Thursday, March 28, 2019

HR 1592 Introduced – Cybersecurity Training


Earlier this month Rep. Langevin (D,RI) introduced HR 1592, the Cybersecurity Skills Integration Act. The bill would establish a grant program within the Department of Education to provide support to post-secondary education programs that incorporate cybersecurity training or integrate cybersecurity training into existing education programs.

Definitions


Section 3(h) establishes the definitions used in this bill. The key definition in the bill is for the term ‘cybersecurity education’; it is defined as “education about ensuring the confidentiality, integrity, availability, and safety of information systems used in critical infrastructure sectors, including control systems and operational technology” {§3(h)(2)}.

Grant Program


Program grants of up to $500,000 per year may be made under this program. The bill provides for $10 million to be authorized to support the grant program {§(g)}. There is no time limit on that authorization in the language of the bill.

Moving Forward


While Langevin is not a member of the House Education and Labor Committee, the committee to which the bill was assigned for consideration, one of his cosponsors, Rep. Thompson (R,PA), is a senior member of the Committee. This means that there may be enough influence to see this bill covered in Committee.

There are no provisions in the bill that would draw any serious opposition to the bill. The main impediment to passage will be the price tag.

Commentary


The general idea that cybersecurity needs to be a topic included in degree and certification programs other than computer science certainly is one worthy of discussion. Money is, of course, one of the impediments to achieving that goal, but it is only one of the problems. The other is that there are only so many classroom hours available in degree programs and adding any new classes means that something else has to be given up to make room in the schedule.

As should be expected by most readers, I have some problems with the cybersecurity definition used in this bill. I have to acknowledge that the staffers who wrote this bill made an honest effort to ensure that industrial control system cybersecurity issues would be addressed by this grant program. As is fairly usual, however, they have taken information technology language (in this case the standard ‘confidentiality, integrity and availability’ measure of security) and tacked onto the end ‘including control systems and operational technology’. The fact that the CIA security standards are not directly applicable to control system security is of little matter.

It would be helpful if there were a clear delineation that different types of cybersecurity training are going to be applicable to different types of degree programs. Most students in business and liberal arts programs are going to find information technology security classes most helpful. Students in science and engineering programs, however, are going to be more concerned about protecting physical systems rather than information from cyber-attacks.

Having said that, of course, all students need some basic cyber hygiene training: passwords, two-factor authentication, phishing, etc. I am not sure, however, that these need to wait until post-secondary education. It seems to me that these types of training would be more appropriate in elementary or middle school given the widespread use of cellphones and tablets by people in that age group.
