 Vermont PBS in cooperation with Orca Media and the Vermont Press Bureau presents Capital Beat, the Week in Review from the Vermont State House. Here's host Neil Goswami. Thank you everyone for joining us this week on Capital Beat. We're very glad to have you with us. I'm Neil Goswami with the Vermont Press Bureau. I, like most of you, probably have experienced some technology challenges at home and work and state government is no different. We are joined this week by John Quinn, the Chief Information Officer for Governor Phil Scott. Chief Innovation Officer. Innovation Officer, excuse me, and Representative Laura Sebelia of West Dober to discuss some of the challenges facing state government in terms of information technology. Thank you both very much for being here. I appreciate it. Thank you for having us. John, I'd like to start with you. The administration is now about two and a half months or so into the first term of Governor Scott. As you survey the landscape of state government through that IT information technology lens, what are you seeing? What are you looking at? Is it an extreme challenge that you're facing here? Well, I think the pockets of IT government range from really, really good to somewhat challenging. And when I talk about challenging, I'm talking about legacy systems and our struggles to keep up with technology. So there's a wide range from very good practices to challenging areas. We know that obviously when we think of technology challenges, Vermont Health Connect comes to mind, the rollout in October 2013 was not smooth. And for a several year period, state government really was challenged by trying to implement what was required by the Affordable Care Act. We know that there have been some strides made. The system is largely functioning and capable of doing most of what we require of it at this point. But the state is also interested in what's known as the integrated eligibility system, which is sort of the next generation technology challenge that the state will face. Have we learned some really hard lessons from the experience with Vermont Health Connect? And are we prepared as a state to move forward with such a challenging project in the future? Right, so I think there have been lessons learned, right? And I think we would all agree there's been significant challenges that we faced. One of the first things that we did when the administration came in was we said, okay, let's stop for a minute and talk about what we're doing. What are the outcomes that we're looking for? What's the realistic timeline? What are the best practices that we should be following? And those are the things that we've been working through to try to make a more successful project out of integrated eligibility and enrollment. Okay. And that's really one of the pieces that we had heard taking testimony on both Health Connect and integrated eligibility. One of the big lessons we learned is we have to have, you're operating under a deadline. Right. That some of the outcomes that we saw are actually predictable. Right. And we should note that you are on the House Energy and Technology Committee, which is new this year, sort of reconfigured to include IT elements. As you take testimony and you hear about the challenges with Vermont Health Connect, as a committee, are you feeling confident that the state can move forward with integrated eligibility, which we should probably explain for viewers, it would link in all of the state's programs together so that it's sort of one-stop shopping for them. And the state would be able to know whether someone is eligible for a specific benefit program or not. Right. So am I feeling confident in that? I think part of really the creation of this committee and also the creation of this agency, hopefully, is getting us in a place where we can be more confident with regard to the decisions being made. There hasn't really been a space in this building to focus on IT projects in a big way. And there's not really a place to focus. As right now, as it stands, IT is confused. It's spread all throughout government and it's hard to really get a sense of how things might be interacting, how one thing might impact timelines or costs or other projects. I think looking at integrated eligibility and the confidence level, again, I think we're making some progress. I think we've got a lot of progress. A long way to go. Yeah. And as you dive into these issues, is Vermont unique in its struggle with technology issues or are all states sort of struggling with implementing new systems in a new age? From my perspective, the technology is changing so quickly that all states are struggling to keep up and keep their systems modern and up to date and keep their frontline workers trained and up to speed on what's going on and what the newest trends are and how to deal with that and how to make sure we're providing the best outcomes for Vermonters with system integration, trying to make sure that citizens at home, whether it be sign up for Vermont Health Connect or sign up for a job, that we're able to provide them some integration between the systems to use the data and to focus the data in a way that makes sense and makes it easier for the user. Okay. Well, at the outset of Governor Scott's first term in January, he proposed or he signed an executive order that seeks to create a new digital agency. The agency of digital services, Executive Order 0617. There you go. And I understand you are well-versed on what this Executive Order does, but what it seeks to do is, in my understanding, is take all of the IT elements in state government and put it under the auspices of one new agency. But I know very little and you know much more, so why don't you fill us in on what this order seeks to do? All right, so I'll start by saying the governor has been in the Senate and then Lieutenant Governor for 16 years. So he's heard about our technology failures. He's seen them. You know, he's had people testify on them. Through the campaign and through the transition, we spoke with several agency heads, frontline workers and said, how do we fix this? How can we take a systematic approach to make this work not only for internal state government, but for the citizens to provide better outcomes? So through conversations with CIOs on the outside, our research partners like Gartner, through conversations with the legislature, we came up with a reorganization of IT workers. And so what we're doing really is we're reorganizing all the IT workers in state government to report through a cabinet-level CIO. And so two years ago, the legislature set up a special committee of three people, two, three outside people to make recommendations to the legislature on how to improve IT. And one of those recommendations was to elevate the CIO to a cabinet-level position. And by doing that, it puts a technology person at the table to discuss how to solve problems for Vermonters with the agency of human services secretary and the agency of administration secretary. And it gives them that full, broad perspective on how to solve issues. So right now, state government has the Department of Innovation and Information, or maybe I got that backwards. Information and innovation. Information and innovation. And it has a commissioner, I believe. What does that department do right now? And how would that change under this new digital agency that the governor is seeking? So the executive order would dissolve the the Department of Information and Innovation. And it would take the core services that DII provides, networking, desktop support, project management, and it would reorganize those in a way that made more sense for modern government to make us more nimble and to make us better with our customer service to the other agencies and departments. But what the underlying issue is with the Department of Information and Innovation is they're separated from the business. So they're all stationed together and they're not sitting side by side with the people that are trying to use the technology, which the governor heard, I heard, the administration heard just doesn't work. So in his executive order, what he's proposing is even though the department's being restructured where the agency would be restructured, people would sit where they are today. And that would also relieve some of the disruption in the agencies. You know, if you were to pull people out, it's rather disruptive. But leaving the people sitting where they are to understand and to work with the business users, we expect to find better outcomes. So essentially you'd have technology people embedded in various departments. We would. And it's that way today for a lot of the agencies. But what doesn't happen is the alignment of strategy, the alignment of the state's IT portfolio. What's a priority? What's a not? Who decides? What's the governance around those projects? How do we fund those projects? How do we take a different approach rather than using one time money and strategically fund IT? Yeah, I mean for for me looking at the ability to be able to prioritize, plus the structure of only being these folks embedded within their agencies. So we're not losing that connection to policy. I think it's really important. I think it's a smart question. If the legislature does nothing, then the executive order takes effect. And I believe it would be April 17th when some of these changes would kick in. Either the House or the Senate could take a proactive step to, I think the what they'd have to do is pass a resolution saying no, we don't want this. Representative Sebelia, do we have any sense of whether or not the legislature, either the Senate or the House, intends to intervene and not allow this executive order? It does not appear so. I certainly don't speak for the Senate and I'm not able to speak for the entire House, but I can tell you that right now the executive order rests on the wall in our committee. Our committee discussions have really centered around wanting to make sure that we understand how this is going to roll out, not if it should. So I think we're feeling pretty good in our committee about this. It's looking good, as we know here in this building. We will have a new agency in state care. Nothing's nothing until it happens, as we know. That's right. You learned that lesson quickly here in the State House. I would add, Neil, that the Senate took an approach where they have decided to do nothing with it. The Senate Institutions Committee and the Senate Gov Ops Committee voted unanimously to leave it on the wall and to let it go through. It's not that they haven't done anything. They looked at it and decided we would do nothing further to stop it and allow it to go forward. When the average Vermonter thinks about IT, I mentioned at the top the stuff we might face at work or home, but state government IT is a little more involved, perhaps, than what we deal with in our work lives or our home lives. A big part of that is security. The state of Vermont deals with a lot of personal data, personal information of people here in the state. How would this new digital agency work to better protect Vermonters? How would it make us more secure in an IT sense? I'm glad you asked, because I think security is our number one priority. The governor has made it very clear that cyber security is real. We've been working with the National Governors Association. We sent a team two weeks ago to a conference on Meet the Threat, which was National Governors Association event of planning for cyber attacks, cyber planning, because of the weather. Only half of our team was able to actually get out, but the governor is very serious about taking a proactive approach. The new agency specifically, we would be able to do things like best standard and have them implemented across the enterprise, because all IT people will be working for the same agency. We will be able to ensure that our procurement had the right language in them around IT security to ensure that there is a data breach that we cover Vermonters and that there's assurances in place that the companies have liable. I know that's a priority here in the legislature as well, and part of putting these new committees together to be able to really spend more time making sure that we're doing that well. The security of personal data is extremely timely in that we just learned of a quite expansive data breach here in Vermont through a third-party vendor that the state uses, in particular the Department of Labor. Job links, I believe it's called, it's something that when Vermonters are unemployed and they will be unemployed for I think longer than 10 or 20 day period, they have to use this job links program to upload their personal data and to receive benefits and show the state that they are looking for work. The governor just recently and the Labor Commissioner Lindsey Curley revealed that 180,000 Vermonters might have been exposed. Their data might have been exposed, which includes perhaps names, addresses, social security numbers in some cases. 180,000 people in Vermont might have had that information out there stolen by somebody. John, I'm not sure if you are able to speak to this, it is a third-party vendor that was breached, but how does something like this happen? How do people with perhaps bad intentions get into what are supposed to be secure areas? So there are several ways now and one of the most popular is phishing attempts through email where they send you a link and make it look like it's coming from John Quinn, but it's really not coming from John Quinn. Look Neil, here's an attachment of our itinerary for our trip. When you click on that link, it lets them into your computer and gives them access to the things that you have access to. So that's one way. How this system was compromised, the American Job Links Alliance software, I think that's still under investigation and the FBI is looking into it. So I can't speak specifically about that, but cyber threats are real and they're becoming more and more prevalent every day. We're seeing thousands come through and be blocked by state systems every day. Yeah, as I said, the governor and the labor commissioner noted 180,000 people potentially compromised. Vermont was one of 10 states that were involved in this preacher that used this American Job Links site. The governor mentioned that this day might consider a lawsuit against the company and it would look to ensure that Vermonters are made whole, but it's a scary thing for Vermonters when their personal data is perhaps stolen when we have questions about identities being stolen and your credit and all those things could be impacted. So where the new agency would help with this type of thing is, you know, we would want stipulations in the contract. If it came to IT, we would look at the security pieces, look at the security system, make sure that they have risk insurance, make sure that they're liable for notification to users. We would want to make sure that we're following state statute. We would want to make sure that any data that isn't needed is purged out of the system. Those are the type of things where technology, people can help. And with the new agency, we'll be following best practice and implementing some of those things into our procurement process and contract process. Yeah, I mean, it's really not acceptable to have these kind of breaches. And in addition to, again, further justification for the need for this agency and being able to get some standard protocols in place around safety, we're looking at in the house just a number of different ways that people are doing this outside of our computer systems, you know, just accessing technology systems, just accessing through our citizens. So it's a very serious issue in the state. And, you know, we're facing it on many fronts. So again, I want to make clear this was a third-party site, not something the state was actively involved in securing or controlling, but something that the state did direct Vermonters to use. So when we think of Vermont technology and Vermont systems, how do you test and assess threats? Is there a sort of a standard operating procedure that you use to try and determine whether or not something is secure? We do have third-party vendors that help us assess some of those things. We use best practices based on the software that we use. So we try to stay as closely aligned with best practices for Microsoft or Oracle or any of those type of applications. We have system reviews in place when a new system is stood up. We have an enterprise architecture team along with a security team that has recently gone from one person to four people. So we're moving in the right direction. Yeah. If the digital agency goes through, what does it do in terms of state jobs, staffing levels, that sort of thing? Is it sort of a wash? Everyone slides over to the new agency or is it something? So the governor's made it very clear that this is not a job-cutting exercise. This is restructuring of IT. So there'd be no job losses out of this. And really what we're looking to do in the first year is assess what our skill sets are in our IT workers and say, are we utilizing our IT people in the right ways? Could we use X on this project over here instead? Based on our priorities, the administration's priorities, the legislative priorities, we need more recent resources over here. We know that these six people have those resources. We can shift them to better staff the priorities of the governor and the legislature, which currently we don't have that kind of assessment done. We don't know across agencies what we have for skill sets, which is a problem. So I would add to that. The Speaker of the House obviously has elevated the need to really get our IT situation in a much better way with the creation of our committee. So our committee cannot really do our job, in my opinion, well without this new agency, without the ability for us to have a place to go to to understand what's happening all throughout state government. We don't tend to think of IT as a political issue. I don't know if I mentioned it, but you aren't independent in the House. Are you hearing anything from progressives, Republicans, and Democrats in terms of whether or not this is a good idea? Really not. I've heard a few little tiny questions more than concerns, and I think that they are of the type that one might expect when we're proposing such a big change. When you have a big change like this, a big transformation, you're going to have some stress with that and some good questions that will get asked as a part of that. And I think we've been asking questions, John and BII as well. So starting a couple weeks ago, we started sending out five-monthly emails to our user base and our IT workers, letting them know what's going on, where we stand in the legislative process. We've been doing question and answers through email. We've started to work on a new website to stand up to give people information on what this looks like and how it's planned. And we've been holding brown bag lunches around the state to inform people on what this is going to look like and how it will affect them, because change is hard for people. And the more information we can get out, the better. Right. And there was a 90-day period after the governor signed the executive order for the legislature to intervene if they chose. I think I mentioned April 17th will be that day that everything becomes effective. And it appears we are on track for the new digital agency, so we will see where that goes. Representative Sebelia, we have just a couple of minutes left, but I want to sort of query you a little bit about what this new committee is diving into, what else you're considering this year as you sort of find your footing in a new group. So this is a new committee. It's made up of all veteran legislators, two years or more, no new legislators. It's a smaller committee and new chair. So we're three members from last year's Commerce Committee, five members from last year's Natural Resources and Energy. So we've got a decent telecommunications and a decent energy group that have come together, and we are all interested in better understanding our IT situation. We know that the speaker is very interested in having us better understand our IT situation. So we've taken some testimony on the $1 million projects report, which I found to be fascinating, but that was, you know, a report. It is a real report. I've seen it. I'm a little intimidating also in terms of the scale of the challenges that we're looking at with IT, but some of the bills that we've been looking at this year, 248A, extending that, yes, and telecommunications that we extended for another three years. We also added a 10-year telecommunications plan that we've added. That's going to be redone this year, and we've added, in addition to the agency of commerce providing input into that, we've added education, health care, public safety, and workforce development labor, making sure that we understand the needs of our entire telecommunications, our entire telecommunications needs throughout Vermont when we're looking at developing this 10-year plan. We also, yesterday, today, today, I think we passed out an energy efficiency standards for appliances bill that is looking at having Vermont adopt the current federal standards, and we are having a lot of conversations in our committee about energy storage. The new frontier, I suppose. The new frontier. It's very exciting. I'm learning a lot about that this year, and having a lot of good conversations. Very interesting how our neighbors to the south of us are possibly a little farther ahead of us. Possibly not, I'm learning. Interesting conversations to be continued. We'll see where we end with this. Okay, very good. Well, we are out of time for this week. My thanks to John Quinn and Representative Laura Sebelia for joining me to talk about this ever-exciting conversation around IT. Hopefully, our viewers are still with us. I think we did a good job of keeping in light and not digging into the details. So, I'm Neil Goswami with the Vermont Press Bureau, and on behalf of Roarka Media and Vermont PBS, thank you for watching, and we hope to see you again next week.