. And we're looking forward to finding out what those possibilities are. Because looking at other states, I mean, every state has a different classification. Everyone does something different. And we're not in as bad a shape as we think. Looking when I look across and see what other states, what happens in other states. I'm like, oh, I guess we don't have it so bad in Vermont. But bad meaning compensation. Bad meaning. Bad meaning. Difficult to administer. Our employees are paid relatively a comparable market wage. We don't have as hard a time recruiting as other states may have. And especially some of the Mississippi, Alabama, Louisiana, people haven't had pay raises in like 100 years. And it's even more challenging because not that the job market is a challenging, but just no one wants to come work for the state. And I think in Vermont, people still think working for the state is in general a great, I hope they think it's a great place to work, but I think it is a really good place to work. And our compensation is we don't want to be, we don't want to be above the market. We kind of try to be about 90% of the market. We do want employees to be committed to public service. So they're not state employees and I can attest that are not necessarily, especially the great ones are not necessarily just in it for the money. They're in it because they're committed to serving Vermonters. So that's kind of a factor there. Well, as you look at the pay rates such as those that you have for information security rates, how do those compare to the market today? For the private sector. So we did a quick look because, I know I'm talking a little bit in a minute about a market factor analysis and the amount of work that takes. So we looked at four of the pay grade 24, which was kind of the lowest, our entry level. 
And so we looked at that, so this analysis is based on that. And so at an entry level, this, if you looked at 25% of the market level percentile in Vermont, our step one, our minimum pay range for that 22 is at 20, we're at 25% of the market rate. And then when you go to step 15, which is our highest, we're at 75% of the market average. So entry level, we can, entry level, we're not too far off the 90%, which is kind of where we want to be. But when we get up to the top pay, that's when it's a little more challenging for us. And that is, again, it's just a very brief analysis that we did based on me coming and presenting to you. So it's not a thorough, it's not a thorough market factor adjustment. So what we have, so within, this is the approach we use to address market compensation challenges. Our hire-into-range program, that's where you look at the pay chart and somebody who has a lot of experience and skills, we can hire them, qualifications, we can hire them at a higher step. So instead of, so we could bring somebody in, but it'd be very rare to bring someone in at step 15, but you could bring somebody in at, even step 11, 12, 13, so a much higher percentage than they would be getting otherwise. So that's one of the things that we have done with ADS, and we did that for a lot of departments to address the starting pay. We can, and there's a whole process they have to go through. You have to offer them step one, but then they say, I can't work for that, and then they have to request a salary, so we can't just automatically say, oh, we'll pay you, whatever. We still have to try to be, we still have to get them to come as low as possible, that's what we tell the hiring managers, because we don't wanna have everybody come in and tell you how to pay your wages. We're trying to look at costs, too. And what's good about that is it's pretty straightforward. 
The hiring manager can make that request to human resources, and we can approve that almost immediately, and the job offer can go out. Hiring range goes with an individual, it doesn't go with a whole job class. So it's just based on your skills and abilities, not really what's happening in the marketplace as much, and then we also have market factor adjustments, and Senator Brock, who knows about these from when he was in the auditor's office, CPAs and auditors with those skills. I thought you were gonna say he audited the use of the MF. No, I don't think so. I think it's... No, he used it, not audited it, okay. It provides a temporary increase to the base salary range, so everybody that's in that job class gets that pay increase. And we use it for... I know Auditor's Office has it. We have some people in, I think it's Department of Environmental Conservation, the Chief Medical Examiner, so it's hard to hire a doctor for $64 an hour, and that's our top wage that we can do. So we can look at the market conditions, we have to do an extensive analysis to make sure we're getting it right. It's more than just looking at the Department of Labor statistics. We actually would hire somebody to actually look at that, look at the job class, and make sure that we're getting it right. We're in terms of looking at the job class, and to go back to what we're specifically talking about about information security analysts, what market are you looking at? Are you looking at a Vermont market, or are you looking more broadly than that? When we did the market, when we do a factor analysis, we would look at Vermont, and we would look more broadly, and we would look at government versus private sector. So we would look at all of those things and take those into a factor, and then we would work with the department to see what that rate would be. 
I'd just be very interested, for example, to hear from ADS as to whether or not they believe those numbers are really representative of what those jobs command in the marketplace. And as I said, this was just a quick brush. We wouldn't go out there and say, this is the be all and all. I mean, it just, frankly, it just seems suspiciously low to me based on experience. And as I look, and look particularly at the Vermont Health Connect project, at the contractors who are hired for IT jobs compared to what Vermont was paying, the people who were providing oversight in the department, it just seems suspiciously low to me. And as I said, this is the entry-level job. This pay is the entry-level job based on Vermont wages. So it's not a program or it's what we could figure out was closest to entry-level for an information security analyst. So in terms of vacancies for these positions, do you have information on those rates? I do. And how that compares like across the government? So yeah, one other thing to say about on-the-market factor adjustment, it definitely requires a lot of time to implement. And it goes with the job class and not the employees. There's no discretion based on individual qualifications. So you could have a problem if you did market factor adjustments just for cybersecurity people and didn't do them for other parts of ADS. There would definitely be, John would have, could have issues, fairness issues within the organization. There's also issues if he was looking to promote one of those very high-paid persons to management, that market factor would go away. So there's other things to consider when you do a market factor adjustment. So we don't ever, it takes time to do those and we do those very carefully. So if that is something that ADS is looking for, we will absolutely work with them. What do you mean by a temporary supplement? So temporary until we decide we're not paying market, we're not paying it anymore or until we redo it. 
So it could be, it could be some very long time. Everyone sees that cybersecurity is the way to go. So the cybersecurity schools are flooded. Now there's a big market for, there's a lot of people in there so that we just would come down. We would have the flexibility and lower vote to take away the supplement. So if for some reason there was no difficulty recruiting anybody anymore, it seemed like their wages were not in parity with the rest of the department or everything else, then we could remove that at any time. The current auditor has kind of looked at wage rates. Getting back to Senator Brock's question about, are you looking at Vermont or are we looking at the region? And Vermont as a whole. So if we're looking at Vermont, I think what we're doing is replicating in state government what occurs within that overall Vermont environment relative to wages and compensation with other states, particularly when you're getting into, say, the Boston labor market or whatever. So if you look at Vermont wages overall compared to other states, we are paying employees less. So if we're, and you can't do what Vermont government in isolation with the rest of the Vermont employment structure, but I'm just saying, I think that this is, now that everything is so regional and people are able to move and commute, et cetera, the world is kind of a broader place than simply the geographical boundaries of Vermont. And so this is what we see here in state government, in fact, is because we're tied to the Vermont labor market, I'm not questioning that that's not the legitimate place to be, but the overall Vermont labor market in terms of wage compensation based on this analysis that was done is lower than you're gonna get in Boston. So if I wanted to make, or other states, if you wanted to make more money, you could go to Boston. 
That's why Massachusetts state government probably is gonna have a harder time attracting somebody to a cybersecurity role than we might in Vermont because if you can get that same job in downtown Boston working for a Fortune 10 company rather than a state, but in Vermont, there probably aren't as many options. I mean, there are some employers that are gonna employ cybersecurity people at a high level, but a lot of the cybersecurity people for the banks and stuff are gonna be probably in an urban area, metropolitan area. One of the concerns that I've had, and it'd be interesting whether or not there are any observations from your end that support this, is a long-term trend over many years for information technology positions generally in that we have not had a local market to be able to fill those jobs when there are significant IT projects. And as a result, and this is also the case with audit, we go and we contract with large firms to provide that resource. The large firm then goes to the Boston market and brings people in, and then we pay three times their hourly rate in order to, the contractors provide that same service. Yeah. And so again, that just raises a question in my mind is the strategy of looking at Vermont as a comparable market is that part of the problem why we can't fill some of these critical jobs so often? Yeah, I'd say right now, we're actually doing, I would say, okay. We've, of the 10 incumbents in there, this is what we've kind of got. Two, some of you did hire some at step one, one included intern that was permanent. We hired that person at step one, an entry-level job for this. And we've been able to internally promote people and then we've had three hiring ranges. That this is across all of state government? This is, these were those IT analysis. Yeah, two, one, two, and three. So that's, those were, this was, so this is where HR saying, hey, we got, we got the jobs filled, we did our job, you know. So this was in 2009. 
This is that we did have success in recruiting. We had information security analysts filled by internal promotion. Security analyst two was hired into range at step two and then we had a one hired into range. As the intern I talked about at step one. We were required to do about a two-week recruitment. For these, we did three-week recruitments. We did have small applicant pools of only about five or six qualified candidates. We may have more people apply, but they didn't really meet the minimum qualifications. And it did take a little bit longer to fill those jobs based on 20, but that's, that's for the openings we've had in 2019, we've been able to meet the needs with hire into range. That doesn't mean that we will be able to in the future necessarily. I mean, but I mean, that's kind of the current state. We've had some in 2018, I think we hired people into range at much higher steps. A few people are at higher-level jobs. So we were also able to bring in some more experienced people, I think at higher steps. I think that's really all I had for you. I don't know what other questions you might have. I just had a question. So obviously, we have been successful if we have no vacancies now. There's two parts, one of which is recruiting and hiring and the other is keeping them. And so I was just wondering if we had sort of any historical experience. This grow your own is not new. When we brought in the ACCESS system in the late 70s, in fact, that's what we ended up, and have the very same issue that you're talking about, Senator Brock, with Mathematica and very high paid staff brought in working side by side. It does obviously create, and we ended up getting rid of the contract and developing it in-house, but over time because of problems. But it's a matter of also how we keep staff. And I don't know what our experience is in general with them. And maybe it's too early to tell. 
It's a new agency, but what would be nice is to see what that retention experience looks like. I think one of the things about having ADS as an agency, and having all the classification was the same, but you would see people jumping from department to department and for like the real IT developer jobs or information security, that really isn't going to happen anymore. So we can have the same thing across everyone. Because if it was the way it was before. So you're saying that helps stabilize. I think it helps to help stabilize because if it was the way it was before, and let's say it was in DII, and DII was giving market factor adjustment. They weren't giving it an ADS. Prior we had departments kind of competing against each other for the talent. And now it's, there may be better places to work or better projects, but I don't know if you have people like jumping around from departments because you're gonna get a promotion or a new class or anything. So I think that's helpful. Hopefully that will be helpful to Secretary Quinn in having kind of a more more uniform across state government. I would also say that a lot of project work and the developer work, I think the state of Vermont is so lucky to have some of their, for their own systems and to have their own internal developers. That's not something that we really never, I never really experienced in the private sector. So we actually could make changes to our systems. And I was really, when I came into state government, I was like, what? We have our own people that do the programming for us. You don't have to have conference calls with another organization that doesn't understand your business and doesn't understand your system. So I understand the benefit of having those people in-house that really do understand your systems and understand the work and the desire to retain those public employees. 
And so we're doing other things, not on the, I would say, we're also trying to do a lot of work in human resources on the retention side, on kind of more the soft side and the management skills to try to help managers on board those employees in a way that makes them want to keep working for state governments. And it's a pivotal position and that is the supervisory training. I mean, there's research on that in terms of either the positive or negative impact of the work culture. Yeah, and what we found is some departments do it really well and some departments basically have no resources. They don't know what to do. So they, here's your job, here's your desk, go ahead. And so it was very, it wasn't uniform across state government. So we've actually been piloting a new onboarding process. We're actually gonna launch it next month. That will uniform, we'll have uniform training across state government. We'll also have really a guide for the supervisors to say, here's what you do step by step. Here's how you can keep your employee engaged, even just the pre-hiring process. You've made the job offer, give them a call and saying hello, you know, just wanted to follow up and see if you have any questions. Follow that up with an email, giving them the specifics. Just really welcome them into the workplace, possibly hook them up with a buddy, that's not the supervisor, that can show them the ropes. So there's a lot of things that you can do and if there's an easy guide that says, here's how you do it. And by the way, supervisors, we're gonna actually see if you're doing it because we're gonna be somewhat tracking them, not individually, but just through surveys. We hope that will have, and we expect that'll have a better outcome for our retention overall, not just for IT security people or IT people. Thank you. Thank you for the record. I'm John McClendon, CIO. I'm Nicholas Anderson, the CISO, the Chief Information Security Officer. 
So as we've mentioned previously, we have partnered with the Department of Homeland Security with their National Cybersecurity Assessment Team, their NCATS team that is part of the Department of Homeland Security's newest agency, the Cybersecurity and Infrastructure Security Agency. They have a team within that that serves as one of three national cyber centers. Theirs is called the National Cybersecurity and Communications Integration Center, or the NCCIC, and within that the NCATS team, because the Federal Government likes nothing more than good acronyms. The NCCIC's NCATS team, the National Cybersecurity Assessment Team. Can you do it again? Can you just do it again? The NCCIC is the National Cybersecurity and Communications Integration Center because they hold the statutory responsibility for cybersecurity, which is protection of all the .gov infrastructure and all the civilian infrastructure in the United States, and they hold the emergency communications responsibility. So when we have resiliency issues, like after 9/11, we saw people couldn't get through on the cell towers, emergency responders had trouble communicating with one another. They hold the emergency communications responsibility as well. So is the FirstNet project connected to that? FirstNet is connected to part of that, but then FirstNet also has a different program office within GSA and a couple of other reporting responsibilities within the General Services Administration on the Federal side. Within the NCCIC, the NCATS, which is the National Cybersecurity Assessment Team, they provide services that include a risk and vulnerability assessment. We take advantage of several DHS services that they provide free to states, one of which is a cyber hygiene report that we get on a weekly basis where they perform an internet-based scan of the state of Vermont's assets and provide us a report on what outstanding vulnerabilities may be and what they're seeing from an external perspective. They also provide- That's weekly, you said? 
Yes, ma'am, that's correct, that's weekly. Is that something that we ask them to do or is that something that- We did, we reached out and asked them to do that. So do some states not ask them to do that? That's correct. They're really making a big push right now and that is a free service that they provide to state, local, tribal, and territorial government entities. They're really pushing people to take advantage of that. It's a free service. That's the kind we like the best. We like free. If it's good, yes. It's been great. It's allowed us to have really well-informed conversations with our vendor community, and some of the people that are outside of the state government's purview because within our Vermont.gov infrastructure within the old state.vt.us, there are some cities, some municipalities that are in there as well that are hosting things and it allows us to have a conversation with them as well about what, if we see some of their vulnerabilities, what might they be? Are there some parts of state government that are not included in this examination? There are. So I would be willing to bet that anything that is outside of Vermont.gov to include the legislature is not included. I know the Secretary of State's office is not included in that, but they have a separate agreement with DHS where they're getting the cyber hygiene reports as well just for their sos.vt.us, I think it is. Is that their domain? sos.vt.us domain extension. So the question is, are those things that are state government entities that are not included, does that suggest that there are other unaddressed or unknown vulnerabilities because these things are not being looked at? I'd say that is, I'd say even more broadly than just the scope of web servers that are externally facing. I'd say things that are not being centrally managed within state government that are part of IT that has been hosted in a legacy way inside another department or agency or maybe a third-party board or commission. 
I'd say all of those things in aggregate represent a risk that may not be known to us when we're trying to centrally manage the risk and trying to centrally mitigate it for the state. And so you're not getting a read on that with the hygiene report? Correct, so the cyber hygiene report is essentially executive branch and ADS's customers that are residing within that Vermont.gov core infrastructure. That's what that's all we're getting. Could you give us some examples that would be outside this that you're saying are not subject to this weekly hygiene review? Just, you said certain boards and commissions, you said not the legislature, but judiciary, is that outside as well? I would have to look at some of the judiciary's assets or some of the things that they are doing because they are an ADS customer as well. Yeah, okay. For some of those, they're absolutely included in that and part of it would be I couldn't speak authoritatively whether the judiciary has some web servers that are being hosted in a legacy way that are not Vermont.gov domain. The reason that I'm asking, I guess it's following up on that with your question, if in fact these, whatever they are, and I haven't got a clue what that inventory of entities that are outside this weekly hygiene, hygiene, it sounds like public health review. And if they post vulnerabilities, do we have an inventory of where those vulnerabilities exist? So if many, I'm sorry. I wanna actually just follow on to the question, is there any correlation between the sheet that you've put together, the chart that you've put together for us around ADS services and the Senator's question? There would be. We can certainly extend the spreadsheet that we have to check that off as well. That's the whole intent of that spreadsheet is to be able to capture how each individual entity within state government, IT, IT security, IT procurement, all of those things are being managed. So that they understand it. All right, thanks. 
So it'd be very helpful if you do, in fact, extend that spreadsheet to include. Pretty well. So I'll go over at a high level what the overall methodology was that the entity that's taking followers during our risk and vulnerability assessments, it includes both an external look into the state and an internal look in the state. So they have a team of five people that are well-qualified cybersecurity experts that are DHS government employees that leave the engagement and kick it off with us. And this normally starts about 60 days before we'll ever see an engagement. So we made the request, made the request probably before the first of the year or right around the first of the year, had a kickoff with them. I had a couple of phone calls in March to finalize the fact that we were going to be placed on their schedule. And then in April, I actually had the kickoff meetings begin planning the scope of the project. The scope of the project for this risk and vulnerability assessment was all of ADS's core infrastructure that we used to provide services to the state government and Secretary of State's systems excluding the actual election systems themselves. The election systems aren't connected to the internet. Those aren't network accessible. I just want to make that note, but it did include Secretary of State's sort of business and administrative systems as well. And was the Secretary of State's office aware that that was going to be happening? Yes, yes. So they have an IT manager over there. His name is John Welch. And John was actually part of the phone calls doing this. He participated in generating the paperwork for the microscope and kind of cosigning all phone and radio activities. So what we're going to say is your core ADS core functions and the Secretary of State's outside of the election. As an administrative system. There's things like lobbying registration and corporate registrations, online voter registration, database, things like that. 
So that was the scope of the assessment. We began that planning in earnest after the kickoff meeting in April. This actually went through in June. A couple of weeks later, we got an out brief. And now we've prepared our plan of action for getting to close out some of the recommendations that they just provided for us. And kind of big four buckets. We have codified that in the categories of vulnerability management, credentialing management, access control, spear phishing and phishing awareness, and overall security. Spear phishing? Yes, now. So we're phishing. It's a good term for us, Jane. I've heard of phishing. For phishing, it's just, in general, sending out those emails, which we performed as part of this assessment. We phished our own state of Vermont employees. Spear phishing is going after high-value targets. It's going after high-profile targets. And you may be able to get a little bit more work into doing that, so it could save. So it's a much more targeted job. So they are going to do this in an individual and say, this person's a board of this. We want to target them. That's where we're looking for this specific piece of information. More targeted based on maybe your role in an organization. It's like for me, if they know that I'm Nick Anderson, and I do security work, and I live here in Montpelier, and maybe I have a daughter who's 10 years old, maybe they're going to send things to me and say, well, I can see from LinkedIn that it says he lives in Montpelier. I can see it from his Facebook. Maybe I need to target things and say, this is pertaining to after-school activities for Montpelier schools, and see if I can get him to click on a link that's going to download a malicious executable that's going to provide something there. 
Or maybe if I know that I'm trying to target the commissioner of DHR, maybe I'm going to send something pertaining to human resources information as a link or as an attachment and hope that she clicks on it, saying, oh, this is something I'm going to ask somebody who's a peer of mine or industry group is sending to me. Or maybe they've masked themselves as a constituent and specifically have a lot of fear. So it's very targeted to an individual to get them to be impacted to you as a part of it. So we did participate in that. And we have an action plan that we put together today as our final day for comments that we've opened it up to all of our agency IT leaders to provide commentary on that plan of action to establish our milestones. And we're preparing next week to work for our own enterprise project management office to kick this off as a fully managed project to govern it in the right way and to make sure that we're tracking and holding ourselves accountable for closing out these vulnerabilities and these risks to the state of Vermont and across. Is this really a project or is this really an ongoing security protocol that we should retain? I'm just, could you clarify that? Right now I'm looking at it as a project, this phase, to get up to a level where we feel is sufficient. And then from there on it would be an ongoing operation and maintenance activity. That's the one I was looking at. Oh, that word. I would love a definition of that. Oh, O and M? Sufficient. Oh. But any other questions that we want to ask? So this chart? Does this go with that? Is that it? Could you explain this document that you just gave us? This is not part of this testimony. This is the 10 minutes I have later on this month. That's fine. Sorry. Well, that's fine. Getting ahead of myself. Oh, I was like, do we have anybody from much IT? I don't. No Kevin, it's not here. I don't believe Kevin is in it. OK, OK. Jess, do you have any questions in open session? Yes. My name's Jeff Lower. 
I'm the CIO of the judiciary, with me as court administrator, Patricia Gabel. We're still unclear, since we weren't included in any of the planning or results of this process, whether or not judiciary resources were part of this scanning work. OK. Yes. The ones that you received from ADS were? So I don't know if you want to comment on that. Yeah, so may I comment? Sure, absolutely. Absolutely. Patricia Gabel, court administrator. And just as a, without more of the detail, I think the Supreme Court would be very concerned to hear that DHS was scanning judiciary files without the judiciary's notice. And so we want to have a good collaborative relationship with the other branches regarding cybersecurity. But it's very important to understand the distinction between the kind of content that is in our electronic files and that we, as a customer, need to know not only which of our files have been reviewed without the Supreme Court's knowledge, but also, is there any capacity for whoever was in those files to retain some kind of presence in our files where there's a continuous feed? So again, I'm speaking from technical knowledge, other than what I just heard when I came in. But that is something really important that we need to resolve as we work together. So the part I'll touch on in open session is that we didn't tell any of our customers what we were doing. Because as soon as we do, everyone starts to scramble and tighten up their applications and tighten up their websites and do things that should have been done, but maybe weren't. But knowing that there's a scan coming, people start to lock their doors and windows. So the only people that knew about it were Nick and I and some of the security staff by design. Not even all of the security staff. Right. And the Secretary of State's office. And the Secretary of State's office. Right. They knew because they, triple A, they had submitted a separate request to DHS to take a look at them. 
And for efficiency's sake, we asked them just to put the two together. OK. And do you, so this is just going to be a random kind of all over the place question, sorry. Is that just a decision that you make as a secretary? Do you consult like the governor's office? Is that your purview? It's a standard protocol. To do it this way. Right. And to keep it a very closed process so that you can get the best return, I guess what you're saying is you want to make sure that it's sort of like a health care facility that it's told we're coming to visit on a certain day. And they all of a sudden change the linens and clean the floors or something. So I was just wondering whether this is the way that these kinds of security scans are undertaken. Part of it is we want to see how our own IT personnel and the IT personnel throughout the state want to see how they react. We want to see do they notice that somebody is present with a network. How close have I? Are they really keeping on the resources that we're charged with safeguarding? It's kind of like TSA going through the airport. TSA regularly engages. I participated with them when I was a DHS employee. Regularly engages in security assessments, and they're entirely unannounced. Where you're going through and you're attempting to smuggle in weapons through airport security. Because you want to be able to test the rigorousness of that local facility and being able to appropriately screen for that hazardous material. The same thing with information security. We want to be able to test just like it was a regular day here working for the state of Vermont. We want to be able to test the ability to identify and respond to security incidents as they were posed. So have we had a Homeland Security assessment as ADS previously? I don't believe so. How about DII? I don't believe so. So was this the first time? So no, as ADS. I was thinking historically long term. 
I don't believe that we've ever engaged Homeland Security in an assessment like this before. To my knowledge. OK. And so when the Senator's question is around, you know, is this protocol? Is this protocol? Where has that been developed? So we have done other types of penetration testing on systems. In the past couple of years, since ADS was created, with Norwich University, we will pick a specific system maybe. And during their weekly or their week residence during the summer, the team goes ahead and tries to attack a system and gain entry into the system. The first year, we made a mistake of letting the business team and IT team know that this was happening. And magically, the box was updated and firewalled and protected to the point where it was secure. But looking at it before that, they would have been into the system. And you know, probably a short period of time, that was a couple of years ago, and we'd fix that situation. This year, we notified the commissioner of the agency of the system that we looked at and didn't go any farther than that. And we found some vulnerabilities that we've since fixed. But the more people you tell, the less of an actual real world type is the real experience you get. I'm sorry. Is it Pat? Pat. Pat. Excuse me, Pat and Jeff. I have a question for you. Have you had or asked for a DHS scan before or testing before? You're aware of? OK. I might also add, as Nick mentioned, MCIT leads getting feedback and developing an action plan. We've had no exposure to any information. OK. Other questions from the committee? I'm asking this question because I'm totally a neophyte in this world of cybersecurity. But people are really concerned who has access to these systems and who has access to data. And to some extent, I think Pat referenced, you know, in terms of when a review was done. In other words, could someone, and you told me there are people that have enhanced privileges and that they're going to the system. 
And I understand the need for security. I guess the question becomes one of, we all have these confidentialities. There's some very sensitive information. So how do these reviews protect of that? In other words, if I want to say, I think Senator Brock is absolutely horrible because of X, Y, Z, could somebody actually go in and have access to those kinds of exchanges as part of this review? I'm just wondering what are the implications of this? Or are you looking at something very technical in terms of ability to access as opposed to a particular correspondence between individuals or a records record or a child welfare case? Could you just give us some understanding of what that means relative to the systems and the information that would be contained in that system? Yes, Sam. So we did have the Attorney General's office review our agreement with Department of Homeland Security ahead of time. So there's both a letter that outlines the scope of the engagement, as well as the confidentiality that's acquired by the Department of Homeland Security when they do this. Some of this specific lens through which the Attorney General's office reviewed this, and this is why it took us about eight weeks to get from initial project kickoff to actual project initiation, was some specific review given the ongoing litigation involving the Department of Homeland Security to ensure that DHS personnel, though this was an entirely separate agency, and a different work function, would not have access to any data regarding that ongoing litigation. So I'd say no, in general. They don't have access to files or information of this incident, mostly because we have people sitting right there with them while this is ongoing. Every single time, I'll give you a few more details in a few minutes. 
But if they had a department in particular that they said they found what they believed to be a vulnerability in one of their web servers that happens to hold some files in it, they would raise their hands and engage with our team, whoever was in the room with them at that time or right down the hallway, and say, hey, we found this server. We found this vulnerability. Is it OK if we go in there and exploit that? So if we go in there and see what's in the server and see what we can find, they would go a bit further. So we had checks in place. Nick would call and say, we see something here. Is it OK that we enter this area? So there were several checks along the way and we were careful about which areas we entered. They did not have unfettered access to our infrastructure or to our customer base at all. But I would say, yes, this is something we're going to continue to do on a regular ongoing basis. So we have, as our attorney has reminded me, we have a state law about knowingly disclosing personal identifiable info to the US government. What guarantees do we have? How are we assured that the government is not keeping any of this information? And I think that would be a question really for our attorney, the AG's office. They were brought into this process to do a legal review for that specific reason. For your attorney at the AG's office? Yeah, for the Attorney General's office. We have two different assets in the Attorney General's that would be the letter of engagement, specifically the confidentiality of information and any ability for data retention within this agreement. OK. They reviewed it, but was there anything in the agreement that prohibited it? I would have to go back and look at the specific clause to give you the details of that, sir. I can tell you that it was specifically referenced, I believe, but I'd want to go back and find out. 
Again, if you could just give us feedback as to the nature of what restrictions are placed on looking at information other than looking at systems and vulnerability, but looking at actual information and files, one, and two, retention of information and files, if those things are addressed in agreement that you have. It's sort of conscious of the concerns with around the facial recognition data that was shared with a. Of course, there's no prohibition to do any of that for legislators. They can retain anything that we do and talk about, including our faces, including our faces. OK, do we have any other questions? Any other questions? OK, so you have additional information to provide for us. Do you have any other information that can be provided for us in open session? In your opinion? No, I don't think so. OK, so we've asked our attorney to draft us a memo regarding executive session, which we have. And it's really important to me that we're as transparent as possible, but also that we respect security issues here. So we'll be very cautious when we are in the executive session. I think we have asked that the legislature, or the, excuse me, judiciary members stay in. We had also asked to have legislative IT stay in if they were available, which they are not. And so I think we will ask our attorney, obviously, Catherine, to stay. So do you want a motion to go into a session? Yes. I'm happy to have our customer in the room to hear what we have to say. But outside of that, I think it's really a need to know based on who's in here. So we have the judiciary. Yep, who's our customer? We have our attorney. Yep, OK. And we have joint IT. We have Dan and Catherine. Yes, Dan and Catherine. Is that? And what role do they play in this? Like what? Which they are you referring to? Dan and Catherine. So I don't care if I stay. I don't qualify to speak. I mean, I don't know if you want Dan to stay, since he's much more technology than I am. 
So I think Dan has been contracted by the legislature to provide some oversight on our behalf in terms of IT projects. We also have an MOU on confidentiality between our office and with Dan specifically and on the work he does with the administration. So he has access to these policies. So you're getting the boot, but Dan can stay. I'm fine with me. Well, I did. It's Catherine. Is that OK? Yep. Well, she's going to be completely out of me. We're not sharing this information regarding the specific vulnerabilities with our own employees inside the agency. They're going to be receiving a two-page action memo that's going to outline what we're doing about it and what we're going to be ensuring this. My entire security staff hasn't even seen this. And I would like to reiterate for you and for the committee that I think this is a very serious issue. But I also think the legislature must have some ability to provide some oversight or. But the understanding for us, anyone who is here in the executive session, is what we're told is confidential. Is that and not to be shared? Yes. Just need to know that in advance. News lately, some information regarding the use of a non-approved manufacturer's device in our telecommunications systems. And I wonder if you could address what the status of that issue is. Sure. So in delight, I believe Jelani first did a lot better than that. Inside of a co-location facility, FirstLight Communications was using a Huawei device and questioned whether or not Vermont data was running through that network. So we began to investigate immediately. We asked them for a response outlining how it wasn't part of the Vermont network. And they addressed it through a chain of emails and timelines for the INdigital contract, which is the 911 system, the new 911 system that isn't in place yet. But I think where they may have failed to really address the issue was around the data services that the Vermont gets in its data center. We get our internet. 
We have three different internet connections, one through Sovernet, which FirstLight owns, FirstLight, and then VTel. So we have three different main circuits. And so I went back to them and said, following up with your timeline here, it shows that you signed our certification March 11. You're saying in your timeline that there were still circuits in place in mid-June. What's going on here? And this was just a conversation I had two nights ago with their principal technical assistant. And he said, OK, I get what you're saying. I get the way you're reading this. You were never on that old equipment. When we migrate off something like that, we stand up a network identical to it next to it, equipment that we're going to migrate over to. And we start migrating circuits a little at a time over a period. And their period was over about 18 months. He said the state of Vermont was not on that equipment. They've always been on the new equipment. And that was not clear in the communication. So they've assured me that we were not on that Huawei equipment for our data services and that they may have had others on that equipment. But that's really outside of my scope, whether they had who their customers were. That's all privileged information, not for me. But so to go further, I've requested a walkthrough of their co-location facilities and data centers that they have that provide services to the Vermont network. All of them? Yes. And they're working on lining that up. Some of those co-location facilities are owned by other providers and need special assistance in order for me to get in. So we're working on that. But we've stayed on top of it. So in summary, then the state of Vermont never was on the equipment line. That was the topic of the newspaper article. That's correct. Now, because it always raises the question, well, how do you know? There's no way that you can, in effect, audit to determine whether or not you've got correct information. 
You're basing the conclusion solely on their assertion. That's correct. And that's why I'm doing the walkthrough. I'd feel better if there's no Huawei equipment in the data center anymore. I at least know from this point forward, there certainly isn't a chance of us being on Huawei. OK, thank you. OK, thank you for your patience, Secretary Condos. So we have, just to give you a little background if you're not aware, we've been working with ADS to kind of understand where they're providing cybersecurity, where they're sort of providing. You've heard us talking about customers. And trying to understand how the various entities that are not directly contracted with them are interfacing, how Vermonters' data is being protected. So we wanted to hear from you a bit about that. And then I think the committee had also wanted to hear anything you'd like to share with regard to elections. Sure. So first, let me just say, for the record, Jim Condos, Secretary of State, we do work with ADS on a regular basis. We do have our own IT team in our building. And we obviously work off of the internet system of the state. But we do have our own cybersecurity that we operate. But we work, we collaborate with state resources. For instance, the Vermont State Police, the DHS intelligence officer, Region 1 CISA, it's CISA. Cybersecurity and Infrastructure Security Agency. There you go. It's a mouthful. One thing I've learned in the last year as president of the National Association of Secretaries of State, there's a whole language of short words, acronyms, thanks. And it's amazing to me to hear what they have to do, how they talk. You get on a phone call with them and they're stopping them every 10 seconds. What was that? What did that mean? 
So in any case, we just recently, in fact, Nick attended as well as Kevin Lane from the Vermont State Police, Homeland Security, Ted Gansy from the Vermont, he's the Vermont CISO, our DHS intelligence officer, was part of the team that we sent to a regional consortium in Durham, New Hampshire for the New England states with DHS out of Boston, Region 1. We had a forum, if you want to call it, consortium to discuss all the states' threats. We had the FBI, Secret Service, all the different players that were involved, so we are constantly working together. So I'll leave it at that for now, and then I'll get into what we're doing just so you have a better feeling for it. So defending our democracy for the last year as president of the National Association, I've been going around the country and on national TV speaking about cybersecurity is our new normal. It's a race without a finish line. It will never end. I have been very outspoken asking Congress to provide sustainable ongoing funding to the states. We can't survive by having a lump sum every 10 or 15 years. We got $380 million to the states of which Vermont's share was $3 million last year. And we have a plan for how we're spending that and it's public. It's on the EAC website, the Election Assistance Commission's website. The last time we had money before that was 2004. And we at that time, Vermont got somewhere around $15 to $17 million, which we still have some of that left. We've got very few. That's the HAVA money. And the money we got last year was also HAVA money, and it was left as we call it leftover hanging chad money from 2004. Congress had approved but never appropriated 100% of the money that they had approved. This was the remaining 10%. And it was divided up amongst the states, according to a formula for Vermont's base minimum state. We got $3 million. California, I think, got like $34 million. So that's the range. We were fortunate. 
Back in 2013, I was in DC for a conference for National Association of Secretaries of State. My colleague from Oregon, she was Secretary of State at the time. She's now the governor out there, mentioned to me at dinner one night that her corporation system had been breached, which I thought originally I said, hmm, interesting. It was the corporation system. Every piece of information we have on our corporate public is all public facing. There's nothing that we have behind the scenes. So it's all public information. But apparently they have some information that they keep private, confidential, and it was breached. So I came back from that in February of 2013, and I asked my IT manager how we were set up for cyber. He said he thought we were in pretty good shape, but it wouldn't hurt to have a second look. So between 13 and 14, we hired a third party. It was actually a Vermont-based company, NuHarbor Security, to do a complete physical and cyber assessment, vulnerability assessment of all of our systems, not just elections, but all of our systems. That was completed in 14. And we asked them as part of that to give us a high, medium, and low priority of things to take care of, and an approximate cost to do it. We have knocked off all those things. In 2016, this was when the world of Secretaries of State changed. August of 2016, we were called to a phone call with Secretary Jeh Johnson from the DHS to tell us that there were states that had been attacked, not breached, attacked, who was later found out that only one state was actually breached. For the record, Vermont was not one of the 21 states, and we certainly were not the state that was breached. That state was Illinois. And what happened was the Russians got into their voter registration database. Didn't do anything. Just the signs were there that they were in. 
The one thing that I think happened in 2016 that didn't get a lot of play, and this is what I've been harping about with the press, is the fact that, yes, one state was breached, 20 states defended and defended well, which means we were doing our jobs. As I said, Vermont was way ahead of the game. We are considered one of the leaders in the country on cybersecurity with our election system. In 2018, as I said, we had the $3 million. We have a robust suite of defenses. If we were to tell you everything, we might as well email the presentation over to the Kremlin. I can certainly go into some broad discussion about what we do, and I will, but I'm going to reserve that till the end. We have, again, we have a new election management system that was implemented in 2015. We call it VEMS, Vermont Election Management System. Because it's a new system, it actually came with added security, and we had already built in cybersecurity requirements into our RFP. We monitor our systems on a daily basis. We work hard to keep the bad actors out. And please keep in mind, when we talk about bad actors trying to get into your system, they're not necessarily trying to get into just your system. They're trying to get into your system and then seeing what other doors are open for them to go to. So we have a connection, for instance, to the Department of Motor Vehicles. They could try to get into our systems and when they get in there to see, oh, we can go over here to the motor vehicle department or over to the tax department. And that's the issue, I think, that Secretary Quinn and Nick Anderson have to fight all the time with all the different agencies is the bad guys are trying to get wherever they can. They're looking for vulnerabilities. They're looking for weaknesses. We contracted starting in 2016 prior to the 2016 election with DHS. I shouldn't say contracted, it wasn't really a contract. They do it on a regular basis, weekly. 
Cyber Scan, they look to see if we have any vulnerabilities that have opened up in the last week. So we do that on a weekly basis and we get a report. With Homeland Security. With Homeland Security. It's just like a hygiene report. Same thing. Yeah. Same thing. We have what's called an Albert Monitor. The state actually has two of them. We also signed up so that we could get our own, which basically monitors internet traffic coming into your system. And it takes it in real time, sends it back to the Center for Internet Security, which is under time back to the Department of Homeland Security. They can tell us within 10 or 15 minutes if we're being attacked or not. We do. OK. So I'm going to ask you a question around with that Albert Monitor and with our law that we cannot. How do we know that the federal government is not maintaining any of those? There's no confidential information. It's IP addresses that are going back and forth. And I'll get into a little bit more on another piece of that. This is not going in in action seeing our confidential information. We do annual penetration testing where we hire a firm. And I'm not sure whether Nick Anderson has said anything about it, but we always hire a different firm each time to actually do try to penetrate our system. And the reason we hire a different firm each time is so we have a different set of eyes on it. So we're not just getting one set of eyes that has one method of operation, and that's all they do. We hire a different set to see if we can find anything. That's on top of the cyber scan, which is looking. And by the way, the cyber hygiene scan, essentially what it is, is like a burglar walking up to your house in the middle of the night, trying the doorknob, looking in the windows to see what's there. I mean, that's what they're trying to do. The cyber scan is taking a look to see if there are any doors that are left open. 
We enacted as part of the money that we got last year, we enacted two-factor authentication for any individual that has to get into the Vermont election management system. That means town clerks and any of their people. So if they have access to the system, to the management system, they have to go through a two-factor authentication. We also did it for our own staff. And we do an annual town clerk WebEx cyber training. It's a two-hour WebEx. We were fortunate. The first time we did it, we had 235 out of 246 towns that actually participated in it. So we feel pretty good about that. It's a very basic, gives them simple information, things like spear phishing emails and things like that, what to look for. And we're doing that on an annual basis. We built in resiliency. We have the automatic voter registration, which provides us with a much more accurate and better efficiency voter registration database. We do a daily backup of our voter registration database. So even if a bad guy got in and destroyed, let's say, just destroyed it, we would just be able to go back 24 hours and reset our voter registration database. That would disrupt an election, wouldn't it? It could. So that's part of the resiliency that we have is the fact that we do have that voter registration daily backup. We also have same day voter registration, so no voter will be turned away. If they're eligible, they'll be able to sign up. And we have other internal threat mitigation measures that are in place, limiting the amount of damage that a bad actor can do if they were successful at getting in. As far as the vote tabulators themselves, so Vermont uses optical scanners. They're not connected to the internet in any way. They're not connected by hard wire, by Wi-Fi, by remote access software. But that's not true for every state, Jim. It's true for probably 95% of the states. There are some states that actually link. 
If you have several of these at a polling place, they might link them together to get one set of numbers at the end of the night. But it's not very many of them that I know of actually are connected to the internet to submit their information. So what we have is a system that allows the machines to take a look at the paper ballot. And not every state has the paper ballot that you have to back up, is that? Roughly 40 states have paper ballots, in most cases. I think it's like 38 or 39 actually have totally paper ballots. There's a few that might have a hybrid where they have some paper ballots and some not. And then there's a handful of five or six states that have no paper ballots whatsoever. And I don't know how they do a recount. What I've heard is that what they do is they go in and you hit a button, and the machine does a recount. It says, here it is. And Randy, as Senator Brock, as a former auditor, I don't know how that works. I didn't even know why. So we have a robust actual audit that we do post-election. We do 5% of the towns that are randomly selected. We used to do just four towns, and it used to be two races, a federal race and a state race. Now we do 5% of the towns, and we do 100% of the ballots in that town, and 100% of the races on that ballot. And we've not found that. That we changed under my tenure, probably around 2012. But we have not changed. We have not seen any discrepancy whatsoever. We also have recounts that occur throughout the state, although I think there was one kind of infamous one, I think, two years ago in Orange. But that was really more of a process problem. It wasn't really the ballot problem. But the simplest solution, audit solution, is the fact that we have a paper ballot. We have something to go back to. And that paper ballot, all those paper ballots are sealed and kept in the vault for 22 months after the election. And they can't destroy them until after the 22 months in case there's anything that comes up. 
Our audit uses completely different software and a completely different set of machines. It does not use the same machine as what we've used. In fact, it's a much different, more up-to-date type of system. And at the end of the day, we have, in fact, you can probably look it up on our website, an actual file of the towns that were audited. And you can actually go in and see the ballots that were on that file. So it's really a robust audit procedure that we have.

When I first took office, there were no rules around this. It just said the Secretary of State will conduct audits; the Secretary of State will pick the machine for vote tabulation. And what we have done since then is put rules in place that actually have criteria that can be measured. So we have looked at that completely.

I also want to talk about vote tabulators, because we do not have 100% coverage of vote tabulators in this state. The vote tabulators, again, are optical scanners. They don't do anything but scan the ballot. We only have about 54% of the towns that actually use vote tabulators, but they represent 80% of the vote. If you want firmer numbers, I can tell you that it's about 135 towns that have vote tabulators and about 110 or 111 that do not. That's because of the state law that the legislature passed a couple of years ago that says any town over 1,000 voters must have a vote tabulator. So it used to be really up to the town whether they wanted to or not. Now there is a mandate. We pay for that; the state pays for it through the HAVA money.

So do you think that system is working well? Is it fine to maintain that system as it is?

Well, that's the other part of this. First of all, one of the concerns is always about the memory cards, and how those memory cards are kept. So the vendor who puts the memory cards together for us actually has a secure facility. It's under 24-hour lock and key, with a pass card to get in.
They know who's going in that room. The computers that they use have never been connected to the internet in any way. And they don't take our information on a thumb drive that we send to them, or an email file, and plug that into their system. They actually manually put it into their system. And this is all designed around security purposes, to prevent any infection that might come in from outside.

Those memory cards are not shipped to the town clerks until about three weeks before the election. They have a strict chain of custody. They keep them under lock and key in their vaults. Anybody that touches those has to record it: who touched it, who accessed those memory cards. About 10 days prior to the election, they take those memory cards out. Each town gets two for each machine that they have, if they have more than one machine. They do what is called a logic and accuracy test on those cards 10 days before. And then on the morning of, when they go to fire up their tabulators before they open for voting, they actually make sure that they're all zeroed out and that there's nothing else in there.

We also, and I'm actually surprised when I talk to some of my colleagues, do annual maintenance on all of our machines. We have a contract with the vendor that we use for the machines, and they go to every town and actually do maintenance on the vote tabulators. It's expensive; it's just under $50,000 a year. But we think it's important to maintain the integrity of our system, to make sure that all the parts are working, that the systems are working. And on election day, we have, I think it's five people, including one of the five who will be at our office, that are monitoring. They have a computer, and we get a readout at the end of election day of any problems, anything whatsoever.
If the problem was that the thing wasn't working right and they reboot the computer and it fires back up and everything works after that, that's logged; we have a report for that. So we can tell if something came up in XYZ town: here's what the problem was, and we addressed it. They have people within an hour's drive of any town in Vermont, so that they can make sure that if a problem does occur, and sometimes the computers just won't fire up or whatever, they're there to address it.

So how about the towns under 1,000 population? Those are hand count?

Yeah. So hand count, it's interesting.

Are you happy with that? Would you change that if you could?

It's interesting, and I'm also going to speak to a particular recount that occurred in this state in 2006. Hand count towns, hand counting of ballots, if you're relying on the human eye, it doesn't always read the way you think. And I'll give you an example, if you don't mind, Senator. In 2006, the incumbent state auditor, Randy Brock, on election night won his race by about 180 votes, I think 134 votes.

You remember exactly.

Oh, yeah. Tom Salmon was the Democratic challenger. He asked for a recount. Following that recount, it had flipped almost exactly.

A hundred and two.

Well, almost exactly. And Tom Salmon ended up winning that race. This is before my time, but there was an investigation of that issue to find out why, because generally you don't see that kind of a swing in a recount. That was a phenomenal amount of votes that switched. They found 15 hand count towns, and it wasn't the hand counting of the ballots that was the problem; it was the filling out of the official return of votes, which town clerks had to fill out by hand and send to us so that we could tally the votes. There were three people in that race. It was Senator Brock. It was, Mar... Levy? No, wasn't it Levy? No, it was Martha Abbott.

Okay, Martha Abbott. And Tom Salmon.
And somehow Martha Abbott was the one in the middle on this sheet. But what happened was, she got zero votes in those 15 towns. But somehow, when the clerks were putting the numbers in, they put them in the wrong column. So there were 15 towns that didn't count any votes for one or the other, or actually the other.

Wow.

And it was just a really strange phenomenon. Now we do it completely differently, and there are better procedures in place. But that was just the case of what happened there. Hand count towns, generally, when you think about it: 1,000 voters or more get tabulators, so the rest, the hand count towns, are below that. And we have some towns, like Victory, with only 72 voters. Would it make sense to put a $7,000 vote tabulator in a town of 72 voters? I don't know. So that's up to you guys.

Thank you. We know what they're doing, thanks very much.

But in any case, there are a lot of procedures that we've upgraded over time. As I said, we did the rulemaking to make sure that even just picking a tabulator... before, the statute was clear: the Secretary of State gets to decide what tabulator is used, and it has to be consistent throughout the state. So that's pretty simple. But there were no requirements around it. So we actually built it into the rulemaking that we did to say it has to be a paper ballot, it has to be this, it has to be this, in order to get to the choice that the Secretary of State would make.

I think this sheet is the one. Which one's that? Right here, fighting disinformation. Oh yes. I think that really is going to be our challenge. This is probably the biggest threat; I think I heard Secretary Quinn speak to this as well. Disinformation and misinformation are the two issues that we're facing right now that are really problematic.
We're constantly working to educate our voters to make sure that, when they're looking for information, they look for information from trusted sources. Both our Twitter account and our Facebook account are blue-dot verified. The blue dot means that we are a trusted source. We're constantly working to improve, through the National Association of Secretaries of State. We've been working with both Facebook and Twitter to improve relations, to improve cooperation and collaboration. Literally, they never came to one of our conferences before two years ago. Now they're at every one of our conferences. So that's interesting to think about, that collaboration.

So what's the nexus there?

Okay, so what we've done is, we've told them that there are times, for instance, what do we do if someone sees a Facebook post out there that says, oh, Democrats vote on Tuesday, Republicans vote on Wednesday, or the polling place in Burlington is closed because of a fire or an electrical problem, but they're going to extend the hours until 10 o'clock, so you can go after 7 o'clock? We know that's not true. So how do we compete against that kind of information? That's the kind of stuff that we're trying to address. We now have a Facebook portal that we can drop information into right away, going directly to Facebook, and likewise with Twitter. What we did in 2018 was cumbersome, but it worked, and we didn't have any issues. We had to go through our National Association as a clearinghouse. So a Secretary of State, if they had anything, would feed it to the National Association, and they would feed it on. They didn't want 50 states bombarding them with stuff, so Twitter wanted us to focus it more. We're working with them to try to improve that collaboration.

We also have what's called an election day threat dashboard, which DHS stood up.
Essentially, it's a website that every state is allowed to sign into, and we keep it on all day long on election day. You can see if there's a problem someplace else in the country. If I had one thing to say about what's different since 2016, besides our own internal focus, it's communication between the states and between our federal, state and local partners. That has improved tremendously.

So how are you feeling going in?

We feel very confident about where we are. As I said, we're considered one of the leaders in the state. I've been all over the country speaking about cybersecurity and elections, about some of the best practices that I see. We work with all of our partners. We can't do this alone. No state can do that. You give them a list of all your contacts, and they'll send an email to those people to see if they can get in through them. As I heard Nick Anderson say, spear-phishing is probably 80% or more of the breaches in computer systems in this country. It's because someone clicked on an email not knowing what it was, and people were able to grab your credentials and then get into a website.

So, what are we doing working with our state and federal partners? As I said, our IT director collaborates regularly with Nick Anderson, the Vermont CISO, and Ted Gansi, the Vermont DHS Intelligence Officer. We are members of the EI-ISAC and the MS-ISAC, some more acronyms. MS-ISAC stands for Multi-State Information Sharing and Analysis Center. All the states and the territories are members of that. The EI-ISAC is the Election Infrastructure Information Sharing and Analysis Center. The EI-ISAC was the fastest startup of an ISAC that they've had in their history. It literally started in February of 2018, and today we have 50 states, three territories and over 1,700 local or county offices that are members of the EI-ISAC, which means we get ongoing weekly information.
It'll be targeted to us: white means it's not critical, amber means step it up, red means you'd better pay attention. During the 2016 election, we received through our association an alert from the FBI to be on the lookout for certain IP addresses. We checked our logs to see if there was a problem. We couldn't find anything, but then we sent that information on to, I don't think it's immediately over here, we sent it on to the state system, to ADS, and I believe they found one of the IP addresses in their logs.

A year ago, August 24th, it was well reported nationally. My IT manager came to me and said, I was checking our web application firewall log information this morning and I found several entries, and the information we get will actually list country of origin, and it was Russian Federation and Ukraine. He said, what do you want me to do with it? I said, you send it over to ADS, you send it to your contacts at the MS-ISAC, which is the Center for Internet Security, for their review, and I'll call the Department of Homeland Security and let them know about it. They checked with a couple of other states, who were unaware, and found that there were a couple of the same IP addresses in a couple of other states, and within 24 or 36 hours they issued a nationwide alert to all Secretaries of State to be on the lookout for these particular IP addresses. So the system worked, and we're pleased with that. As I said, we collaborate with the CISA Director at NDC, the CISA Senior Advisor, the CISA Region One Director, the State Police Homeland Security Advisor, and it's just constant communication, improved communication.

In terms of potential penetration of election systems, generally, IP addresses may be one thing to look at, but in a lot of information or experience or discussion points with others regarding this, in fact, fished IP addresses, IP addresses that look like they're coming from someplace but actually are coming from someplace else.
They're masked.

They're masked. Yeah, that's always the threat. We have to be aware of that, and our web application firewalls will not recognize that when it comes through; they just recognize that here's an IP address coming through. But that's where the information sharing with others, including the Center for Internet Security, is helpful, because they can look at those and see. I've been to their facility in East Greenbush, New York, and they have a huge TV screen, if you want to call it that, and it's a map of the world. What you see is these lines going like this all day long, and they'll be in green, yellow and red. Green is good, it's a known IP address. Yellow is iffy, and red is we're being attacked. But what you also see is a red line that might come from Ukraine to Houston, Texas. And then from Houston, Texas, it goes as a green line over to Washington, DC. A green line, interesting. Because what they're doing is they're hopping from one server to another to get to where they are. They're masking their IP address. So these are things that we have to keep aware of. And that's the kind of stuff we tell our town clerks, because frankly, the opportunity for the vulnerability is really at the town clerk level. Obviously, if you have a computer, whether it's this, this or a PC, a computer is a computer; it's capable of being hacked. The question is, are you putting the defenses in place? Are the defenses robust enough to defend? That's why it's ongoing; it needs to be sustainable and ongoing, our collaboration with each other, but also funding the things that are required to defend. We're constantly looking at how we can upgrade. We rely on the experts. We're not the experts, but we rely on the experts. My IT director is a former intelligence officer with the military, so he has some background.

So let me ask you a question.
With regard to your cybersecurity efforts, is there another committee in the legislature that you regularly report to about your progress or actions in that regard?

Well, I guess the only other committee would probably be GovOps. And it's more of a 30,000-foot level. We don't get into a lot of detail with them. I might give them the same presentation as you, but if they want one of the actual things, I have it on a piece of paper, but I'm going to be very careful about the information that we put out there. We had a reporter that contacted me. He said, you keep mentioning penetration tests that you've had. I assume you got a report. And I said, yes. And he said, can I have copies of the report? And I said, no. And he said, why not? The public has a right to know. And I said, I agree that the public has a right to know. They have a right to know enough information to know what's going on, but they don't have a right to know all the detail in this particular instance. And there's an exemption for that in state law. He kept pressing me, and he sent me a FOIA, Freedom of Information Act, letter. And I said, no. My response was, if I gave you the report, I might as well just put it in an envelope, address the envelope to the Kremlin and send it to them. We're not going to make it easy for bad actors to get at this stuff, but we want to assure people that we're doing the right thing.

That line is very interesting to me, too. How do we maintain it appropriately? As I'm sure it is to you as well. Any other questions for the Secretary? Thank you very much.

You're welcome. I appreciate it.

Okay, this is where we are. One of the fields and so on are to be added to it.
One of the things that we, in the Secretary of State's discussion, I don't believe, John, that we were talking about, among other things, was looking at traffic coming in from Russia and Ukraine and so on that might be of a suspicious nature. But it occurs to me, isn't a lot of that traffic actually masked, so it appears to be coming from somewhere else? I can sit here with my VPN and send an email to you from a server in Romania or Slovakia or Serbia. That's common software that's easily available. I think there are multiple methods where what the destination IP says it's from isn't necessarily the case, or it doesn't mean that it's not one country acting in another country to mask where it's actually coming from. I think those are common practices. Is that an issue as far as you're concerned, when you're talking about the possibility of getting hit by Russia, for example? You're looking at patterns as opposed to just simply IP addresses?

That's right, yep. There's a process that we go through that Nick could get more granular with, but when we see patterns of traffic that are suspect or may appear to be doing something that we don't like, we can block it immediately. So we watch for those types of things and certainly are on the lookout and have different capabilities and software and skill sets that we have monitoring, including down at our university.

This is an overall note for our future meetings. It would be useful if there are handouts. As we went through Nick's presentation, which I thought was great, unfortunately I couldn't read it. It would be very useful to have hard copies of any PowerPoints so that we could review, and if it's a confidential program, hand the handouts back, so that we could actually view what we're doing. And when we look at things like the matrix, either issue the matrix with a magnifying glass or ensure that anything that we get is nine-point type or higher.
We have in here that no copies of the executive session... That was my call, I apologize for that. I didn't think about how small it would be up there on the screen. I just knew that we'd be displaying it and said, well, why would anyone need a copy?

Thank you for that. Try to protect our trees. Thank you.

So we did make a couple of updates to the sheet, just basically things that we found in error or that we had mislabeled. But as far as what else you guys would like to see on the sheet, I guess we need to know what level of granularity you are looking for, because we provide dozens and dozens of services, and they're very specific sometimes to each department or each agency. So it's difficult to put on here and keep it within some kind of range in an Excel format. We do have what we call service level agreements with each agency that spell out how many licenses they get, what's included in the service, how many virtual machines they have, all of those types of things, for each agency that is our customer. So we have that granularity in-house. It doesn't necessarily fit on the spreadsheet by any means.

I guess what we're looking for is, our task is to provide oversight, to look at those fields that might help us understand if there are areas where oversight ought to be provided by your agency, or that we ought to have an understanding of generally as to whether or not these risks are being covered. That is what we're looking for in the sheet. We're trying to assess risk, and we're trying to assess what things we should be doing better or differently or that we're not doing at all. I think the other thing that we're looking for is something that may be qualitative, and by that I mean the red, yellow, green is always useful, and there is your assessment of areas or departments or agencies of government that we should focus on because there are priority vulnerabilities that are not yet addressed or not being addressed properly or sufficiently.
That's what I'm looking for, and I'm sure other members have other things that they're looking for. On this spreadsheet, I would say that project management services should be included, because projects range anywhere from a couple thousand dollars to a hundred million dollars. So I think that would be worthwhile to put on here.

We did recently build a Power BI dashboard, which is a dashboard that gives a lot of our KPIs and metrics. It's available to all of the public, and it does everything from staffing to threats, service level agreements, grades that we get from each agency and, as you can see at the bottom here, number of IT projects and healthy IT projects. So there's quite a bit of information that we're trying to display right on our website in real time, and we're updating this on a regular basis. One thing I would say is the overall grade is something that we focused on a lot from our supporting agencies. I think that's really important to us, but it's really important to me to make sure that I understand whether or not we're improving the service that we're offering to the agencies that we support, or whether we're reducing that with a new agency. I think that's extremely important to monitor.

So that grade is from your customers.

That grade is from our customers, through surveys that we do based on a wide variety of questions. Before, in the old DII model, when you submitted a help desk ticket it might kick you a survey that says, how's my service? And what we found was we were running at like 97% satisfaction, and I just didn't believe that to be true. That's just way too high for that.

Well, but you solved those particular help tickets.
Yeah, and just based on the questions. So we've asked a lot more questions in a lot of different ways and come up with a formula that gives us a wide range of grades, as you can see, from Bs to C pluses. We want to be transparent and monitor those over time so we can track how we're doing. It'll take a while to really see a trend, but we're watchful of it, and my entire executive staff is monitoring this on a regular basis.

So what's interesting to me here, when I look at this sheet and cybersecurity, is just thinking about and understanding how these other branches of government fit in. It seems clear to me we need to have the judiciary, the legislature, the treasurer, the attorney general. It's interesting to me to think about; I don't know enough about whether or not that is appropriate, if that's better or worse. More risk, less risk.

There are separation of powers issues in some areas as well. When you look at the legislative branch, there's been a great deal of sensitivity about being a separate branch of government and how that relationship works, and I'm sure that sentiment is also shared with the judiciary. On the other hand, at some point you have to assess the inherent risk in some of those traditional delineations.

The other part you had mentioned was project management, and that's a big piece. We did have a presentation last time on what's happening with integrated eligibility. A couple of years ago there was not even reporting, and we are having an inventory now of all the projects that you are managing above a certain level, and that report is available to us as well.

That's correct. This coming year it'll be everything above $500,000.

Right, the threshold originally was very... yeah. So that will be coming in terms of the number of projects that are being managed?

Absolutely, yep. That's part of our reporting to the legislature. I think it's December 15th that we hand in that report.

Okay, all right.
That'll be everything over $500,000. When you start looking at the list, we track everything now, right? Before, we didn't really track anything below a certain dollar threshold, and that's why the number of IT projects is at 306, because we're at least tracking the projects that are even a few thousand dollars, and having those developers who may be managing that small project report in certain fields on those projects. So the big ones we'll still have the report for, and we can get you additional information if needed on the smaller ones, but we didn't want to give you 300 pages of project data.

I think that's wise, because it wouldn't be read. Right. Well, maybe by my party.

So last time we heard on integrated eligibility, and in certain areas we're a little behind. We also have a major one, funded through the capital bill, the case management system for the courts. DMV is doing some incremental work. So I'm just wondering, for future meetings, are there certain key projects in terms of keeping current? The key questions are: are they on track and are they on budget? I don't know whether there are certain ones that we might want to get an update on.

I think that's absolutely a great question, Senator. We have two tentatively slated to hear from in August. One would be just a brief update, I think, on the VISION system, and then also we were scheduled, I think, to hear back from integrated eligibility, just to continue to hear where they are and ask them what will be appropriate.

Are there others that are at the top of the list, big cost, specifically funded? Some of the smaller ones are just funded through operating budgets, but are there any that are at the top of that list? I don't know. Like the court case management system? So we don't go through ADS for the case management system.

For project management.

For project management. Oh, you don't, okay. All right, so, but other areas of project management.
Yeah, we can certainly recommend some. The JFO and your consultant, Dan Smith, track a list of projects that they've worked with the Legislature on, assuming to Dean, which ones they feel they should be tracking, and I think there are five or six on the list, including the progress of ADS. But I can certainly make recommendations of additional ones that I'm watching closely, whether because of their status or because of the dollar amount.

You talk, maybe Catherine can talk to Dan. I think we would be happy to hear that. I wonder if we should hear about the court system, because I think it would be great to actually also hear about cybersecurity.

We gave several presentations during the session to various committees, and we can certainly update them.

Okay, that'd be great. Do we have other questions for Secretary Quinn on this sheet? Okay, so I think we've reserved a few minutes to just talk about our next agenda and any other things you might like to talk about here. Thank you very much. Sorry to not have the folks together. We will try to put those together next time.

Not to keep from that. No problem. Solidated torture. Yes. Yes. I'm sorry, once a month, it's okay.

So a couple of items that we definitely do have: we definitely have integrated eligibility, with another update from them. They were here for about, what were they here for, 30 minutes last time? Yeah, at least. That's Casper. Yeah. I made the mistake of pushing print and got all 47 slides or whatever it was. I think, for time efficiency, I really would like to boil it down to what are the key pieces of work, what is the timeframe to have them completed, and how are we tracking on expenditure?
To me, that whole descriptive piece, maybe it's because some of us have had so many presentations, but I would really like to have more succinct presentations to help us just answer those key questions about the project progress: where we're not meeting the timeframe, where something seems to be over budget. I don't know how to communicate that, but, yes, Dan.

Dan Smith of JFO IT. I sat down with Cass Madsen after that last meeting and talked about the strengths and the weaknesses of her presentation. And we agreed that the next one will have a one-page summary to start out.

Which is what I wanted: to distill, for me, what are the key areas that we need to be tracking.

So prior to the next presentation, she's going to run the draft through me.

Okay. And I will look at it. Thank you, Dan. I talked to Dan afterwards, saying, it's hard to communicate that more is not necessarily better. Or more is good if you want to obfuscate things. Right. So we want to follow up, I think, with Cass to make sure that she knows she's on the schedule. I think we're probably, it's 15 minutes? I would just add something. Yeah, I think we're looking for a brief update on that. Okay. Is that number one on the agenda, first thing? Or do you want to do that after? We may want to shuffle around afterwards, but I think we want 15 minutes.

So if I might, because Dan could give you one, I would give a VISION discussion and who or why.

The VISION system was the upgrade that was done back in February. That was one of the projects that I was assigned to monitor over the past couple of years. We've had some years of awkward movement. So that project finished, and it was a success in the sense that it finished on time, on budget, and the objectives were met. There were some areas that may not have been as successful as they liked.
They did a customer survey after the completion and said, how did this work for you, the users? And there were some areas where users reported dissatisfaction. So I had gone back and forth with the people involved in that project, and I think it would be good for them to give you their perspective of what worked, what didn't, just how the thing turned out now that it's done.

Okay. And maybe the lack of some sensitivity to some of the end users is, I don't know, maybe too extreme. There's a lot of flavor. So it's an end-of-project completion retrospective.

On VISION as a topic? Yeah. Okay.

And for the lunches later in the room, that was the expense reporting change that happened just after the Super Bowl. What a personal idea. The endless barrage of user guides that was pushed to you, and that whole process when doing your expenses switched.

So who would we have to come in and report on that? And would you have any customer users, or is there anybody?

No, I think, Ruth, yeah, if she presents the survey results and how it's going, I think that's probably going to cover that.

And I would like to have the judiciary come and talk about cybersecurity. Also I'd like an update on the project, yeah. Judiciary. So how long would that... it seems like you're probably going to need some time for that. And I actually want to introduce for the committee the concept or the notion of possibly having a longer meeting in August or September. I think there are a few things that we may need to grapple with. So. With 30 minutes left. For both? For cybersecurity and for your project updates? Yes, given that cybersecurity is a topic that we also partner with ADS on. You do. That's 30 minutes. That is not listed on the sheet. It talks about network services. Yeah, okay. Okay, so that would be... Perimeter, we monitor our perimeter firewall, which I think is what Jeff may be alluding to. Okay.
But as far as websites, web services that are outside of EIC, we wouldn't do those. I guess you could call it a partial.

So for me, it would be helpful if ADS was also here so that we could understand. Is that okay? Great. And from today, I would like to hear from the attorney general's office regarding that contract for our DHS and the security for Vermonters' information. I don't know how the committee feels about that. No, about not releasing and giving information to the federal government. To the federal government, yeah. And since they're going to be here, it would be good to speak with them also about cybersecurity.