A bipartisan bill proposed last month by New York representatives Kathleen Rice (D) and John Katko (R) would require members of Congress to receive annual cybersecurity and IT training.
H.Res. 355, the bipartisan Congressional Cybersecurity Training Resolution of 2019, is intended to help ensure that all House Members and staff are fully aware of the rising threat of cyberattacks and have the knowledge and skills they need to protect the integrity of data and information on government systems. New Members would be required to undergo this training within 30 days of beginning service to the House, and all Members would be required to complete annual training by January 31 of each year.
“Cyberattacks continue to pose a growing and vexing threat at nearly every level of government and Congressional Offices are no exception,” said Representative Kathleen Rice. “If we want to effectively counter those threats, then we need to make sure Members of Congress are equipped with the tools and knowledge to play an active role in this fight. Our employees and House officers are already required to take mandatory information security training, and it’s past time that Members are held to the same standard and bear the same responsibility.”
“Americans in the private and public sector are increasingly susceptible to cybersecurity attacks. Elected officials serving the House are no exception,” said Representative John Katko. “Members of Congress must be able to properly identify these risks. The staff in my official offices, as well as staff in every House office, are required to complete mandatory cybersecurity training. It is imperative Members of Congress do the same.”
While the Internet Security Alliance applauded the legislation, Larry Clinton, president and CEO of ISA, made a valid point. In a blog post, Clinton said, “The key question is WHAT do we need to teach them about cybersecurity? Most Members of Congress are digital immigrants, meaning they were not born into the digital era they now inhabit – and govern in. While typically highly knowledgeable about the various subject matters that formed the basis of their careers, they are generally not schooled in the unique issues that govern the new digital landscape, including cybersecurity.”
He stressed that senior government officials are not and should not be trained to be “mini CISOs.”
Clinton also suggested that Congress look at the National Association of Corporate Directors (NACD), which has offered a program based on its Cyber Risk Handbook for Corporate Directors that identifies the appropriate role for senior executives in managing the cyber issues affecting their broad and diverse environments.
“The NACD model is the only set of principles and standards in the cybersecurity environment that has been independently assessed and found to be effective,” Clinton said. “Specifically, PricewaterhouseCoopers (PwC) analyzed the NACD model as part of its international Global Information Security Survey and found that it increased cybersecurity budgets, enhanced cyber-risk management, created closer alignment between cybersecurity and overall organizational goals, and helped create a culture of security within organizations that used the handbook principles.”
Shlomi Gian, CEO at CybeReady, questioned the legislation, as well, saying, “The average human brain has no capacity to memorize facts taught during a single, relatively long, annual training. A better training practice includes on-the-spot training that is triggered when we have the employee’s full attention – at the moment that he or she fails to detect a simulated attack. We call that the golden moment and careless employees do not forget it quickly.”
Congress and the Trump Administration should pass the Rice-Katko bill. Yet, they should also insist that the training follow successful models and engage industry leaders, to not only provide the right type of training, but also to expand cybersecurity training beyond Congress to all members of government executive agencies.