Gov. Phil Scott signed an executive order Tuesday creating a cybersecurity advisory team to aid the public and private sectors in staying safe on the internet.
The team will include appointees from the newly formed Agency of Digital Services, the Vermont National Guard, the attorney general’s office and Vermont Emergency Management, part of the Department of Public Safety.
The advisory team will meet at least quarterly, starting next week. There is no specific end date for the team’s work.
“Since January, the state has seen over 3.3 million potentially malicious cyberattacks against our information resources,” Scott said at a news conference. “This is equal to 524 attempts … to subvert our defenses and gain unauthorized access every single hour for the last nine months.”
Scott said he became interested in addressing cybersecurity after a winter meeting of the National Governors Association. Virginia Gov. Terry McAuliffe, a Democrat, brought up the issue to all the governors there, Scott said, and Vermont has since sent personnel to Virginia to learn about cybersecurity.
“We’ve seen it here in the state — threats that have involved state government — and so we thought it was a good idea to reach out and build this broad collaboration, bringing people from all perspectives together, so we could attack this not just individually but collectively,” Scott said.
He said a recent data breach involving the credit rating agency Equifax also affected his decision to create the advisory team. “It certainly highlighted that we’re all susceptible to this and nobody goes unnoticed in some respects,” he said.
John Quinn, the secretary of the Agency of Digital Services and the state’s chief innovation officer, said the team’s first priority would be to create an outline of what it will do and a timeline for getting those tasks done.
Quinn said the Agency of Digital Services, which started coming together in April after Scott created it via executive order, is beginning to beef up its cybersecurity workers. He said that is part of a long process to transition from the former Department of Information and Innovation.
Quinn said the agency, which now encompasses most IT employees across different parts of state government, has seven cybersecurity workers. As workers in other roles leave their jobs, the agency has been turning those positions into cybersecurity jobs to continue to expand that team.
“I don’t think state government is unique,” Quinn said of cyberattacks. “I think no matter what sector you’re in, cybersecurity is playing a real part in the way you do business — a day-to-day store, higher education, utilities — we’re all seeing the same thing. We’re all under the same attacks.”
He said the information hackers are after is usually data — including personally identifiable data, health data and credit card information.
Scott added: “For some, it’s just a business for them. They’re in it for the money. They’re going to sell the information to whoever is the highest bidder, in some respects.”
Companies that buy and sell data for commercial purposes are called data brokers. The field is largely unregulated across the country.
During the legislative session this year, in an attempt to find brokers who may be selling Vermonters’ personal information to criminals, the attorney general’s office sought to make Vermont the first state to regulate data brokers.
The new regulations did not pass, but the attorney general has convened a working group as a first step toward passing regulatory legislation.
Scott said he wasn’t familiar with the data broker issue but that the new cybersecurity advisory team may take a look at it.