Gov. Phil Scott speaks to reporters at his cybersecurity press conference Tuesday.
Gov. Phil Scott issued an executive order Tuesday creating a Cybersecurity Advisory Team, a 10-member panel including representatives of state government, the private sector and academia. In doing so, he rolled out a seemingly eye-popping statistic.
“Since January, the state has seen over 3.3 million potentially malicious cyberattacks against our information resources,” he said. “This is equal to 524 attempts to subvert our defenses and gain unauthorized access every single hour for the last nine months.”
Shocking, isn’t it? Well ...
“There was a wide range of threats, from phishing attempts to spam to brute force attacks,” digital services secretary John Quinn explained. “It encompassed all of state government; all IP addresses.”
OK. The state of Vermont has something close to 8,000 employees. If you figure each of them has an email account, plus you add in general agency inboxes and such, plus a decent number of moribund but still open accounts, how many are there? Ten thousand?
That might be high, but it has the benefit of simplicity. Divide 3.3 million by 10,000 and you get 330. There have been 283 days so far this year. So if the state is counting each spam email delivered to each inbox as a cyberattack, that’s barely more than one a day.
Quinn himself pretty much acknowledged that. “I don’t think state government is unique,” he said. “We’re all seeing the same thing; we’re all under the same attacks.”
It’s safe to say that whether or not the 3.3 million figure was intended for its shock value, cybersecurity is undeniably a very real issue. Just ask Equifax.
The Advisory Team will serve a number of functions: developing strategic plans for addressing cyberthreats, developing best practices, seeking opportunities to build a skilled cybersecurity workforce and, perhaps most importantly, foster communications between experts.
Speaking of communication, Scott took a moment to pat himself on the back for creating the Agency of Digital Services. “When we had all these IT professionals throughout state government and they weren’t really talking with one another, I thought that we were susceptible,” he said. “Now, in many different ways, we’re able to work together and become more efficient and become safer.”
Scott said the new team’s acronym, CAT, was unintentional. No sly references to quickness or predatory aggression — although there’s a tempting “CAT/phishing” connection just begging to be exploited.
Scott foresees CAT as an ongoing effort. “This is going to be a never-ending battle,” he said. “There are new threats every single day, so I don’t think you can stop defending yourself.”
After the main event, Scott fielded questions about the EB-5 scandal. Specifically, they were about Attorney General T.J. Donovan’s motion to dismiss a lawsuit filed by investors in the ill-fated Jay Peak schemes. Donovan argues that state employees are entitled to immunity; last week, Scott said the idea of immunity “doesn’t give me a good feeling in my soul.”
On Tuesday, he seemed to pull back from that comment.
“I think that we should use [immunity] judiciously,” he said, “but we need to protect some of our citizens, our employees, who step up and take some of these positions without fear of any repercussions, I guess … From a civil standpoint is where the immunity comes in, but criminally they have no immunity. So if there was any criminal activity, they wouldn’t be immune.”
Scott was asked if he agreed with Donovan’s call for dismissal of the lawsuit — and he deferred to the attorney general.
“He’s doing what he thinks is best to properly represent the state of Vermont,” he said. “I have to rely on his expertise as we move our way through this.”
Last week, Scott openly mulled the appointment of a special prosecutor in the EB-5 case. On Tuesday, he was cooler to the idea.
“We’re in the middle of a lawsuit at this point, and I’m not sure that it would be beneficial to put a special prosecutor in place at this time,” Scott said. “That doesn’t mean that there won’t be an opportunity, if we don’t get to the bottom of everything and we need to put the general public at ease; from that perspective, we could still utilize that at our disposal.” He concluded by again emphasizing his reliance on Donovan’s expertise, and his desire to “put this behind us” as soon as possible.
Scott’s deference to the attorney general may be entirely appropriate in a chain-of-command sort of way, but it won’t do much to mollify skeptics of the state’s handling of the scandal, or of Donovan’s reluctance to release public records. And we’ll only put this behind us when there is a full reckoning of how this all happened and who was responsible.