New federal cybersecurity laws: will good intentions guarantee success or pave the road to hell?
Apparently there’s at least one thing both parties in Congress can agree on — better cybersecurity.
President Biden recently signed a couple of cybersecurity bills into law that reached his desk with overwhelming bipartisan support. Which is great, but keep in mind that support doesn’t guarantee success. Will these new laws yield the intended results, making the U.S. a tougher target for cyberattackers? That, as the cliché says, remains to be seen.
There’s no question about congressional backing. One, the Federal Rotational Cyber Workforce Program Act, sailed through the Senate by unanimous consent last December and passed in the House via a voice vote in May.
The second, the State and Local Government Cybersecurity Act, is intended to improve coordination between the Department of Homeland Security (DHS) and state, local, tribal, and territorial (SLTT) governments on cybersecurity. It passed the Senate by unanimous consent and the House by a 404–14 vote.
The bills are also obviously well intended. The first establishes a program to allow certain federal employees to rotate for six months to a year through other federal agencies to boost their skills in information technology, cybersecurity, and other cyber-related functions. What’s not to like about enhanced expertise?
Same for the second — who would oppose an initiative to help state and local levels of government improve their cybersecurity and to work better together?
Reality check needed
But amid the welcome unity, there should also probably be a reality check, or at least a few questions about possible unintended consequences. The cliché about the road to hell being paved with good intentions is a cliché for a reason — it’s too often true.
For example, the rotational workforce program obviously will involve multiple agencies, not just to participate but to oversee and evaluate it. That invokes another cliché — multiple cooks in the kitchen. Maybe some of them in conflict. Individual agencies are supposed to determine whether a position involving IT or cybersecurity is eligible for the program, but that obviously means both sending and receiving agencies will have to agree on it.
Which means it’s possible that heads of proposed receiving agencies could feel that they don’t have the bandwidth to provide what amounts to a training or internship program added to their other duties.
As the bill is written, participation is voluntary, which means agency heads will have the right to decline, but there will likely be pressure to “volunteer.” In government, optics can be as important as basic performance.
The Office of Personnel Management (Remember? The victim of a catastrophic hack a decade ago that compromised the personal information of 22 million current and former federal employees) is supposed to come up with an operation plan, and the Government Accountability Office will be required to assess the effectiveness of the program.
What will “voluntary” mean?
But the bill, as written, doesn’t offer many specifics to measure effectiveness, other than “by addressing the extent to which agencies have participated in the program and the experiences of employees serving in the program.”
Which suggests that, given the usual pressure within government to show that a program is succeeding, the definition of “voluntary” might be rather elastic.
Jody Westby, an attorney and CEO of Global Cyber Risk, cites another possible unintended problem with the rotational workforce program. “It has the potential to interfere with the performance of government contracts involving private-sector entities when government personnel overseeing the performance of a contract rotate out to another agency and are replaced with personnel unfamiliar with the contract,” she said.
“It would be far better for Congress to authorize government cybersecurity personnel to work three- to six-month stints in private-sector companies. The private sector would welcome this and might even offer a private-sector employee in exchange.”
Doing so would “create an exchange in best practices and the injection of new ideas from the public and private sectors,” she said, adding that “the federal government desperately needs to get out of its hard-wired approach to cybersecurity that is increasingly creating a niche market for only a few large government contractors.”
Emile Monette, director of government contracts and value chain security with Synopsys, is more optimistic about the concept behind the new law. He said it can “generally be a great way to get the workforce cross-trained, expose workers to other agencies’ people/process/technology, plus retain and grow talent. It works especially well for new graduates and entrants to the workforce.”
Monette said military branches do similar things with their junior officers and civilian employees, “and the Presidential Management Fellows program — along with others in government — is similarly structured, and both have been successful.”
Welcome to the “turkey farm”
But he agrees that it could create logistical tension. “The challenge is that we already have demand for cyber workforce outstripping supply, so it’s not clear that this will help address that problem at all,” he said.
“And because this workforce is so precious, agencies probably won’t want to send their best employees to do rotational assignments. Instead, they’ll want to send the less productive or otherwise problematic employees, and the receiving agency will have to do training etc. and won’t get the optimal intended benefit.”
The reality, Monette said, is that it is difficult to impossible to fire anyone with civil service protection no matter how poor their performance. “Often, management looks for ways to move underperformers to other organizations instead of firing them. We used to call it ‘the turkey farm’ because every time you create a new organization or do a reorganization, you would always get stuck having to take on a couple of turkeys,” he said.
When it comes to the second law, however, which gives DHS more responsibility to work with lower levels of government on cybersecurity, both Westby and Monette are more enthused.
Westby called it “a blessing that will help push cybersecurity best practices to the SLTT levels. It will be critical that DHS grants and cooperative agreements awarded under this law specify that SLTT recipients must adhere to specified NIST [National Institute of Standards and Technology] cybersecurity standards and guidance to encourage a uniform approach to cybersecurity.”
Monette said the law doesn’t really break any new ground but does “codify the work that CISA [Cybersecurity and Infrastructure Security Agency] already does with SLTT, and maybe adds a new kind of authority to that program.”
That comes with a caveat, however. Monette said CISA’s (which is within the DHS) “ability to execute is always a question in my mind. Certainly, they could use more resources for the SLTT programs, and certain CISA field organizations or representatives are better than others of course.”
A chance for improvement
But Westby said she thinks the law will “greatly facilitate coordination among federal and SLTT entities and improve incident response. Currently, SLTT governments do not follow any specific cybersecurity best practices.”
So, she said, besides “exercises, training, and cybersecurity education and awareness, the DHS National Cybersecurity and Communications Integration Center should use this as an opportunity to improve cybercrime information sharing and investigative capabilities at SLTT levels of government. A recent Uniform Law Commission Cybercrime Study Group found that U.S. states do not have uniform cybercrime laws or standard procedures for cybercrime investigations.”
All of this is, of course, somewhat speculative, since the President’s signature has barely had time to dry on the bills, and the rotational program won’t start for at least another nine months.
Which means their success or failure goes back to that cliché “it remains to be seen.” Or “time will tell.”