State

After last year’s floods, Vermont’s CIO said this year she was prepared

Vermont Chief Information Officer Denise Reilly-Hughes recalled how scrambling to restore services during last year's floods prepared her for an emergency this year.

By Sophia Fox-Sowell

October 1, 2024

Boaters make their way through a flooded downtown Montpelier, Vermont, on Tuesday, July 11, 2023. (John Tully for The Washington Post via Getty Images)

“There’s a human side that we have to use as a way to lead,” Denise Reilly-Hughes, Vermont’s chief information officer, said Tuesday about the lessons she’s learned from stewarding the state’s IT response to severe flooding over the past two years.

Last year, heavy rain drove state rivers to record levels, which caused catastrophic flooding across the state. In the capital of Montpelier, the Winooski River rose to 21 feet, leading to more than 100 people needing to be rescued from flooded cars and homes, according to a July report from the Federal Emergency Management Agency.

At the time of the 2023 flooding, which took down communication towers and challenged emergency response efforts, Reilly-Hughes had only been acting CIO for five days and with the Agency of Digital Services, Vermont’s IT department, for six months.

“You’re still learning everything and you’ve got a great team, but you’re green,” she said Tuesday during a session of the National Association of State Chief Information Officers annual conference in New Orleans.

With a population of roughly 650,000, Vermont is largely comprised of sparsely connected rural communities and towns. Reilly-Hughes said the human impact of natural disasters quickly became clear.

“There’s this period in the aftermath of, ‘What the hell do you do on the technology side?’ We’re thinking cyber risk. We’re thinking access to services. We’re thinking state services. How are people going to get their data and what are most critical services,” she said.

Reilly-Hughes said one of the biggest lessons from the floods was to respect emergency management protocols.

“Technology should never get in the way of emergency management, everything we do has to be sanctioned by them,” she said. “If we did not have the access to the table, we would not have been able to respond in the way that we did.”

In response to the flooding, Gov. Phil Scott activated the State Emergency Operations Center with the state’s emergency management, public safety and transportation agencies, among others. The center opened access to funding for frontline workers in towns across the state and remained active for many weeks.

Vermont’s original emergency response plan required state and local agencies to meet in buildings and use equipment and internet connections that were no longer accessible, which taught Reilly-Hughes her second lesson: Be flexible.

“There is a framework, but the framework can be so stringent that you can expect No. 1 to follow No. 2 to follow No. 3 to follow No. 4. It doesn’t work like that,” she said.

To troubleshoot the inaccessible meeting points, downed mobile towers and lack of equipment, such as laptops and portable routers that state officials desperately needed to communicate with emergency responders, Reilly-Hughes and the other state departments had to quickly come up with a new plan.

“Thirty-four state office buildings were underwater,” she said. “Imagine the complexities of a state network environment where everybody’s on subnets and subcommittees and you can’t work in that office because we can’t connect you. We basically had to to rig all that out.”

Reilly-Hughes also noted that natural disasters often bring increased cybersecurity risks, as bad actors seek to take advantage of distracted departments that are focused on restoring access to critical state services — such as water utilities — the power grid and clearing roads for emergency vehicles.

“The minute you have a disaster, all of those people see those weaknesses and want to come in and hurt you,” she said of cybercriminals, adding that state chief information security officers should also have a seat at the table during emergencies to mitigate cyber threats.

Almost exactly one year after the historic flooding in 2023, Vermont suffered another bout of severe flooding last July. President Joe Biden approved the state’s fourth major disaster declaration of 2024 to help communities in Vermont recover from damages caused by the heavy rainfall.

But this time, Reilly-Hughes said, she was prepared.

“Predict what the agencies need before they need it, don’t let them wait for you, and lean in,” she said. “Because this is the new normal.”