[House Report 107-355]
[From the U.S. Government Publishing Office]
107th Congress Rept. 107-355
HOUSE OF REPRESENTATIVES
2d Session Part I
======================================================================
CYBER SECURITY RESEARCH AND DEVELOPMENT ACT
_______
February 4, 2002.--Committed to the Committee of the Whole House on the
State of the Union and ordered to be printed
_______
Mr. Boehlert, from the Committee on Science, submitted the following
R E P O R T
[To accompany H.R. 3394]
[Including cost estimate of the Congressional Budget Office]
The Committee on Science, to whom was referred the bill (H.R.
3394) to authorize funding for computer and network security
research and development and research fellowship programs, and
for other purposes, having considered the same, report
favorably thereon without amendment and recommend that the bill
do pass.
CONTENTS
I. Purpose of the Bill
II. Background and Need for the Legislation
III. Summary of Hearings
IV. Committee Action
V. Summary of Major Provisions of the Bill
VI. Section-By-Section Analysis (By Section)
VII. Committee Views
VIII. Cost Estimate
IX. Congressional Budget Office Cost Estimate
X. Compliance with Public Law 104-4 (Unfunded Mandates)
XI. Committee Oversight Findings and Recommendations
XII. Constitutional Authority Statement
XIII. Federal Advisory Committee Statement
XIV. Congressional Accountability Act
XV. Statement on Preemption of State, Local or Tribal Law
XVI. Changes in Existing Law Made by the Bill, as Reported
XVII. Committee Recommendations
XVIII. Statement on General Performance Goals and Objectives
XIX. Exchange of Committee Correspondence
XX. Proceedings of Full Committee Markup
I. Purpose of the Bill
The purpose of the bill is to authorize funding for
computer and network security education, research and
development.
II. Background and Need For Legislation
The terrorist attacks of September 11, 2001 brought into
stark relief the Nation's physical and economic vulnerability
to an attack within our borders. The relative ease with which
terrorists were able to implement their plans serves as a
pointed reminder of the need to identify critical ``soft
spots'' in the nation's defenses. Among the Nation's
vulnerabilities are our computer and communications networks,
on which the country's finance, transportation, energy and
water distribution systems, and health and emergency services
depend. These vulnerabilities have called into question whether
the Nation's technological research programs, educational
system, and interconnected operations are prepared to meet the
challenge of cyber warfare in the 21st century. The Los Angeles
Times in a recent editorial emphasized the importance of
meeting this challenge: ``A cyberterrorist attack would not
carry the same shock and carnage of September 11. But in this
information age . . . [a cyberterrorist attack] could be more
widespread and just as economically destructive.''
We will not be able to address these vulnerabilities
without conducting more research on cybersecurity. H.R. 3394 is
designed to address four inadequacies with current research
efforts:
(1) The Federal Government has chronically
underinvested in cybersecurity, an area in which the
private sector has little incentive to invest;
(2) This is true, in part, because no Federal agency
has the responsibility of ensuring that the Nation has
a robust cybersecurity research enterprise;
(3) As a result, what little research has been done
on cybersecurity has been incremental, leaving the
basic approaches to cybersecurity unchanged for
decades; and
(4) As a field with relatively little money, few
researchers and minimal attention, cybersecurity fails
to attract the interest of students, perpetuating the
problems in the field.
Vulnerabilities of the National Information Infrastructure
The Internet has been a tremendous success--connecting more
than 100 million computers and growing--far outstripping its
designers' wildest expectations. But the Internet was not
originally designed to control power systems, connect massive
databases of medical records or connect millions of home
appliances or automobiles, yet today it serves these functions.
It was not designed to run critical safety systems but it now
does that as well. We now heavily rely on an open network of
networks, so complex that no one person, group or entity can
describe it, model its behavior or predict its reaction to
adverse events.
The porous fabric of the U.S.'s network infrastructure
leaves the Nation open to the constant possibility of cyber
attack. Attacks can take several forms, including: defacement
of web sites and other electronically stored information in the
United States and other countries to spread disinformation and
propaganda; distributed denial of service attacks that
overwhelm a server with access requests; use of unprotected
``zombie'' computers (located anywhere) as conduits for wide-
scale distribution of destructive worms and viruses throughout
the computer network; and unauthorized intrusions and sabotage
of systems and networks belonging to the U.S. and allied
countries, potentially resulting in critical infrastructure
outages and corruption of vital data.
The wide-scale attack by the so-called ``Nimda'' worm is
one example of these techniques; the virus modified web
documents and certain executable files found on the systems it
infected, and then created numerous copies of itself under
various file names. This followed the ``Code Red,'' ``Code Red
II'' and ``SirCam'' attacks which affected millions of
personal, commercial and government computers, shut down web
sites, slowed Internet service, and disrupted business and
government operations, causing billions of dollars of damage.
These attacks no longer represent isolated or infrequent
events. Carnegie Mellon University's CERT
Coordination Center, which serves as a reporting center for
Internet security problems, received 2,437 vulnerability
reports in calendar year 2001, almost 6 times the number in
1999. Similarly, the number of specific incidents reported to
CERT grew enormously--from 9,859 in 1999 to 52,658 in 2001, yet
CERT estimates that this may represent only about 20 percent of
the incidents that actually have occurred.
Interdependence of Critical Infrastructures
To better understand our vulnerabilities to cyber terrorism
and the potential consequences of cyber attacks, the Internet
must no longer be studied solely as a separate system but also
as a network of interdependent critical infrastructures. It
also has links to many ostensibly private networks, such as
those used by the financial services industry. While some
research is being done to better understand the threats to the
Internet itself, little has been done to assess and project the
dramatic or subtle impact that these threats may have on other
critical infrastructures. These problems are not hypothetical.
While not the result of a cyber attack, the 1998 failure of the
Galaxy 4 communications satellite disrupted the use of 90
percent of the Nation's pagers and disrupted credit card
purchases and ATM transactions. The failure also disrupted the
communications of health care providers and emergency workers.
Information Warfare Simulations--``Eligible Receiver''
In 1997, the Pentagon conducted an information warfare
exercise that illustrated some of the implications of
infrastructure interdependence. Known as Eligible Receiver, the
exercise simulated a rogue state attempting to attack
vulnerable U.S. information systems. A ``Red Team'' comprising
35 National Security Agency computer specialists used off-the-
shelf technology and software to simulate attacks against power
and communications networks in Oahu, Los Angeles, Colorado
Springs, St. Louis, Chicago, Detroit, Washington, D.C.,
Fayetteville, and Tampa. According to the Congressional
Research Service, it is generally believed that government
(including unclassified military computer networks) and
commercial sites were easily attacked and penetrated. Air Force
Major General John H. Campbell, commander of the DoD Joint Task
Force--Computer Network Defense, wrote that the exercise
``clearly demonstrated our lack of preparation for a coordinated
cyber and physical attack on our critical military and civilian
infrastructure.'' Officials familiar with the exercise later said that
Eligible Receiver showed in ``real terms how vulnerable the
transportation grid, the electricity grid, and others are to an attack
by people using conventional equipment.'' The National Security Agency
subsequently recommended that all Federal Internet accessible computer
networks that process or provide access to classified, confidential, or
sensitive data should have mandatory access controls.
Underlying Causes of the Nation's Vulnerability to Cyber Attack
Weaknesses in research and development in the cyber
security arena contribute significantly to the vulnerability of
the Nation's information infrastructure. While a number of
information technology companies support R&D on network
security, security inadequacies cannot be addressed solely
through short-term industry-based applied research, which is
underfunded in any event. Industry relies on the fundamental
research supported by the Federal Government and on the
training of future researchers--computer scientists,
mathematicians, and many others--that these federally funded
research programs support.
Unfortunately, with the possible exception of encryption-
related research, cyber security research has been chronically
underfunded, and basic research into fundamental cyber security
challenges is not robust enough to meet the Nation's needs.
Simply put, when it comes to computer security, too few people
are paying too little attention and coming up with too few
ideas.
Cyber security has been a neglected field. Although numbers
are difficult to come by, federally funded cyber security
research may amount to less than $60 million per year. Experts
believe that fewer than 100 U.S. researchers have the
experience and expertise to conduct cutting edge research in
cyber security. This is true even though a computer science
department at a single research university may have 60 or more
faculty members.
This chronic under-investment does not merely pose problems
for the academic and research community. Federal agencies are
finding it increasingly difficult to recruit and hire
professional staff to manage and secure their own computer
networks. The National Science Foundation (NSF), in
consultation with the National Security Council, the National
Security Agency, the Critical Infrastructure Assurance Office,
and the Office of Personnel Management established in July 2000
a scholarship-for-service program designed to train students
who would then help ensure the security of the Federal
information infrastructure. This program was funded at the
level of $1.2 million for FY 2001 and was expected to provide
scholarship funds for approximately 180 undergraduate and
graduate students. The National Aeronautics and Space
Administration has requested similar scholarship-for-service
authority to recruit students with expertise in computer
science and other technical fields. Other agencies are likely
to follow. NSF has also recently established another program
designed to enhance research in information assurance and build
a well-trained cyber security workforce. NSF's Trusted
Computing program, established in FY 2001, will award between
$4 million and $6 million in FY 2002 to support research on
computer and network security.
In addition, the National Institute of Standards and
Technology (NIST) within the Department of Commerce provides
grants for research to develop commercial solutions to IT
security problems central to critical infrastructure
protection. NIST recently announced the award of grants under
its Critical Infrastructure Protection Grants Program aimed at
improving the security of the computer and telecommunications
systems that support essential services.
While private industry has rapidly advanced many aspects of
information technology, it has had little incentive to focus on
the development of cyber security. The market demands faster,
cheaper, more powerful products, not more secure ones. In the
wake of the September 11th attacks, security has a slightly
higher profile in the private sector, but real advances in
information assurance will still rely on efforts by the Federal
Government.
Two studies conducted by the firm Metricnet suggest that 80
percent of companies spent less than 5 percent of their
information technology budget on information security prior to
September 11th. In November that was still true of two-thirds
of the companies.
Yet the Federal Government has not been filling the
research gap left by the private sector. The Federal Government
has chronically under-invested in this area. As a result, too
little cyber security research is being conducted and too few
researchers are prepared to meet our current and projected
cyber security research needs. In addition, the research that
is funded is incremental and unlikely to lead to the
development of breakthrough approaches to cyber security.
This lack of Federal focus has also limited the number of
undergraduate and graduate students pursuing studies in cyber
security. Despite these problems and the inadequate
coordination between government, academia, and industry, no
Federal agency has stepped forward to take the lead in
supporting cyber security research. The Cyber Security Research
and Development Act responds to these challenges by authorizing
a focused, long-term Federal investment in cyber security
research, designed to increase the cadre of researchers in this
field over the long-term and to yield innovative new approaches
to cyber security.
III. Summary of Hearings
On Tuesday, July 31, 2001, the House Science Committee's
Subcommittee on Research held a hearing to examine the impact
Federal investment has had on promoting innovation in
information technology and fostering a variety of sophisticated
applications that infuse information technology into areas such
as education, scientific research, and the delivery of public
services. Witnesses described the increasing reliance
on information technology by all sectors of the research community and
the general public, and specifically discussed applications of
information technology to pharmaceutical research, biotechnology,
education, emergency management, air and ground traffic coordination,
and predictive weather and climate modeling. Witnesses discussed the
need for new information tools and technologies to be available to all
sectors of the community and emphasized the increasing need for system
reliability and security given the increasing dependence on information
technology for even the most basic human services. Witnesses agreed,
however, that there has been a lack of focus and effort in the areas of
computer and network security, privacy, and information assurance, and
that the ability to protect key infrastructures lags behind their
development and implementation.
On Wednesday, October 10, 2001, the House Committee on
Science held a hearing to examine the vulnerability of our
Nation's computer infrastructure and related research needs.
Witnesses described the vulnerability of our Nation's critical
infrastructure to cyber attacks, the lack of market incentives
for the development and inclusion of robust information
assurance software in commercial applications, and the
consequences of chronic underfunding of cyber security research
by the Federal Government. Witnesses called for: the
designation of a lead Federal research agency that would take
primary responsibility for supporting cyber security research
and development; the development of innovative new approaches
to cyber security and cyber security research; and for
significant increases in the number of researchers capable of
doing world-class cyber security research.
On Wednesday, October 17, 2001, the House Committee on
Science held a second hearing to examine the vulnerability of
our Nation's computer infrastructure. In this hearing the
Honorable James S. Gilmore, III, Governor of the Commonwealth
of Virginia and Chairman of the Advisory Panel to Assess
Domestic Response Capabilities for Terrorism Involving Weapons
of Mass Destruction, stated that, ``Critical information and
communication infrastructures are targets for terrorists
because of the broad economic and operational consequences a
shutdown can inflict.'' Governor Gilmore called for ``a
comprehensive plan for research, development, test and
evaluation of processes to enhance cyber security in the same
manner as we must do for other potential terrorist attacks.''
IV. Committee Action
On December 4, 2001, Science Committee Chairman Sherwood
Boehlert and Ranking Minority Member Ralph Hall introduced H.R.
3394, the Cyber Security Research and Development Act, a bill
to authorize appropriations for computer and network security
education, research and development for fiscal years 2003
through 2007. The bill incorporates major provisions of H.R.
3316, the Computer Security Enhancement and Research Act,
introduced by Rep. Brian Baird.
The House Committee on Science met on December 6, 2001, to
consider the bill. With a quorum present, Mr. Hall moved that
the Committee favorably report the bill to the House with the
recommendation that it pass, and that the staff be instructed
to make technical and conforming changes to the bill and
prepare the legislative report, and that the Chairman take all
necessary steps to bring the bill before the House for
consideration. The motion was agreed to by a voice vote.
V. Summary of Major Provisions of the Bill
Authorizes the NSF to award grants to institutions
of higher education for basic research on innovative approaches
to enhancing computer and network security through hardware and
software solutions. Includes research in a variety of areas
including authentication and cryptography, computer forensics
and intrusion detection, reliability of computer and network
applications, middleware, operating systems and communications
infrastructure, and privacy and confidentiality. This program
is authorized at $35 million for FY 2003, $40 million for FY
2004, $46 million for FY 2005, $52 million for FY 2006, and $60
million for FY 2007.
Authorizes NSF to award grants to institutions of
higher education to establish multidisciplinary Centers for
Computer and Network Security Research. Applicants may partner
with government laboratories and/or for-profit institutions.
These centers are designed to advance the research agenda and
to train additional qualified computer and network security
researchers and professionals. Instructs NSF to convene an
annual meeting of Center investigators to facilitate
information exchange. This program is authorized at $12 million
for FY 2003, $24 million for FY 2004, $36 million for each of
fiscal years 2005 through 2007.
Authorizes NSF to establish a program to award
grants to institutions of higher education to establish or
improve undergraduate and master's degree programs in computer
and network security, to increase the number of students who
pursue undergraduate or master's degrees in fields related to
computer and network security, and to provide students with
experience in government or industry related to their computer
and network security studies. Funds may be used for curriculum
development, faculty development, equipment acquisition,
student recruitment and/or the establishment of bridge programs
with two-year colleges and industry internship programs for
students. This program is authorized at $15 million for FY 2003
and $20 million for each year from FY 2004 through FY 2007.
Authorizes NSF to expand the activities of the
Advanced Technological Education Program, established under the
Scientific and Advanced Technology Act of 1992, to support
improved education and technical training in fields related to
computer and network security. This program is authorized at $1
million for FY 2003, and $1.25 million for each of fiscal years
2003 through FY 2007.
Authorizes NSF to establish a program to support
graduate traineeships in computer and network security at
institutions of higher education. Grant awards can be used to
provide student fellowship support, to pay tuition and fees for
students who are fellowship recipients, to establish internship
programs for students in computer and network security at for-
profit institutions or government laboratories, and
to administer the program. This program is authorized at $10 million for
FY 2003, and $20 million for each of fiscal years 2005 through FY 2007.
Authorizes NSF to list computer and network
security as a field of specialization under the NSF Graduate
Research Fellowships program established by the National
Science Foundation Act of 1950.
Amends the National Science Foundation Act of 1950
to charge NSF with taking a lead role in fostering and
supporting research and education activities to improve the
security of networked information systems.
Authorizes NIST to establish a program of
assistance for institutions of higher education that enter into
partnerships with for-profit entities (which may also include
government laboratories), to support long-term, high-risk
research to improve the security of computer systems. Instructs
NIST to include research directed toward addressing needs
identified through the activities of the Computer System
Security and Privacy Advisory Board. This program is authorized
at $25 million for FY 2003, $40 million for FY 2004, $55
million for FY 2005, $70 million for FY 2006, and $85 million
for FY 2007.
Authorizes NIST to establish a program to award
post-doctoral research fellowships to citizens, nationals, or
lawfully admitted permanent resident aliens of the U.S. who are
seeking research positions at an institution, including the
Institute, engaged in cyber security research. Also authorizes
NIST to establish a similar program to provide research
fellowships to senior researchers who wish to change research
fields and pursue studies related to the security of computer
systems. Authorizes $6 million for FY 2003, $6.2 million for FY
2004, $6.4 million for FY 2005, $6.6 million for FY 2006, and
$6.8 million for FY 2007.
Authorizes NIST to recruit existing NIST employees
or identify additional individuals who will serve as program
managers to administer the activities established under this
Act.
Instructs NIST to periodically review the
portfolio of research awards funded under this Act, in
consultation with the Computer System Security and Privacy
Advisory Board, to ensure the appropriateness of the research
goals and the quality and utility of the research projects
funded under this Act.
Directs NIST to enter an arrangement with the
National Research Council for a comprehensive review of the
research program established by this Act. This review shall
occur during the fifth year of the program, the results of
which shall be reported to Congress no later than six years
after the initiation of the program.
Authorizes the Computer System Security and
Privacy Advisory Board to identify emerging issues, including
research needs, related to computer security, privacy, and
cryptography and to convene public meetings and distribute
reports on those subjects. Authorizes $1.06 million for FY 2003
and $1.09 million for FY 2004 for these purposes.
Amends the National Institute of Standards and
Technology Act to explicitly allow intramural research on the
security of networked computer systems, including those systems
integral to process control and essential infrastructure.
Directs NIST to enter into an arrangement with the
National Research Council of the National Academy of Sciences
to conduct a study of the vulnerabilities of the Nation's
network infrastructure and make recommendations for appropriate
improvements, and to transmit a report of the findings to
Congress within 21 months of the enactment of this Act.
Prohibits the Director from including classified or sensitive
information regarding vulnerabilities in any publicly released
version of this report. Authorizes appropriations of $700,000
for this study and report.
VI. Section-by-Section Analysis (by Section)
SEC. 1. SHORT TITLE
``Cyber Security Research and Development Act''.
SEC. 2. FINDINGS
Discusses the interdependent nature of critical
infrastructures brought about by advancements in computing and
communications technology; the increased consequences of
failure of communications and other critical services caused by
exponential increases in interconnectivity; the Nation's lack
of preparedness for a coordinated cyber and physical attack;
the lack of sufficient long-term research funding and the
shortage of outstanding researchers in the field of cyber
security; the lack of coordination among government,
academia, and industry for computer security; and the need to
significantly increase the Federal investment in computer and
network security research and development.
SEC. 3. DEFINITIONS
Defines the term ``Director'' as the Director of the
National Science Foundation (Note that where the term
`Director' is used in section 8 it refers to the Director of
the National Institute for Standards and Technology). Uses the
definition for `institution of higher education' found in the
Higher Education Act of 1965.
SEC. 4. NATIONAL SCIENCE FOUNDATION RESEARCH
(a) Establishes an NSF program to award merit-based grants
for basic research on innovative approaches to enhance computer
security. Research areas for which grants can be used include
authentication and cryptography, computer forensics and
intrusion detection, reliability of computer and network
applications, and privacy. Authorizes appropriations of $35
million for FY 2003, $40 million for FY 2004, $46 million for FY 2005, $52
million for FY 2006, and $60 million for FY 2007.
(b) Establishes an NSF program to award multi-year grants
to institutions of higher education (or consortia thereof) to
establish multidisciplinary Centers for Computer and Network
Security Research. Consortia applying for grants may include
one or more government laboratories or for-profit institutions.
Applications for Center grants are to be reviewed on the basis
of criteria that include: the ability of the institution (or
consortium) to generate innovative approaches to computer and
network security research; the applicant's support for students
pursuing research in computer and network security; and the
extent to which government laboratories or industry partners
will participate in the Center's research activities. Requires
the Director to convene an annual meeting of Centers to foster
greater collaboration and communication. Authorizes
appropriations of $12 million for FY 2003, $24 million for FY
2004, and $36 million for each of fiscal years 2005 through
2007.
SEC. 5. NATIONAL SCIENCE FOUNDATION COMPUTER AND NETWORK SECURITY
PROGRAMS
(a) Establishes a competitive, merit-based NSF program to
award grants to institutions of higher education (or consortia
thereof) to create or improve undergraduate and master's degree
programs in computer security. Allowable uses of grants include
curriculum development, equipment acquisition, faculty
enhancement, and student internship programs in government or
industry. Requires applicants to describe the plan for building
increased capacity in computer and network security, to specify
the roles and responsibilities of each partnering institution
or collaborative group, and to provide evidence of high
potential for success in educating and placing students in
relevant jobs or graduate programs. Instructs the Director to
evaluate the impact of the program on increasing the quality
and quantity of computer and network security professionals.
Authorizes $15 million for FY 2003 and $20 million for each of
fiscal years 2004 through 2007.
(b) Expands NSF's existing program for community colleges
(established by the Scientific and Advanced Technology Act of
1992) to include grants to improve education in fields related
to computer and network security. Authorizes $1 million for FY
2003 and $1.25 million for each of fiscal years 2004 through
2007.
(c) Establishes a competitive, merit-based NSF program to
award grants to institutions of higher education to establish
programs for students pursuing studies in computer and network
security research leading to a doctorate degree. Grant funds
are to be used to support student fellowships of at least
$25,000 per year, to pay student tuition and fees, and to
support students in scientific internship programs. Authorizes
appropriations of $10 million for FY 2003, and $20 million for
each of fiscal years 2004 through 2007.
(d) Directs NSF to include computer and network security as
an approved field of specialization under its current Graduate
Research Fellowships program.
SEC. 6. CONSULTATION
Requires the NSF Director to consult with other Federal
agencies in carrying out the programs described in Sections 4
and 5.
SEC. 7. FOSTERING RESEARCH AND EDUCATION IN COMPUTER AND NETWORK
SECURITY
Amends the National Science Foundation Act of 1950 to
require NSF to take a lead role in fostering and supporting
research and education in computer and network security.
SEC. 8. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY RESEARCH PROGRAM
Amends the National Institute of Standards and Technology
Act to establish a program of assistance to institutions of
higher education that partner with for-profit entities to
support multidisciplinary, long-term, high-risk research to
improve the security of computer systems. Partnerships may also
include government laboratories. Authorizes the Director to
award research fellowships to post-doctoral researchers engaged
in computer security research and to senior researchers who
wish to move from other research fields to computer security
research. Instructs the NIST Director to select Program
Managers who are responsible for establishing the research
goals for the program, soliciting applications for specific
research projects to address these goals, and selecting
research projects for funding. Calls for the NIST Director to
periodically review the portfolio of research awards in
consultation with NIST's existing Computer System Security and
Privacy Advisory Board. Also instructs the Director to enter
into an arrangement with the National Research Council to
conduct a formal review of the program and to submit a report
of this review to Congress.
SEC. 9. COMPUTER SECURITY REVIEW, PUBLIC MEETINGS, AND INFORMATION
Authorizes $1,060,000 for FY 2003 and $1,090,000 for FY
2004 to enable NIST's Computer System Security and Privacy
Advisory Board to identify emerging issues, including research
needs related to computer security, privacy, and cryptography
and, as appropriate, to convene public meetings on those
subjects, receive presentations, and generate reports for
public distribution.
SEC. 10. INTRAMURAL SECURITY RESEARCH
Amends the National Institute of Standards and Technology
Act to authorize NIST to pursue, as part of the agency's in-
house research program, research related to computer security,
including the development of emerging technologies to ensure
security of networked systems assembled from components,
improved security of real-time computing and communications
systems used in industrial and critical infrastructure operations, and
improved security of computer systems.
SEC. 11. AUTHORIZATION OF APPROPRIATIONS
Authorizes appropriations for sections 8 and 10 of the
bill. For the research programs in section 8, provides $25
million for FY 2003, $40 million for FY 2004, $55 million for
FY 2005, $70 million for FY 2006, $85 million for FY 2007, and
such sums as may be necessary for fiscal years 2008 through
2012. Authorizes appropriations for section 10 at $6 million
for FY 2003, $6.2 million for FY 2004, $6.4 million for FY
2005, $6.6 million for FY 2006, and $6.8 million for FY 2007.
SEC. 12. NATIONAL ACADEMY OF SCIENCES STUDY ON COMPUTER AND NETWORK
SECURITY IN CRITICAL INFRASTRUCTURES
Directs the Director of NIST to enter into an agreement
with the National Research Council to conduct a study of the
vulnerabilities of the Nation's critical infrastructure
networks and make recommendations for appropriate improvements.
The study requires the NRC to review existing data to identify
gaps in the security of critical infrastructure networks, make
recommendations for research priorities to address these gaps,
and review the security of network-related infrastructure
including industrial process controls. A report of the study
results is to be submitted to Congress. Authorizes $700,000 for
the purpose of carrying out the study.
VII. Committee Views
The Committee on Science believes that the Nation's cyber
security research and development enterprise clearly needs
strengthening. Not only is too little research in this
important area being conducted, but the research that is
being performed is too incremental to lead to breakthroughs. In
addition, too few students are being trained in this field,
perpetuating its current failings. The Cyber Security Research
and Development Act raises the level of Federal funding for
cyber security research significantly, investing in two of the
Federal Government's key scientific research agencies: NSF and
NIST.
Building on NSF's proven capacity to mobilize the academic
research community, the Act authorizes NSF to fund new academic
centers and instructs NSF to fund research that is particularly
innovative. Awardees selected under this program are to be
selected through NSF's standard merit-review procedure. The
merit-review system has been a key to NSF's success. The
Committee recognizes, however, that review by outside panels
has limitations, especially in underfunded fields, as the
shortage of funds can lead review panels to reject research
that is especially risky and lies outside the boundaries of the
current paradigms.
In part for that reason, the Act also authorizes a grant
program at NIST that is aimed at supporting the kind of high-
risk research that might be overlooked by a system based on
outside review. The Act authorizes NIST to use an
administrative model that has been successfully implemented at
the Defense Advanced Research Projects Agency (DARPA). In that
model, talented project managers are invested with broad
latitude to establish research objectives and to solicit and
fund promising research proposals. This structure shortens the
approval time for research proposals and allows the project
manager to move quickly to invest in promising new ideas. In
addition, the proposals submitted to NIST are expected to be
focused on specific questions of more immediate interest to
industry than are those submitted to NSF.
Recognizing that the lack of Federal leadership in the area
of cyber security research has impeded progress, the Committee
believes it is important that an agency assume a leadership
role in the funding of computer and network security research.
Thus the Act amends the NSF Organic Act--NSF's basic operating
statute--to explicitly give NSF a leading role in cyber
security research and education.
National Science Foundation Research
The Committee recognizes NSF's important role in computer
and information science, including the agency's important
contributions to the development of the Internet. The Committee
also realizes that the NSF has already acknowledged the need
for greater research in information assurance and has
established the Trusted Computing program to fund small-scale
academic research projects related to information assurance.
However, the Committee believes that the expected level of
funding for that program--between $4 million and $6 million--is
insufficient to address the Nation's needs.
This Act provides significant additional funding--
approximately $570 million for FY 2003 through FY 2007--for
cyber security research. The Committee emphasizes that the list
of research areas in section 4 is illustrative and not
exhaustive.
While individual investigator research is needed to lay a
firm foundation in information assurance, the Committee
recognizes that large multidisciplinary efforts will be required
to address the complex problems in this field. The Act provides
funding to establish Computer and Network Security Research
Centers to promote large-scale, multidisciplinary
collaborations that exploit the collective knowledge of
computer scientists, programmers, mathematicians,
cryptographers, systems engineers, software engineers, social
scientists, and network architects, among others.
The Committee also recognizes the need for sustained
funding over a substantial period of time to ensure that an
institution has ample time to fully develop and implement high
quality research programs, create technologically sophisticated
facilities, attract or develop qualified faculty to support the
instructional program, and recruit students. The Committee
expects that the Computer and Network Security Research Centers
will receive stable, long-term funding.
The Committee recognizes that the sensitive nature of some
cyber security research results precludes their publication.
The Committee encourages NSF to look beyond refereed journal
citations as proof of a particular individual's abilities and expertise
or as evidence of a Center's accomplishments.
The Committee also encourages NSF to support projects and
Centers with strong connections to the computer and network
security user community, government laboratories, Federal
agencies, and private sector companies that depend upon
reliable information assurance technologies.
The Committee intends the term ``governmental
laboratories'' to be construed in its broadest sense. It
includes laboratories at both the state and Federal level,
including government-owned, contractor-operated facilities.
Computer and Network Security Capacity Building
The Committee firmly believes that the field of computer
and network security cannot advance unless a major effort is
made to prepare and recruit the Nation's best and brightest
students to pursue higher education, and ultimately careers, in
computer and network security. For this reason, the Act
establishes several programs at the National Science Foundation
to provide funds to institutions of higher education to develop
and implement high-quality undergraduate and graduate programs
in computer and network security and to attract students to
them.
The Committee believes it is critical that institutional
capacity at a number and variety of institutions have been
designated by the National Security Agency as Centers of
Academic Excellence in Information Assurance Education, those
institutions alone cannot produce enough students to meet the
projected need for 10,000 information assurance specialists by
the year 2010. The Act authorizes NSF to provide merit-based
Computer and Network Security Capacity Building grants to
institutions of higher education, including two-year colleges,
to establish or improve certificate, undergraduate and master's
degree programs in computer and network security.
The Committee also believes that the computer and network
security instructional programs supported through this program
should be informed by the needs of the research and user
communities and that students gain practical experience in the
applications of security technologies in authentic settings by
participating in government or industry internships.
And since computer and network security professionals with
a variety of educational credentials will be required in the
workforce, the program created under section 5 should fund a
wide assortment of institutions, including 2-year colleges,
comprehensive colleges, and liberal arts institutions, as well
as research universities.
The Committee expects that institutions applying for
Capacity Building grants will provide an analysis of the
potential for student enrollment as well as the potential for
placement in computer and information security as part of their
applications. Institutions are strongly encouraged to develop
comprehensive recruitment, retention and placement strategies
in partnership with K-12 schools, 2-year colleges, and local
government and industry partners.
Underrepresented Groups in Science and Technology
One important goal of the research and education activities
authorized by the bill is to increase the size and quality of the national
research community engaged in research related to computer and
network security. Applications for the NSF research center
awards under section 4(b) must describe how the center will
help increase the number of computer and network security
researchers and other professionals. The NSF programs
authorized under section 5, including the capacity building
grants and the graduate traineeship program, and the NIST
fellowship programs authorized under section 8 are specifically
focused on enlarging the human resource base of the Nation for
researchers and other specialties related to computer security.
The Committee directs NSF in managing its research and
education activities authorized by the bill to ensure that
active and sustained efforts are made to include the
participation by individuals from groups traditionally
underrepresented in science and engineering and by minority
serving institutions. Further the Committee directs NSF to
provide to the Committee within three years of the date of
initiation of the activities authorized by this bill a report
that (1) describes the actions taken by the Foundation to
ensure participation by individuals from underrepresented
groups and by minority serving institutions, (2) provides data
on the numbers of individuals from underrepresented groups
supported by fellowships, traineeships or research
assistantships under activities authorized by the bill, and (3)
describes the participation by minority serving institutions in
activities authorized by the bill.
Scientific and Advanced Technology Act of 1992
The Committee recognizes the contributions of two-year
colleges to meeting the rapidly evolving needs of the technical
workforce. The Advanced Technological Education Program at NSF
has contributed significantly to technician education through
projects, national centers, regional centers, and articulation
partnerships that bridge two-year and four-year colleges and
universities. To date the NSF has funded 15 National Centers of
Excellence that range in focus from biotechnology to
environmental technology and information technology. The
Committee feels that the growing demand for technical experts
in computer and network security justifies the creation of at
least one Center of Excellence focused on computer and network
security. This Center should be selected through a competitive,
merit-reviewed process and shall provide focus and resources
for the national effort to enhance technical training in
computer and information security in a variety of technical
fields at two-year colleges across the U.S. The Committee also
feels that a number of project grants in computer and network
security should be awarded to build the technical workforce and
to develop a national network of technical training programs in
computer and network security.
Graduate Traineeships in Computer and Network Security Research
Computer security research will not be able to move forward
now or in the future unless universities increase the number of
doctoral students trained in computer and network security or
related areas. To accomplish that, graduate students need to
receive tuition and stipend support, in addition to programs
aimed at augmenting their research training.
The Committee believes that, in this case, the most
effective way to provide this financial and programmatic
support to graduate students is through traineeships.
Traineeships, or grants to institutions of higher education for
the purpose of providing support to graduate students, will
enable institutions to develop focused programs that will
complement and enhance the financial support given to students.
Like other NSF graduate fellowships, the fellowships
available under this section will be available only to U.S.
citizens, U.S. nationals, and legally admitted permanent
resident aliens. However, the Committee recognizes that some
foreign graduate students and post-doctoral students receive
indirect support from NSF, as they are supported by funds from
their research advisor's grants. Given the sensitive nature of
computer and network security research, the Committee strongly
encourages NSF to develop policies and procedures aimed to
protect sensitive or classified information.
Graduate Research Fellowships Program Support
The Committee values the Graduate Research Fellowship
program at the National Science Foundation, which has helped
recruit students to graduate programs in mathematics, science
and engineering. While students pursuing graduate degrees in
computer and network security are already eligible for
fellowship awards under this program, the Committee believes
that an explicit statement of this fact will enhance the
student recruitment effort in computer and network security.
Therefore, the Act instructs the Director to add computer and
network security to the list of fields of specialization
supported by the Graduate Research Fellowship program
established under section 10 of the National Science Foundation
Act of 1950.
Fostering Research and Education in Computer and Network Security
The Committee believes that the lack of a single Federal
agency in a leadership role for research in cyber security is a
factor that has hampered advancement of the field. Therefore,
the Act amends the National Science Foundation Act of 1950 to
charge NSF with a leadership role in fostering and supporting
research and education activities to improve the security of
networked information systems.
National Institute of Standards and Technology Research Program
Section 8 of the bill amends the NIST Act to establish an
extramural research program centered on the security of
computer systems. Awards are authorized for institutions of
higher education that form partnerships with for-profit
entities. The Committee expects that the research agenda of the
program will be informed by the needs of industry and
government.
In managing the research program, the Committee intends
that NIST use the model developed by DARPA for managing its
research programs. Consistent with that model, the bill
specifies that the research program must be managed by program
managers who have expertise in computer security research and
also substantial knowledge of the vulnerabilities of existing
computer systems. Ideal candidates will have a thorough
knowledge of the needs of the user community as well as the
capabilities of the research community that generates the basic
knowledge and innovations needed to fulfill these needs.
The bill requires that program managers be given broad
authority for defining the research goals of their programs,
for identifying and motivating talented researchers to propose
research projects to address the program goals, and for
selecting specific research proposals for funding. Because of
the large influence the program managers will have on the
ultimate success of the research program, the Committee expects
the NIST Director to carefully review the qualifications of
potential program managers and to take advantage of the
Intergovernmental Personnel Act and recruitment of new civil
service employees, as well as current NIST employees, to ensure
that highly qualified individuals are placed in these
positions.
Attracting New Researchers
While research funding is critical to ensuring advances in
computer systems security research, a larger pool of talented
researchers is also required to drive innovation at the
necessary rate. While one way to promote the development and
expansion of an able research community is by providing
opportunities for junior researchers to gain post-doctoral
training while initiating their own careers as independent
investigators, another is to sponsor senior researchers
interested in changing their research focus to problems of
computer systems security. Therefore, the Act authorizes NIST
to establish a program that would provide both post-doctoral
research support to U.S. citizens, nationals, or permanent
resident aliens in computer security research, and support for
senior researchers.
Data Required
The Committee directs NIST to include in the report
required under section 22(e) of the NIST Act, as added by this
bill, data on the numbers of individuals from underrepresented
groups supported by fellowships or research assistantships by
activities authorized by the bill, and a description of the
participation by minority serving institutions in activities
authorized by the bill.
VIII. Cost Estimate
Rule XIII, clause 3(d)(2) of the House of Representatives
requires each committee report accompanying each bill or joint
resolution of a public character to contain: (1) an estimate,
made by such committee, of the costs which would be incurred in
carrying out such bill or joint resolution in the fiscal year
in which it is reported, and in each of the five fiscal years
following such fiscal year (or for the authorized duration of
any program authorized by such bill or joint resolution, if
less than five years); (2) a comparison of the estimate of
costs described in subparagraph (1) of this paragraph made by
such committee with an estimate of such costs made by any
Government agency and submitted to such committee; and (3) when
practicable, a comparison of the total estimated funding level
for the relevant program (or programs) with the appropriate
levels under current law. However, House Rule XIII, clause
3(d)(B) provides that this requirement does not apply when a
cost estimate and comparison prepared by the Director of the
Congressional Budget Office under section 402 of the
Congressional Budget Act of 1974 has been timely submitted
prior to the filing of the report and included in the report
pursuant to House Rule XIII, clause 3(c)(3). A cost estimate
and comparison prepared by the Director of the Congressional
Budget Office under section 402 of the Congressional Budget Act
of 1974 has been timely submitted to the Committee on Science
prior to the filing of this report and is included in Section
IX of this report pursuant to House Rule XIII, clause 3(c)(3).
Rule XIII, clause 3(c)(2) of the House of Representatives
requires each committee report that accompanies a measure
providing new budget authority (other than continuing
appropriations), new spending authority, or new credit
authority, or changes in revenues or tax expenditures to
contain a cost estimate, as required by section 308(a)(1) of
the Congressional Budget Act of 1974 and, when practicable with
respect to estimate of new budget authority, a comparison of
the total estimated funding level for the relevant program (or
programs) to the appropriate levels under current law. H.R.
3394 does not contain any new budget authority, credit
authority, or changes in revenues or tax expenditures. Assuming
that the sums authorized under the bill are appropriated, H.R.
3394 does authorize additional discretionary spending, as
described in the Congressional Budget Office report on the
bill, which is contained in Section IX of this report.
IX. Congressional Budget Office Cost Estimate
U.S. Congress,
Congressional Budget Office,
Washington, DC, December 17, 2001.
Hon. Sherwood L. Boehlert,
Chairman, Committee on Science,
House of Representatives, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for H.R. 3394, the Cyber
Security Research and Development Act.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Kathleen
Gramp.
Sincerely,
Barry B. Anderson, (for Dan L. Crippen,
Director).
Enclosure.
H.R. 3394--Cyber Security Research and Development Act
Summary: H.R. 3394 would authorize appropriations for
several research initiatives related to computer security at
two agencies--the National Science Foundation (NSF) and the
National Institute of Standards and Technology (NIST). The bill
would establish the terms and conditions for awarding grants,
fellowships, cooperative agreements related to computer
security, and would authorize NIST to conduct similar research
at its laboratories. It would authorize the appropriation of
$878 million over the 2002-2007 period for these activities,
and any amounts necessary to continue the fellowships and
cooperative agreements at NIST through 2012. This total would
include funding for the ongoing activities of the Computer
System Security and Privacy Advisory Board and a study by the
National Academy of Sciences on the vulnerability of the
nation's network infrastructure.
Assuming appropriation of the specified amounts, CBO
estimates that implementing this bill would cost $420 million
over the 2002-2006 period. The bill would not affect direct
spending or receipts; therefore, pay-as-you-go procedures would
not apply.
H.R. 3394 contains no intergovernmental or private-sector
mandates as defined in the Unfunded Mandates Reform Act (UMRA)
and would impose no costs on state, local, or tribal
governments.
Estimated cost to the Federal Government: The estimated
budgetary impact of H.R. 3394 is shown in the following table.
The costs of this legislation fall within budget functions 250
(general science, space, and technology) and 376 (commerce and
housing credit). For this estimate, CBO assumes that funds will
be appropriated near the beginning of each fiscal year and that
outlays will occur at rates similar to those for other research
programs at NSF and NIST.
----------------------------------------------------------------------------------------------------------------
                                                            By fiscal year, in millions of dollars--
                                                      --------------------------------------------
                                                        2002     2003     2004     2005     2006
----------------------------------------------------------------------------------------------------------------
                                  CHANGES IN SPENDING SUBJECT TO APPROPRIATION
Authorization level..................................      1      105      152      184      206
Estimated outlays....................................      1       30       85      134      170
----------------------------------------------------------------------------------------------------------------
Pay-as-you-go considerations: None.
Estimated impact on State, local, and tribal governments:
H.R. 3394 contains no intergovernmental mandates as defined in
UMRA and would impose no costs on state, local, or tribal
governments. The bill would benefit state governments by
authorizing the appropriation of $878 million, much of which would be
for grant programs to institutions of higher education
(including public universities) to develop programs to improve
the security of computer networks.
Estimated impact on the private sector: This bill contains
no new private-sector mandates as defined in UMRA.
Estimate prepared by: Federal costs: Kathleen Gramp
(National Science Foundation) and Ken Johnson (NIST); impact on
State, local, and tribal governments: Elyse Goldman; impact on
the private sector: Jean Talarico.
Estimate approved by: Peter H. Fontaine, Deputy Assistant
Director for Budget Analysis.
X. Compliance With Public Law 104-4
H.R. 3394 contains no unfunded mandates.
XI. Committee Oversight Findings and Recommendations
Rule XIII, clause 3(c)(1) of the House of Representatives
requires each committee report to include oversight findings
and recommendations required pursuant to clause 2(b)(1) of rule
X. The Committee on Science's oversight findings and
recommendations are reflected in the body of this report.
XII. Constitutional Authority Statement
Rule XII, clause 3(d)(1) of the House of Representatives
requires each report of a committee on a bill or joint
resolution of a public character to include a statement citing
the specific powers granted to the Congress in the Constitution
to enact the law proposed by the bill or joint resolution.
Article I, section 8 of the Constitution of the United States
grants Congress the authority to enact H.R. 3394.
XIII. Federal Advisory Committee Statement
H.R. 3394 does not establish nor authorize the
establishment of any advisory committee.
XIV. Congressional Accountability Act
The Committee finds that H.R. 3394 does not relate to the
terms and conditions of employment or access to public services
or accommodations within the meaning of section 102(b)(3) of
the Congressional Accountability Act (Public Law 104-1).
XV. Statement on Preemption of State, Local, or Tribal Law
This bill is not intended to preempt any state, local, or
tribal law.
XVI. Changes in Existing Law Made by the Bill, as Reported
In compliance with clause 3(e) of rule XIII of the Rules of
the House of Representatives, changes in existing law made by
the bill, as reported, are shown as follows (existing law
proposed to be omitted is enclosed in black brackets, new
matter is printed in italic, existing law in which no change is
proposed is shown in roman):
SECTION 3 OF THE NATIONAL SCIENCE FOUNDATION ACT OF 1950
* * * * * * *
FUNCTIONS OF THE FOUNDATION
Sec. 3. (a) The Foundation is authorized and directed--
(1) * * *
* * * * * * *
(6) to provide a central clearinghouse for the
collection, interpretation, and analysis of data on
scientific and engineering and to provide a source of
information for policy formulation by other agencies of
the Federal Government; [and]
(7) to initiate and maintain a program for the
determination of the total amount of money for
scientific and engineering research, including money
allocated for the construction of the facilities
wherein such research is conducted, received by each
educational institution and appropriate nonprofit
organization in the United States, by grant, contract,
or other arrangement from agencies of the Federal
Government, and to report annually thereon to the
President and the Congress[.]; and
(8) to take a leading role in fostering and
supporting research and education activities to improve
the security of networked information systems.
* * * * * * *
----------
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY ACT
* * * * * * *
Sec. 20. (a) * * *
* * * * * * *
(d) As part of the research activities conducted in
accordance with subsection (b)(4), the Institute shall--
(1) conduct a research program to address emerging
technologies associated with assembling a networked
computer system from components while ensuring it
maintains desired security properties;
(2) carry out research and support standards
development activities associated with improving the
security of real-time computing and communications
systems for use in process control; and
(3) carry out multidisciplinary, long-term, high-risk
research on ways to improve the security of computer
systems.
[(d)] (e) As used in this section--
(1) the term ``computer system''--
(A) * * *
(B) includes--
(i) computers and computer networks;
* * * * * * *
(f) There are authorized to be appropriated to the Secretary
$1,060,000 for fiscal year 2003 and $1,090,000 for fiscal year
2004 to enable the Computer System Security and Privacy
Advisory Board, established by section 21, to identify emerging
issues, including research needs, related to computer security,
privacy, and cryptography and, as appropriate, to convene
public meetings on those subjects, receive presentations, and
publish reports, digests, and summaries for public distribution
on those subjects.
* * * * * * *
RESEARCH PROGRAM ON SECURITY OF COMPUTER SYSTEMS
Sec. 22. (a) Establishment.--The Director shall establish a
program of assistance to institutions of higher education that
enter into partnerships with for-profit entities to support
research to improve the security of computer systems. The
partnerships may also include government laboratories. The
program shall--
(1) include multidisciplinary, long-term, high-risk
research;
(2) include research directed toward addressing needs
identified through the activities of the Computer
System Security and Privacy Advisory Board under
section 20(f); and
(3) promote the development of a robust research
community working at the leading edge of knowledge in
subject areas relevant to the security of computer
systems by providing support for graduate students,
post-doctoral researchers, and senior researchers.
(b) Fellowships.--(1) The Director is authorized to establish
a program to award post-doctoral research fellowships to
individuals who are citizens, nationals, or lawfully admitted
permanent resident aliens of the United States and are seeking
research positions at institutions, including the Institute,
engaged in research activities related to the security of
computer systems, including the research areas described in
section 4(a)(1) of the Cyber Security Research and Development
Act.
(2) The Director is authorized to establish a program to
award senior research fellowships to individuals seeking
research positions at institutions, including the Institute,
engaged in research activities related to the security of
computer systems, including the research areas described in
section 4(a)(1) of the Cyber Security Research and Development
Act. Senior research fellowships shall be made available for
established researchers at institutions of higher education who
seek to change research fields and pursue studies related to
the security of computer systems.
(3)(A) To be eligible for an award under this subsection, an
individual shall submit an application to the Director at such
time, in such manner, and containing such information as the
Director may require.
(B) Under this subsection, the Director is authorized to
provide stipends for post-doctoral research fellowships at the
level of the Institute's Post Doctoral Research Fellowship
Program and senior research fellowships at levels consistent
with support for a faculty member in a sabbatical position.
(c) Awards; Applications.--The Director is authorized to
award grants or cooperative agreements to institutions of
higher education to carry out the program established under
subsection (a). To be eligible for an award under this section,
an institution of higher education shall submit an application
to the Director at such time, in such manner, and containing
such information as the Director may require. The application
shall include, at a minimum, a description of--
(1) the number of graduate students anticipated to
participate in the research project and the level of
support to be provided to each;
(2) the number of post-doctoral research positions
included under the research project and the level of
support to be provided to each;
(3) the number of individuals, if any, intending to
change research fields and pursue studies related to
the security of computer systems to be included under
the research project and the level of support to be
provided to each; and
(4) how the for-profit entities and any other
partners will participate in developing and carrying
out the research and education agenda of the
partnership.
(d) Program Operation.--(1) The program established under
subsection (a) shall be managed by individuals who shall have
both expertise in research related to the security of computer
systems and knowledge of the vulnerabilities of existing
computer systems. The Director shall designate such individuals
as program managers.
(2) Program managers designated under paragraph (1) may be
new or existing employees of the Institute or individuals on
assignment at the Institute under the Intergovernmental
Personnel Act of 1970.
(3) Program managers designated under paragraph (1) shall be
responsible for--
(A) establishing and publicizing the broad research
goals for the program;
(B) soliciting applications for specific research
projects to address the goals developed under
subparagraph (A);
(C) selecting research projects for support under the
program from among applications submitted to the
Institute, following consideration of--
(i) the novelty and scientific and technical
merit of the proposed projects;
(ii) the demonstrated capabilities of the
individual or individuals submitting the
applications to successfully carry out the
proposed research;
(iii) the impact the proposed projects will
have on increasing the number of computer
security researchers;
(iv) the nature of the participation by for-
profit entities and the extent to which the
proposed projects address the concerns of
industry; and
(v) other criteria determined by the
Director, based on information specified for
inclusion in applications under subsection (c);
and
(D) monitoring the progress of research projects
supported under the program.
(e) Review of Program.--(1) The Director shall periodically
review the portfolio of research awards monitored by each
program manager designated in accordance with subsection (d).
In conducting those reviews, the Director shall seek the advice
of the Computer System Security and Privacy Advisory Board,
established under section 21, on the appropriateness of the
research goals and on the quality and utility of research
projects managed by program managers in accordance with
subsection (d).
(2) The Director shall also contract with the National
Research Council for a comprehensive review of the program
established under subsection (a) during the 5th year of the
program. Such review shall include an assessment of the
scientific quality of the research conducted, the relevance of
the research results obtained to the goals of the program
established under subsection (d)(3)(A), and the progress of the
program in promoting the development of a substantial academic
research community working at the leading edge of knowledge in
the field. The Director shall submit to Congress a report on
the results of the review under this paragraph no later than
six years after the initiation of the program.
(f) Definitions.--For purposes of this section--
(1) the term ``computer system'' has the meaning
given that term in section 20(d)(1); and
(2) the term ``institution of higher education'' has
the meaning given that term in section 101 of the
Higher Education Act of 1965 (20 U.S.C. 1001).
* * * * * * *
Sec. [22] 32. Appropriations to carry out the provisions of
this Act may remain available for obligation and expenditure
for such period or periods as may be specified in the Acts
making such appropriations.
XVII. Committee Recommendations
On December 6, 2001, a quorum being present, the Committee
on Science favorably reported the Cyber Security Research and
Development Act, by a voice vote, and recommends its enactment.
XVIII. Statement of General Performance Goals and Objectives
Pursuant to clause (3)(c) of House rule XIII, the goals of
H.R. 3394 are (1) to increase the amount of innovative basic
cyber security research being supported by the Federal
Government; (2) to increase the number of world class
researchers conducting cyber security research in the United
States; (3) build new partnerships between industry, academia,
and Federal agencies and laboratories; and (4) increase the
number and quality of undergraduate and graduate students
preparing for careers in information assurance research,
development, and implementation.
XIX. Exchange of Committee Correspondence
House of Representatives,
Committee on Science,
Washington, DC, January 28, 2002.
Hon. John Boehner,
Chairman, Committee on Education and The Workforce, House of
Representatives, Washington, DC.
Dear Chairman Boehner: Thank you for your letter regarding
the Education and the Workforce Committee's jurisdictional
interest in H.R. 3394, the Cyber Security Research and
Development Act.
I acknowledge your committee's jurisdiction over portions
of H.R. 3394 and appreciate your cooperation in moving the bill
to the House floor expeditiously. I concur that your decision
to forego further action on the bill will not prejudice the
Education and Workforce Committee with respect to its
jurisdictional prerogatives on H.R. 3394 or on similar or
related legislation. Should a conference occur on H.R. 3394 or
similar legislation, the Committee on Science will support your
request to have conferees on this or similar legislation that
falls within your Committee's jurisdiction. I will include a
copy of your letter and this response in the Committee's report
on the bill as well as in the Congressional Record when the
House considers the legislation.
Once again, thank you for your cooperation in this matter.
Sincerely,
Sherwood L. Boehlert,
Chairman.
------
Committee on Education
and the Workforce,
Washington, DC, January 28, 2002.
Hon. Sherwood L. Boehlert,
Chairman, Committee on Science,
Rayburn HOB, Washington, DC.
Dear Chairman Boehlert: Thank you for working with me
regarding H.R. 3394, the ``Cyber Security Research and
Development Act'', which was referred to the Committee on
Science and in addition the Committee on Education and the
Workforce, and ordered favorably reported by your Committee on
December 6, 2001. I understand your desire to have this
legislation considered expeditiously by the House; hence, I do
not intend to hold a hearing or markup on this legislation.
In agreeing to waive consideration by our Committee, I
would expect you to agree that this procedural route should not
be construed to prejudice the Committee on Education and the
Workforce's jurisdictional interest and prerogatives on this or
any similar legislation and will not be considered as precedent
for consideration of matters of jurisdictional interest to my
Committee in the future. I would also expect your support in my
request to the Speaker for the appointment of conferees from my
Committee with respect to matters within the jurisdiction of my
Committee should a conference with the Senate be convened on
this or similar legislation.
I would appreciate your including our exchange of letters
in your Committee's report to accompany H.R. 3394, which I
understand you intend to file this week. Again, I thank you for
working with me in developing this legislation and I look
forward to working with you on these issues in the future.
Sincerely,
John Boehner,
Chairman.
XX. Proceedings of Full Committee Markup
PROCEEDINGS OF THE FULL COMMITTEE MARKUP ON H.R. 3394, CYBER SECURITY
RESEARCH AND DEVELOPMENT ACT, DECEMBER 6, 2001
The committee met, pursuant to call, at 11:10 a.m., in room
2318 of the Rayburn House Office Building, Hon. Sherwood L.
Boehlert (chairman of the committee) presiding.
Chairman Boehlert. Good morning. The Committee on Science
will be in order. Pursuant to notice, the Committee on Science
is meeting today to consider the following measures, H.R. 3394,
the Cyber Security Research and Development Act, and H.R. 3400,
the Networking and Information Technology Research Advancement
Act. I ask unanimous consent for the authority to recess the
Committee at any point and, without objection, so ordered.
This morning we will mark up two important bills to boost
our Nation's efforts in information technology. The first bill,
H.R. 3394, which I introduced with my partner, Mr. Hall,
creates new research programs to improve cyber security. The
second bill, H.R. 3400, introduced by Research Subcommittee
Chairman Nick Smith and Ranking Member Eddie Bernice Johnson,
will augment and improve our existing interagency programs in
networking and information technology.
Both bills have the hallmarks of Science Committee
legislation. They promote targeted solutions to real problems
that were raised by expert witnesses at Committee hearings.
They are designed to solve problems over the long-run, not just
temporarily; and they are bipartisan. Indeed, the majority and
minority staffs of the Committee worked together on these bills
from day one.
Let me say a bit more about H.R. 3394, the Cyber Security
Research and Development Act, and Mr. Smith will discuss H.R.
3400 in detail when we take it up at a later time.
As I have pointed out repeatedly in recent weeks, the cyber
security threat is real and potentially devastating. Experts
from industry, government, and academia have told us that we
simply do not have enough people conducting enough promising
research on how to protect our computers and networks. And no
federal agency is charged with solving that problem.
H.R. 3394 attacks those concerns head on. It creates new
programs at the National Science Foundation and the National
Institute of Standards and Technology to draw new researchers
into the cyber security field, to promote incentives to conduct
more creative research, and to encourage undergraduates,
graduate students, and post-docs to study cyber security.
Right now, it's hard even to come up with a figure for how
much the Federal Government is devoting to cyber security
research, but the number is believed to be in the range of $60
million, a pittance, really, considering the risk. This bill
authorizes almost $800 million over 5 years to build a cadre of
researchers and to set them to work on the problem.
We hope to move this bill to the Floor early next year, and
we are working with the Senate to develop a companion measure.
This Committee must continue to lead the way in developing long-
term solutions to the problems that have come to the forefront since
September 11.
The Chair recognizes distinguished Ranking Member, Mr. Hall
of Texas.
[Statement of Mr. Boehlert follows:]
Opening Statement of Hon. Sherwood Boehlert
This morning we will mark up two important bills to boost
our nation's efforts in information technology. The first bill,
H.R. 3394, which I introduced with Mr. Hall, creates new
research programs to improve cybersecurity. The second, H.R.
3400, introduced by Research Subcommittee Chairman Nick Smith
and Ranking Member Eddie Bernice Johnson, will augment and
improve our existing interagency program in networking and
information technology.
Both bills have the hallmarks of Science Committee
legislation--they promote targeted solutions to real problems
that were raised by expert witnesses at Committee hearings;
they are designed to solve problems over the long-run, not just
temporarily; and they are bipartisan. Indeed, the majority and
minority staffs of the Committee worked together on these bills
from day one.
Let me say a bit more about H.R. 3394, the ``Cyber Security
Research and Development Act,'' and Mr. Smith will discuss H.R.
3400 in detail when we take it up a little later.
As I've pointed out repeatedly in recent weeks, the
cybersecurity threat is real and potentially devastating.
Experts from industry, government and academia have told us
that we simply do not have enough people conducting promising
research on how to protect our computers and networks. And no
federal agency is charged with solving that problem.
H.R. 3394 attacks those concerns head on. It creates new
programs at the National Science Foundation and the National
Institute of Standards and Technology to draw new researchers
into the cyber security field, to provide incentives to conduct
more creative research, and to encourage undergraduates,
graduate students and post-docs to study cybersecurity.
Right now, it's hard even to come up with a figure for how
much the federal government is devoting to cybersecurity
research, but the number is believed to be in the range of $60
million--a pittance, really, considering the risk. This bill
authorizes almost $800 million over five years to build a cadre
of researchers and set them to work on the problem.
We hope to move this bill to the floor early next year, and
we are working with the Senate to develop a companion measure.
This Committee must continue to lead the way in developing
long-term solutions to the problems that have come to the fore
since September 11th.
Mr. Hall. Mr. Chairman, thank you. And, of course, this
bill just hopefully paves the way for better computer security.
And when you say that, you have just about said everything you
can say for the bill, and you covered it very well. As the
Committee knows, in the past few years, computer virus attacks
by the computer hackers and electronic identification theft
have become more common, and the events this fall makes us
realize how vulnerable we are.
We have had recent testimony before the Science Committee.
These are too few scientists and too few engineers engaged in
research on information security and too little funding for the
security research, as you have pointed out.
H.R. 3394 simply establishes substantial new research
programs at the National Science Foundation and the National
Institute of Standards and Technology. And these programs will
support graduate students, postdoctoral researchers, senior
researchers, while encouraging stronger ties between
universities and industry.
And the provisions pertaining to the thrust of these bills
were first developed by Representative Baird and are contained
in H.R. 3316, which is the bill he introduced a few weeks ago.
I think that is very important and this Chairman and this
Committee has given a lot of credence to that. I want to thank
Congressman Baird for his important contribution to the
legislation.
Mr. Chairman, if I could, I would like to yield to him for
any comments he wishes to make, limited down to my 15 minutes.
[Statement of Mr. Hall follows:]
Opening Statement of Hon. Ralph M. Hall
The Cyber Security Research and Development Act, H.R. 3394,
which Chairman Boehlert and I recently introduced, fills an
important gap in current information technology research
programs--namely, the need for better computer security.
In the past few years, computer viruses, attacks by
computer hackers, and electronic identification theft have
become more common. The events of this fall have made us
realize just how vulnerable we are to attack and have
underscored the need to enhance the protection of the Nation's
physical and electronic infrastructure.
Recent testimony before the Science Committee highlighted
an obstacle to achieving this goal. Currently there are too few
scientists and engineers engaged in research on information
security and too little funding for security research, and as
federal agencies and private industry have found, there are few
people with specialized computer security skills.
H.R. 3394 establishes substantial new research programs at
the National Science Foundation and the National Institute of
Standards and Technology. Programs at both agencies are multi-
year and will increase the community of computer security
researchers.
These programs will support graduate students, post-
doctoral researchers and senior researchers, while encouraging
stronger ties between universities and industry. This industry
linkage will provide a reality check for the research
priorities and will facilitate transfer of research results
into new products and services.
The provisions pertaining to NIST were first developed by
Rep. Baird and are contained in H.R. 3316, a bill he introduced
a few weeks ago. I want to thank Congressman Baird for his
important contribution to this legislation, and yield to him
for any comments he wishes to make on the bill.
Chairman Boehlert. Without objection, go to.
Mr. Baird. Mr. Chairman, and, Ranking Member, thank you
very much. I want to thank you for your leadership on this
important issue. Certainly coming from the great State of
Washington where technology is so important to our economy, we
know these issues well. And I want to emphasize that this is
not just about an economic issue. It is actually about saving
human lives with our air traffic control system, emergency
medical response, water production, et cetera, all governed and
communicated through information technology. Making sure that
technology and the infrastructure is secure is not just an
economic good policy; it is about saving lives.
And I commend you for your leadership. Providing
researchers and trained graduate students who can conduct
research into this area is absolutely critical today and for
the long-term viability of our economy. And I am privileged to
be part of this. And thank you for including my statement.
Chairman Boehlert. Thank you very much, Mr. Baird. Without
objection, all additional member opening statements will be
placed in the record at this point.
[Statement of Mr. Smith of Michigan follows:]
Opening Statement of Hon. Congressman Nick Smith
Thank you, Mr. Chairman, for holding this markup today on
two pieces of legislation that will significantly revamp our
information technology and computer security research efforts.
In keeping with the spirit of this Committee, I think we have
put together two truly bipartisan bills that will provide guidance
and funding for important federal research and development
challenges.
I am pleased to be the sponsor of one of these bills along
with my friend and colleague Congresswoman Johnson of Texas.
Our bill, H.R. 3400, the Networking and Information Technology
Research and Advancement Act (NITRA), will update and re-
authorize federally funded basic research in information
technology. The bill authorizes a multi-agency research
initiative that will ensure that America stays at the cutting
edge of new information technologies that stimulate economic
growth, stimulate further scientific advancements, and make all
of our lives better.
Additionally, I am proud to be a cosponsor of H.R. 3394,
the Cybersecurity Research and Development Act, which will
establish a research plan among several agencies to shore up
the security of our computer systems. While much attention has
been focused on other, more tangible forms of terrorism, we
must not overlook the national security threat posed to our
computer systems. In this age where we are increasingly
dependent on computers for daily activities, the need for
computer security cannot be understated. H.R. 3394 devotes
significant resources to respond to these threats.
I urge members to support both of these bills that will
strengthen our research efforts to foster innovation, continued
economic growth, and improve our national security from the
very real threat of cyberterrorism. I am looking forward to
this markup, and I am hopeful that we can pass these bills
through committee and move ahead with floor preparation as
expeditiously as possible.
[Statement of Ms. Eddie Bernice Johnson follows:]
Opening Statement of Hon. Eddie Bernice Johnson
Mr. Speaker, I understand and support the Cyber Security
Research and Development Act's aim to support research and
education activities associated with increasing network and
computer security.
The events over the last few months have given America more
reasons to establish and sustain research programs to stimulate
the development of vigorous research enterprise in network and
computer security. Also, the events have provided us with
another opportunity to reevaluate our society and to appreciate
the wealth of diversity in our nation.
However, this legislation can provide an opportunity, which
the language of the bill does not address. We can use this
legislation to reiterate our commitment to diversity by
providing an opportunity for us to ensure that everyone is
provided the tools to succeed.
For this reason, I would like the opportunity to work with
the Majority, before this bill goes to the House floor for a
vote. My aim is to place language within H.R. 3394 that will
encourage participation from individuals of traditionally
underrepresented groups and minority serving institutions.
So often these individuals and institutions are unable to
participate in the kinds of opportunities that this legislation
will provide. I believe that we must make a valiant effort to
include them as we have done in several pieces of legislation
this committee has passed this session.
I have provided the Majority staff with the changes I am
proposing and look forward to working with you in our endless
efforts to ensure opportunity to all.
[Statement of Mr. Forbes follows:]
Opening Statement of Hon. J. Randy Forbes
Mr. Chairman, I would like to express my strong support
both for the Networking and Information Technology Research
Advancement Act, as well as the Cyber Security Research and
Development Act. As a cosponsor of both pieces of legislation,
I appreciate my colleagues' efforts to coordinate our national
response to the very serious threat of cyber terrorism.
Though it won't bring the death and destruction of
biological or chemical weapons, cyber terrorism holds the power
to disrupt our way of life, harm people's personal interests,
and cause tremendous losses for businesses. Both bills before
us are necessary for updating our national ability to thwart
terrorist plots to disrupt our economy and do harm to our way
of life using our own computer networks. As we heard from
various witnesses who have come before this Committee over the
past several months, we have bright and innovative minds in this
nation, but they need direction and coordination to maximize
their efforts to find ways to prevent cyber terrorist attacks
and ameliorate their consequences.
The bills before us today will coordinate the various
research and development efforts that currently exist and
increase the overall federal contribution for them. In
addition, they will revise the rules under which federal
dollars operate to give our science and technology experts the
ability to think outside the box. Our enemies use their evil
cunning as a weapon. We should not be restricted in our
thinking to defeat their efforts.
Mr. Chairman, I appreciate your bringing these bills to our
Committee so quickly. I am hopeful that they will get such
prompt treatment by the Congress as a whole so that we can
begin to implement this coordinated policy. Thank you.
Chairman Boehlert. We will now consider H.R. 3394, the
Cyber Security Research and Development Act. I ask unanimous
consent that the bill be considered as read and open to
amendment at any point. And I ask the members to proceed with
the amendments in the order on the roster. And since we don't
have a roster, I will ask, are there any amendments? Mr.
Matheson.
Mr. Matheson. I have none.
Chairman Boehlert. Okay. Okay. All right. Yes. Who do--do I
see a hand? Ms. Johnson.
Ms. Johnson. Thank you, Mr. Chairman. I want to express my
appreciation, and I have an amendment at the desk and would
like to ask for that consideration. I have been in contact with
the staff. And all it does is simply request the research
dollars to keep in mind the Historically Black Universities
and--Colleges and Universities, as well as the Hispanic Serving
Colleges and Universities, as the money is distributed. And I
would be happy to work with you and the staff with----
Chairman Boehlert. And I will look forward to working with
you. This is a cause near and dear to your heart and to mine
also. So we will work cooperatively and do something for the
Floor.
Ms. Johnson. Thank you very much, Mr. Chairman.
Chairman Boehlert. Anyone else seek recognition? Any
further discussion? If no, the vote occurs on the bill. Okay. I
reported--we haven't got--I am just trying to count for
numbers. You are worth two, Jim. All right. We are just 23, 24.
We are getting there.
Mr. Matheson. Okay.
Chairman Boehlert. Do I hear 25? Are we all set? Yeah. Here
we are. Since there are no further discussion, no further
amendments, the vote occurs on the bill. All in favor, say aye.
Noes? The ayes have it. Without objection, the bill is ordered
reported.
Mr. Hall. Mr. Chairman----
Chairman Boehlert. Yes, sir.
Mr. Hall. Mr. Chairman----
Chairman Boehlert. Mr. Hall.
Mr. Hall. I move that the Committee favorably report H.R.
3394 to the House with the recommendation that the bill do
pass. Furthermore, I move the staff be instructed to prepare
the legislative report and make the necessary and technical and
conforming changes, and that the Chairman take all necessary
steps to bring the bill before the House for consideration. I
yield back my time.
Chairman Boehlert. All right. The Chair notes the presence
of a reporting quorum. The question is on the motion to report
the bill favorably. Those in favor of the motion will signify by
saying aye. Opposed, no. The ayes appear to have it. The bill is
favorably reported. Without objection, the motion to reconsider is
laid upon the table. I move that members have 2 subsequent calendar
days in which to submit supplemental, minority, or additional views
on the measure. Without objection, so ordered.
I move, pursuant to Clause 1 of the Rule 22 of the House--
Rules of the House of Representatives, that the Committee
authorize the Chairman to offer such motions as may be
necessary in the House to go to conference with the Senate on
the bill H.R. 3394, or a similar Senate bill. Without
objection, so ordered.
[H.R. 3394 follows:]
[The information follows:]
H.R. 3394--The Cyber Security Research and Development Act, Introduced
by Mr. Boehlert, Mr. Hall (TX), Mr. Smith (TX), Mr. Baird, Mr. Smith
(MI), and Ms. Eddie Bernice Johnson (TX)
SECTION-BY-SECTION SUMMARY
Sec. 1. Short title
``Cyber Security Research and Development Act''
Sec. 2. Findings
Discuss the interdependent nature of critical infrastructures
brought about by advancements in computing and communications
technology; the increased consequences of failure of communications and
other critical services caused by exponential increases in
interconnectivity; the nation's lack of preparedness for a coordinated
cyber and physical attack; the lack of sufficient long-term research
funding and the shortage of outstanding researchers in the field of
cyber security; and the lack of coordination among government,
academia, and industry for computer security; and the need to
significantly increase the Federal investment in computer and network
security research and development.
Sec. 3. Definitions
Defines the term `Director' as the Director of the National Science
Foundation (NSF) (Note that where the term `Director' is used in
section 8 it refers to the Director of the National Institute for
Standards and Technology (NIST)). Uses the definition for `institution
of higher education' found in the Higher Education Act of 1965.
Sec. 4. National Science Foundation research
(a) Establishes an NSF program to award merit-based grants for
basic research on innovative approaches to enhance computer security.
Research areas for which grants can be used include authentication and
cryptography, computer forensics and intrusion detection, reliability
of computer and network applications, and privacy. Authorizes
appropriations of $35 million for FY 2003, $40 million for FY 2004, $46
million for 2005, $52 million for FY 2006, and $60,000 for FY 2007.
(b) Establishes an NSF program to award multi-year grants to
institutions of higher education (or consortia thereof) to establish
multidisciplinary Centers for Computer and Network Security Research.
Consortia applying for grants may partner with one or more government
laboratories or for-profit institutions. Applications for Center grants
are to be reviewed on the basis of criteria that include: the ability
of the institution (or consortium) to generate innovative approaches to
computer and network security research; the applicant's support for
students pursuing research in computer and network security; and the
extent to which government laboratories or industry partners will
participate in the Center's research activities. Requires the Director
to convene an annual meeting of Centers to foster greater collaboration
and communication. Authorizes appropriations of $12 million for FY
2003, $24 million for FY 2004, $36 million for FY 2005, and $36 million
for FY 2006 and FY 2007.
Sec. 5. National Science Foundation computer and network security
programs
(a) Establishes a competitive, merit-based NSF program to award
grants to institutions of higher education (or consortia thereof) to
create or improve undergraduate and master's degree programs in
computer security. Grants can be used for uses that include curriculum
development, equipment acquisition, faculty enhancement, and the
establishment of a student internship program in government or
industry. Requires applicants to describe the plan for building
increased capacity in computer and network security, to articulate the
roles and responsibilities of each partnering institution or
collaborative group, and to provide evidence of high potential for
success in educating and placing students in relevant jobs or graduate
programs. Instructs the Director to evaluate the impact of the program
on increasing the quality and quantity of computer and network security
professionals. Authorizes $15 million for FY 2003 and $20 million for
each of fiscal years 2004-2007.
(b) Expands NSF's existing program for community colleges
(established by the Scientific and Advanced Technology Act of 1992) to
include grants to improve education in fields related to computer and
network security. Authorizes $1 million for FY 2003 and $1.25 million
for each of fiscal years 2004-2007.
(c) Establishes a competitive, merit-based NSF program to award
grants to institutions of higher education to establish programs for
students pursuing studies in computer and network security research
leading to a doctorate degree. Grant funds are to be used to support
student fellowships of at least $25,000 per year, to pay student
tuition and fees, and to support students in scientific internship
programs. Authorizes appropriations of $10 million for FY 2003, and $20
million for each fiscal year 2004-2007.
(d) Directs NSF to include computer and network security as an
approved field of specialization under its current Graduate Research
Fellowships program.
Sec. 6. Consultation
Requires the NSF Director to consult with other Federal agencies in
carrying out the programs described in Sections 4 and 5.
Sec. 7. Fostering research and education in computer and network
security
Amends the National Science Foundation Act of 1950 to require NSF
to take a leading role in fostering and supporting research and
education in computer and network security.
Sec. 8. National Institute of Standards and Technology Research Program
Amends the National Institute of Standards and Technology Act to
establish a program that provides assistance to institutions of higher
education that partner with for-profit entities to support
multidisciplinary, long-term, high-risk research to improve the
security of computer systems. Partnerships may also include government
laboratories. Authorizes the Director to award research fellowships to
post-doctoral researchers engaged in computer security research and to
senior researchers who wish to transition from other research fields to
computer security research. Instructs the NIST Director to select
Program Managers who are responsible for establishing the research
goals for the program, soliciting applications for specific research
projects to address these goals, and selecting research projects for
funding. Calls for the NIST Director to periodically review the
portfolio of research awards in consultation with NIST's existing
Computer System Security and Privacy Advisory Board. Also instructs the
Director to contract with the National Academy of Sciences to conduct a
formal review of the program and to submit a report of this review to
Congress.
Sec. 9. Computer security review, public meetings, and information
Authorizes funding ($1,060,000 for FY 2003 and $1,090,000 for FY
2004) to enable NIST's Computer System Security and Privacy Advisory
Board to identify emerging issues, including research needs related to
computer security, privacy, and cryptography and, as appropriate, to
convene public meetings on those subjects, receive presentations, and
generate reports for public distribution.
Sec. 10. Intramural security research
Amends the National Institute of Standards and Technology Act to
authorize NIST to pursue, as part of the agency's in-house research
program, research related to computer security including the
development of emerging technologies to ensure security of networked
systems assembled from components, improved security of real-time
computing and communications systems used in industrial and critical
infrastructure operations, and improved security of computer systems.
Sec. 11. Authorization of appropriations
Authorizes appropriations for sections 8 and 10 of the bill. For
the research programs in section 8, provides $25 million for FY 2003,
$40 million for FY 2004, $55 million for FY 2005, $70 million for FY
2006, $85 million for FY 2007, and such sums as may be necessary for
fiscal years 2008 through 2012. Authorizes appropriations for section
10 at $6 million for FY 2003, $6.2 million for FY 2004, $6.4 million
for FY 2005, $6.6 million for FY 2006, and $6.8 million for FY 2007.
Sec. 12. National Academy of Sciences study on computer and network
security in critical infrastructures
Authorizes the Director of NIST to enter into an agreement with the
National Research Council (NRC) of the National Academy of Sciences to
conduct a study of the vulnerabilities of the Nation's critical
infrastructure networks and make recommendations for appropriate
improvements. The study requires the NRC to review existing data to
identify gaps in the security of critical infrastructure networks, make
recommendations for research priorities to address these gaps, and
review the security of network-related infrastructure including
industrial process controls. A report of the study results is to be
submitted to Congress. Authorizes $700,000 for the purpose of carrying
out the study.
________
Summary of H.R. 3394--The Cyber Security Research and Development Act--
Introduced by Mr. Boehlert, Mr. Hall (TX), Mr. Smith (TX), Mr. Baird,
Mr. Smith (MI) and Ms. Eddie Bernice Johnson (TX)
The Committee on Science held two full committee hearings devoted
to research and development needs related to cyber security. These
hearings offered a sobering view of the security of our nation's
critical infrastructures and highlighted the lack of world-class
research being conducted to address these cyber security needs. Four
challenges emerged from these hearings that demand an immediate and
sustained response:
Too little cyber security research is being conducted and
the research that is funded is incremental and unlikely to lead to the
development of breakthrough approaches to cyber security.
There is inadequate coordination between government,
academia, and industry and no Federal agency has stepped forward to
take the lead in supporting cyber security research.
Too few researchers are prepared to meet our current and
projected cyber security research needs.
Too few undergraduate and graduate students are pursuing
studies in cyber security related fields.
The Cyber Security Research and Development Act responds to these
challenges. It creates important new research programs at the National
Science Foundation (NSF) and the National Institute of Standards and
Technology (NIST). Building upon NSF's proven capacity to mobilize the
academic research community, the Act authorizes NSF to create new
academic centers and fellowships to stimulate innovative thinking about
cyber security. Building upon NIST's proven ability to work with
industry, the Act authorizes NIST to initiate a new research grant
program that strengthens the interaction between government, academia,
and industry.
Funding for NSF is provided for competitive, peer-reviewed grant
programs, including:
$233 million over five years for a program providing
grants to researchers for the pursuit of particularly innovative
computer and network security basic research.
$144 million over five years to fund multi-year grants to
colleges and universities to establish multidisciplinary Centers for
Computer and Network Security Research, alone or in partnership with
other universities or with businesses and government laboratories.
$95 million over five years for the award of grants to
colleges and universities to improve undergraduate and master's degree
programs including through the creation of internship programs and new
courses.
$6 million over five years to make grants to community
colleges in order to enhance their ability to contribute to the supply
of computer and network security technicians.
$90 million over five years to establish a competitive
grant program that will enable colleges and universities to offer
fellowships, research opportunities in industry, and other educational
opportunities to students pursuing doctoral degrees in computer and
network security.
The Act authorizes NIST to use an administrative model that has
been successfully implemented at the Defense Advanced Research Projects
Agency. The Act authorizes NIST to invest talented project managers
with broad latitude to establish cyber security research objectives and
to solicit and award proposals. This structure shortens the approval
time for research proposals and allows the project manager to move
quickly to invest in promising new ideas.
The funding for NIST includes:
$275 million over five years for a grant program to
support high-risk, cutting-edge research by academic researchers who
are working with industry.
Establishes research fellowships to increase the number of
researchers engaged in computer and network security research.
$32 million over five years for an in-house research
program in computer and network security.
Finally, the bill requires a National Academy of Sciences study and
report to Congress on the nation's critical infrastructure
vulnerabilities.
CYBER SECURITY RESEARCH AND DEVELOPMENT ACT YEARLY AUTHORIZATION OF APPROPRIATIONS
[In millions of dollars]
----------------------------------------------------------------------------------------------------------------
Program                                                               FY2003  FY2004  FY2005  FY2006  FY2007   Total
----------------------------------------------------------------------------------------------------------------
Section 4 National Science Foundation Research:
  Computer and Network Security Research Grants.....................  35      40      46      52      60      233
  Computer and Network Security Research Centers....................  12      24      36      36      36      144
Section 5 National Science Foundation Computer and Network Security
Programs:
  Computer and Network Security Capacity Building Grants............  15      20      20      20      20       95
  Scientific and Advanced Technology Act of 1992....................   1       1.25    1.25    1.25    1.25     6
  Graduate Traineeships in Computer and Network Security Research...  10      20      20      20      20       90
Section 6. Fostering Research and Education in Computer and Network
  Security............................................................ ......  ......  ......  ......  ......  ......
Section 7. National Institute of Standards and Technology Research
  Program............................................................  25      40      55      70      85      275
Section 8. Computer Security Review, Public Meetings, and
  Information.........................................................  1.03    1.06   ......  ......  ......    2.09
Section 9. Intramural Security Research..............................   6       6.2     6.4     6.6     6.8     32
Section 11. National Academy of Sciences Study on Computer and
  Network Security in Critical Infrastructures.......................   0.7   ......  ......  ......  ......    0.7
----------------------------------------------------------------------------------------------------------------
Total................................................................ 105.73  152.51  184.65  205.85  229.05  877.79
----------------------------------------------------------------------------------------------------------------
Five Year Total: $877.79 million.