The Price of Not Knowing

Cybersecurity, AI contracts, and the discipline Guam's government keeps skipping

By Samuel S. Kim
May 28, 2026
Two legislative proceedings and one AI contract reveal what happens when government appropriates $890,000 for cybersecurity while simultaneously signing an AI deal with no data security provisions — not out of malice, but because no one paused to ask the right questions in the right order.

There is an old carpenter's maxim that applies well beyond woodworking: measure twice, cut once. The cost of careful preparation is always less than the cost of rework, waste, or a structure that does not hold. In governance: define the problem, plan the solution, estimate the cost, and only then commit public funds. Skip any step and you risk spending money you cannot account for, on results you cannot measure, against a problem you never fully understood.

Two recent proceedings at the Guam Legislature — a committee hearing on a cybersecurity appropriation and an oversight hearing on the Office of Technology — reveal what happens when this discipline is absent. Together with an AI services contract executed by the Committee on Rules, they form a case study in how a government can appropriate $890,000 for cybersecurity while simultaneously signing an AI contract that contains no data security provisions at all — not because anyone intended harm, but because no one paused long enough to ask the right questions in the right order.

The first step in solving any problem is understanding what the problem actually is. Not the symptoms. Not the anecdotes. The problem — defined precisely enough that a solution can be designed, costed, and evaluated against it.

On February 16, 2026, the Committee on Finance and Government Operations held a public hearing on Bill No. 262-38, a measure to appropriate $890,000 from excess General Fund reserves for the Legislature's cybersecurity and IT modernization needs.[1] The testimony painted a vivid picture of the symptoms: network hardware dating to the 2016 reconstruction of the Guam Congress Building, firewalls that cannot detect modern threats, a fiscal server that failed in May 2025 and took three and a half weeks to restore because no current offsite backup existed.[2] The Legislature's IT Support Officer described malware infections from compromised USB drives, pirated software inherited from a previous administration, hacked email accounts, and live-streaming failures during public hearings.[3] The Executive Director called the upgrades "not about luxury technology" but about "meeting minimum nationally recognized cybersecurity standards."[4]

These are real problems. But a catalog of symptoms is not a diagnosis. The hearing never established, with the specificity required for responsible spending, which systems were most critical, which vulnerabilities posed the greatest risk, or what the priority sequence for remediation should be. There was no needs assessment, no risk matrix, no architecture review — only anecdotes and urgency, which are powerful motivators but insufficient foundations for an $890,000 appropriation.

Three months later, the OTECH oversight hearing chaired by Senator Telo Taitague provided the broader context that the Bill 262-38 hearing lacked.[5] Acting Chief Technology Officer Bea Santos described an agency stretched to its limits: twenty-one staff members supporting forty agencies on a $5.3 million annual budget, with the government's central data sitting on the first floor of a building in a flood zone.[6][7] The IBM Power 7 hosting all of Public Health's applications, including SNAP benefits processing, has been end-of-life since 2020 and still has not been replaced.[8] OTECH has zero dedicated cybersecurity personnel — no Security Operations Center, no 24/7 monitoring.[9] When a zero-day vulnerability was exploited in late April 2026, defacing multiple GovGuam websites, the vendor's recommended patches were sitting in procurement waiting for a purchase order.[10]

Santos's testimony revealed something more fundamental than a list of broken systems. It revealed a pattern. OTECH's virtual server hardware, purchased in 2018, is already approaching obsolescence — Santos estimated two to three years before replacement.[11] The Legislature's network hardware from 2016 is past its recommended lifecycle. GovGuam buys equipment, runs it until failure, then scrambles for the next appropriation. Every five to seven years the cycle repeats — and each time, replacement costs more, security gaps widen, and procurement takes longer. This is not a problem that another hardware purchase will solve. It is a structural problem — a model of technology ownership that a territory of Guam's size and budget cannot sustain.

The second discipline is planning — specifying what will be done, in what order, with what resources, before committing funds. A fair objection here is that cybersecurity threats do not wait for perfect plans, and that urgency sometimes justifies imperfect action. That is true. But neither the $890,000 appropriation nor the Legislature's AI contract included even an imperfect plan — they included no plan at all. A serious plan serves two functions: it forces the people proposing the expenditure to think through the details, and it gives the people approving the expenditure a basis for judgment.

Neither function was served in the case of Bill 262-38. When Senator Therese Terlaje asked to see the plan — the document that would specify what the $890,000 would actually buy, in what priority, at what cost per line item — she was told no such plan was in front of the committee.[12] The IT Support Officer quoted costs "off the top of my head" when asked about a backup server — somewhere between $10,000 and $20,000 — and acknowledged that item was "not originally in the plan."[13] The Bureau of Budget and Management Research, in its fiscal note, marked "N/A" when asked whether the appropriation was adequate to fund the bill's intent.[14] BBMR could not evaluate what nobody had specified. The committee voted 6-0 to pass the bill anyway.

The absence of a plan is not a minor procedural gap. It is the gap that makes every other gap possible. Without specifications, there is no basis to estimate costs. Without cost estimates, there is no basis to determine whether $890,000 is too much, too little, or roughly right. And without measurable objectives, there is no way — after the money is spent — to determine whether it was spent well.

The same planning deficit appears in the Legislature's AI contract. On or about May 20, 2026, the Committee on Rules executed Contract No. 2638C0025 with TRST-GUAM, LLC for a platform called Talleyrand Systems — an AI-assisted legislative drafting workflow comprising three components: TalleyrandAI for conversational bill drafting, RennaeAI for clerk intelligence review, and a Dashboard for workflow tracking.[15] The total contract value is $198,750 — six monthly payments of $33,125 — with additional write-access seats available at $1,500 per seat per month.[16]

State legislatures across the country are exploring AI for bill drafting and legal research.[17] But the fourteen-page contract contains no technical specifications describing what AI models or infrastructure power the platform.[18] Whether Talleyrand Systems operates on a single commercial large language model with a lightweight interface, or on a sophisticated retrieval-augmented generation architecture indexing the entire Guam Code Annotated with multi-model consensus checking and legal domain training — two architectures separated by orders of magnitude in complexity and value — is unknowable from the contract.[19] The document also contains no data security provisions whatsoever: no clause on where data is stored, no compliance requirement for NIST or FedRAMP, no data residency mandate, no audit right, no breach notification provision, and no restriction on whether user inputs — defined in the contract as "Legislative Work Product" including drafts, bills, and committee reports — will be used to train AI models.[20]

For a government body that simultaneously argues it needs $890,000 for cybersecurity, signing an AI contract with no data security provisions is a contradiction that no amount of good intention can resolve. Without specifications, the public cannot know what the $198,750 buys — and the Legislature apparently did not ask.

Senator Chris Barnett raised the question directly at the OTECH hearing one week later: was OTECH consulted before the contract was signed? Santos confirmed it was not.[21] This is the same agency whose statutory mandate includes reviewing IT projects across GovGuam — the same agency whose staff, at that very hearing, warned legislators to read the fine print on AI contracts and cautioned that many AI products record user data and share it with affiliates.[22] Barnett also noted that the contracting company was reportedly formed around the time the contract went into effect.[23]

The third discipline — and the one most relevant to Guam's long-term technology strategy — is knowing when in-house capacity is insufficient and outside expertise is required. This is not a concession of failure. It is a recognition of reality.

Santos acknowledged at the OTECH hearing that GovGuam cannot compete on salary with federal agencies, autonomous entities, or defense contractors for qualified cybersecurity professionals.[24] The position creation process through the Department of Administration takes roughly six months before recruitment can even begin. Building talent pipelines through the University of Guam and Guam Community College is valuable — the training itself equips individuals with marketable skills. But the economic reality is unforgiving. A cybersecurity analyst trained on Guam and certified to industry standards will find offers from CISA, DoD, Leidos, or Booz Allen Hamilton that GovGuam's classified pay scales cannot match. The island will invest in developing professionals who leave for better compensation — not out of disloyalty, but because labor markets work the way labor markets work. Until Guam can offer salaries competitive with the federal and contractor positions already on island, a strategy built on growing and retaining a dedicated cybersecurity workforce will remain aspirational.

The same logic applies to hardware. Every physical server OTECH purchases begins depreciating the day it is installed. The 2018 virtual server infrastructure needs replacement within two to three years. The Power 7 has been obsolete for six years. The Legislature's 2016 equipment is past its lifecycle. Replacing all of it means another round of capital outlays, another round of procurement delays, and another clock counting down to the next obsolescence cycle.

The alternative is not to abandon technology. It is to stop owning what can be managed by organizations that do it better, more securely, and at a scale Guam cannot replicate. Google, Amazon, and Microsoft employ thousands of cybersecurity professionals whose full-time work is protecting the infrastructure that government data resides on. They operate Security Operations Centers that monitor threats globally, around the clock, using the AI-driven threat analysis that Santos described wanting to build. A managed security services agreement with an established provider would deliver overnight what GovGuam cannot build in years.

Guam does not need to negotiate these arrangements from scratch — the federal General Services Administration has already pre-negotiated contracts with major technology providers at pricing that state, territorial, and local governments can access through cooperative purchasing on the GSA Multiple Award Schedule.[25] Anthropic, Google, and OpenAI are all listed on the MAS, and GSA's eligibility rules explicitly include U.S. territorial governments.[26] Claude for Enterprise and Claude for Government are both FedRAMP High authorized, with contractual commitments not to train on customer data.[27] Claude is also deployable through Amazon Bedrock in AWS GovCloud and Google Vertex with Assured Workloads, both FedRAMP High environments.[28] OTECH already permits Google Gemini and Microsoft Copilot across GovGuam line agencies under enterprise agreements that keep data within the security perimeter.[29] Santos herself recommended these cooperative purchasing vehicles at the oversight hearing as a path to volume discounts and standardized technology.

For Guam specifically, the strategic calculus extends to physical resilience. The island is a major Pacific cable hub — twelve submarine cables currently land on Guam, with more under construction — but that connectivity depends on geographically concentrated landing stations exposed to typhoons, seismic events, and the geopolitical tensions of the Indo-Pacific.[30] AWS Outposts and Google Distributed Cloud offer on-premises deployments that operate locally while synchronizing to the broader cloud when connectivity permits.[31] The cost of a managed cloud environment with local failover, amortized across forty agencies and three branches of government, would almost certainly be less than the aggregate cost of each entity buying, maintaining, securing, and periodically replacing its own hardware.

OTECH would still need local staff to manage provider relationships, coordinate across agencies, and handle end-user support. But managing a cloud environment requires a different — and more broadly available — skill set than the specialized cybersecurity expertise the current model demands and cannot retain.

There is one final discipline that neither hearing addressed, and that the Legislature's technology spending has never practiced: the post-mortem. After the money is spent, after the systems are installed or the contracts fulfilled, someone must ask whether the analysis was accurate, whether the plan was followed, whether the estimates held, and whether the implementation delivered what was promised. The answers must be recorded — not to assign blame, but to build institutional memory.

The cost of not doing this is visible in the evidence itself. When the Legislature's fiscal server failed in May 2025, recovery took three and a half weeks — extended, according to MIS testimony, by the absence of up-to-date offsite backups and the lack of standardized configuration documentation.[32] Had a post-mortem been conducted after prior system incidents — the malware infection from a compromised USB drive, the pirated software discovered on AV department systems, the email compromises — the backup gap and documentation deficit would have been identified and corrected before a critical server failed. Instead, each incident was treated as a standalone event, and each lesson was lost.

The pattern extends beyond individual incidents. Across GovGuam, technology spending follows the same arc — appropriate, purchase, move on — with no record of what worked, what failed, or what cost more than expected. Each appropriation reinvents the process, and each failure reinvents the surprise.

A disciplined post-mortem would change this. It would create a body of evidence, specific to Guam's government, about realistic procurement timelines, actual versus estimated costs, vendor performance, and the useful life of hardware in Guam's climate and operating conditions. The mechanism need not be elaborate: a standardized project closeout report — comparing planned scope, budget, and timeline against actual results — filed with OTECH or the Office of Public Accountability after every technology expenditure above a reasonable threshold. Over time, this evidence base would make every subsequent step — analysis, planning, estimation, procurement — more accurate and more accountable.

The people of Guam deserve a government that invests in technology with the same rigor it would expect from anyone spending someone else's money — defining before proposing, planning before requesting, estimating against specifications rather than anecdotes, procuring expertise honestly when in-house capacity falls short, and reviewing every outcome so that each project makes the next one sharper.

Bill 262-38 and the Talleyrand Systems contract both began with genuine needs. But appropriating $890,000 without an itemized plan, and committing $198,750 to an AI platform with no technical specifications and no data security provisions — from a company with no discoverable track record, without consulting the government's own technology authority — is not modernization. It is spending money that cannot be accounted for, on results that cannot be measured, against a problem that was never fully defined. Good stewardship does not require perfection. It requires the discipline to measure before cutting — and the humility to acknowledge, when in-house solutions cannot keep pace, that better options already exist and are within reach.

Footnotes

  1. Committee Report on Bill No. 262-38 (LS), As Amended, 38th Guam Legislature, Committee on Finance and Government Operations, filed March 5, 2026. Available via the Guam Legislature website.

  2. Ibid. Testimony of Joann Camacho, Executive Director, and Justin Peredo, IT Support Officer, MIS Department.

  3. Ibid., Committee Report Digest, testimony of Justin Peredo and Senator Sabrina Salas Matanane, pp. 4–23 of 27.

  4. Ibid., testimony of Joann Camacho.

  5. Oversight Hearing, Committee on Economic Investment, Military Buildup, Regional Relations, Technology, Regulatory Affairs, Justice, Election, and Retirement, Senator Telo T. Taitague, Chair, May 27, 2026. Testimony of Bea Santos, Acting Chief Technology Officer, OTECH.

  6. Ibid. Santos testified that OTECH manages approximately 350 virtual servers across 25 physical servers in four environments, serving roughly 3,000 users across 40 agencies in approximately 50 locations.

  7. Ibid. Senator Taitague noted OTECH's location in a flood zone with asbestos in floor tiles; Santos confirmed the data center is on the first floor.

  8. Ibid. Santos testified the IBM Power 7 reached end-of-life with IBM in approximately 2020 and still hosts all Public Health applications including SNAP. The Power 11 upgrade is estimated at $500,000.

  9. Ibid. Santos confirmed OTECH has no dedicated cybersecurity personnel; general IT staff handle cyber defense as an additional duty.

  10. Ibid. Santos described the April 2026 zero-day vulnerability attack and noted that the vendor's recommended patches were awaiting a purchase order for support services when the attack occurred.

  11. Ibid. Santos testified the virtual server hardware was purchased in 2018 and estimated it would need replacement "in about another two or three years, or even sooner."

  12. Committee Report on Bill No. 262-38 (LS), Committee Report Digest, testimony of Senator Therese M. Terlaje, pp. 15–21 of 27.

  13. Ibid., testimony of Justin Peredo, pp. 11–12 of 27.

  14. Bureau of Budget and Management Research, Fiscal Note for Bill No. 262-38 (LS), prepared by Aubrey Olivia Reyes, signed by Director Lester L. Carlson Jr., dated February 10, 2026. The adequacy question was marked "N/A."

  15. Independent Contractor Agreement between I Liheslaturan Guåhan and TRST-GUAM, LLC, Contract No. 2638C0025, effective April 1, 2026. Section 1.0(i)(a), Definitions.

  16. Ibid. Section 2.0, Payment Terms ($198,750 total; $33,125 monthly). Section 1.0(ii)(d)(iv), additional write-privileged seats at $1,500 per month.

  17. National Conference of State Legislatures, "Legislative Use of Artificial Intelligence 2025 Survey," August 2025. The NCSL survey received responses from staff in 35 states, Puerto Rico, and the U.S. Virgin Islands regarding their use of generative AI tools for legislative work. https://www.ncsl.org/center-for-legislative-strengthening/legislative-use-of-artificial-intelligence-2025-survey

  18. Independent Contractor Agreement, Contract No. 2638C0025. The 14-page contract contains sections on Definitions, Payment Terms, Availability of Funds, Contract Period, Representations and Warranties, Covenants, Notices, Waiver, Integration, Amendments, Termination, Payment Upon Termination, Governing Law, Remedies, Severability, and Signatures. No section addresses data security, data privacy, data residency, cybersecurity compliance, or breach notification.

  19. A basic AI interface wrapping a single commercial LLM with legislative prompting could be built for a small fraction of the contract price. A retrieval-augmented generation (RAG) system indexing the full Guam Code Annotated, Guam Administrative Rules and Regulations, and 50-state legislative databases — with multi-model consensus checking and legal domain validation — would represent a materially more complex and valuable product. The contract does not describe which architecture applies.

  20. Independent Contractor Agreement, Contract No. 2638C0025, Section 1.0(i)(d) defines "Legislative Work Product" as "drafts, bills, collaborations, reports, and other legislative documents, data, and outputs created by Authorized Users through the Platform." No provision restricts the contractor's use of this data for model training or other purposes.

  21. OTECH Oversight Hearing, May 27, 2026. Senator Chris Barnett asked whether OTECH received any communication from the legislative body regarding the AI platform procurement. Santos responded: "No, we did not."

  22. Ibid. Michael Ford, Systems Programmer, OTECH, testified that AI products may record IP addresses, save all input data, and share it with affiliates, urging agencies to "read the fine print." Staff member Nicole Nelson concurred on the risks of untested vendors.

  23. Ibid. Senator Barnett stated during questioning that the contracting company "was formed the day the contract went into effect, or a couple days before."

  24. Ibid. Santos stated: "We're not going to be able to compete with even other autonomous agencies and for sure the federal agencies here." She proposed university pipeline programs as a partial mitigation but did not address the retention gap.

  25. U.S. General Services Administration, Multiple Award Schedule, Cooperative Purchasing. State, local, tribal, and territorial governments are eligible to purchase through the GSA MAS. https://www.gsa.gov/buy-through-us/purchasing-programs/multiple-award-schedule/onegov. For context on pricing aggressiveness, GSA's OneGov agreement with Anthropic makes Claude available to federal agencies for $1 per agency per year (https://www.gsa.gov/about-gsa/newsroom/news-releases/gsa-strikes-onegov-deal-with-anthropic-08122025); the MAS pricing available to territorial governments would be separately negotiated but still competitively pre-set by GSA.

  26. U.S. General Services Administration, Eligibility Determinations. GSA's eligible entity categories explicitly include "U.S. federal, including U.S. territories" and "U.S. state and local" governments, as well as "tribal or territorial governments." https://www.gsa.gov/policy-regulations/policy/acquisition-policy/eligibility-determinations

  27. Anthropic Privacy Center, "Is my data used for model training?" Updated March 2026. "By default, we will not use your inputs or outputs from our commercial products (e.g. Claude for Work, Anthropic API, Claude Gov, etc.) to train our models." https://privacy.claude.com/en/articles/7996868-is-my-data-used-for-model-training

  28. Anthropic, Public Sector FAQs. Claude for Government, Claude via Amazon Bedrock in AWS GovCloud, and Claude via Google Vertex with Assured Workloads are all FedRAMP-High authorized. https://support.claude.com/en/articles/13756069-public-sector-faqs

  29. OTECH Oversight Hearing, May 27, 2026. Santos confirmed OTECH allows only enterprise-level AI agreements (Google Workspace Gemini and Microsoft 365 Copilot) across GovGuam line agencies, as the enterprise agreements limit AI use within the government perimeter.

  30. GTA TeleGuam, Cable Landing Station on Guam. GTA reports 12 current submarine cables connecting Guam to major Asia-Pacific population centers, with additional cables under construction. https://www.gta.net/cable-landing-station

  31. AWS Outposts provides on-premises AWS infrastructure for hybrid cloud deployments (https://aws.amazon.com/outposts/). Google Distributed Cloud offers managed hardware and software that extends Google Cloud to the customer's location (https://cloud.google.com/distributed-cloud). Both support operations in disconnected or intermittent connectivity environments.

  32. Committee Report on Bill No. 262-38 (LS), MIS presentation slides, pp. 19–22. The May 2025 fiscal server incident was attributed to "operating system failure caused by prior system misconfiguration under a previous MIS administration." Recovery was extended due to "the absence of an up-to-date offsite backup system" and "configuration inconsistencies and lack of standardized documentation."
