[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]


                  CATALYST FOR CHANGE: STATE AND LOCAL
                         IT AFTER THE PANDEMIC

=======================================================================

                                HEARING

                               BEFORE THE

                 SUBCOMMITTEE ON GOVERNMENT OPERATIONS

                                 OF THE

                   COMMITTEE ON OVERSIGHT AND REFORM

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 30, 2021

                               __________

                           Serial No. 117-33

                               __________

      Printed for the use of the Committee on Oversight and Reform
      
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]      


                       Available at: govinfo.gov,
                         oversight.house.gov or
                             docs.house.gov
                             
                             
                              __________

                                
                    U.S. GOVERNMENT PUBLISHING OFFICE                    
44-986 PDF                   WASHINGTON : 2023                    
          
-----------------------------------------------------------------------------------     
                             
                   COMMITTEE ON OVERSIGHT AND REFORM

                CAROLYN B. MALONEY, New York, Chairwoman

Eleanor Holmes Norton, District of   James Comer, Kentucky, Ranking 
    Columbia                             Minority Member
Stephen F. Lynch, Massachusetts      Jim Jordan, Ohio
Jim Cooper, Tennessee                Paul A. Gosar, Arizona
Gerald E. Connolly, Virginia         Virginia Foxx, North Carolina
Raja Krishnamoorthi, Illinois        Jody B. Hice, Georgia
Jamie Raskin, Maryland               Glenn Grothman, Wisconsin
Ro Khanna, California                Michael Cloud, Texas
Kweisi Mfume, Maryland               Bob Gibbs, Ohio
Alexandria Ocasio-Cortez, New York   Clay Higgins, Louisiana
Rashida Tlaib, Michigan              Ralph Norman, South Carolina
Katie Porter, California             Pete Sessions, Texas
Cori Bush, Missouri                  Fred Keller, Pennsylvania
Danny K. Davis, Illinois             Andy Biggs, Arizona
Debbie Wasserman Schultz, Florida    Andrew Clyde, Georgia
Peter Welch, Vermont                 Nancy Mace, South Carolina
Henry C. ``Hank'' Johnson, Jr.,      Scott Franklin, Florida
    Georgia                          Jake LaTurner, Kansas
John P. Sarbanes, Maryland           Pat Fallon, Texas
Jackie Speier, California            Yvette Herrell, New Mexico
Robin L. Kelly, Illinois             Byron Donalds, Florida
Brenda L. Lawrence, Michigan
Mark DeSaulnier, California
Jimmy Gomez, California
Ayanna Pressley, Massachusetts
Mike Quigley, Illinois

                     Russell Anello, Staff Director
              Wendy Ginsberg, Subcommittee Staff Director
                       Amy Stratton, Deputy Clerk

                      Contact Number: 202-225-5051

                  Mark Marin, Minority Staff Director
                                 ------                                

                 Subcommittee on Government Operations

                 Gerald E. Connolly, Virginia, Chairman
Eleanor Holmes Norton, District of   Jody B. Hice, Georgia Ranking 
    Columbia                             Minority Member
Danny K. Davis, Illinois             Fred Keller, Pennsylvania
John P. Sarbanes, Maryland           Andrew Clyde, Georgia
Brenda L. Lawrence, Michigan         Andy Biggs, Arizona
Stephen F. Lynch, Massachsetts       Nancy Mace, South Carolina
Jamie Raskin, Maryland               Jake LaTurner, Kansas
Ro Khanna, California                Yvette Herrell, New Mexico
Katie Porter, California
                         
                         
                         C  O  N  T  E  N  T  S

                              ----------                              
                                                                   Page
Hearing held on June 30, 2021....................................     1

                               Witnesses

Mr. Doug Robinson, Executive Director, National Association of 
  State Chief Information Officers
Oral Statement...................................................     5
Ms. Amanda Renteria, Chief Executive Officer, Code for America
Oral Statement...................................................     8
Ms. Teri M. Takai, Vice President, Center for Digital Government
Oral Statement...................................................    10
Dr. Alan R. Shark, Executive Director, Public Technology 
  Institute (a Division of CompTIA)
Oral Statement...................................................    12

Written opening statements and statements for the witnesses are 
  available on the U.S. House of Representatives Document 
  Repository at: docs.house.gov.

                           Index of Documents

                              ----------                              


  * Questions for the Record: to Mr. Doug Robinson; submitted by 
  Chairman Connolly.

  * Questions for the Record: to Ms. Amanda Renteria; submitted 
  by Chairman Connolly.

  * Questions for the Record: to Ms. Teri M. Takai; submitted by 
  Chairman Connolly.

  * Questions for the Record: to Dr. Alan R. Shark; submitted by 
  Chairman Connolly.

Documents entered into the record during this hearing are 
  available at: docs.house.gov.

 
                  CATALYST FOR CHANGE: STATE AND LOCAL
                         IT AFTER THE PANDEMIC

                              ----------                              


                        Wednesday, June 30, 2021

                   House of Representatives
                  Committee on Oversight and Reform
                      Subcommittee on Government Operations
                                                   Washington, D.C.

    The subcommittee met, pursuant to notice, at 10:10 a.m., in 
room 2154, Rayburn House Office Building, and on Zoom; Hon. 
Gerald E. Connolly (chairman of the subcommittee) presiding.
    Present: Representatives Connolly, Norton, Sarbanes, Lynch, 
Raskin, Khanna, Porter, Hice, Keller, Biggs, and LaTurner.
    Mr. Connolly. The committee will come to order.
    Without objection, the chair is authorized to declare a 
recess of the committee at any time. And I now recognize myself 
for an opening statement.
    Today, more than a year into the pandemic, we're making 
progress in our effort to emerge from the crisis, which has now 
claimed, tragically, more than 600,000 American lives. Nearly 
50 percent of the population is fully vaccinated. Just last 
week, my home state of Virginia hit 70 percent of all adults 
having received at least one vaccine dose. New daily 
coronavirus cases continue to drop, as do deaths associated 
with COVID-19. We cannot, however, forget what transpired this 
past year.
    Throughout this global health crisis, millions of Americans 
looked to the Federal Government for help as they faced 
illness, unemployment, and food insecurity. Despite urgent 
congressional action to provide unprecedented levels of 
economic assistance, medical assistance, many individuals and 
small businesses nonetheless were denied timely support and 
assistance, in large part due to severely deficient IT 
infrastructure at the Federal, state, and local levels.
    In other words, Congress mustered the political will to act 
on a bipartisan basis to prevent the world's most powerful 
economy from falling off a cliff, but we were nearly thwarted 
in delivering lifesaving assistance due to outdated IT. This 
should galvanize our IT modernization efforts at all levels of 
government.
    Last July, this subcommittee held a hearing on ``Federal IT 
Modernization: How the Coronavirus Exposed Outdated Systems.'' 
At that hearing, we examined the Federal Government's response 
to the coronavirus pandemic and how legacy Federal IT systems 
hindered those response efforts.
    Emergency relief, however, is not administered solely at 
the Federal level; in fact, it's usually administered at the 
local level. As the pandemic has demonstrated, state and local 
governments are on the front lines of crisis response, often 
administering and distributing federally funded relief and 
benefits.
    Unfortunately, many state and local governments' IT 
infrastructures are outdated, causing severe gaps in access to 
digital services and undermining Federal public health and 
economic relief efforts that were designed to be rapid response 
and timely.
    Further, cyber attacks on state and local governments are 
on the rise and continue to cause significant disruptions and 
waste taxpayer dollars across the country. This hearing 
examines the role of Congress and the Federal Government in 
accelerating IT modernization initiatives for states and 
localities as they fortify and improve how government at all 
levels deliver critical services to our citizens.
    According to research conducted by the Cyberspace Solarium 
Commission, state and local governments often struggle to fund 
basic services for their populations, and, as a result, they 
regularly defer IT modernization and digitization in pursuit of 
shorter term funding priorities.
    Throughout the country, surges in demand for government 
assistance programs during the pandemic, like unemployment 
insurance, public and mental health services, screenings, local 
food and housing assistance, and other benefits prompted 
government websites to crash, contact centers to be 
overwhelmed, and, in many cases, delayed relief to those most 
in need.
    Further, the pandemic abruptly revealed how ill-prepared 
many of our state and local governments are to deliver vital 
public services securely and remotely. Criminals took advantage 
of overwhelmed public IT systems, generating a significant 
uptick in cyber crime during this pandemic.
    In 2019, for example, it was reported that 966 U.S.-based 
government entities, healthcare facilities, and schools were 
affected by ransomware attacks. In 2020, that number jumped to 
2,300, including 113 ransomware attacks on Federal, state, and 
municipal governments and agencies.
    As the number of cyber attacks rose, so did the amount of 
ransom demanded by criminals. The overall cost associated with 
the spike is unknown, but some estimates suggest that just 113 
attacks on government entities in 2020 cost $915 million. The 
pandemic laid bare the consequences of decades of deferred 
investment in government information technology, and we must 
not let the lessons learned during the crisis go to waste.
    When done right, state and local governments can provide 
public benefits and services that help people in their most 
desperate time of need. For example, Congress created the 
Pandemic Electronic Benefit Transfer Program in March of last 
year as part of the Families First Coronavirus Response Act.
    The program provides nutrition assistance to families who 
lost access to breakfasts and lunches as a result of school 
closures. To get the program up and running as quickly as 
possible, many state governments created online mobile-friendly 
applications to collect data from parents and guardians in 
order to identify the children most in need.
    This state-led program reduced food hardship experienced by 
low-income families with children and lifted 2.7 to 3.9 million 
children out of hunger. It was, in fact, a success story. Over 
the past year, the pandemic forced state and local governments 
to modernize IT systems quickly and to embrace digital 
services. Yet aging and inadequate IT systems, not a lack of 
political consensus or will, continued to hinder access to 
critical government services.
    The Federal Government can serve as a resource to provide 
guidance and best practices on IT modernization as it also 
swallows that medicine itself. The Federal Government can share 
technical acumen and lessons learned. That's why I intend to 
introduce the House companion of the state and Local Digital 
Services Act. This important piece of legislation, led by 
Senators Wyden and Murray in the Senate, provides guidance and 
funding for state and local governments to form digital service 
teams focused on delivering fair and effective public services.
    Further, this past year demonstrated how important 
intergovernmental activities are in addressing national crises. 
Currently, no formal Federal forum exists in which Federal, 
state, local, tribal, and territorial government 
representatives can convene to discuss issues of import that 
require collaboration among the various levels of government.
    As a former county supervisor and chairman of one of the 
largest counties in the United States, I understand that state 
and local governments need a platform to talk meaningfully 
about legislative process, the impacts of Federal legislation 
on localities, administrative solutions, and the impact on 
relationships between localities, states, and the Federal 
Government.
    This Congress I intend to reintroduce my bipartisan Restore 
the Partnership Act, which would recreate the Advisory 
Committee on Intergovernmental Relations, which operated from 
1959 through 1996. The forum will help state and local 
governments navigate the Nation's most pressing 
intergovernmental issues and advance innovative solutions that 
can leverage IT funding and expertise in the Federal 
Government.
    I hope to work with my friends across the aisle to move 
this legislation, which has historically been bipartisan and 
grows out of years of work with my friend, former 
Representative Rob Bishop of Utah, and the task force formed by 
former Speaker Paul Ryan on intergovernmental affairs.
    This pandemic catalyzed a rapid response and shift in 
culture for how state and local governments deliver services to 
the public. As we emerge from the pandemic and begin recovery, 
we have an opportunity to examine lessons learned and to 
identify best practices to grow our digital capabilities and 
strengthen how government serves the people.
    With that, I recognize the distinguished ranking member for 
his opening statement.
    Mr. Hice. Thank you very much, Chairman Connolly, and thank 
you for holding this hearing today.
    I think it's important to understand the situation of state 
and local information technology systems, especially given the 
role that they play in distributing Federal assistance and 
services; that certainly has become more in play and more 
highlighted the importance that we have in this hearing today.
    And as we saw in the early stages of the pandemic response, 
some systems simply couldn't keep up with the demand. We need 
to understand what has been done in the interim to address that 
situation. But let me be clear, as we look for next steps, it 
is my firm conviction that Federal funding, additional Federal 
funding should not be the default answer.
    States, localities, territories, and Tribes have received 
half a trillion dollars so far in COVID relief. State tax 
receipts did not take the nosedive that many people said would 
happen. In fact, about half of the states throughout the 
country actually saw revenues increase. The American Rescue 
Plan included $2 billion for unemployment insurance system 
modernization.
    So, look, there's plenty of funding out there. What needs 
to happen is for states to properly emphasize information 
technology and cybersecurity in their own budgets. And, more 
importantly, they need to take steps to reduce fraud. There is 
an estimated as much as $400 billion that was lost to 
unemployment fraud. That's a staggering amount of money: $400 
billion. That's half of all unemployment funds.
    And those funds were stolen, likely stolen by criminal 
actors, who knows, China, Nigeria, Russia. Who knows who, but 
that's $400 billion that's gone. Who needs to bother with 
corporate espionage and intellectual property thief when, at 
the end of the day, we can just take cash right out of 
Americans' pockets?
    So,there's no excuse for, from my perspective, why this 
committee hasn't held one hearing on the massive waste, fraud, 
and abuse that has risen to the point of a national security 
issue. I appreciate greatly our witnesses for being here today. 
I'm certainly eager to hear from you, but this committee needs 
to do its job and focus specifically on finding out how much 
money was lost and who took it.
    Earlier, I mentioned systems that weren't able to keep up 
with the demand when Americans needed help. I can only imagine 
the extreme frustration of trying to apply for benefits only to 
be unable to access the system. And then, just speaking briefly 
with the chairman beforehand, this is a common problem. I don't 
know that there's not any Member of Congress who has not heard 
from constituents about this type of frustration.
    But I also, and I'm, again, confident that many others have 
also heard from constituents who are unable to get help from 
government workers simply because they were not at work. And 
now we have the Biden administration making telework and remote 
work one of their top priorities for the so-called return-to-
work program. And so we're going to so-called return to work by 
not returning to work. This is problematic.
    And before we look at any permanent policy of this nature, 
we owe it to the American people to fully understand the impact 
that this type of policy would have on the American people. And 
I know we have reached out to inspectors general across Federal 
agencies for an assessment of what can be anticipated with this 
kind of policy, and we need to know. Those are serious 
questions. In order to make good policy, we have to have good 
information from all sides of an issue. So,that's yet another 
hearing that I believe we desperately need to have.
    So, in closing, again, I appreciate our witnesses for being 
here today. I hope indeed that we learn something about one 
facet of the post-pandemic situation, but certainly there are 
many others that demand our attention, and I think they can no 
longer be ignored. But I'm grateful for you being here. Looking 
forward to our time together this morning.
    And, with that, Mr. Chairman, I yield back.
    Mr. Connolly. I thank the ranking member.
    And I think I agree with him that--and I'll be interested 
to see if our panelists agree--I don't think the issue right 
now is money. I think there is a lot of resources available 
both at the state and local government in part because of our 
action but also in part because many states--not all--and many 
localities--not all--have actually performed pretty well 
financially during the pandemic.
    And that means there are resources to invest, and they--we 
need to try to better understand that decision-making process 
and to the extent we can bring influence to bear to strongly 
encourage state and localities to make the investments we're 
trying to urge here in the subcommittee that the Federal 
Government make as well.
    So thank you, Mr. Hice.
    Now, I want to introduce our witnesses, and we're so 
grateful to have them today and their expertise. Our first 
witness is Mr. Doug Robinson, executive director for the 
National Association of State Chief Information Officers.
    Welcome.
    Then we'll hear from Amanda Renteria, chief executive 
officer for Code for America.
    Third, we'll hear from Teri Takai, vice president for the 
digital--for the Center for Digital Government.
    And, finally, we'll hear from Alan Shark, the executive 
director for the Public Technology Institute.
    Witnesses will be unmuted. So, if the two witnesses who are 
here in person would mind standing and raising your right hand, 
and if our virtual witnesses could also raise their right hand, 
it is the custom of this committee and subcommittees to swear 
in witnesses.
    Do you swear or affirm that the testimony you're about to 
give is the truth, the whole truth, and nothing but the truth 
so help you God?
    Let the record show that all four of our witnesses have 
answered in the affirmative.
    Please be seated.
    Without objection, your written statements will be made a 
full part of the record, and so we would ask you to summarize 
your testimony in five minutes.
    And, with that, Mr. Robinson, you are recognized. Welcome.

   STATEMENT OF DOUG ROBINSON, EXECUTIVE DIRECTOR, NATIONAL 
        ASSOCIATION OF STATE CHIEF INFORMATION OFFICERS

    Mr. Robinson. Thank you, Chairman Connolly, Ranking Member 
Hice, and distinguished members of the subcommittee for 
inviting me here today to speak on the numerous information 
technology challenges facing----
    Mr. Connolly. Mr. Robinson, I may ask you, if you wouldn't 
mind, bring that microphone a little closer so we can hear you 
a little bit better.
    Mr. Robinson. Certainly.
    Mr. Connolly. Thank you so much.
    Mr. Robinson. You've already mentioned some of the 
challenges, so I'm going to amplify those challenges that 
occurred during the COVID-19 pandemic and its aftermath.
    NASCIO, as you mentioned, is the national association 
representing state chief information officers, state 
information security officers, and IT executives from the 
states, territories, and the District of Columbia. As executive 
director since 2004, I am certainly humbled to represent our 
members here today as well as provide you data from our recent 
and in-progress national surveys.
    I'm going to also add that certainly it is a pleasure to be 
joined by two of my colleagues who are longtime friends, and 
we're going to cover three major topics today starting with 
cybersecurity.
    State governments remain at risk certainly based on our 
2020 Deloitte-NASCIO cybersecurity study. States experienced 
elevated cybersecurity threats during the pandemic. That's 
already been mentioned here this morning. This is not 
surprising given the need to protect an enormous load on our 
systems, networks, and also the distribution to remote work 
that happened in almost every state.
    For state CIOs, cybersecurity has been their top-ranked 
priority for the previous eight years, and I suspect it will be 
in 2021. We've been tracking data, and for the last decade, 
we've seen three consistent themes: One is inadequate 
cybersecurity funding in terms of the level of the threat (it's 
not commensurate to the level of threats, and that certainly is 
the case with ransomware today); the increasing sophistication 
of the threats; and the challenge of recruiting and retaining 
cybersecurity professionals.
    So, what have the states learned from COVID-19? And there's 
no doubt that the pandemic was a forcing mechanism to really 
accelerate the states and have them rapidly invest in short-
term technology improvements and automation to make sure they 
were serving their citizens in a largely remote and distributed 
environment.
    We asked our state CIOs to identify the top issues for 
their priorities in a post-COVID world, and while certainly 
improving digital services and legacy modernization are part of 
that, there are others. So, I will provide you with a rank 
order of those and details in my written testimony.
    No. 1, increased attention on digital government services 
and the citizen experience. Preliminary data from our ongoing 
survey finds that 94 percent of our CIOs report the demand for 
digital services has both increased and accelerated in terms of 
its speed.
    No. 2, not surprisingly, expanded work from home and those 
options will continue. At the outset of the pandemic, state 
CIOs faced enormous challenges to ensure widespread remote work 
was manageable and secure while literally sending tens of 
thousands of state employees home to work with their technology 
devices.
    Expanded use of collaboration platforms, No. 3, were 
evidenced here today as we continue to use virtual meeting 
technology, and we believe that will continue and so do the 
state CIOs.
    Investments in broadband expansion and adoption, No. 4. 
Again, I don't think this is a surprise. Broadband services 
were certainly strained during the pandemic and found to be 
inadequate. The data we have today says 81 percent of our 
survey state CIOs said that their states will now accelerate 
the implementation of their broadband strategies because of the 
demand. They've seen the inadequacy of their statewide 
infrastructure for serving their citizens.
    And, finally, a key topic of our testimony here today, 
increased investments in legacy modernization. The overwhelming 
demand for citizen services during the pandemic exposed the 
fragility of these aging systems. Many of the most significant 
and critical services were hampered by technology platforms 
that were not flexible, not scalable, and not adaptable to the 
need. Based on our preliminary data again, half of the states 
have noted that they will accelerate modernization initiatives 
with a greater focus on digital online services.
    So, if we look at the state government environment today, 
it's clear that we have a lot of work to do. There are many 
complex systems delivering state services that are funded by 
the Federal Government. The chairman mentioned this. This point 
cannot be stressed enough, as states are charged with the 
Federal Government to be the primary agents to deliver critical 
programs and services to citizens across the country. Many of 
these IT platforms were built upon legacy and outdated 
technology that needs remediation, and they remain susceptible 
to cyber attacks and the overall inability to ensure reliable 
delivery of services in a timely and secure manner. This is 
critical.
    All state CIOs aspire to have a modern IT environment. 
States maintain and operate a large and complex array of IT 
systems that are--have challenges that are similar across all 
government entities, Federal, state, and local, and these 
proprietary platforms can no longer support the necessary 
business needs of state agencies.
    So, along with this technical debt, states also face 
financial and organizational impediments. State CIOs and their 
agency partners are often unable to get sustained funding from 
their states for modernization for a necessary multiyear time 
horizon. Any modernization initiative requires a strong 
partnership, and NASCIO, in our view, requires that 
collaboration.
    Three recommendations from NASCIO related to IT 
modernization initiatives to consider today. There are nearly 
18.5 million Americans who lack basic access to broadband. As 
Congress and the Biden administration debate infrastructure 
legislation, NASCIO strongly urges improvements to this 
critical part of our digital infrastructure. Accessible 
broadband is the most fundamentally important tenet of any IT 
modernization strategy.
    No. 2, state and local modernization grant program. In the 
116th Congress, NASCIO endorsed the State and Local IT 
Modernization and Cybersecurity Act, a bipartisan bill 
introduced by Congressmen Langevin and Gallagher. Importantly, 
this legislation aimed at creating a modernizing information 
technology program to support legacy systems to new secure 
platforms in line with IT modernization strategies outlined by 
CISA. We think this is critically important, particularly in 
urging state governments to migrate to cloud services.
    And, finally, harmonization of Federal cybersecurity 
regulations, a long-term advocacy agenda of NASCIO. As state 
governments continue to implement strategies to improve their 
IT systems, they are simultaneously looking to achieve cost 
savings. One area of opportunity for the Federal Government to 
assist state governments is the further harmonization of 
Federal cybersecurity regulations.
    NASCIO appreciates the bipartisan work of numerous members 
of this subcommittee who tasked GAO in 2018 to study this issue 
and issue corresponding recommendations. In fact, in May 2020, 
GAO did issue this report: ``Selected Federal Agencies Need to 
Coordinate on Requirements and Assessments of States.'' They 
found between 49 and 79 percent of Federal agency cybersecurity 
requirements had conflicting parameters and urged the Federal 
agencies to collaborate on cybersecurity.
    Mr. Connolly. Mr. Robinson, I'm going to have to ask you to 
end there. We'll explore this further.
    Mr. Robinson [continuing]. My closing remark, Mr. Chairman. 
And thank you and Ranking Member Hice for the opportunity to 
testify today. I know we have lots of questions, so looking 
forward to answering those.
    Mr. Connolly. Thank you so much.
    Ms. Renteria. Renteria. Am I pronouncing that right?
    Ms. Renteria. You got it right. Renteria.
    Mr. Connolly. All right. I'm so sorry for that 
mispronunciation----
    Ms. Renteria. You're good.
    Mr. Connolly [continuing]. The first time. Welcome. You're 
recognized for your five-minute opening statement.

STATEMENT OF AMANDA RENTERIA, CHIEF EXECUTIVE OFFICER, CODE FOR 
                            AMERICA

    Ms. Renteria. Great. Thank you.
    And, Chairman Connolly, Ranking Member Hice, members of the 
subcommittee, and all the staff who helped out to get this 
conversation together, I really appreciate it, and we at Code 
for America appreciate being part of this discussion.
    Partly----
    Mr. Connolly. I'm going to ask you the same thing if I can, 
please, Amanda, if you wouldn't mind speaking up.
    Ms. Renteria. Oh, OK.
    Mr. Connolly. You're a little soft.
    Ms. Renteria. All right. Great. We are honored to be here 
to be part of such an important conversation around empowering 
state and local governments to be responsive, supportive, and 
fully serve constituents, especially in moments of crisis.
    Let me tell you a bit about Code for America, since I know 
not everyone here is familiar with that. We are a nonprofit 
organization that started more than a decade ago with the 
simple notion of a government by the people, for the people in 
the digital age.
    We believe government services should be as good as those 
services we are accustomed to in the private sector and that 
people-centered technology can help government improve 
outcomes, reduce costs, and treat everyone with respect and 
dignity. We work shoulder to shoulder with government to build 
digital tools and services, change policies and inform 
policies, and improve programs.
    I could give you dozens of examples of how we've partnered 
with states and local governments over the years with human-
centered technology, best practices, and service delivery 
across the country, but in our brief time together, I want to 
focus on one particular body of work from just about a year 
ago.
    Last spring, when schools closed essentially overnight, 30 
million kids who relied on school lunch programs were 
immediately cutoff all across the country. As part of the 
Families First Coronavirus Response Act, as Chairman Connolly 
mentioned, the government launched a new federally funded 
pandemic EBT program to help get resources to students and 
grocery money for their families, but it was up to states to 
actually implement that.
    In theory, states would take that data they would have 
about students, they'd load it on to debit cards commonly used 
to distribute food assistance, and they'd mail it to the 
guardian's address on record. But many states ran into serious 
challenges with their pandemic EBT programs because of a 
variety of tech complexities, particularly around data 
matching.
    The local school districts held the data on who was 
eligible for the lunch programs, while state agencies held the 
data on parents' or guardians' eligibility in public benefits 
programs. So, it was very difficult to get a single source of 
truth on each student, and many ended up in this what we called 
unidentifiable category due to this data gap.
    Plus, you had the unusual challenges around data quality, 
formatting, and out-of-date contact information that we just 
heard about from the last witness, and not to mention that 
there was a lot of work included in this period of time that 
needed to happen, coordinating with tech vendors. And, of 
course, everything happened remotely, which is an entirely new 
system.
    We are really fortunate to have had the relationships that 
we've built across the state with--in our 10-year history and 
really the experiences of helping states and cities during 
regional disasters. We were able to step in in that critical 
moment, our team of data scientists, engineers, researchers, 
product managers, and client experts, and in record time, we 
actually consulted on digital services in California, Colorado, 
Kentucky, Louisiana, Maryland, Minnesota, Mississippi, Utah, 
Virginia, and Washington. In just a--in a few months, we helped 
them connect the data, build coordinated processes, and 
distributed food assistance to families who were hungry.
    I can't stress enough how much of an unusual, really multi-
state effort there was going on in order to reach kids where 
they were. And through that what we saw is really what is 
possible when you put technology and government together to 
provide lifesaving services to people who need help.
    To make this possibility a reality, I want to leave you 
with three things that we think the government needs to do, and 
very much you're going to hear a consistent theme, I suspect. 
But No. 1 is minimize administrative burden and complexity; No. 
2, we've got to vastly improve data operations; and No. 3 is 
empower state and local governments to invest in technology, 
talent, and capabilities.
    I want to remind everybody, because it's still on my mind 
as we think at Code for America how we can help, but it was 
just a handful of months ago when all of us saw record breaking 
numbers of people who were out of work lining up in parking 
lots in need of food and basic assistance and completely unable 
to access government services.
    For us, the pandemic was a window though into what we have 
seen for a long time. When crises happen, government systems 
consistently fail. Too often in these moments they go 
completely dark. We simply can't allow that to happen in this 
country. Our government systems must be prepared for a more 
volatile future and ensure that government really does meet 
everyone's basic needs, especially in a moment of crisis.
    We've always said this at Code for America, so I'll end 
with this, which is we know that government and technology are 
the two best levers we have to change people's lives at scale. 
And as the country right now resets in this post-pandemic 
environment, we have a once-in-a-generation opportunity to 
truly transform our systems and build a resilient government 
that effectively and equitably serves all Americans.
    So, I just want to say, I welcome this discussion, and we 
really look forward to doing what we can in all corners of this 
country to really help in this effort to modernize, to upgrade, 
and make sure our systems are ready for whether it's the next 
crisis or the next disaster or really just functioning every 
single day. So, thank you very much for having us a part of 
this conversation.
    Mr. Connolly. Thank you so much, and I can't help 
editorialize your last point. The irony of the subject matter 
is it's not considered very sexy, and yet every penny this 
Congress appropriated, which was the unprecedented amount of 
money--I mean, never in history have we appropriated 
cumulatively as much money to respond to something as we did in 
this pandemic, $5.5 trillion with a T, every penny of its 
dependent for delivery in IT.
    And yet the interest from the press and Members is very 
limited, and which I think tells us about the scope of the 
problem we face, Mr. Hice and I, in our evangelical mission in 
trying to educate and make more aware our colleagues about the 
importance of the subject matter.
    Forgive that editorial comment, but you inspired me, 
Amanda. Thank you.
    Teri Takai, you are recognized for your five minutes.

STATEMENT OF TERI M. TAKAI, VICE PRESIDENT, CENTER FOR DIGITAL 
                           GOVERNMENT

    Ms. Takai. Well, thank you Chairman Connolly, Ranking 
Member Hice, and the distinguished members of the subcommittee 
for inviting me today to speak on the challenges the state and 
local governments face in modernizing their IT systems and 
digitizing critical services.
    The current state of technology services, as Mr. Robinson 
has already talked about, that state and local governments 
provide was severely tested during the COVID-19 pandemic. The 
challenges of providing critical citizen services and 
information highlighted the technical debt the government 
faces.
    In my current role as the vice president for the Center for 
Digital Government at e.Republic, I work with state and local 
governments across the country as they drive the technology in 
their jurisdictions. As a former state and Federal CIO, as well 
as having extensive experience in the automotive industry, I'm 
impressed with the work that the CIOs have done to meet the 
challenges of the pandemic, but I see the extensive work that 
lies ahead.
    I appreciate this opportunity to support their efforts and 
to meet the increased requirement to meet expanded digital 
expectations from our citizens. I'd like to highlight a couple 
of key areas because I think it's really an area where we tend 
to go to the technical first and the technology first as we 
think about how to sustain these efforts.
    But I think it is important to note that the key to 
successful technology modernization is the collaboration 
between the agencies and departments that deliver essential 
citizen services and the technology organizations that support 
them.
    Technology alone cannot solve the challenges of providing 
improved citizen services. It must be a whole-of-government of 
approach across Federal, state, and local government but also 
between executive, legislative branches, and agencies and 
departments within the jurisdiction.
    Utilization of technology to improve citizen services 
requires the examination and review of the underlying 
processes, roles, and responsibilities. And this will be 
especially true as government moves to embrace new 
technologies, like artificial intelligence, machine learning, 
and remote process automation.
    The next key point that I want to make is that the 
relationship between IT modernization, digital citizen 
services, and cybersecurity is critical. There's a risk that 
these three technology efforts will be seen separately and that 
governments will fund only a portion of what is needed.
    The driver for IT modernization is the need for greater 
digital citizen services that are protected from increasing 
cyber threats. All three are driven by demands for citizens for 
improved transparency and services. It is impossible to drive 
digital transformation without focusing on an overall 
enterprise approach.
    In closing, beyond current relief funds through the 
continuation of the CARES Act and the American Rescue Plan, 
there's a need to ensure that the realization of the importance 
of technology in the operation of government remains a high 
funding and budget priority for state and local governments.
    Moving forward, both the agencies and departments who are 
dependent on technology and the executive and legislative 
branches of government must continue to see technology as the 
infrastructure that runs government as much as roads support 
transportation. And more than pure infrastructure, technology 
can be the catalyst to reach citizens where they are and to 
build trust that all levels of government are truly there to 
service their needs.
    I have a number of specifics that I included in my written 
testimony. I'm happy to speak about any of those today. I 
really appreciate this opportunity to testify, and I look 
forward to answering any questions you may have and continuing 
the discussion. Thank you.
    Mr. Connolly. Thank you, Ms. Takai, and I like your whole-
of-government approach. I know we're going to want to explore 
that along with your recommendations.
    Last, but by no means least, we're going to hear from Dr. 
Shark. Dr. Shark, you're recognized for your five minutes.
    Mr. Shark. Thank you, Mr. Chairman. Is my mic on? Yes. 
Thank you, Mr. Chairman, and thank you, Ranking Member Hice.
    Mr. Connolly. You just need to pull that closer to you.

    STATEMENT OF ALAN R. SHARK, EXECUTIVE DIRECTOR, PUBLIC 
         TECHNOLOGY INSTITUTE (A DIVISION OF COMPTIA).

    Mr. Shark. I want to thank you for the opportunity to have 
a conversation with you today. I look forward to the questions, 
and my formal remarks have been submitted for the record.
    I would like to explain the lens in which I see things, 
which I think is very, very important. I am the executive 
director of the Public Technology Institute, and what we do is 
help local governments understand, embrace technology through 
research, professional development, and leading practices.
    We were actually formed in 1976 by the National League of 
Cities, the National Association of Counties, and the 
International City County Managers Association. In 2019, we 
emerged with CompTIA, the Computing Industry Technology 
Association, and that has been a perfect marriage as they are 
the ones who are the leading--and now us together--we are the 
ones who are a leading voice in terms of professional 
development, certifications, research, and technology across 
the globe.
    My main experience is with local governments. As a 
professor, as one who heads the technology leadership panel for 
the National Academy for Public Administration, I have many 
views, so much of what I'm going to share are those of my own, 
and, where noted, they're ones that have been endorsed by the 
organizations of which I represent.
    I see some amazing change that is occurring, and I use the 
word ``occurring'' because it hasn't stopped. And so, while 
there's been a lot of frustration with technology where it has 
failed, where it has not worked, I'm also here to say that 
there's a lot of good things happening out there.
    We witnessed what I call the great pivot. Most of the 
people I represent are CIOs from cities, counties, townships 
across the country, and they work 14, 18 hours a day remotely. 
And they learn things they never thought they would have to 
ever contemplate like teaching staff, public employees how to 
use computers, how to compute remotely, things like that, and 
to make it possible for the business of government to continue 
for construction, permitting, social services, and information, 
the ability to schedule things online, to talk to people and 
maybe even see people online.
    This was a technological revolution that came about because 
there was a major pandemic. We all saw it, and we all reacted 
appropriately. So, I see a lot of good things. But as pointed 
out in the opening remarks, it also exposed an awful lot of 
deficiencies that should be alarming.
    This hearing is about what have we learned and what can we 
do today so that if something like this happened again--by all 
means, why wouldn't it?--that we are better prepared and that 
we have taken steps to learn, including some of the issues of 
funding, totally legit.
    And I'm hoping incidentally that some of the technologies 
that we're seeing coming into the fore will help us, the use of 
artificial intelligence, the ability to go through these data 
bases and look for the anomalies, looking for where fraud may 
occur and do a much better job. This is where technology could 
really help us.
    So, in my comments, I have five areas that I address: IT 
modernization, the need, also the need for greater agility and 
resiliency, and I also am a strong believer of 
intergovernmental cooperation. We need to communicate in a more 
formal manner between state, local, and Federal agencies.
    I am worried about the significant cyber threat that we 
fall under and the enormous cost to us in terms of loss of 
business, loss of confidence among our citizens. This is huge. 
There's an abundant need, and I want to address the last two on 
the human side. It's not just about technology. Like a 
mechanic, they have to depend upon the tools of the trade. In 
today's world, technologists have to depend upon the new tools 
that are quite different.
    We need a lot of help in two areas: abundant need for 
professional development and certifications aimed at existing 
staff so they're better able to defend and protect our 
infrastructure; and, No. 2, actively address manpower shortages 
requiring more creative approaches to recruitment and retention 
in IT-related positions. Hence, I'm a strong advocate, as is 
CompTIA and PTI, of the whole issue of apprenticeships to get 
people these high-paying jobs where there's high demand.
    Mr. Chairman, Mr. Ranking Member, thank you so much. I 
wanted to stay on time. Mission accomplished.
    Mr. Connolly. Thank you, Doctor.
    Mr. Shark. Look forward to the conversation.
    Mr. Connolly. You did great. You had three seconds more, so 
thank you.
    We're now going to move to questions.
    And, Mr. Lynch, are you there?
    Mr. Lynch. I am. Thank you. Thank you.
    Mr. Connolly. So, the gentleman from Massachusetts is 
recognized for his five minutes of questioning.
    Mr. Lynch. Thank you, Mr. Chairman. This is a great topic 
and one that I think, as everybody recognizes, the pandemic has 
really put a spotlight on.
    You know, the GAO did a report back in May 2020, and they 
illustrated in their study that about half to three quarters of 
the cyber regulations that the Federal Government agencies, 
such as Social Security, the IRS, the FBI, and I forget one 
other, but 50 percent to 75 percent of the regulations that the 
Federal agencies give to the states were in conflict with 
themselves. So, IRS was in conflict with Social Security and so 
forth.
    So, in the midst of trying to keep people's information as 
secure as possible--and all those agencies have sensitive 
information going back and forth with the states, I'm just 
curious if our panelists, and we have an all-star panel here, 
do you have any recommendations on how we might harmonize the 
regulatory protocol so that we assist you in protecting that 
state-to-Federal dialog and exchange of information that is 
respectful of the privacy and security of that data that 
belongs to the people that we all represent?
    Mr. Shark, I think you probably have some insight into 
this. All of you should, but why don't we start with you.
    Mr. Shark. Well, as my colleagues have stated, 
cybersecurity is our No. 1 concern. It comes up through every 
survey that we do, and it will continue for years to come; in 
fact, it's been No. 1 for the last 10 years. One of the 
problems that we see is, again, the lack of support and 
understanding from more senior public managers in recognizing 
the need for better modernization of some of the cybersecurity 
best practices.
    We did a survey last year--we do an annual survey of local 
government cybersecurity programs. And I was surprised, when we 
asked, ``How engaged are your elected officials with regards to 
cybersecurity efforts?'' almost 54 percent said ``not 
engaged.'' And the next category was ``somewhat engaged,'' 
which was like 24 percent, even with ``very engaged.'' That is 
a small portion.
    And to me, what we see for the professionals that are on 
the forefront of protecting our infrastructure, our digital 
infrastructure, we're often lacking the support from those that 
these people report to. So, there's a real governance issue. 
There's a communications issue. It may not even be a funding 
issue as much. If this money is out there, there seems to be a 
gap in communicating the importance, the need, and where to go 
for help.
    Mr. Lynch. Well, thank you.
    Ms. Renteria, do you have any thoughts?
    Ms. Renteria. I do. I actually want to validate exactly 
what you're saying about making sure that we're protecting the 
data that we get. This is particularly important in low-income 
communities. So, we launched a program last year, 
GetYourRefund.org, and what it did is it's a very--it's a 
simple mobile app to help people through the process of VIP 
payments, of EITC, of filling out your tax formats.
    One of the big barriers to actually people submitting tax 
forms is their concern about what happens with their data. As a 
nonprofit, we actually do not, and we're very clear about we do 
not sell data. We use it for moving over to government partners 
in order to actually fill out tax forms.
    I think one of the things we should be thinking about here 
is how do we make it very clear to clients, to the customers 
what we are doing with their data as we move it through. And 
that's important, particularly as we start to reach out to low-
income communities and make sure to bring them into a system 
that not only welcomes them but treats them with dignity and 
respect as we take them through the process.
    Because that trust-building exercise from day--from that 
first conversation on your app really matters, and making sure 
that we actually express what we are doing to protect their 
data is particularly important for low-income, rural 
communities who feel often forgotten by our programs. So, we do 
that very explicitly and think more organizations should.
    Mr. Lynch. Thank you.
    Ms. Takai, I think you have 20 seconds.
    Ms. Takai. All right. Let me just give you then some key 
points. First of all, I totally agree with you. I think it's 
essential that there's a harmonization because it is a burden, 
particularly on state but more so on local government, to 
ensure compliance. That can certainly be any government agency 
and perhaps DHS in the role that they play.
    Second, I think it's important to recognize that the public 
comment process doesn't actually harmonize. It simply provides 
a public comment on a particular agency approach.
    The third is that it does really require state government 
and local government input that is heard and recognized.
    And I think that, fourth, again, I would repeat, the 
compliance efforts that state and local government go through 
are significantly challenging right now.
    And the last, I think, I would encourage us to think not 
just about cybersecurity as cybersecurity but that we also 
think about data privacy, not only data privacy legislation 
that's coming out at the Federal Government level but also at 
the state government level, because there will be a need to 
harmonize that piece of cybersecurity as well.
    Mr. Connolly. Thank you, Ms. Takai.
    The gentleman----
    Mr. Lynch. Thank you, Mr. Chairman. I yield back. Thank you 
for your courtesy.
    Mr. Connolly. Well, Mr. Lynch, just before you yield back, 
I do want to give Mr. Robinson an opportunity to respond if he 
wishes to your question, and then we'll turn to Mr. Hice.
    Mr. Lynch. Absolutely. Thank you, Mr. Chairman.
    Mr. Connolly. Thank you, Mr. Lynch.
    Mr. Robinson. Thank you, Mr. Chairman.
    And thank you, Mr. Lynch, for the question.
    It has been a longstanding advocacy opportunity for NASCIO, 
and we have specific recommendations and work exhaustively with 
GAO. We applaud their work. They spent over two years in this 
review and assessment, interviewed 50 state chief information 
security officers, and also looked at over 600--600--NIS 
controls that are used by the FBI, IRS, CMS, and Social 
Security Administration. Those are the four agencies that they 
looked at.
    And what they found, again, as Representative Lynch 
mentioned, vast duplication and overreaching in terms of the 
cybersecurity regulations that are imposed upon the states. 
States agree that these are necessary. They're very prudent to 
protect the private information of individuals. But, again, 
they're at the cost of both the overreaching cybersecurity 
regulations and also the long assessments and audits 
are[inaudible] of the states. Our recommendation is that 
Congress empower OMB. OMB is probably the only group that can 
look at this across all the agencies.
    And I certainly concur with the chairman about the need for 
intergovernmental cooperation. This is a great example of the 
need for more intergovernmental cooperation and collaboration 
on examining cybersecurity regulations, harmonizing them, 
streamlining them, and reducing the cost and burden on the 
states, which, in fact, would, we believe, result in stronger 
cybersecurity protection than the mismatch that we have today.
    Mr. Connolly. Great point. Thank you.
    Mr. Hice, you are recognized for your question.
    Mr. Hice. Thank you, Mr. Chairman.
    I have probably two primary concerns with state and local 
information technology systems and then an underlying third 
concern, if you will, with both of those. First, is their 
ability or lack thereof to keep up with citizens' demand; 
second, is their role in preventing or facilitating fraud and 
fraudulent claims; and then underlying all of that, of course, 
is the cybersecurity issue, how secure are these systems.
    So, Ms. Takai, let me begin with you. Given states, 
localities, territories, tribal governments, and so forth 
received some $500 billion in direct aid during the pandemic at 
taxpayers' expense, there have been reports of much of those 
funds being misdirected or directed in places like investing in 
state parks, for example. Given all that, how appropriate do 
you think it would be for the Federal Government to offer even 
more funding for state IT systems at this point?
    Ms. Takai. I think it's important to not differentiate the 
current issues around fraud from the cybersecurity issues. I 
think that now is a time where those two issues have actually 
come together. It increased the risk for state and local 
government at all levels, and fraud is one component of that. 
That's No. 1.
    No. 2, I think it's important then that we continue that 
focus on cybersecurity to ensure that we're actually protecting 
from some of the challenges that we have had from a fraud 
perspective.
    And, third, clearly, this is on the minds of all state and 
local CIOs. And for the local CIOs, large jurisdictions have 
many of the same responsibilities that the state CIOs have, and 
they are clearly looking at that not only from the standpoint 
of modernization but also from the standpoint of their overall 
cybersecurity plan.
    Mr. Hice. OK. Thank you. You know, I agree with you. 
Obviously, we've got to make cybersecurity a huge priority, 
but, at the same time, we have got to hold states accountable 
to not wasting taxpayer money. And where it's fraudulently 
being used or misdirected, not in the ways it should be, I 
think we have the responsibility to have oversight over that 
and to call their hand on it.
    Mr. Robinson, let me go to you now. Last spring, we saw 
that many mission-critical IT systems were woefully out of date 
and incapable of meeting the spike and the demand during the 
COVID. So, my question is, how confident can we be that states 
are taking aggressive action now to modernize their systems? 
Are they doing so?
    Mr. Hice. Well, I think we could be confident that it's 
certainly receiving greater attention. I think the challenge is 
the magnitude of the change that is going to take place and 
certainly the necessary business process, improvements, or 
business process redesigns.
    So, it's not about the availability of the technology to 
solve the problem. It's the necessary business process 
reengineering that has to take place as well as creating more 
citizen-centric opportunities, and I think that's where there 
clearly was a gap. The states had not prepared for that kind of 
magnitude of demand, and they have not scaled their systems.
    And I think two things are going to happen in the next 
couple of years: One is we're going to see the broader adoption 
and the migration to cloud services so that states can scale 
and be more flexible with their services; and the second thing 
is more collaboration with the private sector counterparts that 
have a number of solutions [inaudible].
    That's been the--I think the recipe for success in the 
number of states that were able to move very quickly was using 
those resources because the states didn't have the requisite 
capabilities and disciplines in-house to do that. So, I think 
we're going to see more of that move to private sector support.
    Mr. Hice. Well, we don't want them dragging their feet on 
all of this, and to some extent there have been. Would you say 
that states, generally speaking, and I know we've got to be 
general here, but are they prioritizing IT investments in their 
budget? Is this something that really is a priority?
    Mr. Robinson. In certain states, they are, sir, yes. But, 
again, I think----
    Mr. Hice. Can you give an estimate? Like how many state--I 
mean--and I know it's a rough estimate.
    Mr. Robinson. Well, yes. Now, based on--I'll speak for our 
state CIOs, and I prepared that data in my written comments, 
but, you know, 81 percent of them said that they increased 
their prioritization on modernization. So, that will give you a 
good handle on that. That does not mean that the entire state 
executive, legislative, and judicial branches are in concert 
with that thinking.
    But the state CIOs have the lead on that in the states, and 
they clearly understand the nature of the problem. And there's 
no doubt that many of them would note that they lagged those 
investments, and that's a complex discussion probably for 
another day about the----
    Mr. Hice. Sure.
    Mr. Robinson [continuing]. Challenges of getting the 
information technology investments they need.
    Mr. Hice. So, steps in the right direction, but we've got a 
long ways to go. We do.
    Mr. Robinson. We do, sir.
    Mr. Hice. Thank you, Mr. Chairman. I yield.
    Mr. Connolly. Do you wish more time? OK. Sure.
    The chair now recognizes the gentleman from Maryland, Mr. 
Raskin, for his questioning.
    Jamie, you're on mute. There you go.
    Mr. Raskin. Thank you, Mr. Chairman, and thanks to the 
witnesses.
    You know, even before the pandemic hit, state and local 
governments were struggling hard to find IT and cybersecurity 
talent. According to the National Association of state CIOs' 
2020 annual survey, recruiting and training qualified staff was 
a main challenge and main priority through this year.
    Mr. Robinson, what are the critical competency gaps in the 
existing state and local IT work force?
    Mr. Robinson. Yes. Thank you for the question. If we look 
at the current data, there are at least four. One is, as you 
already noted, cybersecurity, particularly advanced skills in 
cybersecurity analytics, predictive analytics, behavioral 
analytics. It gets to Representative Hice's question around 
fraud. We believe that that's going to be a critical competency 
in the future is having those skills. Application development 
is one, being able to develop and write programs. Cloud 
maintenance and cloud migration is an area where the states 
have certainly some challenges.
    And then, finally, I would note just user design or 
citizen-experience design, being able to have capabilities to 
develop citizen-centric or user-centric websites and 
capabilities on online services. So, those are probably four of 
the five top issues to states----
    Mr. Raskin. Well, I appreciate that.
    How can the state and local governments find the thousands 
of IT professionals with the right skills and competencies that 
are needed?
    Mr. Robinson. Well, I think certainly from the state 
perspective, a lot of that has to do with location and the 
availability of the work force within their jurisdiction. The 
other has to do with seeking those individuals that have a 
strong desire to serve in the public. And one of the--we are 
here talking about a kind of a post-pandemic world. One of the 
areas that we're seeing some advantages is the states are 
opening up--they're recruiting outside of their state 
boundaries. So, that may be a small part of the answer to your 
question is states being able to actually recruit and then 
employ individuals in the expertise that don't necessarily live 
in their state, and so we might find that as a post-COVID-19 
benefit is a remote work force.
    Mr. Raskin. Ms. Renteria, but what kind of skills and 
qualifications are states and local governments looking for 
when they recruit professionals to deliver digital services to 
the public?
    Ms. Renteria. So, one of the things we're really starting 
to see now is program areas, recognizing that they too need IT. 
So, largely in state and local governments, what we've seen is 
people think about IT in sort of the IT help desk or in a 
department unto itself. We have seen now a different 
conversation happening in program areas where people are 
saying, OK, WIC was put online in 2020 for the first time ever, 
and now there's an encouragement you can go online. That really 
changes the way program officers and the programs think about 
IT that is a partner from the very beginning in order to 
deliver services.
    But I do want to say, within the civic tech ecosystem, 
there has been a number of different groups that have now 
formed. U.S. of Tech, Tech Talent Project, 18F, and USDS now 
has a number of different incredible fellows, incredible people 
who have been in the administration now for two administrations 
and are out there looking and ready to join and have the kind 
of experience where they've been in government, they've been 
out of government, they've been in the private sector.
    I also wanted to mention that at GSA they're forming a 
digital corps, again, another really very good connection 
because you have tech folks coming in to get real world 
experience about how government works. We're also beginning to 
see a real movement within the civic tech space to make sure 
lived experience is a part of thinking about tech talent. So, 
in many of the apprenticeships and fellowships now, not only do 
you bring in somebody that has the tech tools but somebody 
that's actually experienced what it is like to apply for food 
assistance or not have housing. And what we have seen from that 
is when you combine lived experience with tech talent, it is 
really bringing state and local government up to a whole new 
level. But we can't do it fast enough, and that is really the 
point here is we need tech talent of all sorts in all different 
areas to bring that kind of up-leveling.
    So, if I could just say one last thing, if you think about 
just Federal employees, six percent of Federal employees are 30 
or under. If you think of a new digital native world, we need 
to make sure that we are really reaching out----
    Mr. Raskin. Along those lines, I noted in the NASCIO 
report--I don't know if that's how you pronounce the acronym, 
but, in any event, that report that I looked at--that there was 
an emphasis in this trying to recruit and training a new 
generation also on diversity and equity and inclusion. And is 
that going to be part of the solution?
    Ms. Renteria. Absolutely, it must be. If you are trying to 
serve a more diverse environment, what we've seen in a lot of 
our programs is a lot of these low-income programs particularly 
have left out certain communities, Black, Latino, indigenous, 
rural communities, and we've got to start bringing in the lived 
experience to be able to reach those communities, and those are 
the perspectives that really get to how to access, right, how 
to help people access the benefits that are there for them.
    Mr. Raskin. Thank you.
    I yield back, Mr. Chairman.
    Mr. Connolly. Well, before you yield back, I want to give 
the other members of the panel who have not responded to your 
query an opportunity to do so if they wish.
    Ms. Takai?
    Ms. Takai. Thank you.
    I think that they've covered it. The one thing that I would 
add is that the demand that government is seeing is part of a 
national demand for more science technology education programs, 
particularly amongst those that are and would be considered in 
the diversity areas. I know that I participate, I'm sure Amanda 
does, in a lot of women-in-technology programs.
    So, I think that, you know, we have to look at the context 
of government in the context of needing more technology skills 
across the board and also making sure that, as we're doing 
that, you know, we're considering the diversity and inclusion 
and equity part of making sure that they're a part of that 
skill set.
    Mr. Connolly. I'm going to give Mr. Shark, Dr. Shark, the 
opportunity to respond. And, Mr. Keller, certainly extend the 
same courtesy to you if you wish it.
    Dr. Shark.
    Mr. Shark. Thank you, Mr. Chairman.
    I just want to add a few things. Everything that has been 
said I agree with. I mean, the skill sets we're aware of, but 
as Teri said, the shortage of technology professionals is 
really a problem across the Nation in all sectors. In 
particular, though, with government and even local government, 
it's even more stressful in the sense that we can't compete 
with the private sector. So, very often we're losing some very, 
very good people, and we have to find better ways to provide 
incentives to keep those good people, let alone bring in new 
people.
    So it's kind of, like, two parts of that. Now, we have, at 
CompTIA, have devoted a whole area, a whole division with women 
in tech, bringing in more apprenticeships, bringing in more 
inclusion, diversity, developing some more outreach and 
philanthropic kind of activities, and I think that has to 
continue.
    Let me go a step further. We need to incentivize people in 
government. We have to make folks feel good, and that's why I 
think perhaps having kind of a digital service corps within 
local governments could be a help and a jump start, and I think 
that's reflected in current legislation that's being proposed. 
I would welcome that. We need a jump start. We have a problem. 
We have to address it fairly quickly, and then we have to worry 
about keeping people up to date.
    This is changing so rapidly. Imagine flying an airplane, 
getting your tax prepared by someone who is not certified or 
recertified. So, having training is terrific. Being constantly 
retrained--and this is where certifications are important. 
They're not required. You are required if you're a CPA. You're 
required if you're a pilot or a lawyer. You're not required if 
you're a technology individual, and yet you have all of this 
personal information; you have so much sensitive information at 
stake. I'm a strong proponent in continuing education.
    Mr. Connolly. Great point. Thank you so much.
    Mr. Keller.
    Mr. Keller. Thank you, Mr. Chairman.
    Now that the United States has started to fully reopen, we 
need to start examining institutions that have been changed 
forever by the COVID-19 pandemic. Moving to a post-pandemic 
environment, one of these issues is the security of our IT 
infrastructure and the relationship between the private sector, 
state, local, and Federal authorities.
    A study by the National Association of State Chief 
Information Officers shows that most States allocate less than 
three percent of their budget to cybersecurity, while financial 
services companies allocate almost 11 percent. As a result, 
states' IT infrastructure is often susceptible to waste, fraud, 
and abuse.
    A question for Mr. Robinson. Based on your organization's 
report and your experience, have you noticed a disparity 
between public and private sector cybersecurity readiness?
    Mr. Robinson. Mr. Keller, I have certainly noticed a 
discrepancy in the amount of funding and the amount of 
executive attention on the topic of cybersecurity. Our message 
is that cybersecurity is a business risk to the continuity of 
government. I think where we see the great disparity between 
the public and private sector institutions is that many private 
companies, their executive officers and their board and 
leadership has now recognized that cybersecurity is a business 
risk to the continuity of their business.
    I don't think we've gotten that message through to the 
leadership at state and local governments and in a general way. 
There are certainly individuals that have championed that, but, 
quite frankly, I think we have a long way to go to get that 
message in terms of the need to understand that. And with that 
would come the commensurate support and funding, so there is a 
gap.
    I believe the states are doing a surprisingly excellent job 
protecting their systems and their data given the constraints 
that they're operating under today, and I think that's evident 
in some of the numbers that you're seeing in terms of the lack 
of successful attacks.
    So, I think that's the challenge right now is essentially 
advancing the capabilities and disciplines of the states, but 
it's not just about additional funding. There's a lot more that 
has to happen.
    Mr. Keller. You just answered the question I was going to 
ask. Is it all funding or does it really come to the culture in 
which the emphasis is put on it?
    Mr. Robinson. No. It's the culture. I think states--you 
know we recognize that there might be actually requisite 
funding embedded in the state agencies that could be used at an 
enterprise level, and that's been one of our messages is let's 
make sure that we have a very strong assessment of the posture 
of state governments before we spend additional dollars.
    Mr. Keller. OK. Because, you know, I go into that and say 
how can Congress best work with states and localities to invest 
in cybersecurity infrastructure, to prevent more waste and 
fraud in the future, and I think some of that probably comes 
back to what you were saying as far as, would you say some of 
that is the leadership?
    Mr. Robinson. Right. We have advocated for additional 
dedicated cybersecurity grant program for state and local 
governments because we believe it's a collaboration. Local 
governments have less resources. Part of that is simply because 
of the symbiotic relationship between the states and their 
Federal counterparts. The state agencies are delivering 
services on behalf of the Federal Government. And that's why we 
believe that funding should assist them, and it hasn't come to 
fruition for the past several years. So, we will continue to 
advocate for that type of cybersecurity funding grant program.
    Mr. Keller. I appreciate that.
    And since 2003, the GAO reported that the Federal 
Government has made over $1.9 trillion in improper payments. 
This estimate does not include the reported $1.6 trillion in 
Fiscal Year 2020 budget expenditures. Agencies prior to COVID-
19 had difficulties identifying where they were making improper 
payments. For example, the Department of Defense Office of 
Inspector General reported in May 2020 that the DOD did not 
publish reliable improper payment estimates for five of its 
eight programs and did not meet its improper payment reduction 
targets.
    So, again, Mr. Robinson, I guess what I would say is, what 
do you believe are the most significant challenges to 
identifying these kinds of losses? And what can Congress do to 
ensure more transparency from the agencies?
    Mr. Robinson. Two things, Representative Keller.
    One, states only in recent months have they invested in 
advanced analytics and automated fraud detection services. So, 
I think they would all recognize that they had not prepared for 
something as extreme as the pandemic when it came to the 
magnitude of, you know, basically the volume and velocity of 
those requests coming in, and they didn't have the capabilities 
upfront to do predictive analytics to stop the fraud.
    And the second part of that I think is critical, which 
really aligns with digital government services, is a stronger 
digital identity program across the states. So, we have about 
14 states today that have embarked on citizen digital identity 
programs. We need to have all of the states. That's probably, 
if you look at their cybersecurity agenda, one of their top 
issues is how do we create a secure digital identity program 
for our constituents so we will know who's on the other side of 
that request when it's an online service, unemployment, all the 
things you mentioned in terms of fraud. Again, that doesn't 
exist in the majority of states today, so--but they are--they 
have a plan on their agenda.
    So, we think that's an important part of two acts: reducing 
fraud and also improving the citizen service experience.
    Mr. Keller. Thank you. I appreciate that.
    And I yield back.
    Mr. Connolly. Thank you, Mr. Keller. And let me just say to 
you improper payments is something that has long had my 
attention, and our subcommittee has a long history of trying to 
address it. I certainly would welcome the opportunity to 
collaborate on a legislative strategy at trying to reduce that 
number. A good chunk of it is Medicare fraud, but some of it is 
our IT systems just--you know, someone is getting something who 
is ineligible but they show up as eligible, because we're not 
getting it right in the IT identification or whatever it might 
be.
    So, I do think that's something certainly we could help 
reduce, and I think the subcommittee has done some 
groundbreaking work in identifying the problem. Now, hopefully, 
we can try and address it. So, I would be glad to collaborate 
with you and Mr. Hice trying to find----
    Mr. Keller. I would welcome that because we talk about 
improper payments. That would ensure that the help gets to the 
people who need it the most.
    Mr. Connolly. Exactly, exactly. Thank you so much.
    The gentleman from California, Mr. Khanna, welcome.
    Mr. Khanna. Thank you, Mr. Chair. Thank you for your 
leadership in convening yet another important hearing.
    One of the things that I find perplexing is our Federal 
Government basically invented the internet. I mean, at DARPA 
you had, Vint Cerf there who came up with the TCP and IP 
protocols that allowed for communication to and from computers 
basically as a military application that then goes on to become 
the internet that we use in the United States and around the 
world.
    And despite this sort of history of having government be 
the facilitator of the internet, we have seen the public 
sector, both the Federal Government and the state government, 
lag the private sector in actually the application of IT today. 
Obviously, there are a large number of issues in the Federal 
Government, but, Mr. Robinson, I wanted to get your perspective 
on why do you think that states with their enormous budgets--
maybe it's a budgetary issue, but they do have more budgets 
than most private companies. Why is it that they lag what an 
above-average private sector company does in terms of IT 
services?
    Mr. Robinson. A complex question, Representative, and lots 
of dimensions to that.
    The technology exists to make that happen. I believe 
there's a number of issues: One is certainly the organizational 
and cultural resistance to change in some cases. The lack of 
project oversight and governance, the lack of an enterprise 
roadmap, it's often done individually by agencies, and I think 
that's a problem. So, having strong leadership at the executive 
branch to kind of drive an enterprise approach, common 
standards, common approaches, and so, you know, the resources 
may be there, but I think being organized to succeed is a 
challenge at the state and local level when it comes to 
delivering those online services.
    We have a number of states that have been recognized I 
think for their excellent service delivery to their citizens, 
and I think if you look at what are the common patterns of 
success among those, a lot of it has to do with leadership, 
governance, project oversight, the imposition of standards 
across the agencies.
    So, we have examined those over a number of years and find 
some fairly common patterns. But, again, there isn't a lack of 
technology that prevents state and local governments from 
delivering on the promise of widespread digital government to 
their citizens.
    Mr. Khanna. I have one more question, but did any other 
panelists--I saw some folks shaking their heads or gesturing. 
Did anyone else want to comment on that?
    OK. Then I'll ask my next question.
    One of the challenges I have noticed is the lack of thought 
on design. You know, I represent Silicon Valley, and I think 
people don't appreciate that a lot of the successful companies 
put so much emphasis on design, more than technical competence. 
In fact, Steve Jobs famously talked about how a graphic design 
class was the most important class that he took, and Airbnb's 
success was largely a success not simply of engineering but of 
design.
    If you go to some of these websites--and, you know, this 
was the case in the Federal website when COVID started--you 
know, there are 50 different links, and people are totally 
confused about how to actually navigate the things for their 
own convenience.
    Is there a focus, Mr. Robinson, and then if anyone else 
wants to weigh in, on the design aspect in making sure that 
these things are first and foremost with the customer in mind?
    Mr. Robinson. I'll speak very quickly on behalf of the 
states. Yes, based on our recent evidence, particularly during 
COVID, that came to light as the lack of the design of citizen-
centric or a strong user experience. Many states are creating 
digital services teams and bringing those teams to bear on 
those issues. But, you're right, there has been challenges in 
that space across states and local governments, and so 
certainly my colleagues can respond to that from their 
perspective.
    Ms. Renteria. I would love to jump in.
    And thank you so much for that question because it's 
exactly what we have focused on at Code for America and our 
food assistance program. In fact, it started with seeing lines 
outside Social Services on Mission Street and recognizing what 
is going on; there's something not quite right with that 
process. And so we do with our--with the clients we work with, 
with the governments we work with, we actually take them on a 
journey, walk the shoes, right, try and apply yourself, go into 
a Social Services, see the experience, feel the experience, and 
it's easy once you do that to see that there's something wrong 
in the system, that we actually haven't designed it around the 
people we are serving.
    Part of my example at the very beginning around pandemic 
EBT is that the crisis actually made it very clear what we were 
all trying to do, and that was to reach kids. If we can design 
all of our services--and this is what we believe in at Code for 
America--if we can design all of our services starting with 
that client experience, walking in their shoes, then you build 
the program from there, and it makes an entire difference. In 
California, as an example, there is now a human-centric design. 
In Pennsylvania, Congressman Keller was just talking, we are 
working with them on the data analytics to really understand 
that user experience and address it.
    So, thank you so much for that, and we need to do more on 
that.
    Mr. Connolly. Thank you so.
    And before I call on Mr. Biggs--we'll give you time too--
does anyone else have a wish to respond?
    Dr. Shark.
    We're being a little easy today, Mr. Biggs, today, so we 
will give you extra time if you wish it as well.
    Thank you.
    Dr. Shark.
    Mr. Shark. Thank you. I'll be very brief.
    There is a lag here. I think that's the point made. I mean, 
all of a sudden we're talking about customer experience, which 
is a relatively new thing in the government realm. This was 
something that was embraced by the private sector because they 
were trying to attract and maintain customers. I have seen an 
attitude that's luckily and happily changing where we've had 
many senior public managers say: We have a captive audience. We 
don't have to worry about that. We're not fighting to get 
people away from Coca-Cola to Pepsi-Cola or anything like that. 
They're here. They're going to be here no matter what we do.
    That is changing.
    We have even begun a program on digital service 
professionals that's a certification program, and we see more 
awards programs that are recognizing, Center for Digital 
Government and ours, we're recognizing best practices and the 
word gets out. So, as I once taught a class and I talked about 
the CX experience, I had to first remind people we're not 
talking about a railroad. Now, CX--we have CX officers.
    So, yes, we've been slow to the gate, but it's starting to 
happen. I think there's going to be much more innovation about 
the user experience in our websites.
    Mr. Connolly. Ms. Takai, briefly if you wish to comment.
    Ms. Takai. Just a couple of comments. Thank you.
    One is just in answer to the question around what's 
happening out there to drive a different behavior, just one of 
the things that we do at the Center for Digital Government is 
actually a set of government experience awards. In fact, we're 
just in the process now, and those awards are totally based on 
a different citizen experience and driving a different citizen 
experience, not only on how you interact on the web but also 
utilization of mobile devices and utilization of the new 
technologies that are out there.
    The second comment that I think is so important to make as 
we think about being citizen centric is, to your comment, in 
the past, each individual agency or department within a 
jurisdiction, be that state or local, tended to think of 
pushing their information out and pushing it out based on their 
identity, if you will, in the services they provide.
    What's changing now is the concept, as the other speakers 
have said, of not thinking about how government is organized as 
a way of putting information out, but rather what the citizen 
needs and what are the services that the citizen needs. And 
that's a very big change. We're seeing a lot of progress. For 
instance, it was mentioned before in the state of Pennsylvania 
where the Governor has actually come out and specifically put 
out an executive order around how the services of Pennsylvania 
would be provided.
    But it really means that complete look, both from not just 
the technology but also from the agencies and departments, that 
they take the attitude of not what does the citizen need from 
me, but what does the citizen need across government and what 
do they need in terms of what's coming completely from my 
jurisdiction, not just one part of that jurisdiction.
    Mr. Connolly. Great point. Thank you so much.
    Mr. Biggs, thank you for your courtesy. You are recognized.
    Mr. Biggs. Thank you, Mr. Chairman. I appreciate the 
opportunity to be here today, and you could--if you need more 
time, I'm happy to yield it to you, Mr. Chairman.
    To me, I have been reflecting on this since I received the 
notice of this hearing, and having served a long time in the 
state legislature of my home state, it seems to me like so much 
of what I'm going to say revolves around what I would call an 
almost tautological circle of the relationship between the 
Federal Government and the state and local governments.
    So, when Mr. Robinson says that--or excuse me, the previous 
member who was asking questions when my friend from California 
was talking about big state budgets, they're big state budgets 
all right. Prior to the COVID relief that came into Arizona, I 
had a pretty good idea what that number would be from the state 
revenues as well as the Federal money coming in. But the 2020 
study by the National Association of State Chief Information 
Officers found 22 percent of States allocated between one and 
two percent of their total budget to cybersecurity and 20 
percent allocated three to five percent of their total budget 
to cybersecurity.
    So why do I say ``tautological''? In Arizona, we spent most 
of our time in the legislature responding to Federal mandates, 
how do we comply, how do we fund, et cetera. And then, when 
Federal money came in, I would encourage my colleagues, let's 
not take the money maybe because mandates are going to be 
coming in for sure, and we could give dozens and dozens of 
examples where we got a mandate, we received some money, but it 
was never enough.
    So, there's a squeeze on to the states on how do you supply 
all of the needs that your citizens expect you to supply. 
Whether they're constitutional or not, they expect you to 
supply those.
    So, the reason that I bring this up is I think in some ways 
this isn't the right venue for the states and local 
jurisdictions. That's their business. I remember thinking when 
I was the Senate President for years, we would really like the 
Feds to get out of our business. We think we could hire the 
best people to do the best job we possibly could, but we have 
mandates upon us, and then you have state procurement statutes 
which also impact how you do all of these things.
    So, for me, when the Feds get involved, it makes things 
usually even more difficult for states and local jurisdictions 
to respond and not--we don't facilitate stuff. We get in the 
way. And so that's part of my problem in looking and analyzing 
this hearing today and reading----
    Mr. Connolly. Can I interrupt, Mr. Biggs?
    Mr. Biggs. Only if you're going to agree, Mr. Chairman.
    Mr. Connolly. I am agreeing with you.
    I want you to take a look at my Partnership Act that Rod 
Bishop of Utah had been the original cosponsor of because we 
try to address this very issue of, well, what should be the 
right balance and how do we create a platform for states and 
localities to bring up exactly the point you just brought up, 
the helpfulness of the Federal Government, which isn't always 
helpful.
    Mr. Biggs. Yes. I mean, Mr. Chairman, not to digress, I 
know I promised the ranking member I would yield to him, and I 
will, but I can just give you examples within the education 
playground. I mean, we were--there was no way we could comply. 
If you went to our Department of Education, something like 85 
percent of employees were responding to Federal mandates as 
opposed to state-driven policies. So, it's something worth 
considering and looking at.
    Mr. Connolly. Absolutely. And I really urge you to look at 
this bill because at least it would create a mechanism for 
addressing it. And, by the way, it might surprise you, I agree 
with you. No Child Left Behind is a great example of a Federal 
unfunded mandate, good intentions going awry, and whoever wrote 
it clearly never ran a school district.
    Mr. Biggs. Exactly. Thank you.
    Mr. Connolly. I thank my friend for yielding.
    Mr. Biggs. Thank you.
    And I yield to the ranking member. Thank you.
    Mr. Hice. I thank both of you.
    You know, I've heard it over and over from states and 
individuals. Some of the most frightful words people ever here 
is, ``I'm from the government, and I'm here to help you.'' And 
that certainly applies to states as well.
    But let me just capitalize on what Mr. Biggs said. With 1, 
2, 3 percent of the enormous amounts of money the Federal 
Government has given states, only 1, 2, or 3 percent go into 
cybersecurity. What percentage, what role, what influence, Mr. 
Robinson, do you think that has had on the astronomical 
estimates of fraud that we've had when we've gotten no 
security, no cybersecurity? How has that contributed to the 
fraud, the $400 of billions and billions, 400----
    Mr. Robinson. Representative Hice, I'm not sure there's any 
way for us to determine that. Certainly our members in our 
association haven't looked at that direct relationship between 
that. However, I can tell you that, in many cases, fraud is 
outside of the general oversight of the cybersecurity programs 
and would include generally under what would be termed program 
integrity within each of those programs, so within unemployment 
insurance, within Medicaid, and other programs delivered by the 
state that up until recently have not been under the purview of 
the overarching cybersecurity umbrella within the executive 
branch of most states. So, cybersecurity was really looking at 
infrastructure, looking at networks, or looking at users, 
looking at servers, mainframes, et cetera, and only recently 
have they really begun to look at this as part of a holistic 
whole-of-state cybersecurity framework, which is very important 
to your point.
    So, I suspect that very little across the states, I'll 
speculate that very little of their cybersecurity spending in 
recent years has been spent on fraud, fraud analytics, fraud 
detection, fraud prevention.
    Mr. Hice. And I understand what you're saying.
    And, Mr. Chairman, I will yield back, and I appreciate the 
gentleman yielding.
    Mr. Connolly. If you need more time, Mr. Hice, please, 
because I took up some of his time.
    Mr. Hice. Yes, you took my yield time.
    Mr. Connolly. Yes. Please continue.
    Mr. Hice. But this is an important issue. I mean, the 
fraud, when we're talking the $400 billion, that's off the 
backs of taxpayers, and, I mean, you're saying, ``Well, we 
don't have any way that we're really looking at this.'' I mean, 
that's--this is something that has to be looked at. This is not 
something that we can just say, ``Ah, well, we're not 
responsible for that,'' or, be it cybersecurity, part of it, I 
don't know where the best eyes should be to look at this issue 
of massive amounts of fraud that's taking place. But I'm here 
to say we have a responsibility to look after the taxpayers' 
dollars, Mr. Chairman, and we are--we need a hearing to address 
this problem and to address it right on and find out who are 
the ones taking the money, where is it going, what's the 
channel, and be it the cybersecurity aspect of this or 
somewhere else, we've got to get to the bottom of this.
    And, with that, I'll yield back.
    Mr. Connolly. I would say to my friend, I agree with him, 
and I think we do need to have the subcommittee's attention on 
the subject. I think he and I might want to collaborate on 
getting some empirical data in front of us from GAO and others 
so that we can have a meaningful hearing. But I agree. I mean, 
when you're talking about the sums that we're talking about, 
inevitably, there's going to be waste, fraud, and abuse, and we 
need to identify that on behalf of the people we represent, no 
question about it.
    And I thank my friend.
    Mr. Clyde, you are recognized for your questioning.
    Is Mr. Clyde--oh, he is not with us.
    Mr. LaTurner?
    What's that? OK. Then it leaves me.
    And, Dr. Shark, I got my master's in public administration, 
and the method was the case study method. So, let me give you 
two case studies, and this will be my only question that I'll 
ask all of the panel to maybe comment upon.
    So, one case study is Federal, the Small Business 
Administration. Now, the Small Business Administration 
generally has an annual budget of $20 billion. In April of a 
year ago, we gave it $600 billion and told it move that out in 
a month, 30 times its annual budget, but do it in one month, 
not 12. We also expanded eligibility, who qualifies for those 
loans, and we also said under certain circumstances, under a 
very innovative approach, the PPP, the Payroll Protection 
Program, we might be willing and would be willing to transform 
that grant into a loan--I'm sorry, the other way around--that 
loan into a grant. The object: save mom-and-pops on Main 
Street.
    We also expanded financial institutions that could manage 
those portfolios way beyond the traditional SBA portfolio list. 
And we minimized paperwork and eligibility requirements, again, 
worried about the economy going off the cliff. This came out of 
the CARES Act, which had a huge bipartisan vote here in the 
House and the Senate. And what happened? The E-Tran system, 
their IT system, crashed. They couldn't handle--they had 
trouble programming the changes that were mandated by Federal 
law. They had trouble with the demand that overwhelmed them. I 
mean, even they couldn't foresee how many people needed relief 
or wanted relief, and there was a huge backlog that gets 
created and people who were eligible that we were targeting, we 
wanted to get relief, in fact, didn't because by the time we 
got--you know, SBA got to that part of the queue, it was too 
late. And that's one case study of, I think, where IT failed 
us, where we hadn't made the investments or anticipated the 
investments necessary to keep up with, you know, the need for 
flexibility and enormous demand under circumstances, granted 
not foreseeable.
    But, second, on a state level, unemployment insurance 
systems. Now, again, the Federal Government changed 
eligibility, added $600 a week for every unemployment payment, 
irrespective of what state you were in. We expanded eligibility 
to sole proprietors, gig workers who previously had not 
qualified for unemployment insurance. We extended the number of 
weeks by 12. So, we changed eligibility and terms and 
conditions, loosening it up, again in the spirit of save the 
economy, try to keep people, you know, in their homes, put food 
on the table, keep families together, and save the economy.
    And, again, under unemployment, you have got 50 different 
IT systems because we don't distribute unemployment; they do. 
And my anecdotal observation would be it was not a pretty 
picture out there. Some states maybe did well, but most did 
not. And I'll speak for my own state of Virginia, you know, we 
had problems. We had problems programming it and, frankly, 
getting that assistance to the people who needed it. And, I 
don't know about your state, Mr. Hice, but maybe they struggled 
too.
    Now, granted, you know, unprecedented circumstances, but 
what became clear was they were also paying a price for years 
of neglect and disinvestment.
    So, I give you two case studies, one state, one Federal. 
What have we learned from that? How do we do better moving 
forward? What lessons did you all learn from or do you think we 
should learn from? I'm using those two examples. There could be 
others and feel free to throw in others if you wish. But I'll 
give you those two case studies to start with, and then I'll 
shut up.
    Dr. Shark?
    Mr. Shark. Well, you raised some really good issues here. I 
have a couple of responses, and this cuts across the board with 
local, state, and Federal Government, and that is often IT is 
brought to the table kind of late in the game. We hear this at 
the local level. We hear it at the state level and the Federal 
level.
    So, you have a group of people who have a great idea, great 
concept with all of the right ideals, and then all of a sudden 
it's passed, and then suddenly technology is brought into it as 
almost an afterthought with the idea ``they will be able to do 
it, no problem,'' and there is a problem at every level of 
government. I see this at local governments, where local 
government fire department, police department get a wonderful 
grant. They say: Go, we just got this new device, a new toy, 
new software, go implement it.
    Well, wait a minute. Have you checked it out? Is it 
compatible with our existing network?
    So, part of the problem is when IT is brought in to at 
least give feedback as to what this may entail. And, second, I 
think the pandemic has shown us at every level of government, 
we have to be more agile. We don't have agility built into our 
systems. So, we're adding that to legacy systems that plague 
all of us. Look at the Social Security Administration. I mean, 
look at all of the different agencies that are dealing with 
programs that we can't even find programmers to program. It's 
easier to find someone with hieroglyphics than it is for 
Cobalt.
    So, we have a problem. We've got to modernize with the idea 
of making all of these systems capable of rapid change, and 
today they are not.
    Mr. Connolly. Ms. Takai, I think maybe you could comment 
next because you talked about a whole-of-government approach, 
which to me also implies you've got to view IT as integral to 
the mission. It's not--you know, it's not something that's an 
ancillary thought, and that drives investments as well.
    Your comment?
    Ms. Takai. Absolutely. That's exactly where my comments 
were going.
    I think that very often bills and legislation, while it's 
important to focus on what goes to the citizen, it's important 
to also focus on the mechanisms and the timeframes in order to 
make sure that there's the underlying technology and process 
infrastructure to be able to support that.
    I would give you an example that many of the states' issues 
weren't just around the technology of getting the dollars out 
there. It was around things like call centers and people able 
to answer citizen questions in a meaningful way.
    So totally, you know, back to my prior comments, it is 
important that--and this isn't just crisis funding, but any 
funding, whether it comes from the Federal Government, down to 
the states, whether the states allocate it or it's allocated at 
the local level, there has to be the ability, as Dr. Shark 
said, to bring the technology people in at the beginning, 
include the technology cost in the cost of the administration 
of that program and include the technology and the processes as 
a part of the timeline that those services are going to be 
deployed. Because I think, without that, you run the risk of 
putting in short-term measures, short-term processes and, 
worse, short-term technology, even if the technology platform 
is ready, that then leads to the challenges of it not being 
administered correctly and, in fact, leads to challenges around 
potentially misappropriation, if you will, of the way that 
those funds are being distributed.
    So, I can't emphasize enough, No. 1, technology has to be a 
critical part of the administration of these programs, and that 
has to be done in partnership with the processes that are 
developed by the organization that is responsible for those 
funds, and those two together really need to be a part of 
establishing the timing and the method for distribution of 
services to citizens.
    Mr. Connolly. Thank you.
    Mr. Robinson. And then, Ms. Renteria, you will have the 
last word.
    Mr. Robinson. Thank you, Mr. Chairman.
    I certainly concur with my colleagues about some of the 
challenges and some of the potential remedies.
    I think what I would comment on is your two case studies 
were termed ``IT failures,'' and I think that's a term that we 
hear often used. If those two projects had been successful, we 
might called them business successes or program successes. But, 
in fact, they're often termed IT failures, and it's a much 
broader discussion than simply IT. Project management, 
streamlining the process, bringing the technology experts in 
are all critical to that, and I think there's certainly one 
word that Alan used, ``agility,'' and that's going to be the 
hallmark of the future.
    My basic comment would be that, in order to address some of 
these issues, when you look at state governments, a large 
percentage of their technology budget is the result of 
complexity and diversity, and that complexity and diversity 
causes challenges, and that is what we really need to focus on, 
reducing and streamlining the business process, and, again, we 
would then be not terming these IT failures. We might be 
talking about, you know, a failure of leadership, a failure of 
project governance, a failure of adequate resources. But, 
again, IT is just one component of these dysfunctions that have 
occurred. You know, certainly there has been an epiphany within 
the state governments around the need to scale and around to 
modernize, and certainly from our association, that's what we 
hope we will see in the very near future as state governments 
address these deficiencies.
    Mr. Connolly. Yes. And before I call on Ms. Renteria, one 
could add, if you're worried about privacy and you're worried 
about encryption and cybersecurity and you're worried about 
minimizing fraud and ransomware, modernizing your IT is not 
incidental to all of those goals.
    Mr. Robinson. Right.
    Mr. Connolly. Ms. Renteria--and I misspoke--I said you're 
going to have the last word, and you're going to have the last 
word on my round of questioning, but we have been joined by the 
Congresswoman from the District of Columbia, we're so grateful, 
so once you finish answering, Ms. Renteria, Ms. Norton will 
have the final word of this hearing.
    Ms. Renteria.
    Ms. Renteria. Well, thank you. And I never mind waiting for 
other Members of Congress to have questions or speak as well, 
so I'm open to more questions if that's the case.
    I want to pick up where you left off, which is the way we 
design our programs is absolutely with cybersecurity and 
security in mind. As an example, we often talk about 
cybersecurity as a world that is different than the program 
implementation. And I have to tell you, when we talk to states 
all across the country who want to partner, they're No. 1 issue 
is cybersecurity. It's why we have states who want to integrate 
nine different safety net programs, make it easier for the 
user, and also allow them on the back end an ability to 
actually track what's happening. Instead of having nine 
different cybersecurity teams for nine different programs, you 
can have one collective talented team.
    In addition, when you do that, when you improve the 
modernization of it and you can see the data, it allows you to 
see the spikes. So, if there's a fraud problem, if something is 
happening--as an example, when we started the pandemic, we were 
able to see in our food assistance programs in the state of 
California, we were able to see that spike and actually called 
California and said: Hey, you will have to be ready for what is 
coming at you because we are seeing an uptick in applications 
like we've never seen before, so here is what is coming to you.
    So, I don't want to--I want to make sure that those two are 
married and that we understand by making systems smoother and 
user friendly, people-centered, you actually are improving the 
ability to see fraud. It's why Bank of America tells you they 
see something weird in your activity as a first step of 
security.
    The second or the last point I want to make is I want to 
end with, again, where I began, with this case study of 
pandemic EBT. There were two things that were incredibly 
important in that moment. No. 1, everybody, states all across 
the country, were very clear on being kid-centered and really 
oriented that program around that. But the second piece that 
was really important in that moment is it was iterative.
    So, as we were going through it in real-time for six months 
together, we were talking very closely with USDA. We were 
talking very closely with state leaders and saying what are the 
key barriers here and how can we at least temporarily move 
those so that we can get to kids better, faster, and we can 
actually look at the data and see what's going on.
    I want to not make sure that this committee, that as we 
talk about technology going forward, that we don't lose sight 
of what's been learned in a moment of crisis because I think 
there are some incredibly positive lessons to be learned where 
we can change our government to be people-centered, iterative, 
and the last thing I want to say is proactive.
    What we saw in one of our states was that they learned that 
a government can be proactive, and they learned about 
notifications, and when the pandemic happened, they actually 
proactively sent out notifications to food stamp recipients, to 
food assistance recipients and said: If you are struggling, 
here is where you can go.
    That's the kind of government I think we all want to see is 
when it shows up at your moment of crisis and says: We know who 
you are. Here is where we can help you. You've been in our 
system before.
    That allows you to then own the relationship and make sure 
that not only is it user friendly, but you can see what's 
happening on the data and when there are problems as well with 
fraud.
    Thank you very much.
    Mr. Connolly. Great points. Thank you so much.
    And our final member questioning is Congresswoman Norton of 
the District of Columbia.
    Ms. Norton. I thank you very much, Mr. Chairman. I really 
thank you for this hearing.
    I was out in the district and wanted to get back in time to 
ask a question because I have been struck by how the pandemic 
has led to the rise of digital government. I mean, we're using 
it right now. Before the pandemic, I would have been sitting 
right there in the hearing room, and here I am in my office, 
and I think most Members have been, and asking questions. So, 
the pandemic wasn't good for a great deal, but as with any 
crisis, it has moved us forward, at least in this way. It 
certainly led to digital innovations that have become popular 
because of the pandemic.
    For example, many states moved simple interactions or 
transactions with departments like the Department of Motor 
Vehicles, like renewing drivers' licenses and vehicle 
registrations to online. Without the pandemic, I'm not sure we 
would have moved to that simple innovation. We had the 
technology right there, but we would never have used it.
    Let me ask, Mr. Robinson, could you briefly describe other 
examples? I have given you the example of the Department of 
Motor Vehicles going online to renew licenses. Could you give 
perhaps other examples of states digitizing critical services 
during the pandemic?
    Mr. Robinson. Yes, certainly, Congresswoman Norton.
    There are a number of examples, and we were very proud of 
our states, you know, the transformation and the resiliency 
that they showed during the pandemic and many of them moving 
very quickly. So, a few quick examples. One was the adoption 
very quickly of virtual agents or chatbots on their websites. 
They knew that they could not handle the magnitude, the crush 
of citizens coming in, particularly in the unemployment space, 
and so they, within a matter of days, implemented chatbots or 
virtual agents to help answer those questions; streamlined some 
of their services through robotic process automation, again, a 
component of artificial intelligence; deployed voice bots to be 
able to answer calls in their call centers because, again, they 
were overwhelmed, and so they were using technology. We saw 
many, I think after the magnitude of fraud was recognized, 
moved to automated fraud detection analytics, simply just not 
enough eyeballs within the state employee ranks to be able to 
monitor the fraud that was taking place, and they needed to 
automate that and, again, under an overwhelming demand that we 
saw.
    And I think, finally, one area that has seen a strong level 
of adoption is low-code/no-code development, and I think that's 
going to be very, very promising. We see that, kind of an 
emerging technology that's going to be used across the states, 
and it provides the ability to be able to, in a Lego block type 
of fashion, build applications that can be deployed very 
quickly to serve citizens. So, we see that as another area.
    But, again, I think these are all part of the 
transformation and innovation that we've seen and accelerated 
adoption. And since we were tracking those with our surveys, we 
had a baseline in 2019, particularly around things like virtual 
agents, and we could see the dramatic adoption move from less 
than a quarter of the states to over 80 percent move very 
quickly. So, we knew that innovation was taking place at the 
state government level.
    Ms. Norton. Thank you. Those are interesting examples.
    Mr. Robinson mentioned websites. Ms. Renteria, during the 
pandemic, what have we learned about the importance of making 
government websites more accessible and user friendly?
    Ms. Renteria. We learned--I would say we learned how they 
weren't user friendly and accessible. That was the really hard 
part throughout this pandemic is governments really had a 
chance to take a look at what was happening.
    The other thing I just want to point this committee to is 
Code for America did a 50-state-wide study scorecard, if you 
will, about safety-net benefits, and through that you're able 
to see what was online, how easy to use is it, and that got a 
lot more pickup during the pandemic because people were trying 
to figure out where can I go, which states are working, which 
states aren't working.
    But the other thing I want to also point out is we were 
part of Get Your Refund, a VITA or EITC, VITA sites, which are 
Volunteer Income Tax Assistance sites, all had to go from in-
person to online, and they did. Many of them figured out that 
process. And when you think about accessibility to working 
families, to folks who are eligible for EITC or now the Child 
Tax Credit, it has been a huge step function for a lot of these 
volunteer assistance programs to really think of themselves as 
in-person and now online. And I hope that we take that with us 
as we go forward as well as a lesson that if you are in person, 
you can actually even access more people if you can figure out 
a way to reach them online. And we look forward to talking to 
this committee about how to continue to do that kind of work.
    Ms. Norton. Dr. Shark, what areas of state and local 
digital infrastructure are the most critical focus? How has the 
pandemic highlighted needed improvements in these areas, state 
and local digital infrastructure?
    Mr. Shark. Thank you, Ms. Norton.
    I would like to--my next book should be ``You're on Mute: 
Lessons Learned from Local Government.'' I think all of us, all 
of the panelists here today really are in awe of all of our 
public managers that we work with every single day at local 
government.
    Now, my focus is mostly local government, but I observe 
what's going on in the state as well, but they really pivoted 
and came up with some very inventive workarounds. Now, I don't 
want to leave here saying there's no work to be done, but I 
also want to leave here by saying we haven't done a fantastic 
job up to this point.
    At the local level, we spend a lot of time collectively 
looking at solutions to enable citizens to be able to find 
places of testing and what are the requirements, and we too 
adopted chatbots and came up with all sorts of automated 
workarounds when you have these routine questions over and over 
again so we could field questions, and they were rated very 
highly.
    And then we went the next step and found ways in which to 
help people map out and help them plot where they would go for 
a vaccination, even to the point where they had waiting lines 
and countdown timers to give people when is the best time to go 
if you didn't have an exact appointment.
    So, between the pandemic, where we had to have the 
extraordinary allowances for these new kinds of services, we 
still had to keep business of government going, and we did that 
because, at the local level, we're doing marriage certificates, 
death certificates. We're doing birth certificates. We're doing 
all of these things that have to occur every single day. For 
construction, all the permitting, all the real estate 
transactions, it went on without a miss, and that is pretty 
amazing.
    Now, did we take some hits on the cyber end? Yes, because 
as we moved 60 to 80 percent of our work force to a remote 
environment, we became even a more attractive target to those 
criminal elements. So, yes, there's a lot of good stuff 
happening, and I'm thanking that you're asking this at the 
close because there is some very, very positive and good news. 
And, yes, we want to learn from this. There are things that 
have been exposed that we want to address, but where there's 
political pressure, there is change. And so a lot of things 
that we're wrestling with we're seeing definitely a willingness 
to think differently, to operate differently and, hopefully, to 
spend differently.
    Thank you.
    Ms. Norton. Thank you, Mr. Chairman. This is very 
enlightening.
    Mr. Connolly. Thank you so much, Ms. Norton.
    And I will just say, Dr. Shark, in listening to you, I 
think it is important to note that between the CARES Act and 
the COVID Relief Bill we passed earlier this year, you're 
talking very substantial moneys floating to states and 
localities finally, and I supported it, and I come from local 
government too. But it would be great if states and localities 
used some of those resources to set aside for IT investment, 
which can clearly be justified given the litany you just went 
through. These are COVID-related activities that had to be 
transferred to a technology platform that allowed us to do it 
remotely. And so it's a perfect time with resources to upgrade 
those systems and to protect them, and I hope states and 
localities will use the opportunities to do just that because 
that will have a long-term return on it. And it's--you know, it 
can be a one-time investment and not get baked into the 
baseline of their budgets.
    I want to thank our panel for really a thoughtful 
discussion and wonderful testimony, and you have been great 
resources, and we're going to call on you for followup because 
you have provoked some really great thoughts today, and the 
subcommittee certainly wants to continue down this line in 
terms of lessons learned from the pandemic and how can we do 
better and what were best practices that emerged during this 
pandemic and what were lessons learned that maybe weren't so 
great so that we're not repeating the cycle.
    Without objection, all members will have five legislative 
days within which to submit additional written questions for 
our witnesses through the chair, which will be forwarded to the 
witnesses for their responses, and we would just request that 
our witnesses do their best to respond as expeditiously as 
possible to any such questions.
    With that, this hearing is adjourned.
    [Whereupon, at 12:03 p.m., the subcommittee was adjourned.]

                                 [all]