Congressional Record: January 28, 2002 (Senate)
Page S176-S183
STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS
By Mr. EDWARDS:
S. 1900. A bill to protect against cyberterrorism and cybercrime, and
for other purposes; to the Committee on Commerce, Science, and
Transportation.
______
By Mr. EDWARDS:
S. 1901. A bill to authorize the National Science Foundation and the
National Security Agency to establish programs to increase the number
of qualified faculty teaching advanced courses and conducting research in
the field of cybersecurity, and for other purposes; to the Committee on
Health, Education, Labor, and Pensions.
Mr. EDWARDS. Mr. President, since the horrifying events of September
11, our country's number one priority has been to secure our families
against the scourge of terrorism.
First, in our hearts, of course, are the men and women on the
frontlines of the fight: the soldiers fighting for freedom half a world
away; the firefighters and police officers in New York; the postal
workers here in Washington.
Those of us elected to serve in Washington have a special
responsibility to protect our security. To discharge that duty, I have
been working with my colleagues here in the Senate. We have made a
great deal of progress, but there's a lot more work to do.
After a long debate, Congress passed and the President signed
important legislation, based partly on a bill I introduced, to tighten
security in our airports. But we have to do more.
There are several bills that I have helped author that are working
their way through Congress. Two of these bills, to tighten security at
seaports and to protect against bioterrorism, have already passed the
Senate and are awaiting action in the House. Another bill, to tighten
our border security, should reach the Senate floor soon. All three
should be enacted quickly. You can be sure our enemies are not waiting
for us to act.
One of the greatest challenges in the struggle for security is to
prepare for the next attack, not just the last one. We have seen how
vicious thugs can destroy innocent life with airplanes, how they can
terrorize ordinary people with biological weapons. We are responding to
those threats. But what about threats whose awful consequences we
haven't yet felt?
Today I want to talk about one of those threats: the threat of
"cyberterrorism", an attack against the computer networks upon which
our safety and economy now depend. Computers have become a foundation
of our electricity, oil, gas, water, telephones, emergency services,
and banks, not to mention our national defense apparatus.
Computer networks have brought extraordinary improvements in the way
we live and work. We communicate more often, more quickly, more
cheaply. With the push of a button in a classroom or a bedroom, our
children can get more information than most libraries have ever held.
Yet there is a dark side to the internet, a new set of dangers.
Today, if you ask an expert quietly, he or she will tell you that
cyberspace is a very vulnerable place. Terrorists could cause terrible
harm. They might be able to stop all traffic on the internet. Shut down
power for entire cities for extended periods. Disrupt our phones.
Poison our water. Paralyze our emergency services--police,
firefighters, ambulances. The list goes on. We now live in a world
where a terrorist can do as much damage with a keyboard and a modem as
with a gun or a bomb.
Already, one hacker has broken into a computer-controlled waste
management system and caused millions of gallons of raw sewage to spill
into parks, rivers, and private property. You probably haven't heard
about this attack because it occurred in Australia. But imagine if
terrorists launched calculated, coordinated attacks on America.
Our enemies are already targeting our networks. After September 11, a
Pakistani group hacked into two government web services, including one
at the Department of Defense, and declared a "cyber jihad" against
the United States. Another series of attacks, known as "Moonlight
Maze," assaulted the Pentagon, Department of Energy, and NASA, and
obtained vast quantities of technical defense research. To date, we can
be thankful that these attacks have not been terribly sophisticated.
But that could change soon. As the Defense Science Board recently
stated, the U.S. will eventually be attacked "by a sophisticated
adversary using an effective array of information warfare tools and
techniques. Two choices are available: adapt before the attack or
afterward."
In addition, cybercrime is already a billion-dollar drain on our
economy, a drain growing larger each year. In 1955, one survey reported
that losses from FBI-reported computer crime had already reached $2
billion. Last year, the "ILOVEYOU" virus alone caused $8.7 billion in
damage worldwide, much of it here. Cyberattacks have shut down major
web sites like Yahoo! and eBay, not to mention the FBI. According to a
recent survey, 85 percent of large corporations and government agencies
detected computer security breaches over the prior 12 months. Two
thirds suffered financial losses as a result.
So the danger is clear, and the only question is how we address it. I
think we need to address it in many ways. Today I want to focus on just
two that are especially critical.
The first is to encourage computer users to take proven measures to
protect themselves. In the industry, these proven measures are known as
"best practices"--steps like using customized passwords, not the ones
that come with software, or promptly installing known "patches" to
keep intruders out.
The National Academy of Sciences recently reported that cybersecurity
today is far worse than what known best practices can provide. As a
result, viruses have shut down tens of thousands of machines even after
patches to block them were widely available. Because the password
protections on some systems are so weak, intruders have taken the
"routers" that control Internet traffic hostage. And the government
is as guilty as anyone. According to the report card issued by a member
of the House of Representatives, most government agencies rate between
a "D" and an "F" on cybersecurity. Improving our security by
implementing existing best practices is our first big task.
Our second challenge is to train more researchers, teachers, and
workers to fight cyberthreats. Today the private sector engages in some
short-term R&D on cybersecurity. But broader research and knowledge
needs aren't being met. In addition, our workforce in cybersecurity is
woefully inadequate, especially in academia. Each year, American
universities award Ph.D.'s in computer science to about one thousand
people each year. But less than one-half of one-percent specialize in
cybersecurity, and fewer still go on to train others in the discipline.
As Dr. Bill Chu, Chairman of the Software and Information Systems
Department at the University of North Carolina at Charlotte and one of
the country's leading experts on cybersecurity puts it: "The weakest
link . . . is the lack of qualified information security
professionals. The majority of information technology professionals in
this country have not been trained in the basics of information
security. Information technology faculty in most universities do not
have sufficient background to properly train students."
As a whole, the challenge of cybersecurity is not unlike the
challenge of a terrible disease like cancer. First, we have to
encourage everyone to do what they can to reduce the risk of disease--
don't smoke, eat right, exercise. That is what cybersecurity "best
practices" like changing passwords are all about. Second, we have to
make sure we have got top-notch scientists working to find new
medicines to prevent and fight the disease. And that is why we need
more cyber teachers and researchers.
To tackle these two challenges, I'm proud today to introduce two new
bills that will support an intensive, $400 million cybersecurity effort
over the next five years. The first bill is called the Cyberterrorism
Preparedness Act of 2002.
That bill's first step is to establish a new, nonprofit,
nongovernment, consortium of academic and private sector experts to lay
out a clear set of "best practices" that protect against cyberattack.
The White House Office of Science and Technology Policy, the Institute
for Defense Analyses, and the President's Committee of Advisors on
Science and Technology have all recommended a new, nonprofit
cybersecurity consortium. Such a consortium can work closely with the
private sector, unfettered by bureaucracy, in a way that all the
country can see and learn from.
The goals of the consortium are simple: first, the establishment of
"best practices" that are tailored to different computer systems and
needs; second, the widest possible dissemination of those practices;
and third, long-term, multi-disciplinary research on cybersecurity--
research that isn't occurring now.
The second part of the Cyberterrorism Preparedness Act will implement
"best practices" for government systems. The government has a duty to
lead by example, something we aren't doing right now. And so, within 6
months after this Act passed, the National Institute of Standards and
Technology would immediately begin the process of implementing best
practices for government agencies, beginning with small-scale tests and
concluding with government-wide adoption of the recommended best
practices.
The last part of my bill will assess the issue of best practices for
the private sector. While the bill doesn't impose new mandates beyond
the government, it does require careful consideration of how to
encourage the widest possible use of known best practices. There's a
particular focus on entities that do business with the Federal
Government as grantees or contractors. Government agencies should not
be exposed to security vulnerabilities in the products supplied by
these companies. And Federal dollars should not be flowing to firms
that expose America to cyberterrorism. So the new consortium would be
required to study whether and how government could condition grants and
contracts on the adoption of cybersecurity best practices. The
President is authorized to implement recommendations from that study.
The Cyberterrorism Preparedness Act will address the first goal of
cybersecurity--making sure we're taking the steps we already know to
improve our security. The second bill I am introducing today--the
Cybersecurity Research and Education Act--focuses on our second task:
"training the trainers" and increasing the number of researchers,
teachers, and workers committed to cybersecurity.
First, the bill establishes a Cybersecurity Graduate Fellowship
Program at the National Science Foundation. Individuals selected to
participate in the program will receive a loan that covers the full
tuition and fees as well as a living stipend for 4 years of doctoral
study. Upon graduation, these loans will be forgiven at 20 percent per
year for each year that the individual teaches at a college or
university. After only 5 years of teaching, the entire loan will be
paid off. That way, we can ensure that the money we invest in these
promising young scientists will be used to train others interested in
cybersecurity.
Second, my bill also establishes a competitive sabbatical for
Distinguished Faculty in Cybersecurity. Under the program, a qualified
faculty member will receive a stipend to spend a year working and
researching at the Department of Defense, a university specializing in
cybersecurity, or some other appropriate facility. Universities sending
faculty on sabbatical will receive funding to hire a temporary
replacement instructor. In addition, when the faculty member returns,
the university will get a generous grant to enhance its cybersecurity
infrastructure needs. For example, the university could purchase
advanced computing equipment and hire graduate research assistants.
Participants in this program will have a unique opportunity to engage
in cutting-edge research with some of the best minds in the country.
When they return to their schools, these faculty will be even better
equipped to advance the state of cybersecurity education.
Third, this bill will create a Cybersecurity Awareness, Training, and
Education Program at the National Security Agency. NSA has a strong
history of supporting cybersecurity education, as exemplified through
initiatives such as the Centers of Excellence program and the National
Colloquium for Information Systems Security Education. The program I
propose would build on NSA's expertise and would enable the agency to
make grants to universities specializing in cybersecurity. The grants
could be used for projects like teaching basic computer security to K-
12 teachers, or for the development of a "virtual university."
Students who don't
have access to nearby course offerings would then be able to take
cybersecurity classes online.
All of these programs are critical in our fight against
cyberterrorism. A strong and vibrant academic community is essential
for building the trained workforce of tomorrow. We must be committed to
funding long-term research. And we must vigilantly maintain basic
cybersecurity protections in government, while promoting them in the
private sector.
When it comes to the threat of a sophisticated, coordinated
cyberterrorist attack, the question most likely is not whether such an
attack will come. The question is when. And so we must be prepared to
fight against a "cyberjihad," and we must be prepared to win.
I ask unanimous consent that the text of my two bills be printed in
the Record.
There being no objection, the bills were ordered to be printed in the
Record, as follows:
S. 1900
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the "Cyberterrorism Preparedness
Act of 2002".
SEC. 2. GRANT FOR PROGRAM FOR PROTECTION OF INFORMATION
INFRASTRUCTURE AGAINST DISRUPTION.
(a) In General.--The National Institute of Standards and
Technology shall, using amounts authorized to be appropriated
by section 5, award a grant to a qualifying nongovernmental
entity for purposes of a program to support the development
of appropriate cybersecurity best practices, support long-
term cybersecurity research and development, and perform
functions relating to such activities. The purpose of the
program shall be to provide protection for the information
infrastructure of the United States against terrorist or
other disruption or attack or other unwarranted intrusion.
(b) Qualifying Nongovernmental Entity.--For purposes of
this section, a qualifying nongovernmental entity is any
entity that--
(1) is a nonprofit, nongovernmental consortium composed of
at least three academic centers of expertise in cybersecurity
and at least three private sector centers of expertise in
cybersecurity;
(2) has a board of directors of at least 12 members who
include senior administrators of academic centers of
expertise in cybersecurity and senior managers of private
sector centers of expertise in cybersecurity and of whom not
more than one third are affiliated with the centers
comprising the consortium;
(3) is operated by individuals from academia, the private
sector, or both who have--
(A) a demonstrated expertise in cybersecurity; and
(B) the capacity to carry out the program required under
subsection (g);
(4) has in place a set of rules to ensure that conflicts of
interest involving officers, employees, and members of the
board of directors of the entity do not undermine the
activities of the entity;
(5) has developed a detailed plan for the program required
under subsection (g); and
(6) meets any other requirements established by the
National Institute of Standards and Technology for purposes
of this Act.
(c) Application.--Any entity seeking a grant under this
section shall submit to the National Institute of Standards
and Technology an application therefor, in such form and
containing such information as the National Institute for
Standards and Technology shall require.
(d) Selection of Grantee.--The entity awarded a grant under
this section shall be selected after full and open
competition among qualifying nongovernmental entities.
(e) Dispersal of Grant Amount.--Amounts available for the
grant under this section pursuant to the authorization of
appropriations in section 5 shall be dispersed on a fiscal
year basis over the five fiscal years beginning with fiscal
year 2003.
(f) Consultation.--In carrying out activities under this
section, including selecting an entity for the award of a
grant, dispersing grant amounts, and overseeing activities of
the entity receiving the grant, the National Institute of
Standards and Technology--
(1) shall consult with an existing interagency entity, or
new interagency entity, consisting of the elements of the
Federal Government having a substantial interest and
expertise in cybersecurity and designated by the President
for purposes of this Act; and
(2) may consult separately with any such element of the
Federal Government.
(g) Program Using Grant Amount.--
(1) In general.--The entity awarded a grant under this
section shall carry out a national program for the purpose of
protecting the information infrastructure of the United
States against disruption. The program shall consist of--
(A) multi-disciplinary research and development to identify
appropriate cybersecurity best practices, to measure the
effectiveness of cybersecurity best practices that are put
into use, and to identify sound means to achieve widespread
use of appropriate cybersecurity best practices that have
proven effective;
(B) multi-disciplinary, long-term, or high-risk research
and development (including associated human resource
development) to improve cybersecurity; and
(C) the activities required under paragraphs (3) and (4).
(2) Conduct of research and development.--
(A) In general.--Except as provided in subparagraph (B),
research and development under subparagraphs (A) and (B) of
paragraph (1) shall be carried out using funds and other
support provided by the grantee to entities selected by the
grantee after full and open competition among entities
determined by the grantee to be qualified to carry out such
research and development.
(B) Conduct by grantee.--The grantee may carry out research
and development referred to in subparagraph (A) in any fiscal
year using not more than 15 percent of the amount dispersed
to the grantee under this Act in such fiscal year by the
National Institute of Standards and Technology.
(3) Recommendations on cybersecurity best practices.--
(A) Recommendations.--Not later than 18 months after the
selection of the grantee under this section, the grantee
shall prepare a report containing recommendations for
appropriate cybersecurity best practices.
(B) Updates.--The grantee shall update the recommendations
made under subparagraph (A) not less often than once every
six months, and may update any portion of such
recommendations more frequently if the grantee determines
that circumstances so require.
(C) Considerations.--In making recommendations under
subparagraph (A), and any update of such recommendations
under subparagraph (B), the grantee shall--
(i) review the most current cybersecurity best practices
identified by the National Institute of Standards and
Technology under section 3(a); and
(ii) consult with--
(I) the entities carrying out research and development
under paragraph (1)(A);
(II) entities employing cybersecurity best practices; and
(III) a wide range of academic, private sector, and public
entities.
(D) Dissemination.--The grantee shall submit the report
under subparagraph (A), and any update of the report under
paragraph (B), to the bodies and officials specified in
paragraph (5), and shall widely disseminate the report, and
any such update, among government (including State and local
government), private, and academic entities.
(4) Activities relating to widespread use of cybersecurity
best practices.--
(A) In general.--Not later than two years after the
selection of the grantee under this section, the grantee
shall submit to the bodies and officials specified in
paragraph (5) a report containing--
(i) an assessment of the advisability of requiring the
contractors and grantees of the Federal Government to use
appropriate cybersecurity best practices; and
(ii) recommendations for sound means to achieve widespread
use of appropriate cybersecurity best practices that have
proven effective.
(B) Report elements.--The report under subparagraph (A)
shall set forth--
(i) whether or not the requirement described in
subparagraph (A)(i) is advisable, including whether the
requirement would impose undue or inappropriate burdens, or
other inefficiencies, on contractors and grantees of the
Federal Government;
(ii) if the requirement is determined advisable--
(I) whether, and to what extent, the requirement should be
subject to exceptions or limitations for particular
contractors or grantees, including the types of contractors
or grantees and the nature of the exceptions or limitations;
and
(II) which cybersecurity best practices should be covered
by the requirement and with what, if any, exceptions or
limitations; and
(iii) any other matters that the grantee considers
appropriate.
(5) Specified bodies and officials.--The bodies and
officials specified in this paragraph are as follows:
(A) The appropriate committees of Congress.
(B) The President.
(C) The Director of the Office of Management and Budget.
(D) The National Institute of Standards and Technology.
(E) The interagency entity designated by the President
under subsection (f)(1).
(h) Grant Administration.--
(1) Use of grant competition and management systems.--The
National Institute of Standards and Technology may permit the
entity awarded the grant under this section to utilize the
grants competition system and grants management system of the
National Institute of Standards and Technology for purposes
of the efficient administration of activities by the entity
under subsection (g).
(2) Rules.--The National Institute of Standards and
Technology shall establish any rules and procedures that the
National Institute of Standards and Technology considers
appropriate to further the purposes of this section. Such
rules may include provisions relating to the ownership of any
intellectual property created by the entity
awarded the grant under this section or funded by the entity
under subsection (g).
(i) Supplement Not Supplant.--The National Institute of
Standards and Technology shall take appropriate actions to
ensure that activities under this section supplement, rather
than supplant, other current governmental and nongovernmental
efforts to protect the information infrastructure of the
United States.
SEC. 3. APPROPRIATE CYBERSECURITY BEST PRACTICES FOR THE
FEDERAL GOVERNMENT.
(a) NIST Recommendations.--
(1) In general.--Not later than 180 days after the date of
the enactment of this Act, the National Institute of
Standards and Technology shall submit to the bodies and
officials specified in subsection (e) a report that--
(A) identifies appropriate cybersecurity best practices
that could reasonably be adopted by the departments and
agencies of the Federal Government over the 24-month period
beginning on the date of the report; and
(B) sets forth proposed demonstration projects for the
adoption of such best practices by various departments and
agencies of the Federal Government beginning 90 days after
the date of the report.
(2) Updates.--The National Institute of Standards and
Technology may submit to the bodies and officials specified
in subsection (e) any updates of the report under paragraph
(1) that the National Institute of Standards and Technology
consider appropriate due to changes in circumstances.
(3) Consultation.--In preparing the report under paragraph
(1), and any updates of the report under paragraph (2), the
National Institute of Standards and Technology shall consult
with departments and agencies of the Federal Government
having an interest in the report and such updates, and with
academic centers of expertise in cybersecurity and private
sector centers of expertise in cybersecurity.
(b) Demonstration Projects for Implementation of
Recommendations.--
(1) In general.--Commencing not later than 90 days after
receipt of the report under subsection (a), the President
shall carry out the demonstration projects set forth in the
report, including any modification of any such demonstration
project that the President considers appropriate.
(2) Updates.--If the National Institute of Standards and
Technology updates under subsection (a)(2) any recommendation
under subsection (a)(1)(A) that is relevant to a
demonstration project under paragraph (1), the President
shall modify the demonstration project to take into account
such update.
(3) Report.--Not later than nine months after commencement
of the demonstration projects under this subsection, the
President shall submit to the appropriate committees of
Congress a report on the demonstration projects. The report
shall set forth the following:
(A) An assessment of the extent to which the adoption of
appropriate cybersecurity best practices by departments and
agencies of the Federal Government under the demonstration
projects has improved cybersecurity at such departments and
agencies.
(B) An assessment whether or not the adoption of
appropriate cybersecurity best practices by departments and
agencies of the Federal Government under the demonstration
projects has affected the capability of such departments and
agencies to carry out their missions.
(C) A description of the cost of the adoption of
appropriate cybersecurity best practices by departments and
agencies of the Federal Government under the demonstration
projects.
(D) A description of a security-enhancing missions-
comparable, cost-effective program, to the extent such
program is feasible, for the adoption of appropriate
cybersecurity best practices government-wide.
(E) Any other matters that the President considers
appropriate.
(c) Adoption of Cybersecurity Best Practices Government-
Wide.--The President shall implement a program for the
adoption of appropriate cybersecurity best practices
government-wide commencing not later than six months after
the date of the report.
(d) Incorporation of Recommendations.--If during the
development or implementation of the program under subsection
(c) the President receives any recommendations under
paragraph (3) or (4) of section 3(g), the President shall
modify the program in order to take into account such
recommendations.
(e) Specified Bodies and Officials.--The bodies and
officials specified in this subsection are as follows:
(1) The appropriate committees of Congress.
(2) The President.
(3) The Director of the Office of Management and Budget.
(4) The interagency entity designated by the President
under section 3(f)(1).
SEC. 4. DEFINITIONS.
In this Act:
(1) Appropriate committees of congress.--The term
"appropriate committees of Congress" means--
(A) the Committee on Commerce, Science, and Transportation
of the Senate; and
(B) the Committee on Science of the House of
Representatives.
(2) Cybersecurity.--The term "cybersecurity" means
information assurance, including information security,
information technology disaster recovery, and information
privacy.
(3) Cybersecurity best practice.--The term "cybersecurity
best practice" means a computer hardware or software
configuration, information system design, operational
procedure, or measure, structure, or method that most
effectively protects computer hardware, software, networks,
or network elements against an attack that would cause harm
through the installation of unauthorized computer software,
saturation of network traffic, alteration of data, disclosure
of confidential information, or other means.
(4) Appropriate cybersecurity best practice.--The term
"appropriate cybersecurity best practice" means a
cybersecurity best practice that--
(A) permits, as needed, customization or expansion for the
computer hardware, software, network, or network element to
which the best practice applies;
(B) takes into account the need for security protection
that balances--
(i) the risk and magnitude of harm threatened by potential
attack; and
(ii) the cost of imposing security protection; and
(C) takes into account the rapidly changing nature of
computer technology.
SEC. 5. AUTHORIZATION OF APPROPRIATIONS.
There is hereby authorized to be appropriated for the
National Institute of Standards and Technology for purposes
of activities under this Act, amounts as follows:
(1) For fiscal year 2003, $70,000,000.
(2) For each of the fiscal years 2004 through 2007, such
sums as may be necessary.
____
S. 1901
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the "Cybersecurity Research and
Education Act of 2002".
SEC. 2. FINDINGS.
Congress finds that--
(1) critical elements of the Nation's basic economic and
physical infrastructure rely on information technology for
effective functioning;
(2) increased reliance on technology has left our Nation
vulnerable to the threat of cyberterrorism;
(3) long-term research on practices, methods, and
technologies that will help ensure the safety of our
information infrastructure remains woefully inadequate;
(4) there is a critical shortage of faculty at institutions
of higher education who specialize in disciplines related to
cybersecurity;
(5) a vigorous scholarly community in fields related to
cybersecurity is necessary to help conduct research and
disseminate knowledge about the practical application of the
community's findings; and
(6) universities in the United States award the Ph.D.
degree in computer sciences to approximately 1,000
individuals each year, but of those awarded this degree, less
than 0.3 percent specialize in cybersecurity and still fewer
become employed in faculty positions at institutions of
higher education.
SEC. 3. DEFINITIONS.
In this Act:
(1) Cybersecurity.--The term "cybersecurity" means
information assurance, including scientific, technical,
management, or any other relevant disciplines required to
ensure computer and network security, including, but not
limited to, a discipline related to the following functions:
(A) Secure System and network administration and
operations.
(B) Systems security engineering.
(C) Information assurance systems and product acquisition.
(D) Cryptography.
(E) Threat and vulnerability assessment, including risk
management.
(F) Web security.
(G) Operations of computer emergency response teams.
(H) Cybersecurity training, education, and management.
(I) Computer forensics.
(J) Defensive information operations.
(2) Cybersecurity infrastructure.--The term "cybersecurity
infrastructure" includes--
(A) equipment that is integral to research and education
capabilities in cybersecurity, including, but not limited
to--
(i) encryption devices;
(ii) network switches;
(iii) routers;
(iv) firewalls;
(v) wireless networking gear;
(vi) protocol analyzers;
(vii) file servers;
(viii) workstations;
(ix) biometric tools; and
(x) computers; and
(B) technology support staff (including graduate students)
that is integral to research and education capabilities in
cybersecurity.
(3) Director.--The term "Director" means the Director of
the National Science Foundation.
(4) Institution of higher education.--The term
"institution of higher education" has the meaning given the
term in section 101(a)
of the Higher Education Act of 1965 (20 U.S.C. 1001(a)).
(5) Other relevant discipline.--The term "other relevant
discipline" includes, but is not limited to, the following
fields as the fields specifically relate to securing
information infrastructures:
(A) Biometrics.
(B) Software engineering.
(C) Computer science and engineering.
(D) Law.
(E) Business management or administration.
(F) Psychology.
(G) Mathematics.
(H) Sociology.
(6) Qualified institution.--The term "qualified
institution" means an institution of higher education that,
at the time of submission of an application pursuant to any
of the programs authorized by this Act--
(A) has offered, for not less than 3 years prior to the
date the application is submitted under this Act, a minimum
of 2 graduate courses in cybersecurity (not including short-
term special seminars or 1-time classes offered by visitors);
(B) has not less than 3 faculty members who teach
cybersecurity courses--
(i) each of whom has published not less than 1 refereed
cybersecurity research article in a journal or through a
conference during the 2-year period preceding the date of
enactment of this Act;
(ii) at least 1 of whom is tenured; and
(iii) each of whom has demonstrated active engagement in
the cybersecurity scholarly community during the 2-year
period preceding the date of enactment of this Act, such as
serving as an editor of a cybersecurity journal or
participating on a program committee for a cybersecurity
conference or workshop;
(C) has graduated not less than 1 Ph.D. scholar in
cybersecurity during the 2-year period preceding the date of
enactment of this Act; and
(D) has not less than 3 graduate students enrolled who are
pursuing a Ph.D. in cybersecurity.
SEC. 4. CYBERSECURITY GRADUATE FELLOWSHIP PROGRAM.
(a) Purpose.--The purpose of this section is--
(1) to encourage individuals to pursue academic careers in
cybersecurity upon the completion of doctoral degrees; and
(2) to stimulate advanced study and research, at the
doctoral level, in complex, relevant, and important issues in
cybersecurity.
(b) Establishment.--The Director is authorized to establish
a Cybersecurity Fellowship Program (referred to in this
section as the "fellowship program") to annually award 3 to
5-year graduate fellowships to individuals for studies and
research at the doctoral level in cybersecurity.
(c) Cybersecurity Fellowship Program Advisory Board.--
(1) Establishment.--There is established a Cybersecurity
Fellowship Program Advisory Board (referred to in this
section as the "Board").
(2) Membership.--The Director shall appoint members of the
Board who shall include--
(A) not fewer than 3 full-time faculty members--
(i) each of whom teaches at an institution of higher
education; and
(ii) each of whom has a specialty in cybersecurity; and
(B) not fewer than 2 research scientists employed by a
Federal agency with duties that include cybersecurity
activities.
(3) Terms.--Members of the Board shall be appointed for
renewable 2-year terms.
(d) Application.--Each individual desiring to receive a
graduate fellowship under this section shall submit an
application to the Director at such time, in such manner, and
containing such information as the Director, in consultation
with the Board, shall require.
(e) Award.--The Director is authorized to award graduate
fellowships under the fellowship program that shall--
(1) be made available to individuals, through a competitive
selection process, for study at a qualified institution and
in accordance with the procedures established in subsection
(h);
(2) be in an amount that is sufficient to cover annual
tuition and fees for doctoral study at a qualified
institution for the duration of the graduate fellowship, and
shall include, in addition, an annual living stipend of
$20,000; and
(3) be for a duration of 3 to 5 years, the specific
duration of each graduate fellowship to be determined by the
Director in consultation with the Board on a case-by-case
basis.
(f) Repayment.--Each graduate fellowship shall--
(1) subject to paragraph (f)(2), be subject to full
repayment upon completion of the doctoral degree according to
a repayment schedule established and administered by the
Director;
(2) be forgiven at the rate of 20 percent of the total
amount of graduate fellowship assistance received under this
section for each academic year that a recipient is employed
as a full-time faculty member at an institution of higher
education for a period not to exceed 5 years; and
(3) be monitored by the Director to ensure compliance with
this section.
(g) Eligibility.--To be eligible to receive a graduate
fellowship under this section, an individual shall--
(1) be a citizen of the United States;
(2) be matriculated or eligible to be matriculated for
doctoral studies at a qualified institution; and
(3) demonstrate a commitment to a career in higher
education.
(h) Selection.--
(1) In general.--The Director, in consultation with the
Board, shall select recipients for graduate fellowships.
(2) Duties.--The Director, in consultation with the Board,
shall--
(A) establish criteria for a competitive selection process
for recipients of graduate fellowships;
(B) establish and promulgate an application process for the
fellowship program;
(C) receive applications for graduate fellowships;
(D) annually review applications and select recipients of
graduate fellowships; and
(E) establish and administer a repayment schedule for
recipients of graduate fellowships.
(3) Consideration.--In making selections for graduate
fellowships, the Director, to the extent possible and in
consultation with the Board, shall consider applicants whose
interests are of an interdisciplinary nature, encompassing
the social scientific as well as technical dimensions of
cybersecurity.
(i) Authorization of Appropriations.--There are authorized
to be appropriated to carry out this section $5,000,000 for
each of fiscal years 2003 through 2005, and such sums as may
be necessary for each succeeding fiscal year.
SEC. 5. SABBATICAL FOR DISTINGUISHED FACULTY IN
CYBERSECURITY.
(a) Establishment.--The Director is authorized to award
grants to institutions of higher education to enable faculty
members who are teaching cybersecurity subjects to spend a
sabbatical from teaching working at--
(1) the National Security Agency;
(2) the Department of Defense;
(3) the National Institute of Standards and Technology;
(4) a research laboratory supported by the Department of
Energy; or
(5) a qualified institution.
(b) Application.--Each institution of higher education
desiring to receive a grant under this section shall submit
an application to the Director at such time, in such manner,
and containing such information as the Director shall
require.
(c) Grant Awards.--
(1) In general.--The Director shall award a grant under
this section only if the National Science Foundation and the
agency or institution where the faculty member will spend the
sabbatical approve the sabbatical placement.
(2) Number and duration.--For each fiscal year, the
Director shall award grants for not more than 25 sabbatical
positions that will each be for a 1-year period.
(3) Amount of award.--
(A) In general.--Each institution of higher education that
is awarded a grant under this section shall receive $250,000
for each faculty member who will spend a sabbatical pursuant
to the grant.
(B) Use of award.--The Director shall award a grant under
this section in 2 disbursements in the following manner:
(i) First disbursement.--The first disbursement shall be
made upon selection of a grant recipient and shall consist of
the following:
(I) $20,000 to provide a stipend for living expenses to
each faculty member awarded a sabbatical under this section.
(II) An amount sufficient for the grant recipient to hire a
qualified replacement for the faculty member awarded a
sabbatical under this section for the term of the sabbatical,
if such a replacement is possible.
(ii) Second disbursement.--The second disbursement shall be
made at the conclusion of the sabbatical, only if the faculty
member completes the sabbatical in its entirety, and shall be
used for the grant recipient's cybersecurity infrastructure
needs, including--
(I) acquiring equipment or technology;
(II) hiring graduate students; or
(III) supporting any other activity that will enhance the
grant recipient's course offerings and research in
cybersecurity.
(d) Eligibility.--To be eligible to receive a grant under
this section, an institution of higher education shall submit
an application under subsection (b) that--
(1) identifies the faculty member to whom the institution
of higher education will provide a sabbatical and ensures
that the faculty member is a citizen of the United States;
(2) ensures that the faculty member to whom the institution
of higher education will provide a sabbatical is tenured at
that institution of higher education and meets general
standards of excellence in research or teaching; and
(3) explains how the faculty member to whom the institution
of higher education will provide a sabbatical will--
(A) integrate into the faculty member's course offerings
knowledge related to cybersecurity that is gained during the
sabbatical; and
(B) in conjunction with the institution of higher
education, use the second disbursement of funds available
under subsection (c)(3)(B)(ii).
(e) Authorization of Appropriations.--There is authorized
to be appropriated to carry out this section $8,000,000 for
each of fiscal years 2003 through 2005.
SEC. 6. ENHANCING CYBERSECURITY INFRASTRUCTURE.
(a) Establishment.--The Director is authorized to award
grants to qualified institutions to fund activities that
provide, enhance, and facilitate acquisition of cybersecurity
infrastructure at qualified institutions.
(b) Use of Grant Award.--Each qualified institution that
receives a grant under this section shall use the grant funds
for needs specifically related to--
(1) cybersecurity education and research; and
(2) development efforts related to cybersecurity.
(c) Matching Funds.--Each qualified institution that
receives a grant under this section shall contribute to the
activities assisted under this section non-Federal matching
funds equal to not less than 25 percent of the amount of the
grant.
(d) Authorization of Appropriations.--There is authorized
to be appropriated to carry out this section $10,000,000 for
each of fiscal years 2003 through 2005.
SEC. 7. CYBERSECURITY AWARENESS, TRAINING, AND EDUCATION
PROGRAM.
(a) Purpose.--The purpose of this section is to increase
the quality of education and training in cybersecurity,
thereby increasing the number of qualified students entering
the field of cybersecurity to adequately address the Nation's
increasing dependence on information technology and to defend
the Nation's increasingly vulnerable information
infrastructure.
(b) Establishment.--The Director of the National Security
Agency is authorized to award grants, on a competitive basis,
to qualified institutions to establish Cybersecurity
Awareness, Training, and Education Programs (referred to in
this section as "information programs").
(c) Application.--
(1) In general.--Each qualified institution desiring to
receive a grant under this section shall submit an
application to the Director of the National Security Agency
at such time, in such manner, and accompanied by such
information as the Director of the National Security Agency
shall require.
(2) Plans.--Each application submitted pursuant to
paragraph (1) shall include a plan for establishing and
maintaining an information program under this section,
including a description of--
(A) the design, structure, and scope of the proposed
information program, including unique qualities that may
distinguish the proposed information program from possible
approaches of other qualified institutions;
(B) research being conducted in the disciplines encompassed
by the plan;
(C) any integration of the information program with other
federally funded programs related to cybersecurity education,
such as the National Science Foundation Scholarship for
Service Program, the Department of Defense Multidisciplinary
Research Program of the University Research Initiative, and
the Department of Defense Information Assurance Scholarship
Program;
(D) necessary costs for information infrastructure to
support the information program;
(E) how the qualified institution will protect the
integrity and security of the information infrastructure and
any student testing mechanisms; and
(F) other relevant information.
(3) Collaboration.--A qualified institution desiring to
receive a grant under this section may propose collaboration
with other qualified institutions.
(d) Grant Awards.--Each qualified institution that receives
a grant under this section shall use the grant funds to--
(1) establish or enhance a Center for Studies in
Cybersecurity Awareness, Training, and Education that shall--
(A) establish a professionally produced, web-based
collection of cybersecurity programs of instruction that have
been approved for general public dissemination by the authors
and owners of the programs;
(B) maintain a web-based directory of cybersecurity
education and training related conferences and symposia;
(C) sponsor the development of specific instructional
materials in cybersecurity and other relevant disciplines,
including--
(i) intrusion detection;
(ii) overview of information assurance;
(iii) ethical use of computing systems;
(iv) network security;
(v) cryptography;
(vi) risk management;
(vii) malicious logic; and
(viii) system security engineering;
(D) sponsor cybersecurity education symposia;
(E) collaborate with the National Colloquium for
Information Assurance Education;
(F) create a "Virtual Academy" for sharing courseware and
laboratory exercises in cybersecurity; and
(G) review and participate in integrating various
cybersecurity education and training standards into unified
curricula; and
(2) establish or enhance a Center for the Development of
Faculty in Cybersecurity that shall--
(A) establish criteria for recognition and certification of
cybersecurity trainers and educators;
(B) establish faculty training outreach to teachers in
kindergarten through grade 12 and to faculty of part B
institutions (as defined in section 322 of the Higher
Education Act of 1965 (20 U.S.C. 1061));
(C) build, test, and evaluate laboratory exercises that
represent use of model practices in cybersecurity for use in
training and education programs; and
(D) establish an integrated program to include the programs
described in this paragraph and paragraph (1).
(e) Authorization of Appropriations.--There are authorized
to be appropriated to carry out this section--
(1) $1,500,000 for fiscal year 2003;
(2) $2,000,000 for fiscal year 2004;
(3) $3,000,000 for fiscal year 2005; and
(4) $4,500,000 for fiscal year 2006.
SEC. 8. CYBERSECURITY WORKFORCE AND FACILITIES STUDY.
(a) Study.--The Comptroller General shall conduct a study
and collect data on the following:
(1) The cybersecurity workforce, including--
(A) the size and nature of the cybersecurity workforce by
occupation category (including academic faculty at
institutions of higher education), level of education and
training, personnel demographics, and industry
characteristics; and
(B) the role of foreign workers in the cybersecurity
workforce.
(2) Academic cybersecurity research facilities, including--
(A) total academic research space available or utilized for
research relating to cybersecurity;
(B) academic research space relating to cybersecurity that
is in need of major repair or renovation;
(C) new or ongoing projects at institutions of higher
education expected to produce new or renovated research space
to be used for research relating to cybersecurity; and
(D) any research space needs related to cybersecurity and
based on projections of growth in educational programs and
research, including costs and initiatives required to meet
such needs and possible consequences of failure to meet such
needs.
(3) Other information that the Comptroller General
determines appropriate.
(b) Report.--Not later than 6 months after the date of
enactment of this Act, and biennially thereafter, the
Comptroller General shall prepare and submit a report on the
study conducted pursuant to subsection (a) to the--
(1) Committee on Health, Education, Labor and Pensions of
the Senate; and
(2) Committee on Education and the Workforce of the House
of Representatives.
______