Congressional Record: January 28, 2002 (Senate)
Page S176-S183

STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS

By Mr. EDWARDS:
  S. 1900. A bill to protect against cyberterrorism and cybercrime, and for other purposes; to the Committee on Commerce, Science, and Transportation.

______

By Mr. EDWARDS:
  S. 1901. A bill to authorize the National Science Foundation and the National Security Agency to establish programs to increase the number of qualified faculty teaching advanced courses and conducting research in the field of cybersecurity, and for other purposes; to the Committee on Health, Education, Labor, and Pensions.

Mr. EDWARDS. Mr. President, since the horrifying events of September 11, our country's number one priority has been to secure our families against the scourge of terrorism. First, in our hearts, of course, are the men and women on the frontlines of the fight: the soldiers fighting for freedom half a world away; the firefighters and police officers in New York; the postal workers here in Washington.

Those of us elected to serve in Washington have a special responsibility to protect our security. To discharge that duty, I have been working with my colleagues here in the Senate. We have made a great deal of progress, but there's a lot more work to do. After a long debate, Congress passed and the President signed important legislation, based partly on a bill I introduced, to tighten security in our airports. But we have to do more. There are several bills that I have helped author that are working their way through Congress. Two of these bills, to tighten security at seaports and to protect against bioterrorism, have already passed the Senate and are awaiting action in the House. Another bill, to tighten our border security, should reach the Senate floor soon. All three should be enacted quickly. You can be sure our enemies are not waiting for us to act.
One of the greatest challenges in the struggle for security is to prepare for the next attack, not just the last one. We have seen how vicious thugs can destroy innocent life with airplanes, how they can terrorize ordinary people with biological weapons. We are responding to those threats. But what about threats whose awful consequences we haven't yet felt?

Today I want to talk about one of those threats: the threat of "cyberterrorism", an attack against the computer networks upon which our safety and economy now depend. Computers have become a foundation of our electricity, oil, gas, water, telephones, emergency services, and banks, not to mention our national defense apparatus.

Computer networks have brought extraordinary improvements in the way we live and work. We communicate more often, more quickly, more cheaply. With the push of a button in a classroom or a bedroom, our children can get more information than most libraries have ever held.

Yet there is a dark side to the internet, a new set of dangers. Today, if you ask an expert quietly, he or she will tell you that cyberspace is a very vulnerable place. Terrorists could cause terrible harm. They might be able to stop all traffic on the internet. Shut down power for entire cities for extended periods. Disrupt our phones. Poison our water. Paralyze our emergency services--police, firefighters, ambulances. The list goes on. We now live in a world where a terrorist can do as much damage with a keyboard and a modem as with a gun or a bomb.

Already, one hacker has broken into a computer-controlled waste management system and caused millions of gallons of raw sewage to spill into parks, rivers, and private property. You probably haven't heard about this attack because it occurred in Australia. But imagine if terrorists launched calculated, coordinated attacks on America. Our enemies are already targeting our networks.
After September 11, a Pakistani group hacked into two government web services, including one at the Department of Defense, and declared a "cyber jihad" against the United States. Another series of attacks, known as "Moonlight Maze," assaulted the Pentagon, Department of Energy, and NASA, and obtained vast quantities of technical defense research.

To date, we can be thankful that these attacks have not been terribly sophisticated. But that could change soon. As the Defense Science Board recently stated, the U.S. will eventually be attacked "by a sophisticated adversary using an effective array of information warfare tools and techniques. Two choices are available: adapt before the attack or afterward."

In addition, cybercrime is already a billion-dollar drain on our economy, a drain growing larger each year. In 1955, one survey reported that losses from FBI-reported computer crime had already reached $2 billion. Last year, the "ILOVEYOU" virus alone caused $8.7 billion in damage worldwide, much of it here. Cyberattacks have shut down major web sites like Yahoo! and eBay, not to mention the FBI. According to a recent survey, 85 percent of large corporations and government agencies detected computer security breaches over the prior 12 months. Two thirds suffered financial losses as a result.

So the danger is clear, and the only question is how we address it. I think we need to address it in many ways. Today I want to focus on just two that are especially critical.

The first is to encourage computer users to take proven measures to protect themselves. In the industry, these proven measures are known as "best practices"--steps like using customized passwords, not the ones that come with software, or promptly installing known "patches" to keep intruders out. The National Academy of Sciences recently reported that cybersecurity today is far worse than what known best practices can provide.
As a result, viruses have shut down tens of thousands of machines even after patches to block them were widely available. Because the password protections on some systems are so weak, intruders have taken the "routers" that control Internet traffic hostage. And the government is as guilty as anyone. According to the report card issued by a member of the House of Representatives, most government agencies rate between a "D" and an "F" on cybersecurity. Improving our security by implementing existing best practices is our first big task.

Our second challenge is to train more researchers, teachers, and workers to fight cyberthreats. Today the private sector engages in some short-term R&D on cybersecurity. But broader research and knowledge needs aren't being met. In addition, our workforce in cybersecurity is woefully inadequate, especially in academia. Each year, American universities award Ph.D.'s in computer science to about one thousand people. But less than one-half of one percent specialize in cybersecurity, and fewer still go on to train others in the discipline.

As Dr. Bill Chu, Chairman of the Software and Information Systems Department at the University of North Carolina at Charlotte and one of the country's leading experts on cybersecurity, puts it: "The weakest link . . . is the lack of qualified information security professionals. The majority of information technology professionals in this country have not been trained in the basics of information security. Information technology faculty in most universities do not have sufficient background to properly train students."

As a whole, the challenge of cybersecurity is not unlike the challenge of a terrible disease like cancer. First, we have to encourage everyone to do what they can to reduce the risk of disease--don't smoke, eat right, exercise. That is what cybersecurity "best practices" like changing passwords are all about.
Second, we have to make sure we have got top-notch scientists working to find new medicines to prevent and fight the disease. And that is why we need more cyber teachers and researchers.

To tackle these two challenges, I'm proud today to introduce two new bills that will support an intensive, $400 million cybersecurity effort over the next five years.

The first bill is called the Cyberterrorism Preparedness Act of 2002. That bill's first step is to establish a new, nonprofit, nongovernment consortium of academic and private sector experts to lay out a clear set of "best practices" that protect against cyberattack. The White House Office of Science and Technology Policy, the Institute for Defense Analyses, and the President's Committee of Advisors on Science and Technology have all recommended a new, nonprofit cybersecurity consortium. Such a consortium can work closely with the private sector, unfettered by bureaucracy, in a way that all the country can see and learn from. The goals of the consortium are simple: first, the establishment of "best practices" that are tailored to different computer systems and needs; second, the widest possible dissemination of those practices; and third, long-term, multi-disciplinary research on cybersecurity--research that isn't occurring now.

The second part of the Cyberterrorism Preparedness Act will implement "best practices" for government systems. The government has a duty to lead by example, something we aren't doing right now. And so, within 6 months after this Act is passed, the National Institute of Standards and Technology would immediately begin the process of implementing best practices for government agencies, beginning with small-scale tests and concluding with government-wide adoption of the recommended best practices.

The last part of my bill will assess the issue of best practices for the private sector.
While the bill doesn't impose new mandates beyond the government, it does require careful consideration of how to encourage the widest possible use of known best practices. There's a particular focus on entities that do business with the Federal Government as grantees or contractors. Government agencies should not be exposed to security vulnerabilities in the products supplied by these companies. And Federal dollars should not be flowing to firms that expose America to cyberterrorism. So the new consortium would be required to study whether and how government could condition grants and contracts on the adoption of cybersecurity best practices. The President is authorized to implement recommendations from that study.

The Cyberterrorism Preparedness Act will address the first goal of cybersecurity--making sure we're taking the steps we already know to improve our security.

The second bill I am introducing today--the Cybersecurity Research and Education Act--focuses on our second task: "training the trainers" and increasing the number of researchers, teachers, and workers committed to cybersecurity.

First, the bill establishes a Cybersecurity Graduate Fellowship Program at the National Science Foundation. Individuals selected to participate in the program will receive a loan that covers the full tuition and fees as well as a living stipend for 4 years of doctoral study. Upon graduation, these loans will be forgiven at 20 percent per year for each year that the individual teaches at a college or university. After only 5 years of teaching, the entire loan will be paid off. That way, we can ensure that the money we invest in these promising young scientists will be used to train others interested in cybersecurity.

Second, my bill also establishes a competitive sabbatical for Distinguished Faculty in Cybersecurity.
Under the program, a qualified faculty member will receive a stipend to spend a year working and researching at the Department of Defense, a university specializing in cybersecurity, or some other appropriate facility. Universities sending faculty on sabbatical will receive funding to hire a temporary replacement instructor. In addition, when the faculty member returns, the university will get a generous grant to enhance its cybersecurity infrastructure needs. For example, the university could purchase advanced computing equipment and hire graduate research assistants. Participants in this program will have a unique opportunity to engage in cutting-edge research with some of the best minds in the country. When they return to their schools, these faculty will be even better equipped to advance the state of cybersecurity education.

Third, this bill will create a Cybersecurity Awareness, Training, and Education Program at the National Security Agency. NSA has a strong history of supporting cybersecurity education, as exemplified through initiatives such as the Centers of Excellence program and the National Colloquium for Information Systems Security Education. The program I propose would build on NSA's expertise and would enable the agency to make grants to universities specializing in cybersecurity. The grants could be used for projects like teaching basic computer security to K-12 teachers, or for the development of a "virtual university." Students who don't have access to nearby course offerings would then be able to take cybersecurity classes online.

All of these programs are critical in our fight against cyberterrorism. A strong and vibrant academic community is essential for building the trained workforce of tomorrow. We must be committed to funding long-term research. And we must vigilantly maintain basic cybersecurity protections in government, while promoting them in the private sector.
When it comes to the threat of a sophisticated, coordinated cyberterrorist attack, the question most likely is not whether such an attack will come. The question is when. And so we must be prepared to fight against a "cyberjihad," and we must be prepared to win.

I ask unanimous consent that the text of my two bills be printed in the Record.

There being no objection, the bills were ordered to be printed in the Record, as follows:

S. 1900

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the "Cyberterrorism Preparedness Act of 2002".

SEC. 2. GRANT FOR PROGRAM FOR PROTECTION OF INFORMATION INFRASTRUCTURE AGAINST DISRUPTION.

  (a) In General.--The National Institute of Standards and Technology shall, using amounts authorized to be appropriated by section 5, award a grant to a qualifying nongovernmental entity for purposes of a program to support the development of appropriate cybersecurity best practices, support long-term cybersecurity research and development, and perform functions relating to such activities. The purpose of the program shall be to provide protection for the information infrastructure of the United States against terrorist or other disruption or attack or other unwarranted intrusion.
  (b) Qualifying Nongovernmental Entity.--For purposes of this section, a qualifying nongovernmental entity is any entity that--
    (1) is a nonprofit, nongovernmental consortium composed of at least three academic centers of expertise in cybersecurity and at least three private sector centers of expertise in cybersecurity;
    (2) has a board of directors of at least 12 members who include senior administrators of academic centers of expertise in cybersecurity and senior managers of private sector centers of expertise in cybersecurity and of whom not more than one third are affiliated with the centers comprising the consortium;
    (3) is operated by individuals from academia, the private sector, or both who have--
      (A) a demonstrated expertise in cybersecurity; and
      (B) the capacity to carry out the program required under subsection (g);
    (4) has in place a set of rules to ensure that conflicts of interest involving officers, employees, and members of the board of directors of the entity do not undermine the activities of the entity;
    (5) has developed a detailed plan for the program required under subsection (g); and
    (6) meets any other requirements established by the National Institute of Standards and Technology for purposes of this Act.
  (c) Application.--Any entity seeking a grant under this section shall submit to the National Institute of Standards and Technology an application therefor, in such form and containing such information as the National Institute of Standards and Technology shall require.
  (d) Selection of Grantee.--The entity awarded a grant under this section shall be selected after full and open competition among qualifying nongovernmental entities.
  (e) Dispersal of Grant Amount.--Amounts available for the grant under this section pursuant to the authorization of appropriations in section 5 shall be dispersed on a fiscal year basis over the five fiscal years beginning with fiscal year 2003.
  (f) Consultation.--In carrying out activities under this section, including selecting an entity for the award of a grant, dispersing grant amounts, and overseeing activities of the entity receiving the grant, the National Institute of Standards and Technology--
    (1) shall consult with an existing interagency entity, or new interagency entity, consisting of the elements of the Federal Government having a substantial interest and expertise in cybersecurity and designated by the President for purposes of this Act; and
    (2) may consult separately with any such element of the Federal Government.
  (g) Program Using Grant Amount.--
    (1) In general.--The entity awarded a grant under this section shall carry out a national program for the purpose of protecting the information infrastructure of the United States against disruption. The program shall consist of--
      (A) multi-disciplinary research and development to identify appropriate cybersecurity best practices, to measure the effectiveness of cybersecurity best practices that are put into use, and to identify sound means to achieve widespread use of appropriate cybersecurity best practices that have proven effective;
      (B) multi-disciplinary, long-term, or high-risk research and development (including associated human resource development) to improve cybersecurity; and
      (C) the activities required under paragraphs (3) and (4).
    (2) Conduct of research and development.--
      (A) In general.--Except as provided in subparagraph (B), research and development under subparagraphs (A) and (B) of paragraph (1) shall be carried out using funds and other support provided by the grantee to entities selected by the grantee after full and open competition among entities determined by the grantee to be qualified to carry out such research and development.
      (B) Conduct by grantee.--The grantee may carry out research and development referred to in subparagraph (A) in any fiscal year using not more than 15 percent of the amount dispersed to the grantee under this Act in such fiscal year by the National Institute of Standards and Technology.
    (3) Recommendations on cybersecurity best practices.--
      (A) Recommendations.--Not later than 18 months after the selection of the grantee under this section, the grantee shall prepare a report containing recommendations for appropriate cybersecurity best practices.
      (B) Updates.--The grantee shall update the recommendations made under subparagraph (A) not less often than once every six months, and may update any portion of such recommendations more frequently if the grantee determines that circumstances so require.
      (C) Considerations.--In making recommendations under subparagraph (A), and any update of such recommendations under subparagraph (B), the grantee shall--
        (i) review the most current cybersecurity best practices identified by the National Institute of Standards and Technology under section 3(a); and
        (ii) consult with--
          (I) the entities carrying out research and development under paragraph (1)(A);
          (II) entities employing cybersecurity best practices; and
          (III) a wide range of academic, private sector, and public entities.
      (D) Dissemination.--The grantee shall submit the report under subparagraph (A), and any update of the report under paragraph (B), to the bodies and officials specified in paragraph (5), and shall widely disseminate the report, and any such update, among government (including State and local government), private, and academic entities.
    (4) Activities relating to widespread use of cybersecurity best practices.--
      (A) In general.--Not later than two years after the selection of the grantee under this section, the grantee shall submit to the bodies and officials specified in paragraph (5) a report containing--
        (i) an assessment of the advisability of requiring the contractors and grantees of the Federal Government to use appropriate cybersecurity best practices; and
        (ii) recommendations for sound means to achieve widespread use of appropriate cybersecurity best practices that have proven effective.
      (B) Report elements.--The report under subparagraph (A) shall set forth--
        (i) whether or not the requirement described in subparagraph (A)(i) is advisable, including whether the requirement would impose undue or inappropriate burdens, or other inefficiencies, on contractors and grantees of the Federal Government;
        (ii) if the requirement is determined advisable--
          (I) whether, and to what extent, the requirement should be subject to exceptions or limitations for particular contractors or grantees, including the types of contractors or grantees and the nature of the exceptions or limitations; and
          (II) which cybersecurity best practices should be covered by the requirement and with what, if any, exceptions or limitations; and
        (iii) any other matters that the grantee considers appropriate.
    (5) Specified bodies and officials.--The bodies and officials specified in this paragraph are as follows:
      (A) The appropriate committees of Congress.
      (B) The President.
      (C) The Director of the Office of Management and Budget.
      (D) The National Institute of Standards and Technology.
      (E) The interagency entity designated by the President under subsection (f)(1).
  (h) Grant Administration.--
    (1) Use of grant competition and management systems.--The National Institute of Standards and Technology may permit the entity awarded the grant under this section to utilize the grants competition system and grants management system of the National Institute of Standards and Technology for purposes of the efficient administration of activities by the entity under subsection (g).
    (2) Rules.--The National Institute of Standards and Technology shall establish any rules and procedures that the National Institute of Standards and Technology considers appropriate to further the purposes of this section. Such rules may include provisions relating to the ownership of any intellectual property created by the entity awarded the grant under this section or funded by the entity under subsection (g).
  (i) Supplement Not Supplant.--The National Institute of Standards and Technology shall take appropriate actions to ensure that activities under this section supplement, rather than supplant, other current governmental and nongovernmental efforts to protect the information infrastructure of the United States.

SEC. 3. APPROPRIATE CYBERSECURITY BEST PRACTICES FOR THE FEDERAL GOVERNMENT.

  (a) NIST Recommendations.--
    (1) In general.--Not later than 180 days after the date of the enactment of this Act, the National Institute of Standards and Technology shall submit to the bodies and officials specified in subsection (e) a report that--
      (A) identifies appropriate cybersecurity best practices that could reasonably be adopted by the departments and agencies of the Federal Government over the 24-month period beginning on the date of the report; and
      (B) sets forth proposed demonstration projects for the adoption of such best practices by various departments and agencies of the Federal Government beginning 90 days after the date of the report.
    (2) Updates.--The National Institute of Standards and Technology may submit to the bodies and officials specified in subsection (e) any updates of the report under paragraph (1) that the National Institute of Standards and Technology considers appropriate due to changes in circumstances.
    (3) Consultation.--In preparing the report under paragraph (1), and any updates of the report under paragraph (2), the National Institute of Standards and Technology shall consult with departments and agencies of the Federal Government having an interest in the report and such updates, and with academic centers of expertise in cybersecurity and private sector centers of expertise in cybersecurity.
  (b) Demonstration Projects for Implementation of Recommendations.--
    (1) In general.--Commencing not later than 90 days after receipt of the report under subsection (a), the President shall carry out the demonstration projects set forth in the report, including any modification of any such demonstration project that the President considers appropriate.
    (2) Updates.--If the National Institute of Standards and Technology updates under subsection (a)(2) any recommendation under subsection (a)(1)(A) that is relevant to a demonstration project under paragraph (1), the President shall modify the demonstration project to take into account such update.
    (3) Report.--Not later than nine months after commencement of the demonstration projects under this subsection, the President shall submit to the appropriate committees of Congress a report on the demonstration projects. The report shall set forth the following:
      (A) An assessment of the extent to which the adoption of appropriate cybersecurity best practices by departments and agencies of the Federal Government under the demonstration projects has improved cybersecurity at such departments and agencies.
      (B) An assessment whether or not the adoption of appropriate cybersecurity best practices by departments and agencies of the Federal Government under the demonstration projects has affected the capability of such departments and agencies to carry out their missions.
      (C) A description of the cost of the adoption of appropriate cybersecurity best practices by departments and agencies of the Federal Government under the demonstration projects.
      (D) A description of a security-enhancing, missions-comparable, cost-effective program, to the extent such program is feasible, for the adoption of appropriate cybersecurity best practices government-wide.
      (E) Any other matters that the President considers appropriate.
  (c) Adoption of Cybersecurity Best Practices Government-Wide.--The President shall implement a program for the adoption of appropriate cybersecurity best practices government-wide commencing not later than six months after the date of the report.
  (d) Incorporation of Recommendations.--If during the development or implementation of the program under subsection (c) the President receives any recommendations under paragraph (3) or (4) of section 3(g), the President shall modify the program in order to take into account such recommendations.
  (e) Specified Bodies and Officials.--The bodies and officials specified in this subsection are as follows:
    (1) The appropriate committees of Congress.
    (2) The President.
    (3) The Director of the Office of Management and Budget.
    (4) The interagency entity designated by the President under section 3(f)(1).

SEC. 4. DEFINITIONS.

In this Act:
  (1) Appropriate committees of Congress.--The term "appropriate committees of Congress" means--
    (A) the Committee on Commerce, Science, and Transportation of the Senate; and
    (B) the Committee on Science of the House of Representatives.
  (2) Cybersecurity.--The term "cybersecurity" means information assurance, including information security, information technology disaster recovery, and information privacy.
  (3) Cybersecurity best practice.--The term "cybersecurity best practice" means a computer hardware or software configuration, information system design, operational procedure, or measure, structure, or method that most effectively protects computer hardware, software, networks, or network elements against an attack that would cause harm through the installation of unauthorized computer software, saturation of network traffic, alteration of data, disclosure of confidential information, or other means.
  (4) Appropriate cybersecurity best practice.--The term "appropriate cybersecurity best practice" means a cybersecurity best practice that--
    (A) permits, as needed, customization or expansion for the computer hardware, software, network, or network element to which the best practice applies;
    (B) takes into account the need for security protection that balances--
      (i) the risk and magnitude of harm threatened by potential attack; and
      (ii) the cost of imposing security protection; and
    (C) takes into account the rapidly changing nature of computer technology.

SEC. 5. AUTHORIZATION OF APPROPRIATIONS.

There is hereby authorized to be appropriated for the National Institute of Standards and Technology for purposes of activities under this Act, amounts as follows:
  (1) For fiscal year 2003, $70,000,000.
  (2) For each of the fiscal years 2004 through 2007, such sums as may be necessary.

____

S. 1901

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the "Cybersecurity Research and Education Act of 2002".

SEC. 2. FINDINGS.
Congress finds that--
  (1) critical elements of the Nation's basic economic and physical infrastructure rely on information technology for effective functioning;
  (2) increased reliance on technology has left our Nation vulnerable to the threat of cyberterrorism;
  (3) long-term research on practices, methods, and technologies that will help ensure the safety of our information infrastructure remains woefully inadequate;
  (4) there is a critical shortage of faculty at institutions of higher education who specialize in disciplines related to cybersecurity;
  (5) a vigorous scholarly community in fields related to cybersecurity is necessary to help conduct research and disseminate knowledge about the practical application of the community's findings; and
  (6) universities in the United States award the Ph.D. degree in computer sciences to approximately 1,000 individuals each year, but of those awarded this degree, less than 0.3 percent specialize in cybersecurity and still fewer become employed in faculty positions at institutions of higher education.

SEC. 3. DEFINITIONS.

In this Act:
  (1) Cybersecurity.--The term "cybersecurity" means information assurance, including scientific, technical, management, or any other relevant disciplines required to ensure computer and network security, including, but not limited to, a discipline related to the following functions:
    (A) Secure system and network administration and operations.
    (B) Systems security engineering.
    (C) Information assurance systems and product acquisition.
    (D) Cryptography.
    (E) Threat and vulnerability assessment, including risk management.
    (F) Web security.
    (G) Operations of computer emergency response teams.
    (H) Cybersecurity training, education, and management.
    (I) Computer forensics.
    (J) Defensive information operations.
  (2) Cybersecurity infrastructure.--The term "cybersecurity infrastructure" includes--
    (A) equipment that is integral to research and education capabilities in cybersecurity, including, but not limited to--
      (i) encryption devices;
      (ii) network switches;
      (iii) routers;
      (iv) firewalls;
      (v) wireless networking gear;
      (vi) protocol analyzers;
      (vii) file servers;
      (viii) workstations;
      (ix) biometric tools; and
      (x) computers; and
    (B) technology support staff (including graduate students) that is integral to research and education capabilities in cybersecurity.
  (3) Director.--The term "Director" means the Director of the National Science Foundation.
  (4) Institution of higher education.--The term "institution of higher education" has the meaning given the term in section 101(a) of the Higher Education Act of 1965 (20 U.S.C. 1001(a)).
  (5) Other relevant discipline.--The term "other relevant discipline" includes, but is not limited to, the following fields as the fields specifically relate to securing information infrastructures:
    (A) Biometrics.
    (B) Software engineering.
    (C) Computer science and engineering.
    (D) Law.
    (E) Business management or administration.
    (F) Psychology.
    (G) Mathematics.
    (H) Sociology.
(6) Qualified institution.--The term "qualified institution" means an institution of higher education that, at the time of submission of an application pursuant to any of the programs authorized by this Act--
(A) has offered, for not less than 3 years prior to the date the application is submitted under this Act, a minimum of 2 graduate courses in cybersecurity (not including short-term special seminars or 1-time classes offered by visitors);
(B) has not less than 3 faculty members who teach cybersecurity courses--
(i) each of whom has published not less than 1 refereed cybersecurity research article in a journal or through a conference during the 2-year period preceding the date of enactment of this Act;
(ii) at least 1 of whom is tenured; and
(iii) each of whom has demonstrated active engagement in the cybersecurity scholarly community during the 2-year period preceding the date of enactment of this Act, such as serving as an editor of a cybersecurity journal or participating on a program committee for a cybersecurity conference or workshop;
(C) has graduated not less than 1 Ph.D. scholar in cybersecurity during the 2-year period preceding the date of enactment of this Act; and
(D) has not less than 3 graduate students enrolled who are pursuing a Ph.D. in cybersecurity.

SEC. 4. CYBERSECURITY GRADUATE FELLOWSHIP PROGRAM.
(a) Purpose.--The purpose of this section is--
(1) to encourage individuals to pursue academic careers in cybersecurity upon the completion of doctoral degrees; and
(2) to stimulate advanced study and research, at the doctoral level, in complex, relevant, and important issues in cybersecurity.
(b) Establishment.--The Director is authorized to establish a Cybersecurity Fellowship Program (referred to in this section as the "fellowship program") to annually award 3 to 5-year graduate fellowships to individuals for studies and research at the doctoral level in cybersecurity.
(c) Cybersecurity Fellowship Program Advisory Board.--
(1) Establishment.--There is established a Cybersecurity Fellowship Program Advisory Board (referred to in this section as the "Board").
(2) Membership.--The Director shall appoint members of the Board who shall include--
(A) not fewer than 3 full-time faculty members--
(i) each of whom teaches at an institution of higher education; and
(ii) each of whom has a specialty in cybersecurity; and
(B) not fewer than 2 research scientists employed by a Federal agency with duties that include cybersecurity activities.
(3) Terms.--Members of the Board shall be appointed for renewable 2-year terms.
(d) Application.--Each individual desiring to receive a graduate fellowship under this section shall submit an application to the Director at such time, in such manner, and containing such information as the Director, in consultation with the Board, shall require.
(e) Award.--The Director is authorized to award graduate fellowships under the fellowship program that shall--
(1) be made available to individuals, through a competitive selection process, for study at a qualified institution and in accordance with the procedures established in subsection (h);
(2) be in an amount that is sufficient to cover annual tuition and fees for doctoral study at a qualified institution for the duration of the graduate fellowship, and shall include, in addition, an annual living stipend of $20,000; and
(3) be for a duration of 3 to 5 years, the specific duration of each graduate fellowship to be determined by the Director in consultation with the Board on a case-by-case basis.
(f) Repayment.--Each graduate fellowship shall--
(1) subject to paragraph (2), be subject to full repayment upon completion of the doctoral degree according to a repayment schedule established and administered by the Director;
(2) be forgiven at the rate of 20 percent of the total amount of graduate fellowship assistance received under this section for each academic year that a recipient is employed as a full-time faculty member at an institution of higher education for a period not to exceed 5 years; and
(3) be monitored by the Director to ensure compliance with this section.
(g) Eligibility.--To be eligible to receive a graduate fellowship under this section, an individual shall--
(1) be a citizen of the United States;
(2) be matriculated or eligible to be matriculated for doctoral studies at a qualified institution; and
(3) demonstrate a commitment to a career in higher education.
(h) Selection.--
(1) In general.--The Director, in consultation with the Board, shall select recipients for graduate fellowships.
(2) Duties.--The Director, in consultation with the Board, shall--
(A) establish criteria for a competitive selection process for recipients of graduate fellowships;
(B) establish and promulgate an application process for the fellowship program;
(C) receive applications for graduate fellowships;
(D) annually review applications and select recipients of graduate fellowships; and
(E) establish and administer a repayment schedule for recipients of graduate fellowships.
(3) Consideration.--In making selections for graduate fellowships, the Director, to the extent possible and in consultation with the Board, shall consider applicants whose interests are of an interdisciplinary nature, encompassing the social scientific as well as technical dimensions of cybersecurity.
(i) Authorization of Appropriations.--There are authorized to be appropriated to carry out this section $5,000,000 for each of fiscal years 2003 through 2005, and such sums as may be necessary for each succeeding fiscal year.

SEC. 5. SABBATICAL FOR DISTINGUISHED FACULTY IN CYBERSECURITY.
(a) Establishment.--The Director is authorized to award grants to institutions of higher education to enable faculty members who are teaching cybersecurity subjects to spend a sabbatical from teaching working at--
(1) the National Security Agency;
(2) the Department of Defense;
(3) the National Institute of Standards and Technology;
(4) a research laboratory supported by the Department of Energy; or
(5) a qualified institution.
(b) Application.--Each institution of higher education desiring to receive a grant under this section shall submit an application to the Director at such time, in such manner, and containing such information as the Director shall require.
(c) Grant Awards.--
(1) In general.--The Director shall award a grant under this section only if the National Science Foundation and the agency or institution where the faculty member will spend the sabbatical approve the sabbatical placement.
(2) Number and duration.--For each fiscal year, the Director shall award grants for not more than 25 sabbatical positions that will each be for a 1-year period.
(3) Amount of award.--
(A) In general.--Each institution of higher education that is awarded a grant under this section shall receive $250,000 for each faculty member who will spend a sabbatical pursuant to the grant.
(B) Use of award.--The Director shall award a grant under this section in 2 disbursements in the following manner:
(i) First disbursement.--The first disbursement shall be made upon selection of a grant recipient and shall consist of the following:
(I) $20,000 to provide a stipend for living expenses to each faculty member awarded a sabbatical under this section.
(II) An amount sufficient for the grant recipient to hire a qualified replacement for the faculty member awarded a sabbatical under this section for the term of the sabbatical, if such a replacement is possible.
(ii) Second disbursement.--The second disbursement shall be made at the conclusion of the sabbatical, only if the faculty member completes the sabbatical in its entirety, and shall be used for the grant recipient's cybersecurity infrastructure needs, including--
(I) acquiring equipment or technology;
(II) hiring graduate students; or
(III) supporting any other activity that will enhance the grant recipient's course offerings and research in cybersecurity.
(d) Eligibility.--To be eligible to receive a grant under this section, an institution of higher education shall submit an application under subsection (b) that--
(1) identifies the faculty member to whom the institution of higher education will provide a sabbatical and ensures that the faculty member is a citizen of the United States;
(2) ensures that the faculty member to whom the institution of higher education will provide a sabbatical is tenured at that institution of higher education and meets general standards of excellence in research or teaching; and
(3) explains how the faculty member to whom the institution of higher education will provide a sabbatical will--
(A) integrate into the faculty member's course offerings knowledge related to cybersecurity that is gained during the sabbatical; and
(B) in conjunction with the institution of higher education, use the second disbursement of funds available under subsection (c)(3)(B)(ii).
(e) Authorization of Appropriations.--There is authorized to be appropriated to carry out this section $8,000,000 for each of fiscal years 2003 through 2005.

SEC. 6. ENHANCING CYBERSECURITY INFRASTRUCTURE.
(a) Establishment.--The Director is authorized to award grants to qualified institutions to fund activities that provide, enhance, and facilitate acquisition of cybersecurity infrastructure at qualified institutions.
(b) Use of Grant Award.--Each qualified institution that receives a grant under this section shall use the grant funds for needs specifically related to--
(1) cybersecurity education and research; and
(2) development efforts related to cybersecurity.
(c) Matching Funds.--Each qualified institution that receives a grant under this section shall contribute to the activities assisted under this section non-Federal matching funds equal to not less than 25 percent of the amount of the grant.
(d) Authorization of Appropriations.--There is authorized to be appropriated to carry out this section $10,000,000 for each of fiscal years 2003 through 2005.

SEC. 7. CYBERSECURITY AWARENESS, TRAINING, AND EDUCATION PROGRAM.
(a) Purpose.--The purpose of this section is to increase the quality of education and training in cybersecurity, thereby increasing the number of qualified students entering the field of cybersecurity to adequately address the Nation's increasing dependence on information technology and to defend the Nation's increasingly vulnerable information infrastructure.
(b) Establishment.--The Director of the National Security Agency is authorized to award grants, on a competitive basis, to qualified institutions to establish Cybersecurity Awareness, Training, and Education Programs (referred to in this section as "information programs").
(c) Application.--
(1) In general.--Each qualified institution desiring to receive a grant under this section shall submit an application to the Director of the National Security Agency at such time, in such manner, and accompanied by such information as the Director of the National Security Agency shall require.
(2) Plans.--Each application submitted pursuant to paragraph (1) shall include a plan for establishing and maintaining an information program under this section, including a description of--
(A) the design, structure, and scope of the proposed information program, including unique qualities that may distinguish the proposed information program from possible approaches of other qualified institutions;
(B) research being conducted in the disciplines encompassed by the plan;
(C) any integration of the information program with other federally funded programs related to cybersecurity education, such as the National Science Foundation Scholarship for Service Program, the Department of Defense Multidisciplinary Research Program of the University Research Initiative, and the Department of Defense Information Assurance Scholarship Program;
(D) necessary costs for information infrastructure to support the information program;
(E) how the qualified institution will protect the integrity and security of the information infrastructure and any student testing mechanisms; and
(F) other relevant information.
(3) Collaboration.--A qualified institution desiring to receive a grant under this section may propose collaboration with other qualified institutions.
(d) Grant Awards.--Each qualified institution that receives a grant under this section shall use the grant funds to--
(1) establish or enhance a Center for Studies in Cybersecurity Awareness, Training, and Education that shall--
(A) establish a professionally produced, web-based collection of cybersecurity programs of instruction that have been approved for general public dissemination by the authors and owners of the programs;
(B) maintain a web-based directory of cybersecurity education and training related conferences and symposia;
(C) sponsor the development of specific instructional materials in cybersecurity and other relevant disciplines, including--
(i) intrusion detection;
(ii) overview of information assurance;
(iii) ethical use of computing systems;
(iv) network security;
(v) cryptography;
(vi) risk management;
(vii) malicious logic; and
(viii) system security engineering;
(D) sponsor cybersecurity education symposia;
(E) collaborate with the National Colloquium for Information Assurance Education;
(F) create a `Virtual Academy' for sharing courseware and laboratory exercises in cybersecurity; and
(G) review and participate in integrating various cybersecurity education and training standards into unified curricula; and
(2) establish or enhance a Center for the Development of Faculty in Cybersecurity that shall--
(A) establish criteria for recognition and certification of cybersecurity trainers and educators;
(B) establish faculty training outreach to teachers in kindergarten through grade 12 and to faculty of part B institutions (as defined in section 322 of the Higher Education Act of 1965 (20 U.S.C. 1061));
(C) build, test, and evaluate laboratory exercises that represent use of model practices in cybersecurity for use in training and education programs; and
(D) establish an integrated program to include the programs described in this paragraph and paragraph (1).
(e) Authorization of Appropriations.--There are authorized to be appropriated to carry out this section--
(1) $1,500,000 for fiscal year 2003;
(2) $2,000,000 for fiscal year 2004;
(3) $3,000,000 for fiscal year 2005; and
(4) $4,500,000 for fiscal year 2006.

SEC. 8. CYBERSECURITY WORKFORCE AND FACILITIES STUDY.
(a) Study.--The Comptroller General shall conduct a study and collect data on the following:
(1) The cybersecurity workforce, including--
(A) the size and nature of the cybersecurity workforce by occupation category (including academic faculty at institutions of higher education), level of education and training, personnel demographics, and industry characteristics; and
(B) the role of foreign workers in the cybersecurity workforce.
(2) Academic cybersecurity research facilities, including--
(A) total academic research space available or utilized for research relating to cybersecurity;
(B) academic research space relating to cybersecurity that is in need of major repair or renovation;
(C) new or ongoing projects at institutions of higher education expected to produce new or renovated research space to be used for research relating to cybersecurity; and
(D) any research space needs related to cybersecurity and based on projections of growth in educational programs and research, including costs and initiatives required to meet such needs and possible consequences of failure to meet such needs.
(3) Other information that the Comptroller General determines appropriate.
(b) Report.--Not later than 6 months after the date of enactment of this Act, and biennially thereafter, the Comptroller General shall prepare and submit a report on the study conducted pursuant to subsection (a) to the--
(1) Committee on Health, Education, Labor and Pensions of the Senate; and
(2) Committee on Education and the Workforce of the House of Representatives.