Once again the federal government is looking at ways to improve its own cybersecurity, and once again the legislation is a good news/bad news effort. The good news is that members of Congress now recognize the importance of cybersecurity training. The bad news is that the bill's sponsors fall short: they do not understand the need for ongoing training, as opposed to the once-a-year training the bill calls for. Cybersecurity training is a great idea, but if you're going to do it, do it right the first time.
The bill, H. Res. 355, sponsored by Rep. Kathleen Rice (D-NY) and Rep. John Katko (R-NY), makes the following changes to Clause 4 of Rule II of the Rules of the House of Representatives:
1. The Chief Administrative Officer shall carry out an annual (emphasis added) information security training program for Members (including the Delegates and Resident Commissioner), officers, and employees of the House.
2. A new Member, Delegate, Resident Commissioner, officer, or employee of the House shall receive training under this paragraph not later than 30 days after beginning service to the House.
3. Not later than January 31 of each year, each officer and employee of the House shall file a certification with the Chief Administrative Officer that the officer or employee completed an information security training program as established by this paragraph.
While the goals of this bipartisan bill are noble, it fails to address the key message security experts have been repeating for years. Simply put, annual training doesn't work. Training needs to be ongoing, engaging and, sometimes, completely unexpected. Training needs to reach the "students" on a personal level, making security part of their daily experience. Sitting every House employee down for yet another training session once a year will get you exactly the results security professionals would expect: none.
While we applaud Congress for recognizing the need to train staff on the vast array of cybersecurity concerns, an annual training session is simply insufficient. One cannot train staff to identify the many forms of phishing, business email compromise, and other social engineering attacks in a single session, even if it lasts all day. The Congressional Cybersecurity Training Resolution of 2019 is doomed to fail, and that is disappointing.