Congress is no stranger to cybersecurity laws; it’s just a stranger to writing them correctly. Currently there is a new bill designed to promote cybersecurity training for congressional staffers. That’s the good news. The bad news is that it is doomed to fail for all the same reasons most corporate training fails.
If those who write cybersecurity bills spent a few minutes listening to experts in the security training industry, they would learn that effective cybersecurity training first requires unlearning “good habits” such as holding doors open for strangers or responding quickly to requests for help. Instead, cybersecurity training teaches that the person being asked to do the “good deed” must first ensure that the asker has the right to make the request and can be authenticated by the corporate security system.
H. Res. 355 calls for annual cybersecurity training that will likely cover everything from phishing and social engineering to business email compromise and cybersecurity hygiene. Will it include all the nuanced training employees need so they are not tricked into launching malware or falling for a social engineering attack? Of course not; you can’t do all of that in a single annual session.
The bill, sponsored by Rep. Kathleen Rice, D-NY, and Rep. John Katko, R-NY, includes the following changes to Clause 4 of Rule II of the Rules of the House of Representatives:
1. The Chief Administrative Officer shall carry out an annual (emphasis added) information security training program for Members (including the Delegates and Resident Commissioner), officers, and employees of the House.
2. A new Member, Delegate, Resident Commissioner, officer, or employee of the House shall receive training under this paragraph not later than 30 days after beginning service to the House.
3. Not later than January 31 of each year, each officer and employee of the House shall file a certification with the Chief Administrative Officer that the officer or employee completed an information security training program as established by this paragraph.
These are lofty goals, but frankly, annual training just doesn’t work. Training needs to be ongoing, engaging and, sometimes, completely unexpected. It needs to reach staff on a personal level, making security part of their daily experience. Instead of planning ongoing training tied to regular anti-phishing exercises and red team tests that confirm users are actually learning, we get a watered-down training session that, like so much else Congress does, makes noise but no difference.
In today’s polarized political environment, this is not surprising. It is likely that many people fear training exercises will be used for political advantage by whichever party is in power. If we cannot trust our Congressional IT staff to stay free from politics and to train Congressional employees correctly to protect the nation from nation-state interference and general social engineering mayhem, how can we trust anyone to protect the nation? Alas, the Congressional Cybersecurity Training Resolution of 2019 is doomed to fail, and that is disappointing.