A bipartisan bill proposed last week and co-sponsored by New York representatives Kathleen Rice (D) and John Katko (R) requires members of Congress to receive annual cybersecurity and IT training.
The Congressional Cybersecurity Training Resolution of 2019 adds to the existing requirement that House employees receive annual training by mandating that the House members themselves also receive cybersecurity and IT training, according to The Hill.
“The chief administrative officer shall carry out an annual information security training program for members (including the delegates and resident commissioner), officers, and employees of the House,” the act states.
“We strongly encourage support for the Congressional Cybersecurity Training Resolution,” said Jack Koziol, CEO and founder at Infosec. “Cyber-criminals are responsible for hundreds of billions of dollars’ worth of damage to the global economy and undermine democracy around the world. We know people empowered with the right training and education are the ultimate defense against cybercrime. Arming our members of Congress with this information gives them an opportunity to lead by example and also helps create a culture of protection awareness for our data-dependent society.”
Any new members, delegates, resident commissioners, officers, or employees of the House will also be required to receive training within 30 days of onboarding to the House. “Not later than January 31 of each year, each officer and employee of the House shall file a certification with the chief administrative officer that the officer or employee completed an information security training program,” the act states.
“Cyber-attacks continue to pose a growing and vexing threat at nearly every level of government and congressional offices are no exception,” Rice told The Hill. “If we want to effectively counter those threats, then we need to make sure members of Congress are equipped with the tools and knowledge to play an active role in this fight.”
While it is encouraging to see that lawmakers are looking to improve cybersecurity training for House members, Shlomi Gian, CEO at CybeReady, said it is unfortunate to realize that they are a few years behind when it comes to best practices.
“In the past few years, the majority of organizations that fell prey to cyber-attacks did have an annual training in place, which proved to be useless when a real attack was launched. The average human brain does not have the capacity to memorize facts taught during a single, relatively long annual training. A better training practice includes on-the-spot training that is triggered when we have the employee's full attention – at the moment that the employee fails to detect a simulated attack – we call this the golden moment and careless employees do not forget it quickly.”