[Congressional Bills 107th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3394 Introduced in House (IH)]
107th CONGRESS
1st Session
H. R. 3394
To authorize funding for computer and network security research and
development and research fellowship programs, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
December 4, 2001
Mr. Boehlert (for himself, Mr. Hall of Texas, Mr. Smith of Texas, Mr.
Baird, Mr. Smith of Michigan, and Ms. Eddie Bernice Johnson of Texas)
introduced the following bill; which was referred to the Committee on
Science, and in addition to the Committee on Education and the
Workforce, for a period to be subsequently determined by the Speaker,
in each case for consideration of such provisions as fall within the
jurisdiction of the committee concerned
_______________________________________________________________________
A BILL
To authorize funding for computer and network security research and
development and research fellowship programs, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Cyber Security Research and
Development Act''.
SEC. 2. FINDINGS.
The Congress finds the following:
(1) Revolutionary advancements in computing and
communications technology have interconnected government,
commercial, scientific, and educational infrastructures--
including critical infrastructures for electric power, natural
gas and petroleum production and distribution,
telecommunications, transportation, water supply, banking and
finance, and emergency and government services--in a vast,
interdependent physical and electronic network.
(2) Exponential increases in interconnectivity have
facilitated enhanced communications, economic growth, and the
delivery of services critical to the public welfare, but have
also increased the consequences of temporary or prolonged
failure.
(3) A Department of Defense Joint Task Force concluded
after a 1997 United States information warfare exercise that
the results ``clearly demonstrated our lack of preparation for
a coordinated cyber and physical attack on our critical
military and civilian infrastructure''.
(4) Computer security technology and systems implementation
lack--
(A) sufficient long term research funding;
(B) adequate coordination across Federal and State
government agencies and among government, academia, and
industry;
(C) sufficient numbers of outstanding researchers
in the field; and
(D) market incentives for the design of commercial
and consumer security solutions.
(5) Accordingly, Federal investment in computer and network
security research and development must be significantly
increased to--
(A) improve vulnerability assessment and
technological and systems solutions;
(B) expand and improve the pool of information
security professionals, including researchers, in the
United States workforce; and
(C) better coordinate information sharing and
collaboration among industry, government, and academic
research projects.
SEC. 3. DEFINITIONS.
For purposes of this Act--
(1) the term ``Director'' means the Director of the
National Science Foundation; and
(2) the term ``institution of higher education'' has the
meaning given that term in section 101 of the Higher Education
Act of 1965 (20 U.S.C. 1001).
SEC. 4. NATIONAL SCIENCE FOUNDATION RESEARCH.
(a) Computer and Network Security Research Grants.--
(1) In general.--The Director shall award grants for basic
research on innovative approaches to the structure of computer
and network hardware and software that are aimed at enhancing
computer security. Research areas may include--
(A) authentication and cryptography;
(B) computer forensics and intrusion detection;
(C) reliability of computer and network
applications, middleware, operating systems, and
communications infrastructure; and
(D) privacy and confidentiality.
(2) Merit review; competition.--Grants shall be awarded
under this section on a merit-reviewed competitive basis.
(3) Authorization of appropriations.--There are authorized
to be appropriated to the National Science Foundation to carry
out this subsection--
(A) $35,000,000 for fiscal year 2003;
(B) $40,000,000 for fiscal year 2004;
(C) $46,000,000 for fiscal year 2005;
(D) $52,000,000 for fiscal year 2006; and
(E) $60,000,000 for fiscal year 2007.
(b) Computer and Network Security Research Centers.--
(1) In general.--The Director shall award multiyear grants,
subject to the availability of appropriations, to institutions
of higher education (or consortia thereof) to establish
multidisciplinary Centers for Computer and Network Security
Research. Institutions of higher education (or consortia
thereof) receiving such grants may partner with one or more
government laboratories or for-profit institutions.
(2) Merit review; competition.--Grants shall be awarded
under this subsection on a merit-reviewed competitive basis.
(3) Purpose.--The purpose of the Centers shall be to
generate innovative approaches to computer and network security
by conducting cutting-edge, multidisciplinary research in
computer and network security, including the research areas
described in subsection (a)(1).
(4) Applications.--An institution of higher education (or a
consortium of such institutions) seeking funding under this
subsection shall submit an application to the Director at such time, in
such manner, and containing such information as the Director may
require. The application shall include, at a minimum, a description
of--
(A) the research projects that will be undertaken
by the Center and the contributions of each of the
participating entities;
(B) how the Center will promote active
collaboration among scientists and engineers from
different disciplines, such as computer scientists,
engineers, mathematicians, and social science
researchers; and
(C) how the Center will contribute to increasing
the number of computer and network security researchers
and other professionals.
(5) Criteria.--In evaluating the applications submitted
under paragraph (4), the Director shall consider, at a
minimum--
(A) the ability of the applicant to generate
innovative approaches to computer and network security
and effectively carry out the research program;
(B) the experience of the applicant in conducting
research on computer and network security and the
capacity of the applicant to foster new
multidisciplinary collaborations;
(C) the capacity of the applicant to attract and
provide adequate support for undergraduate and graduate
students and postdoctoral fellows to pursue computer
and network security research; and
(D) the extent to which the applicant will partner
with government laboratories or for-profit entities,
and the role the government laboratories or for-profit
entities will play in the research undertaken by the
Center.
(6) Annual meeting.--The Director shall convene an annual
meeting of the Centers in order to foster collaboration and
communication between Center participants.
(7) Authorization of appropriations.--There are authorized
to be appropriated for the National Science Foundation to carry
out this subsection--
(A) $12,000,000 for fiscal year 2003;
(B) $24,000,000 for fiscal year 2004;
(C) $36,000,000 for fiscal year 2005;
(D) $36,000,000 for fiscal year 2006; and
(E) $36,000,000 for fiscal year 2007.
SEC. 5. NATIONAL SCIENCE FOUNDATION COMPUTER AND NETWORK SECURITY
PROGRAMS.
(a) Computer and Network Security Capacity Building Grants.--
(1) In general.--The Director shall establish a program to
award grants to institutions of higher education (or consortia
thereof) to establish or improve undergraduate and master's
degree programs in computer and network security, to increase
the number of students who pursue undergraduate or master's
degrees in fields related to computer and network security, and
to provide students with experience in government or industry
related to their computer and network security studies.
(2) Merit review.--Grants shall be awarded under this
subsection on a merit-reviewed competitive basis.
(3) Use of funds.--Grants awarded under this subsection
shall be used for activities that enhance the ability of an
institution of higher education (or consortium thereof) to
provide high-quality undergraduate and master's degree programs
in computer and network security and to recruit and retain
increased numbers of students to such programs. Activities may
include--
(A) revising curriculum to better prepare
undergraduate and master's degree students for careers
in computer and network security;
(B) establishing degree and certificate programs in
computer and network security;
(C) creating opportunities for undergraduate
students to participate in computer and network
security research projects;
(D) acquiring equipment necessary for student
instruction in computer and network security, including
the installation of testbed networks for student use;
(E) providing opportunities for faculty to work
with local or Federal Government agencies, private
industry, or other academic institutions to develop new
expertise or to formulate new research directions in
computer and network security;
(F) establishing collaborations with other academic
institutions or departments that seek to establish,
expand, or enhance programs in computer and network
security;
(G) establishing student internships in computer
and network security at government agencies or in
private industry;
(H) establishing or enhancing bridge programs in
computer and network security between community
colleges and universities; and
(I) any other activities the Director determines
will accomplish the goals of this subsection.
(4) Selection process.--
(A) Application.--An institution of higher
education (or a consortium thereof) seeking funding
under this subsection shall submit an application to
the Director at such time, in such manner, and
containing such information as the Director may
require. The application shall include, at a minimum--
(i) a description of the applicant's
computer and network security research and
instructional capacity, and in the case of an
application from a consortium of institutions
of higher education, a description of the role
that each member will play in implementing the
proposal;
(ii) a comprehensive plan by which the
institution or consortium will build
instructional capacity in computer and
information security;
(iii) a description of relevant
collaborations with government agencies or
private industry that inform the instructional
program in computer and network security;
(iv) a survey of the applicant's historic
student enrollment and placement data in fields
related to computer and network security and a
study of potential enrollment and placement for
students enrolled in the proposed computer and
network security program; and
(v) a plan to evaluate the success of the
proposed computer and network security program,
including post-graduation assessment of
graduate school and job placement and retention
rates as well as the relevance of the
instructional program to graduate study and to
the workplace.
(B) Awards.--(i) The Director shall ensure, to the
extent practicable, that grants are awarded under this
subsection in a wide range of geographic areas and
categories of institutions of higher education.
(ii) The Director shall award grants under this
subsection for a period not to exceed 5 years.
(5) Assessment required.--The Director shall evaluate the
program established under this subsection no later than 6 years
after the establishment of the program. At a minimum, the
Director shall evaluate the extent to which the grants achieved
their objectives of increasing the quality and quantity of
students pursuing undergraduate or master's degrees in computer
and network security.
(6) Authorization of appropriations.--There are authorized
to be appropriated to the National Science Foundation to carry
out this subsection--
(A) $15,000,000 for fiscal year 2003;
(B) $20,000,000 for fiscal year 2004;
(C) $20,000,000 for fiscal year 2005;
(D) $20,000,000 for fiscal year 2006; and
(E) $20,000,000 for fiscal year 2007.
(b) Scientific and Advanced Technology Act of 1992.--
(1) Grants.--The Director shall provide grants under the
Scientific and Advanced Technology Act of 1992 for the purposes
of section 3(a) and (b) of that Act, except that the activities
supported pursuant to this subsection shall be limited to
improving education in fields related to computer and network
security.
(2) Authorization of appropriations.--There are authorized
to be appropriated to the National Science Foundation to carry
out this subsection--
(A) $1,000,000 for fiscal year 2003;
(B) $1,250,000 for fiscal year 2004;
(C) $1,250,000 for fiscal year 2005;
(D) $1,250,000 for fiscal year 2006; and
(E) $1,250,000 for fiscal year 2007.
(c) Graduate Traineeships in Computer and Network Security
Research.--
(1) In general.--The Director shall establish a program to
award grants to institutions of higher education to establish
traineeship programs for graduate students who pursue computer
and network security research leading to a doctorate degree by
providing funding and other assistance, and by providing
graduate students with research experience in government or
industry related to the students' computer and network security
studies.
(2) Merit review.--Grants shall be provided under this
subsection on a merit-reviewed competitive basis.
(3) Use of funds.--An institution of higher education shall
use grant funds for the purposes of--
(A) providing fellowships to students who are
citizens, nationals, or lawfully admitted permanent
resident aliens of the United States and are pursuing
research in computer or network security leading to a
doctorate degree;
(B) paying tuition and fees for students receiving
fellowships under subparagraph (A);
(C) establishing scientific internship programs for
students receiving fellowships under subparagraph (A)
in computer and network security at for-profit
institutions or government laboratories; and
(D) other costs associated with the administration
of the program.
(4) Fellowship amount.--Fellowships provided under
paragraph (3)(A) shall be in the amount of $25,000 per year, or
the level of the National Science Foundation Graduate Research
Fellowships, whichever is greater, for up to 3 years.
(5) Selection process.--An institution of higher education
seeking funding under this subsection shall submit an
application to the Director at such time, in such manner, and
containing such information as the Director may require. The
application shall include, at a minimum, a description of--
(A) the instructional program and research
opportunities in computer and network security
available to graduate students at the applicant's
institution; and
(B) the internship program to be established,
including the opportunities that will be made available
to students for internships at for-profit institutions
and government laboratories.
(6) Review of applications.--In evaluating the applications
submitted under paragraph (5), the Director shall consider--
(A) the ability of the applicant to effectively
carry out the proposed program;
(B) the quality of the applicant's existing
research and education programs;
(C) the likelihood that the program will recruit
increased numbers of students to pursue and earn
doctorate degrees in computer and network security;
(D) the nature and quality of the internship
program established through collaborations with
government laboratories and for-profit institutions;
(E) the integration of internship opportunities
into graduate students' research; and
(F) the relevance of the proposed program to
current and future computer and network security needs.
(7) Authorization of appropriations.--There are authorized
to be appropriated to the National Science Foundation to carry
out this subsection--
(A) $10,000,000 for fiscal year 2003;
(B) $20,000,000 for fiscal year 2004;
(C) $20,000,000 for fiscal year 2005;
(D) $20,000,000 for fiscal year 2006; and
(E) $20,000,000 for fiscal year 2007.
(d) Graduate Research Fellowships Program Support.--Computer and
network security shall be included among the fields of specialization
supported by the National Science Foundation's Graduate Research
Fellowships program under section 10 of the National Science Foundation
Act of 1950 (42 U.S.C. 1869).
SEC. 6. CONSULTATION.
In carrying out sections 4 and 5, the Director shall consult with
other Federal agencies.
SEC. 7. FOSTERING RESEARCH AND EDUCATION IN COMPUTER AND NETWORK
SECURITY.
Section 3(a) of the National Science Foundation Act of 1950 (42
U.S.C. 1862(a)) is amended--
(1) by striking ``and'' at the end of paragraph (6);
(2) by striking the period at the end of paragraph (7) and
inserting ``; and''; and
(3) by adding at the end the following new paragraph:
``(8) to take a leading role in fostering and supporting
research and education activities to improve the security of
networked information systems.''.
SEC. 8. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY RESEARCH
PROGRAM.
The National Institute of Standards and Technology Act is amended--
(1) by moving section 22 to the end of the Act and
redesignating it as section 32;
(2) by inserting after section 21 the following new
section:
``research program on security of computer systems
``Sec. 22. (a) Establishment.--The Director shall establish a
program of assistance to institutions of higher education that enter
into partnerships with for-profit entities to support research to
improve the security of computer systems. The partnerships may also
include government laboratories. The program shall--
``(1) include multidisciplinary, long-term, high-risk
research;
``(2) include research directed toward addressing needs
identified through the activities of the Computer System
Security and Privacy Advisory Board under section 20(f); and
``(3) promote the development of a robust research
community working at the leading edge of knowledge in subject
areas relevant to the security of computer systems by providing
support for graduate students, post-doctoral researchers, and
senior researchers.
``(b) Fellowships.--(1) The Director is authorized to establish a
program to award post-doctoral research fellowships to individuals who
are citizens, nationals, or lawfully admitted permanent resident aliens
of the United States and are seeking research positions at
institutions, including the Institute, engaged in research activities
related to the security of computer systems, including the research
areas described in section 4(a)(1) of the Cyber Security Research and
Development Act.
``(2) The Director is authorized to establish a program to award
senior research fellowships to individuals seeking research positions
at institutions, including the Institute, engaged in research
activities related to the security of computer systems, including the
research areas described in section 4(a)(1) of the Cyber Security
Research and Development Act. Senior research fellowships shall be made
available for established researchers at institutions of higher
education who seek to change research fields and pursue studies related
to the security of computer systems.
``(3)(A) To be eligible for an award under this subsection, an
individual shall submit an application to the Director at such time, in
such manner, and containing such information as the Director may
require.
``(B) Under this subsection, the Director is authorized to provide
stipends for post-doctoral research fellowships at the level of the
Institute's Post Doctoral Research Fellowship Program and senior
research fellowships at levels consistent with support for a faculty
member in a sabbatical position.
``(c) Awards; Applications.--The Director is authorized to award
grants or cooperative agreements to institutions of higher education to
carry out the program established under subsection (a). To be eligible
for an award under this section, an institution of higher education
shall submit an application to the Director at such time, in such
manner, and containing such information as the Director may require.
The application shall include, at a minimum, a description of--
``(1) the number of graduate students anticipated to
participate in the research project and the level of support to
be provided to each;
``(2) the number of post-doctoral research positions
included under the research project and the level of support to
be provided to each;
``(3) the number of individuals, if any, intending to
change research fields and pursue studies related to the
security of computer systems to be included under the research
project and the level of support to be provided to each; and
``(4) how the for-profit entities and any other partners
will participate in developing and carrying out the research
and education agenda of the partnership.
``(d) Program Operation.--(1) The program established under
subsection (a) shall be managed by individuals who shall have both
expertise in research related to the security of computer systems and
knowledge of the vulnerabilities of existing computer systems. The
Director shall designate such individuals as program managers.
``(2) Program managers designated under paragraph (1) may be new or
existing employees of the Institute or individuals on assignment at the
Institute under the Intergovernmental Personnel Act of 1970.
``(3) Program managers designated under paragraph (1) shall be
responsible for--
``(A) establishing and publicizing the broad research goals
for the program;
``(B) soliciting applications for specific research
projects to address the goals developed under subparagraph (A);
``(C) selecting research projects for support under the
program from among applications submitted to the Institute,
following consideration of--
``(i) the novelty and scientific and technical
merit of the proposed projects;
``(ii) the demonstrated capabilities of the
individual or individuals submitting the applications
to successfully carry out the proposed research;
``(iii) the impact the proposed projects will have
on increasing the number of computer security
researchers;
``(iv) the nature of the participation by for-
profit entities and the extent to which the proposed
projects address the concerns of industry; and
``(v) other criteria determined by the Director,
based on information specified for inclusion in
applications under subsection (c); and
``(D) monitoring the progress of research projects
supported under the program.
``(e) Review of Program.--(1) The Director shall periodically
review the portfolio of research awards monitored by each program
manager designated in accordance with subsection (d). In conducting
those reviews, the Director shall seek the advice of the Computer
System Security and Privacy Advisory Board, established under section
21, on the appropriateness of the research goals and on the quality and
utility of research projects managed by program managers in accordance
with subsection (d).
``(2) The Director shall also contract with the National Research
Council for a comprehensive review of the program established under
subsection (a) during the 5th year of the program. Such review shall
include an assessment of the scientific quality of the research
conducted, the relevance of the research results obtained to the goals
of the program established under subsection (d)(3)(A), and the progress
of the program in promoting the development of a substantial academic
research community working at the leading edge of knowledge in the
field. The Director shall submit to Congress a report on the results of
the review under this paragraph no later than six years after the
initiation of the program.
``(f) Definitions.--For purposes of this section--
``(1) the term `computer system' has the meaning given that
term in section 20(d)(1); and
``(2) the term `institution of higher education' has the
meaning given that term in section 101 of the Higher Education
Act of 1965 (20 U.S.C. 1001).''; and
(3) in section 20(d)(1)(B)(i) (15 U.S.C. 278g-
3(d)(1)(B)(i)), by inserting ``and computer networks'' after
``computers''.
SEC. 9. COMPUTER SECURITY REVIEW, PUBLIC MEETINGS, AND INFORMATION.
Section 20 of the National Institute of Standards and Technology
Act (15 U.S.C. 278g-3) is amended by adding at the end the following
new subsection:
``(f) There are authorized to be appropriated to the Secretary
$1,060,000 for fiscal year 2003 and $1,090,000 for fiscal year 2004 to
enable the Computer System Security and Privacy Advisory Board,
established by section 21, to identify emerging issues, including
research needs, related to computer security, privacy, and cryptography
and, as appropriate, to convene public meetings on those subjects,
receive presentations, and publish reports, digests, and summaries for
public distribution on those subjects.''.
SEC. 10. INTRAMURAL SECURITY RESEARCH.
Section 20 of the National Institute of Standards and Technology
Act (15 U.S.C. 278g-3) is further amended--
(1) by redesignating subsection (d) as subsection (e); and
(2) by inserting after subsection (c) the following new
subsection:
``(d) As part of the research activities conducted in accordance
with subsection (b)(4), the Institute shall--
``(1) conduct a research program to address emerging
technologies associated with assembling a networked computer
system from components while ensuring it maintains desired security
properties;
``(2) carry out research and support standards development
activities associated with improving the security of real-time
computing and communications systems for use in process
control; and
``(3) carry out multidisciplinary, long-term, high-risk
research on ways to improve the security of computer
systems.''.
SEC. 11. AUTHORIZATION OF APPROPRIATIONS.
There are authorized to be appropriated to the Secretary of
Commerce for the National Institute of Standards and Technology--
(1) for activities under section 22 of the National
Institute of Standards and Technology Act, as added by section
8 of this Act--
(A) $25,000,000 for fiscal year 2003;
(B) $40,000,000 for fiscal year 2004;
(C) $55,000,000 for fiscal year 2005;
(D) $70,000,000 for fiscal year 2006;
(E) $85,000,000 for fiscal year 2007; and
(F) such sums as may be necessary for fiscal years
2008 through 2012; and
(2) for activities under section 20(d) of the National
Institute of Standards and Technology Act, as added by section
10 of this Act--
(A) $6,000,000 for fiscal year 2003;
(B) $6,200,000 for fiscal year 2004;
(C) $6,400,000 for fiscal year 2005;
(D) $6,600,000 for fiscal year 2006; and
(E) $6,800,000 for fiscal year 2007.
SEC. 12. NATIONAL ACADEMY OF SCIENCES STUDY ON COMPUTER AND NETWORK
SECURITY IN CRITICAL INFRASTRUCTURES.
(a) Study.--Not later than 3 months after the date of the enactment
of this Act, the Director of the National Institute of Standards and
Technology shall enter into an arrangement with the National Research
Council of the National Academy of Sciences to conduct a study of the
vulnerabilities of the Nation's network infrastructure and make
recommendations for appropriate improvements. The National Research
Council shall--
(1) review existing studies and associated data on the
architectural, hardware, and software vulnerabilities and
interdependencies in United States critical infrastructure
networks;
(2) identify and assess gaps in technical capability for
robust critical infrastructure network security, and make
recommendations for research priorities and resource
requirements; and
(3) review any and all other essential elements of computer
and network security, including security of industrial process
controls, to be determined in the conduct of the study.
(b) Report.--The Director of the National Institute of Standards
and Technology shall transmit a report containing the results of the
study and recommendations required by subsection (a) to the Congress
not later than 21 months after the date of enactment of this Act.
(c) Security.--The Director of the National Institute of Standards
and Technology shall ensure that no information that is classified is
included in any publicly released version of the report required by
this section.
(d) Authorization of Appropriations.--There are authorized to be
appropriated to the Secretary of Commerce for the National Institute of
Standards and Technology for the purposes of carrying out this section,
$700,000.