Mandatory Cybersecurity Training for Congress: What Kind of Training?

July 31, 2019

by Larry Clinton

Last week, the bipartisan Select Committee on the Modernization of Congress issued a list of two dozen recommendations designed to “make Congress more reflective and responsive to the American people.” One recommendation stands out as particularly timely, visionary and practical: “Making cybersecurity training mandatory for Members.”

Finally, a cybersecurity mandate that makes good sense.
Hopefully this new mandate will be implemented fully and soon; indeed, it ought to be extended to the heads of government agencies. However, the key question is what sort of cyber training is most appropriate for members of Congress.

Obviously, members of Congress, like everyone else, ought to have the basic user-hygiene knowledge needed for the intelligent use of digital technology. However, those principles and skills are not the most important elements of cybersecurity that members of Congress, our nation’s top policymakers, require to properly fulfill their unique job.

Members of Congress are essentially the government equivalent of members of corporate boards. Boards, and Congress, are responsible for understanding and integrating the multiple and varying goals of the organization, defining the risk appetite the organization can tolerate, and balancing the use of the organization’s resources to meet both their service and security goals in a sustainable fashion. For this, they need to work with the operational people, but not become operational.

Inside the Beltway, people often speak of boards and corporate management as if they are essentially the same thing. They are not. From a cyber perspective the executive role is cyber-risk management, i.e., operations and implementation. The board’s role is policy, strategy, vision, and oversight. This is what our members of Congress need training in.

The training program designed for members of Congress needs to be tailored to meet their special and critical role and functions. Fortunately, the community of corporate board members has developed such a model, which can be fairly easily adapted to meet the uniqueness of the governmental role.

The National Association of Corporate Directors (NACD) developed a handbook in 2014 which is now being updated for the third time. The NACD handbook defines five core principles for board oversight of organizational cybersecurity and provides a series of “tool-kits” to address specific cyber issues (insider threats, supply chain, incident response, etc.). The tool-kits are primarily made up of the questions board members (or members of Congress) ought to be asking of operational management (or government agencies) to elicit the information needed to give management or the agency the direction and oversight required to fulfill the corporate or governmental goals.

Perhaps the best news is that the program designed by the NACD has been independently assessed and found to actually improve organizational cybersecurity. In their Global Information Security Survey, PricewaterhouseCoopers analyzed the NACD handbook and determined that use of the handbook led to higher cybersecurity budgets, better cyber-risk management, closer alignment of cybersecurity with overall organizational goals, and helped create a culture of security.

The tool-kits have been reported to be the most popular and pragmatically useful element of the handbook. However, using the tools without a broader understanding of the principles of cybersecurity would be counterproductive. Perhaps the most important of the principles the NACD has identified (Principle #1) is this: Cybersecurity is not an “IT” issue. It is an enterprise-wide risk-management issue. That is a very different thing, and it needs to be addressed differently.

This may be the most important principle for members to be educated about. Congress has shown itself to be especially prone to thinking of the cybersecurity issue in an excessively technocentric fashion. When Congress seeks out cybersecurity expertise, it almost always seeks specifics about the technology. Obviously, technology is part of the cyber issue, but it is not the essence of the cyber issue. The technology is simply HOW the attacks occur. To craft an effective security strategy, Congress also needs to understand WHY the attacks occur.

The cybersecurity issue is far broader and more complex than just the technology. Leading organizations are increasingly moving management of the cyber issue out of the exclusive control of the tech experts and more toward an enterprise-wide risk-management team that includes the tech perspective but is not dominated by it.

Mandatory training of members of Congress could be a real game-changing initiative, leading us to finally begin to make some progress in the fight to secure cyberspace (a fight we are currently losing quite badly). But only if Congress receives the right kind of training.