Earlier this month Rep. Langevin (D,RI) introduced HR 1592,
the Cybersecurity Skills Integration Act. The bill would establish a grant program
within the Department of Education to provide support to post-secondary
education programs that incorporate cybersecurity training or integrate
cybersecurity training into existing education programs.
Definitions
Section 3(h) establishes the definitions used in this bill.
The key definition in the bill is for the term ‘cybersecurity education’; it is
defined as “education about ensuring the confidentiality, integrity, availability,
and safety of information systems used in critical infrastructure sectors,
including control systems and operational technology” {§3(h)(2)}.
Grant Program
Program grants of up to $500,000 per year may be made under
this program. The bill provides for $10 million to be authorized to support the
grant program {§(g)}.
There is no time limit on that authorization in the language of the bill.
Moving Forward
While Langevin is not a member of the House Education and
Labor Committee, the committee to which the bill was assigned for
consideration, one of his cosponsors, Rep. Thompson (R,PA), is a senior member
of the Committee. This means that there may be enough influence to see this
bill covered in Committee.
There are no provisions in the bill that would draw any
serious opposition to the bill. The main impediment to passage will be the price
tag.
Commentary
The general idea that cybersecurity needs to be a topic
included in degree and certification programs other than computer science
certainly is one worthy of discussion. Money is, of course, one of the impediments
to achieving that goal, but it is only one of the problems. The other is that
there are only so many classroom hours available in degree programs and adding
any new classes means that something else has to be given up to make room in the
schedule.
As should be expected by most readers, I have some problems
with the cybersecurity definition used in this bill. I have to acknowledge that
the staffers who wrote this bill made an honest effort to ensure that
industrial control system cybersecurity issues would be addressed by this grant
program. As is fairly usual, however, they have taken information technology
language (in this case the standard ‘confidentiality, integrity and
availability’ measure of security) and tacked onto the end ‘including control
systems and operational technology’. The fact that the CIA security standards
are not directly applicable to control system security is of little matter.
It would be helpful if there were a clear delineation that
different types of cybersecurity training are going to be applicable to
different types of degree programs. Most students in business and liberal arts
programs are going to find information technology security classes most
helpful. Students in science and engineering programs, however, are going to be
more concerned about protecting physical systems rather than information from cyber-attacks.
Having said that, of course, all students need some basic
cyber hygiene training: passwords, two-factor authentication, phishing, etc. I
am not sure, however, that these need to wait until post-secondary education.
It seems to me that these types of training would be more appropriate in
elementary or middle school given the widespread use of cellphones and tablets
by people in that age group.