[Congressional Bills 107th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3394 Referred in Senate (RFS)]

  2d Session
                                H. R. 3394


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                            February 7, 2002

    Received; read twice and referred to the Committee on Commerce, 
                      Science, and Transportation

_______________________________________________________________________

                                 AN ACT

  To authorize funding for computer and network security research and 
 development and research fellowship programs, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Cyber Security Research and 
Development Act''.

SEC. 2. FINDINGS.

    The Congress finds the following:
            (1) Revolutionary advancements in computing and 
        communications technology have interconnected government, 
        commercial, scientific, and educational infrastructures--
        including critical infrastructures for electric power, natural 
        gas and petroleum production and distribution, 
        telecommunications, transportation, water supply, banking and 
        finance, and emergency and government services--in a vast, 
        interdependent physical and electronic network.
            (2) Exponential increases in interconnectivity have 
        facilitated enhanced communications, economic growth, and the 
        delivery of services critical to the public welfare, but have 
        also increased the consequences of temporary or prolonged 
        failure.
            (3) A Department of Defense Joint Task Force concluded 
        after a 1997 United States information warfare exercise that 
        the results ``clearly demonstrated our lack of preparation for 
        a coordinated cyber and physical attack on our critical 
        military and civilian infrastructure''.
            (4) Computer security technology and systems implementation 
        lack--
                    (A) sufficient long term research funding;
                    (B) adequate coordination across Federal and State 
                government agencies and among government, academia, and 
                industry;
                    (C) sufficient numbers of outstanding researchers 
                in the field; and
                    (D) market incentives for the design of commercial 
                and consumer security solutions.
            (5) Accordingly, Federal investment in computer and network 
        security research and development must be significantly 
        increased to--
                    (A) improve vulnerability assessment and 
                technological and systems solutions;
                    (B) expand and improve the pool of information 
                security professionals, including researchers, in the 
                United States workforce; and
                    (C) better coordinate information sharing and 
                collaboration among industry, government, and academic 
                research projects.

SEC. 3. DEFINITIONS.

    For purposes of this Act--
            (1) the term ``Director'' means the Director of the 
        National Science Foundation; and
            (2) the term ``institution of higher education'' has the 
        meaning given that term in section 101 of the Higher Education 
        Act of 1965 (20 U.S.C. 1001).

SEC. 4. NATIONAL SCIENCE FOUNDATION RESEARCH.

    (a) Computer and Network Security Research Grants.--
            (1) In general.--The Director shall award grants for basic 
        research on innovative approaches to the structure of computer 
        and network hardware and software that are aimed at enhancing 
        computer security. Research areas may include--
                    (A) authentication and cryptography;
                    (B) computer forensics and intrusion detection;
                    (C) reliability of computer and network 
                applications, middleware, operating systems, and 
                communications infrastructure; and
                    (D) privacy and confidentiality.
            (2) Merit review; competition.--Grants shall be awarded 
        under this section on a merit-reviewed competitive basis.
            (3) Authorization of appropriations.--There are authorized 
        to be appropriated to the National Science Foundation to carry 
        out this subsection--
                    (A) $35,000,000 for fiscal year 2003;
                    (B) $40,000,000 for fiscal year 2004;
                    (C) $46,000,000 for fiscal year 2005;
                    (D) $52,000,000 for fiscal year 2006; and
                    (E) $60,000,000 for fiscal year 2007.
    (b) Computer and Network Security Research Centers.--
            (1) In general.--The Director shall award multiyear grants, 
        subject to the availability of appropriations, to institutions 
        of higher education (or consortia thereof) to establish 
        multidisciplinary Centers for Computer and Network Security 
        Research. Institutions of higher education (or consortia 
        thereof) receiving such grants may partner with one or more 
        government laboratories or for-profit institutions.
            (2) Merit review; competition.--Grants shall be awarded 
        under this subsection on a merit-reviewed competitive basis.
            (3) Purpose.--The purpose of the Centers shall be to 
        generate innovative approaches to computer and network security 
        by conducting cutting-edge, multidisciplinary research in 
        computer and network security, including the research areas 
        described in subsection (a)(1).
            (4) Applications.--An institution of higher education (or a 
        consortium of such institutions) seeking funding under this 
        subsection shall submit an application to the Director at such 
        time, in such manner, and containing such information as the 
        Director may require. The application shall include, at a 
        minimum, a description of--
                    (A) the research projects that will be undertaken 
                by the Center and the contributions of each of the 
                participating entities;
                    (B) how the Center will promote active 
                collaboration among scientists and engineers from 
                different disciplines, such as computer scientists, 
                engineers, mathematicians, and social science 
                researchers; and
                    (C) how the Center will contribute to increasing 
                the number of computer and network security researchers 
                and other professionals.
            (5) Criteria.--In evaluating the applications submitted 
        under paragraph (4), the Director shall consider, at a 
        minimum--
                    (A) the ability of the applicant to generate 
                innovative approaches to computer and network security 
                and effectively carry out the research program;
                    (B) the experience of the applicant in conducting 
                research on computer and network security and the 
                capacity of the applicant to foster new 
                multidisciplinary collaborations;
                    (C) the capacity of the applicant to attract and 
                provide adequate support for undergraduate and graduate 
                students and postdoctoral fellows to pursue computer 
                and network security research; and
                    (D) the extent to which the applicant will partner 
                with government laboratories or for-profit entities, 
                and the role the government laboratories or for-profit 
                entities will play in the research undertaken by the 
                Center.
            (6) Annual meeting.--The Director shall convene an annual 
        meeting of the Centers in order to foster collaboration and 
        communication between Center participants.
            (7) Authorization of appropriations.--There are authorized 
        to be appropriated for the National Science Foundation to carry 
        out this subsection--
                    (A) $12,000,000 for fiscal year 2003;
                    (B) $24,000,000 for fiscal year 2004;
                    (C) $36,000,000 for fiscal year 2005;
                    (D) $36,000,000 for fiscal year 2006; and
                    (E) $36,000,000 for fiscal year 2007.

SEC. 5. NATIONAL SCIENCE FOUNDATION COMPUTER AND NETWORK SECURITY 
              PROGRAMS.

    (a) Computer and Network Security Capacity Building Grants.--
            (1) In general.--The Director shall establish a program to 
        award grants to institutions of higher education (or consortia 
        thereof) to establish or improve undergraduate and master's 
        degree programs in computer and network security, to increase 
        the number of students who pursue undergraduate or master's 
        degrees in fields related to computer and network security, and 
        to provide students with experience in government or industry 
        related to their computer and network security studies.
            (2) Merit review.--Grants shall be awarded under this 
        subsection on a merit-reviewed competitive basis.
            (3) Use of funds.--Grants awarded under this subsection 
        shall be used for activities that enhance the ability of an 
        institution of higher education (or consortium thereof) to 
        provide high-quality undergraduate and master's degree programs 
        in computer and network security and to recruit and retain 
        increased numbers of students to such programs. Activities may 
        include--
                    (A) revising curriculum to better prepare 
                undergraduate and master's degree students for careers 
                in computer and network security;
                    (B) establishing degree and certificate programs in 
                computer and network security;
                    (C) creating opportunities for undergraduate 
                students to participate in computer and network 
                security research projects;
                    (D) acquiring equipment necessary for student 
                instruction in computer and network security, including 
                the installation of testbed networks for student use;
                    (E) providing opportunities for faculty to work 
                with local or Federal Government agencies, private 
                industry, or other academic institutions to develop new 
                expertise or to formulate new research directions in 
                computer and network security;
                    (F) establishing collaborations with other academic 
                institutions or departments that seek to establish, 
                expand, or enhance programs in computer and network 
                security;
                    (G) establishing student internships in computer 
                and network security at government agencies or in 
                private industry;
                    (H) establishing or enhancing bridge programs in 
                computer and network security between community 
                colleges and universities; and
                    (I) any other activities the Director determines 
                will accomplish the goals of this subsection.
            (4) Selection process.--
                    (A) Application.--An institution of higher 
                education (or a consortium thereof) seeking funding 
                under this subsection shall submit an application to 
                the Director at such time, in such manner, and 
                containing such information as the Director may 
                require. The application shall include, at a minimum--
                            (i) a description of the applicant's 
                        computer and network security research and 
                        instructional capacity, and in the case of an 
                        application from a consortium of institutions 
                        of higher education, a description of the role 
                        that each member will play in implementing the 
                        proposal;
                            (ii) a comprehensive plan by which the 
                        institution or consortium will build 
                        instructional capacity in computer and 
                        information security;
                            (iii) a description of relevant 
                        collaborations with government agencies or 
                        private industry that inform the instructional 
                        program in computer and network security;
                            (iv) a survey of the applicant's historic 
                        student enrollment and placement data in fields 
                        related to computer and network security and a 
                        study of potential enrollment and placement for 
                        students enrolled in the proposed computer and 
                        network security program; and
                            (v) a plan to evaluate the success of the 
                        proposed computer and network security program, 
                        including post-graduation assessment of 
                        graduate school and job placement and retention 
                        rates as well as the relevance of the 
                        instructional program to graduate study and to 
                        the workplace.
                    (B) Awards.--(i) The Director shall ensure, to the 
                extent practicable, that grants are awarded under this 
                subsection in a wide range of geographic areas and 
                categories of institutions of higher education.
                    (ii) The Director shall award grants under this 
                subsection for a period not to exceed 5 years.
            (5) Assessment required.--The Director shall evaluate the 
        program established under this subsection no later than 6 years 
        after the establishment of the program. At a minimum, the 
        Director shall evaluate the extent to which the grants achieved 
        their objectives of increasing the quality and quantity of 
        students pursuing undergraduate or master's degrees in computer 
        and network security.
            (6) Authorization of appropriations.--There are authorized 
        to be appropriated to the National Science Foundation to carry 
        out this subsection--
                    (A) $15,000,000 for fiscal year 2003;
                    (B) $20,000,000 for fiscal year 2004;
                    (C) $20,000,000 for fiscal year 2005;
                    (D) $20,000,000 for fiscal year 2006; and
                    (E) $20,000,000 for fiscal year 2007.
    (b) Scientific and Advanced Technology Act of 1992.--
            (1) Grants.--The Director shall provide grants under the 
        Scientific and Advanced Technology Act of 1992 for the purposes 
        of section 3(a) and (b) of that Act, except that the activities 
        supported pursuant to this subsection shall be limited to 
        improving education in fields related to computer and network 
        security.
            (2) Authorization of appropriations.--There are authorized 
        to be appropriated to the National Science Foundation to carry 
        out this subsection--
                    (A) $1,000,000 for fiscal year 2003;
                    (B) $1,250,000 for fiscal year 2004;
                    (C) $1,250,000 for fiscal year 2005;
                    (D) $1,250,000 for fiscal year 2006; and
                    (E) $1,250,000 for fiscal year 2007.
    (c) Graduate Traineeships in Computer and Network Security 
Research.--
            (1) In general.--The Director shall establish a program to 
        award grants to institutions of higher education to establish 
        traineeship programs for graduate students who pursue computer 
        and network security research leading to a doctorate degree by 
        providing funding and other assistance, and by providing 
        graduate students with research experience in government or 
        industry related to the students' computer and network security 
        studies.
            (2) Merit review.--Grants shall be provided under this 
        subsection on a merit-reviewed competitive basis.
            (3) Use of funds.--An institution of higher education shall 
        use grant funds for the purposes of--
                    (A) providing fellowships to students who are 
                citizens, nationals, or lawfully admitted permanent 
                resident aliens of the United States and are pursuing 
                research in computer or network security leading to a 
                doctorate degree;
                    (B) paying tuition and fees for students receiving 
                fellowships under subparagraph (A);
                    (C) establishing scientific internship programs for 
                students receiving fellowships under subparagraph (A) 
                in computer and network security at for-profit 
                institutions or government laboratories; and
                    (D) other costs associated with the administration 
                of the program.
            (4) Fellowship amount.--Fellowships provided under 
        paragraph (3)(A) shall be in the amount of $25,000 per year, or 
        the level of the National Science Foundation Graduate Research 
        Fellowships, whichever is greater, for up to 3 years.
            (5) Selection process.--An institution of higher education 
        seeking funding under this subsection shall submit an 
        application to the Director at such time, in such manner, and 
        containing such information as the Director may require. The 
        application shall include, at a minimum, a description of--
                    (A) the instructional program and research 
                opportunities in computer and network security 
                available to graduate students at the applicant's 
                institution; and
                    (B) the internship program to be established, 
                including the opportunities that will be made available 
                to students for internships at for-profit institutions 
                and government laboratories.
            (6) Review of applications.--In evaluating the applications 
        submitted under paragraph (5), the Director shall consider--
                    (A) the ability of the applicant to effectively 
                carry out the proposed program;
                    (B) the quality of the applicant's existing 
                research and education programs;
                    (C) the likelihood that the program will recruit 
                increased numbers of students to pursue and earn 
                doctorate degrees in computer and network security;
                    (D) the nature and quality of the internship 
                program established through collaborations with 
                government laboratories and for-profit institutions;
                    (E) the integration of internship opportunities 
                into graduate students' research; and
                    (F) the relevance of the proposed program to 
                current and future computer and network security needs.
            (7) Authorization of appropriations.--There are authorized 
        to be appropriated to the National Science Foundation to carry 
        out this subsection--
                    (A) $10,000,000 for fiscal year 2003;
                    (B) $20,000,000 for fiscal year 2004;
                    (C) $20,000,000 for fiscal year 2005;
                    (D) $20,000,000 for fiscal year 2006; and
                    (E) $20,000,000 for fiscal year 2007.
    (d) Graduate Research Fellowships Program Support.--Computer and 
network security shall be included among the fields of specialization 
supported by the National Science Foundation's Graduate Research 
Fellowships program under section 10 of the National Science Foundation 
Act of 1950 (42 U.S.C. 1869).

SEC. 6. CONSULTATION.

    In carrying out sections 4 and 5, the Director shall consult with 
other Federal agencies.

SEC. 7. FOSTERING RESEARCH AND EDUCATION IN COMPUTER AND NETWORK 
              SECURITY.

    Section 3(a) of the National Science Foundation Act of 1950 (42 
U.S.C. 1862(a)) is amended--
            (1) by striking ``and'' at the end of paragraph (6);
            (2) by striking the period at the end of paragraph (7) and 
        inserting ``; and''; and
            (3) by adding at the end the following new paragraph:
            ``(8) to take a leading role in fostering and supporting 
        research and education activities to improve the security of 
        networked information systems.''.

SEC. 8. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY RESEARCH 
              PROGRAM.

    The National Institute of Standards and Technology Act is amended--
            (1) by moving section 22 to the end of the Act and 
        redesignating it as section 32;
            (2) by inserting after section 21 the following new 
        section:

           ``research program on security of computer systems

    ``Sec. 22. (a) Establishment.--The Director shall establish a 
program of assistance to institutions of higher education that enter 
into partnerships with for-profit entities to support research to 
improve the security of computer systems. The partnerships may also 
include government laboratories. The program shall--
            ``(1) include multidisciplinary, long-term, high-risk 
        research;
            ``(2) include research directed toward addressing needs 
        identified through the activities of the Computer System 
        Security and Privacy Advisory Board under section 20(f); and
            ``(3) promote the development of a robust research 
        community working at the leading edge of knowledge in subject 
        areas relevant to the security of computer systems by providing 
        support for graduate students, post-doctoral researchers, and 
        senior researchers.
    ``(b) Fellowships.--(1) The Director is authorized to establish a 
program to award post-doctoral research fellowships to individuals who 
are citizens, nationals, or lawfully admitted permanent resident aliens 
of the United States and are seeking research positions at 
institutions, including the Institute, engaged in research activities 
related to the security of computer systems, including the research 
areas described in section 4(a)(1) of the Cyber Security Research and 
Development Act.
    ``(2) The Director is authorized to establish a program to award 
senior research fellowships to individuals seeking research positions 
at institutions, including the Institute, engaged in research 
activities related to the security of computer systems, including the 
research areas described in section 4(a)(1) of the Cyber Security 
Research and Development Act. Senior research fellowships shall be made 
available for established researchers at institutions of higher 
education who seek to change research fields and pursue studies related 
to the security of computer systems.
    ``(3)(A) To be eligible for an award under this subsection, an 
individual shall submit an application to the Director at such time, in 
such manner, and containing such information as the Director may 
require.
    ``(B) Under this subsection, the Director is authorized to provide 
stipends for post-doctoral research fellowships at the level of the 
Institute's Post Doctoral Research Fellowship Program and senior 
research fellowships at levels consistent with support for a faculty 
member in a sabbatical position.
    ``(c) Awards; Applications.--The Director is authorized to award 
grants or cooperative agreements to institutions of higher education to 
carry out the program established under subsection (a). To be eligible 
for an award under this section, an institution of higher education 
shall submit an application to the Director at such time, in such 
manner, and containing such information as the Director may require. 
The application shall include, at a minimum, a description of--
            ``(1) the number of graduate students anticipated to 
        participate in the research project and the level of support to 
        be provided to each;
            ``(2) the number of post-doctoral research positions 
        included under the research project and the level of support to 
        be provided to each;
            ``(3) the number of individuals, if any, intending to 
        change research fields and pursue studies related to the 
        security of computer systems to be included under the research 
        project and the level of support to be provided to each; and
            ``(4) how the for-profit entities and any other partners 
        will participate in developing and carrying out the research 
        and education agenda of the partnership.
    ``(d) Program Operation.--(1) The program established under 
subsection (a) shall be managed by individuals who shall have both 
expertise in research related to the security of computer systems and 
knowledge of the vulnerabilities of existing computer systems. The 
Director shall designate such individuals as program managers.
    ``(2) Program managers designated under paragraph (1) may be new or 
existing employees of the Institute or individuals on assignment at the 
Institute under the Intergovernmental Personnel Act of 1970.
    ``(3) Program managers designated under paragraph (1) shall be 
responsible for--
            ``(A) establishing and publicizing the broad research goals 
        for the program;
            ``(B) soliciting applications for specific research 
        projects to address the goals developed under subparagraph (A);
            ``(C) selecting research projects for support under the 
        program from among applications submitted to the Institute, 
        following consideration of--
                    ``(i) the novelty and scientific and technical 
                merit of the proposed projects;
                    ``(ii) the demonstrated capabilities of the 
                individual or individuals submitting the applications 
                to successfully carry out the proposed research;
                    ``(iii) the impact the proposed projects will have 
                on increasing the number of computer security 
                researchers;
                    ``(iv) the nature of the participation by 
                for-profit entities and the extent to which the 
                proposed projects address the concerns of industry; and
                    ``(v) other criteria determined by the Director, 
                based on information specified for inclusion in 
                applications under subsection (c); and
            ``(D) monitoring the progress of research projects 
        supported under the program.
    ``(e) Review of Program.--(1) The Director shall periodically 
review the portfolio of research awards monitored by each program 
manager designated in accordance with subsection (d). In conducting 
those reviews, the Director shall seek the advice of the Computer 
System Security and Privacy Advisory Board, established under section 
21, on the appropriateness of the research goals and on the quality and 
utility of research projects managed by program managers in accordance 
with subsection (d).
    ``(2) The Director shall also contract with the National Research 
Council for a comprehensive review of the program established under 
subsection (a) during the 5th year of the program. Such review shall 
include an assessment of the scientific quality of the research 
conducted, the relevance of the research results obtained to the goals 
of the program established under subsection (d)(3)(A), and the progress 
of the program in promoting the development of a substantial academic 
research community working at the leading edge of knowledge in the 
field. The Director shall submit to Congress a report on the results of 
the review under this paragraph no later than six years after the 
initiation of the program.
    ``(f) Definitions.--For purposes of this section--
            ``(1) the term `computer system' has the meaning given that 
        term in section 20(d)(1); and
            ``(2) the term `institution of higher education' has the 
        meaning given that term in section 101 of the Higher Education 
        Act of 1965 (20 U.S.C. 1001).''; and
            (3) in section 20(d)(1)(B)(i) (15 U.S.C. 
        278g-3(d)(1)(B)(i)), by inserting ``and computer networks'' 
        after ``computers''.

SEC. 9. COMPUTER SECURITY REVIEW, PUBLIC MEETINGS, AND INFORMATION.

    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3) is amended by adding at the end the following 
new subsection:
    ``(f) There are authorized to be appropriated to the Secretary 
$1,060,000 for fiscal year 2003 and $1,090,000 for fiscal year 2004 to 
enable the Computer System Security and Privacy Advisory Board, 
established by section 21, to identify emerging issues, including 
research needs, related to computer security, privacy, and cryptography 
and, as appropriate, to convene public meetings on those subjects, 
receive presentations, and publish reports, digests, and summaries for 
public distribution on those subjects.''.

SEC. 10. INTRAMURAL SECURITY RESEARCH.

    Section 20 of the National Institute of Standards and Technology 
Act (15 U.S.C. 278g-3) is further amended--
            (1) by redesignating subsection (d) as subsection (e); and
            (2) by inserting after subsection (c) the following new 
        subsection:
    ``(d) As part of the research activities conducted in accordance 
with subsection (b)(4), the Institute shall--
            ``(1) conduct a research program to address emerging 
        technologies associated with assembling a networked computer 
        system from components while ensuring it maintains desired 
        security properties;
            ``(2) carry out research and support standards development 
        activities associated with improving the security of real-time 
        computing and communications systems for use in process 
        control; and
            ``(3) carry out multidisciplinary, long-term, high-risk 
        research on ways to improve the security of computer 
        systems.''.

SEC. 11. AUTHORIZATION OF APPROPRIATIONS.

    There are authorized to be appropriated to the Secretary of 
Commerce for the National Institute of Standards and Technology--
            (1) for activities under section 22 of the National 
        Institute of Standards and Technology Act, as added by section 
        8 of this Act--
                    (A) $25,000,000 for fiscal year 2003;
                    (B) $40,000,000 for fiscal year 2004;
                    (C) $55,000,000 for fiscal year 2005;
                    (D) $70,000,000 for fiscal year 2006;
                    (E) $85,000,000 for fiscal year 2007; and
                    (F) such sums as may be necessary for fiscal years 
                2008 through 2012; and
            (2) for activities under section 20(d) of the National 
        Institute of Standards and Technology Act, as added by section 
        10 of this Act--
                    (A) $6,000,000 for fiscal year 2003;
                    (B) $6,200,000 for fiscal year 2004;
                    (C) $6,400,000 for fiscal year 2005;
                    (D) $6,600,000 for fiscal year 2006; and
                    (E) $6,800,000 for fiscal year 2007.

SEC. 12. NATIONAL ACADEMY OF SCIENCES STUDY ON COMPUTER AND NETWORK 
              SECURITY IN CRITICAL INFRASTRUCTURES.

    (a) Study.--Not later than 3 months after the date of the enactment 
of this Act, the Director of the National Institute of Standards and 
Technology shall enter into an arrangement with the National Research 
Council of the National Academy of Sciences to conduct a study of the 
vulnerabilities of the Nation's network infrastructure and make 
recommendations for appropriate improvements. The National Research 
Council shall--
            (1) review existing studies and associated data on the 
        architectural, hardware, and software vulnerabilities and 
        interdependencies in United States critical infrastructure 
        networks;
            (2) identify and assess gaps in technical capability for 
        robust critical infrastructure network security, and make 
        recommendations for research priorities and resource 
        requirements; and
            (3) review any and all other essential elements of computer 
        and network security, including security of industrial process 
        controls, to be determined in the conduct of the study.
    (b) Report.--The Director of the National Institute of Standards 
and Technology shall transmit a report containing the results of the 
study and recommendations required by subsection (a) to the Congress 
not later than 21 months after the date of enactment of this Act.
    (c) Security.--The Director of the National Institute of Standards 
and Technology shall ensure that no information that is classified is 
included in any publicly released version of the report required by 
this section.
    (d) Authorization of Appropriations.--There are authorized to be 
appropriated to the Secretary of Commerce for the National Institute of 
Standards and Technology for the purposes of carrying out this section, 
$700,000.

            Passed the House of Representatives February 7, 2002.

            Attest:

                                                 JEFF TRANDAHL,

                                                                 Clerk.