A bill introduced last week requires all members, officers and employees of the U.S. House of Representatives to undergo annual cybersecurity training.
The Congressional Cybersecurity Training Resolution of 2019 is sponsored by Rep. Kathleen Rice and Rep. John Katko. It requires the U.S. House’s Chief Administrative Officer to carry out annual cybersecurity trainings to ensure that members and staff are aware of the threat of cyberattacks and have the knowledge and skills needed to protect government systems.
This type of training is already required for House employees and officers, but the bill would make it mandatory for all members. The training would need to be completed by January 31 each year.
The bill orders new members to undergo cybersecurity training within 30 days after beginning service.
“If we want to effectively counter those threats, then we need to make sure Members of Congress are equipped with the tools and knowledge to play an active role in this fight. Our employees and House officers are already required to take mandatory information security training, and it’s past time that Members are held to the same standard and bear the same responsibility,” Rep. Rice said.
Some cybersecurity professionals have applauded the initiative.
“We know people empowered with the right training and education are the ultimate defense against cybercrime. Arming our members of Congress with this information gives them an opportunity to lead by example and also helps create a culture of protection awareness for our data-dependent society,” said Jack Koziol, CEO and founder of Infosec, a provider of IT security education and workforce security awareness training solutions.
However, others are not convinced it would be as effective as its sponsors hope.
“While it is encouraging to see that lawmakers are looking to improve cybersecurity training to House members, it is unfortunate to realize that they are a few years behind when it comes to best practices. In the past couple of years, the majority of companies that fell prey to cyber-attacks had an annual training in place which proved to be worthless when a real attack was launched,” Shlomi Gian, CEO at CybeReady, a provider of autonomous cyber security awareness solutions, told SecurityWeek.
“The average human brain has no capacity to memorize facts taught during a single, relatively long, annual training. A better training practice includes on-the-spot training that is triggered when we have the employee’s full attention – at the moment that he or she fails to detect a simulated attack. We call that the golden moment and careless employees do not forget it quickly,” Gian added.