[Congressional Record Volume 148, Number 43 (Wednesday, April 17, 2002)]
[Senate]
[Pages S2832-S2836]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. WYDEN:
  S. 2182. A bill to authorize funding for computer and network 
security research and development and research fellowship programs, and 
for other purposes; to the Committee on Commerce, Science, and 
Transportation.
 Mr. WYDEN. Mr. President, Americans today live in an 
increasingly networked world. The system of interlinked computer 
networks known as the Internet, which not so long ago was a platform 
used only by a relatively narrow group of academic researchers, is 
today a core medium of communications and commerce for many millions of 
Americans. According to the Commerce Department, more than half of all 
Americans were using the Internet by last September, and the numbers 
are only growing.
  The spread of the Internet presents great new opportunities for the 
American society and economy. But there is a downside to an 
interconnected, networked world: security risks. The Internet connects people not just 
to friends, potential customers, and sources of information, but also 
to would-be hackers, viruses, and cybercriminals.
  Last July, after I became Chairman of the Commerce Committee's 
Subcommittee on Science, Technology, and Space, I chose cybersecurity 
as the topic for my first hearing. The message from that hearing was 
that cybersecurity risks are mounting. The complexity of computer 
networks and the breadth of functions handled online are growing faster 
than the country's computer security capabilities. New technologies, 
for example, ``always on'' Internet connections and wireless networking 
technologies, often make the problem worse, not better.
  The events of September 11 make this matter even more urgent. The 
fact is, America needs to be prepared for the possibility that future 
terrorists will try to strike not our buildings, streets, or airplanes, 
but our critical computer networks.
  Government can't provide a silver bullet solution to this problem. 
Ultimately, progress with respect to cybersecurity is going to require 
the energy and ingenuity of the entire technology sector.
  But one thing government can and should do is support basic 
cybersecurity research, so that the country's pool of cybersecurity 
knowledge and expertise keeps pace with the new and constantly evolving 
risks. This is an area where government involvement is sorely needed.
  That is why I am pleased to introduce today the Cyber Security 
Research and Development Act. Thanks to the leadership of Congressman 
Sherry Boehlert, this legislation has already passed the House by an 
overwhelming bipartisan vote. I hope the Senate will be able to follow 
suit soon.
  This legislation, which has the widespread support of the Nation's 
technology sector, would significantly increase the amount of 
cybersecurity research in this country by creating important new 
research programs at the National Science Foundation, NSF, and National 
Institute of Standards and Technology, NIST. The NSF program would 
provide funding for innovative research, multidisciplinary academic 
centers devoted to cybersecurity, and new courses and fellowships to 
educate the cybersecurity experts of the future. The NIST program 
likewise would support cutting-edge cybersecurity research, with a 
special emphasis on promoting cooperative efforts between government, 
industry, and academia.
  I believe the stakes are high. In addition to the damage that 
cyberattacks could cause directly, the mere threat of security breaches 
can cripple the ongoing development of e-commerce. If the Internet is 
to reach its full potential, security must be improved.
  I therefore urge my colleagues to join me in making cybersecurity 
research and development a top priority, and to work with me in moving 
this bill forward.
  I ask unanimous consent that the text of the bill be printed in the 
Record.
  There being no objection, the bill was ordered to be printed in the 
Record, as follows:

                                S. 2182

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Cyber Security Research and 
     Development Act''.

     SEC. 2. FINDINGS.

       The Congress finds the following:
       (1) Revolutionary advancements in computing and 
     communications technology have interconnected government, 
     commercial, scientific, and educational infrastructures--
     including critical infrastructures for electric power, 
     natural gas and petroleum production and distribution, 
     telecommunications, transportation, water supply, banking and 
     finance, and emergency and government services--in a vast, 
     interdependent physical and electronic network.
       (2) Exponential increases in inter-connectivity have 
     facilitated enhanced communications, economic growth, and the 
     delivery of services critical to the public welfare, but have 
     also increased the consequences of temporary or prolonged 
     failure.
       (3) A Department of Defense Joint Task Force concluded 
     after a 1997 United States information warfare exercise that 
     the results ``clearly demonstrated our lack of preparation 
     for a coordinated cyber and physical attack on our critical 
     military and civilian infrastructure''.
       (4) Computer security technology and systems implementation 
     lack--
       (A) sufficient long term research funding;
       (B) adequate coordination across Federal and State 
     government agencies and among government, academia, and 
     industry; and
       (C) sufficient numbers of outstanding researchers in the 
     field.
       (5) Accordingly, Federal investment in computer and network 
     security research and development must be significantly 
     increased to--
       (A) improve vulnerability assessment and technological and 
     systems solutions;
       (B) expand and improve the pool of information security 
     professionals, including researchers, in the United States 
     workforce; and
       (C) better coordinate information sharing and collaboration 
     among industry, government, and academic research projects.

     SEC. 3. DEFINITIONS.

       For purposes of this Act--
       (1) the term ``Director'' means the Director of the 
     National Science Foundation; and
       (2) the term ``institution of higher education'' has the 
     meaning given that term in section 101 of the Higher 
     Education Act of 1965 (20 U.S.C. 1001).

     SEC. 4. NATIONAL SCIENCE FOUNDATION RESEARCH.

       (a) Computer and Network Security Research Grants.--
       (1) In general.--The Director shall award grants for basic 
     research on innovative approaches to the structure of 
     computer and network hardware and software that are aimed at 
     enhancing computer security. Research areas may include--
       (A) authentication and cryptography;
       (B) computer forensics and intrusion detection;
       (C) reliability of computer and network applications, 
     middleware, operating systems, and communications 
     infrastructure;
       (D) privacy and confidentiality;
       (E) firewall technology;
       (F) emerging threats, including malicious such as viruses 
     and worms;
       (G) vulnerability assessments;
       (H) operations and control systems management; and
       (I) management of interoperable digital certificates or 
     digital watermarking.
       (2) Merit review; competition.--Grants shall be awarded 
     under this section on a merit-reviewed competitive basis.
       (3) Authorization of appropriations.--There are authorized 
     to be appropriated to the National Science Foundation to 
     carry out this subsection--
       (A) $35,000,000 for fiscal year 2003;
       (B) $40,000,000 for fiscal year 2004;
       (C) $46,000,000 for fiscal year 2005;
       (D) $52,000,000 for fiscal year 2006; and
       (E) $60,000,000 for fiscal year 2007.
       (b) Computer and Network Security Research Centers.--
       (1) In general.--The Director shall award multiyear grants, 
     subject to the availability of appropriations, to 
     institutions of higher education (or consortia thereof) to 
     establish multidisciplinary Centers for Computer and Network 
     Security Research. Institutions of higher education (or 
     consortia thereof) receiving such grants may partner with one 
     or more government laboratories or for-profit institutions.
       (2) Merit review; competition.--Grants shall be awarded 
     under this subsection on a merit-reviewed competitive basis.
       (3) Purpose.--The purpose of the Centers shall be to 
     generate innovative approaches to computer and network 
     security by conducting cutting-edge, multidisciplinary 
     research in computer and network security, including the 
     research areas described in subsection (a)(1).
       (4) Applications.--An institution of higher education (or a 
     consortium of such institutions) seeking funding under this 
     subsection shall submit an application to the Director at 
     such time, in such manner, and containing such information as 
     the Director may require. The application shall include, at a 
     minimum, a description of--
       (A) the research projects that will be undertaken by the 
     Center and the contributions of each of the participating 
     entities;
       (B) how the Center will promote active collaboration among 
     scientists and engineers from different disciplines, such as 
     computer scientists, engineers, mathematicians, and social 
     science researchers;
       (C) how the Center will contribute to increasing the number 
     of computer and network security researchers and other 
     professionals; and
       (D) how the center will disseminate research results 
     quickly and widely to improve cybersecurity in information 
     technology networks, products, and services.
       (5) Criteria.--In evaluating the applications submitted 
     under paragraph (4), the Director shall consider, at a 
     minimum--
       (A) the ability of the applicant to generate innovative 
     approaches to computer and network security and effectively 
     carry out the research program;
       (B) the experience of the applicant in conducting research 
     on computer and network security and the capacity of the 
     applicant to foster new multidisciplinary collaborations;
       (C) the capacity of the applicant to attract and provide 
     adequate support for undergraduate and graduate students and 
     postdoctoral fellows to pursue computer and network security 
     research; and
       (D) the extent to which the applicant will partner with 
     government laboratories or for-profit entities, and the role 
     the government laboratories or for-profit entities will play 
     in the research undertaken by the Center.
       (6) Annual meeting.--The Director shall convene an annual 
     meeting of the Centers in order to foster collaboration and 
     communication between Center participants.
       (7) Authorization of appropriations.--There are authorized 
     to be appropriated for the National Science Foundation to 
     carry out this subsection--
       (A) $12,000,000 for fiscal year 2003;
       (B) $24,000,000 for fiscal year 2004;
       (C) $36,000,000 for fiscal year 2005;
       (D) $36,000,000 for fiscal year 2006; and
       (E) $36,000,000 for fiscal year 2007.

     SEC. 5. NATIONAL SCIENCE FOUNDATION COMPUTER AND NETWORK 
                   SECURITY PROGRAMS.

       (a) Computer and Network Security Capacity Building 
     Grants.--
       (1) In general.--The Director shall establish a program to 
     award grants to institutions of higher education (or 
     consortia thereof) to establish or improve undergraduate and 
     master's degree programs in computer and network security, to 
     increase the number of students who pursue undergraduate or 
     master's degrees in fields related to computer and network 
     security, and to provide students with experience in 
     government or industry related to their computer and network 
     security studies.
       (2) Merit review.--Grants shall be awarded under this 
     subsection on a merit-reviewed competitive basis.
       (3) Use of funds.--Grants awarded under this subsection 
     shall be used for activities that enhance the ability of an 
     institution of higher education (or consortium thereof) to 
     provide high-quality undergraduate and master's degree 
     programs in computer and network security and to recruit and 
     retain increased numbers of students to such programs. 
     Activities may include--
       (A) revising curriculum to better prepare undergraduate and 
     master's degree students for careers in computer and network 
     security;
       (B) establishing degree and certificate programs in 
     computer and network security;
       (C) creating opportunities for undergraduate students to 
     participate in computer and network security research 
     projects;
       (D) acquiring equipment necessary for student instruction 
     in computer and network security, including the installation 
     of testbed networks for student use;
       (E) providing opportunities for faculty to work with local 
     or Federal Government agencies, private industry, or other 
     academic institutions to develop new expertise or to 
     formulate new research directions in computer and network 
     security;
       (F) establishing collaborations with other academic 
     institutions or departments that seek to establish, expand, 
     or enhance programs in computer and network security;
       (G) establishing student internships in computer and 
     network security at government agencies or in private 
     industry;
       (H) establishing or enhancing bridge programs in computer 
     and network security between community colleges and 
     universities; and
       (I) any other activities the Director determines will 
     accomplish the goals of this subsection.
       (4) Selection process.--
       (A) Application.--An institution of higher education (or a 
     consortium thereof) seeking funding under this subsection 
     shall submit an application to the Director at such time, in 
     such manner, and containing such information as the Director 
     may require. The application shall include, at a minimum--
       (i) a description of the applicant's computer and network 
     security research and instructional capacity, and in the case 
     of an application from a consortium of institutions of higher 
     education, a description of the role that each member will 
     play in implementing the proposal;
       (ii) a comprehensive plan by which the institution or 
     consortium will build instructional capacity in computer and 
     information security;
       (iii) a description of relevant collaborations with 
     government agencies or private industry that inform the 
     instructional program in computer and network security;
       (iv) a survey of the applicant's historic student 
     enrollment and placement data in fields related to computer 
     and network security and a study of potential enrollment and 
     placement for students enrolled in the proposed computer and 
     network security program; and
       (v) a plan to evaluate the success of the proposed computer 
     and network security program, including post-graduation 
     assessment of graduate school and job placement and retention 
     rates as well as the relevance of the instructional program 
     to graduate study and to the workplace.
       (B) Awards.--(i) The Director shall ensure, to the extent 
     practicable, that grants are awarded under this subsection in 
     a wide range of geographic areas and categories of 
     institutions of higher education.
       (ii) The Director shall award grants under this subsection 
     for a period not to exceed 5 years.
       (5) Assessment required.--The Director shall evaluate the 
     program established under this subsection no later than 6 
     years after the establishment of the program. At a minimum, 
     the Director shall evaluate the extent to which the grants 
     achieved their objectives of increasing the quality and 
     quantity of students pursuing undergraduate or master's 
     degrees in computer and network security.
       (6) Authorization of appropriations.--There are authorized 
     to be appropriated to the National Science Foundation to 
     carry out this subsection--
       (A) $15,000,000 for fiscal year 2003;
       (B) $20,000,000 for fiscal year 2004;
       (C) $20,000,000 for fiscal year 2005;
       (D) $20,000,000 for fiscal year 2006; and
       (E) $20,000,000 for fiscal year 2007.
       (b) Scientific and Advanced Technology Act of 1992.--
       (1) Grants.--The Director shall provide grants under the 
     Scientific and Advanced Technology Act of 1992 for the 
     purposes of section 3(a) and (b) of that Act, except that the 
     activities supported pursuant to this subsection shall be 
     limited to improving education in fields related to computer 
     and network security.
       (2) Authorization of appropriations.--There are authorized 
     to be appropriated to the National Science Foundation to 
     carry out this subsection--
       (A) $1,000,000 for fiscal year 2003;
       (B) $1,250,000 for fiscal year 2004;
       (C) $1,250,000 for fiscal year 2005;
       (D) $1,250,000 for fiscal year 2006; and
       (E) $1,250,000 for fiscal year 2007.
       (c) Graduate Traineeships in Computer and Network Security 
     Research.--
       (1) In general.--The Director shall establish a program to 
     award grants to institutions of higher education to establish 
     traineeship programs for graduate students who pursue 
     computer and network security research leading to a doctorate 
     degree by providing funding and other assistance, and by 
     providing graduate students with research experience in 
     government or industry related to the students' computer and 
     network security studies.
       (2) Merit review.--Grants shall be provided under this 
     subsection on a merit-reviewed competitive basis.
       (3) Use of funds.--An institution of higher education shall 
     use grant funds for the purposes of--
       (A) providing fellowships to students who are citizens, 
     nationals, or lawfully admitted permanent resident aliens of 
     the United States and are pursuing research in computer or 
     network security leading to a doctorate degree;
       (B) paying tuition and fees for students receiving 
     fellowships under subparagraph (A);
       (C) establishing scientific internship programs for 
     students receiving fellowships under subparagraph (A) in 
     computer and network security at for-profit institutions or 
     government laboratories; and
       (D) other costs associated with the administration of the 
     program.
       (4) Fellowship amount.--Fellowships provided under 
     paragraph (3)(A) shall be in the amount of $25,000 per year, 
     or the level of the National Science Foundation Graduate 
     Research Fellowships, whichever is greater, for up to 3 
     years.
       (5) Selection process.--An institution of higher education 
     seeking funding under this subsection shall submit an 
     application to the Director at such time, in such manner, and 
     containing such information as the Director may require. The 
     application shall include, at a minimum, a description of--
       (A) the instructional program and research opportunities in 
     computer and network security available to graduate students 
     at the applicant's institution; and
       (B) the internship program to be established, including the 
     opportunities that will be made available to students for 
     internships at for-profit institutions and government 
     laboratories.
       (6) Review of applications.--In evaluating the applications 
     submitted under paragraph (5), the Director shall consider--
       (A) the ability of the applicant to effectively carry out 
     the proposed program;
       (B) the quality of the applicant's existing research and 
     education programs;
       (C) the likelihood that the program will recruit increased 
     numbers of students to pursue and earn doctorate degrees in 
     computer and network security;
       (D) the nature and quality of the internship program 
     established through collaborations with government 
     laboratories and for-profit institutions;
       (E) the integration of internship opportunities into 
     graduate students' research; and
       (F) the relevance of the proposed program to current and 
     future computer and network security needs.
       (7) Authorization of appropriations.--There are authorized 
     to be appropriated to the National Science Foundation to 
     carry out this subsection--
       (A) $10,000,000 for fiscal year 2003;
       (B) $20,000,000 for fiscal year 2004;
       (C) $20,000,000 for fiscal year 2005;
       (D) $20,000,000 for fiscal year 2006; and
       (E) $20,000,000 for fiscal year 2007.
       (d) Graduate Research Fellowships Program Support.--
     Computer and network security shall be included among the 
     fields of specialization supported by the National Science 
     Foundation's Graduate Research Fellowships program under 
     section 10 of the National Science Foundation Act of 1950 (42 
     U.S.C. 1869).

     SEC. 6. CONSULTATION.

       In carrying out sections 4 and 5, the Director shall 
     consult with other Federal agencies.

     SEC. 7. FOSTERING RESEARCH AND EDUCATION IN COMPUTER AND 
                   NETWORK SECURITY.

       Section 3(a) of the National Science Foundation Act of 1950 
     (42 U.S.C. 1862(a)) is amended--
       (1) by striking ``and'' at the end of paragraph (6);
       (2) by striking the period at the end of paragraph (7) and 
     inserting ``; and''; and
       (3) by adding at the end the following new paragraph:
       ``(8) to take a leading role in fostering and supporting 
     research and education activities to improve the security of 
     networked information systems.''.

     SEC. 8. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 
                   RESEARCH PROGRAM.

       The National Institute of Standards and Technology Act is 
     amended--
       (1) by moving section 22 to the end of the Act and 
     redesignating it as section 32;
       (2) by inserting after section 21 the following new 
     section:


           ``research program on security of computer systems

       ``Sec. 22. (a) Establishment.--The Director shall establish 
     a program of assistance to institutions of higher education 
     that enter into partnerships with for-profit entities to 
     support research to improve the security of computer systems. 
     The partnerships may also include government laboratories. 
     The program shall--
       ``(1) include multidisciplinary, long-term, high-risk 
     research;
       ``(2) include research directed toward addressing needs 
     identified through the activities of the Computer System 
     Security and Privacy Advisory Board under section 20(f); and
       ``(3) promote the development of a robust research 
     community working at the leading edge of knowledge in subject 
     areas relevant to the security of computer systems by 
     providing support for graduate students, post-doctoral 
     researchers, and senior researchers.
       ``(b) Fellowships.--(1) The Director is authorized to 
     establish a program to award post-doctoral research 
     fellowships to individuals who are citizens, nationals, or 
     lawfully admitted permanent resident aliens of the United 
     States and are seeking research positions at institutions, 
     including the Institute, engaged in research activities 
     related to the security of computer systems, including the 
     research areas described in section 4(a)(1) of the Cyber 
     Security Research and Development Act.
       ``(2) The Director is authorized to establish a program to 
     award senior research fellowships to individuals seeking 
     research positions at institutions, including the Institute, 
     engaged in research activities related to the security of 
     computer systems, including the research areas described in 
     section 4(a)(1) of the Cyber Security Research and 
     Development Act. Senior research fellowships shall be made 
     available for established researchers at institutions of 
     higher education who seek to change research fields and 
     pursue studies related to the security of computer systems.
       ``(3)(A) To be eligible for an award under this subsection, 
     an individual shall submit an application to the Director at 
     such time, in such manner, and containing such information as 
     the Director may require.
       ``(B) Under this subsection, the Director is authorized to 
     provide stipends for post-doctoral research fellowships at 
     the level of the Institute's Post Doctoral Research 
     Fellowship Program and senior research fellowships at levels 
     consistent with support for a faculty member in a sabbatical 
     position.
       ``(c) Awards; Applications.--The Director is authorized to 
     award grants or cooperative agreements to institutions of 
     higher education to carry out the program established under 
     subsection (a). To be eligible for an award under this 
     section, an institution of higher education shall submit an 
     application to the Director at such time, in such manner, and 
     containing such information as the Director may require. The 
     application shall include, at a minimum, a description of--
       ``(1) the number of graduate students anticipated to 
     participate in the research project and the level of support 
     to be provided to each;
       ``(2) the number of post-doctoral research positions 
     included under the research project and the level of support 
     to be provided to each;
       ``(3) the number of individuals, if any, intending to 
     change research fields and pursue studies related to the 
     security of computer systems to be included under the 
     research project and the level of support to be provided to 
     each; and
       ``(4) how the for-profit entities and any other partners 
     will participate in developing and carrying out the research 
     and education agenda of the partnership.
       ``(d) Program Operation.--(1) The program established under 
     subsection (a) shall be managed by individuals who shall have 
     both expertise in research related to the security of 
     computer systems and knowledge of the vulnerabilities of 
     existing computer systems. The Director shall designate such 
     individuals as program managers.
       ``(2) Program managers designated under paragraph (1) may 
     be new or existing employees of the Institute or individuals 
     on assignment at the Institute under the Intergovernmental 
     Personnel Act of 1970.
       ``(3) Program managers designated under paragraph (1) shall 
     be responsible for--
       ``(A) establishing and publicizing the broad research goals 
     for the program;
       ``(B) soliciting applications for specific research 
     projects to address the goals developed under subparagraph 
     (A);
       ``(C) selecting research projects for support under the 
     program from among applications submitted to the Institute, 
     following consideration of--
       ``(i) the novelty and scientific and technical merit of the 
     proposed projects;
       ``(ii) the demonstrated capabilities of the individual or 
     individuals submitting the applications to successfully carry 
     out the proposed research;
       ``(iii) the impact the proposed projects will have on 
     increasing the number of computer security researchers;
       ``(iv) the nature of the participation by for-profit 
     entities and the extent to which the proposed projects 
     address the concerns of industry; and
       ``(v) other criteria determined by the Director, based on 
     information specified for inclusion in applications under 
     subsection (c); and
       ``(D) monitoring the progress of research projects 
     supported under the program.
       ``(e) Review of Program.--(1) The Director shall 
     periodically review the portfolio of research awards 
     monitored by each program manager designated in accordance 
     with subsection (d). In conducting those reviews, the 
     Director shall seek the advice of the Computer System 
     Security and Privacy Advisory Board, established under 
     section 21, on the appropriateness of the research goals and 
     on the quality and utility of research projects managed by 
     program managers in accordance with subsection (d).
       ``(2) The Director shall also contract with the National 
     Research Council for a comprehensive review of the program 
     established under subsection (a) during the 5th year of the 
     program. Such review shall include an assessment of the 
     scientific quality of the research conducted, the relevance 
     of the research results obtained to the goals of the program 
     established under subsection (d)(3)(A), and the progress of 
     the program in promoting the development of a substantial 
     academic research community working at the leading edge of 
     knowledge in the field. The Director shall submit to Congress 
     a report on the results of the review under this paragraph no 
     later than six years after the initiation of the program.
       ``(f) Definitions.--For purposes of this section--
       ``(1) the term `computer system' has the meaning given that 
     term in section 20(d)(1); and
       ``(2) the term `institution of higher education' has the 
     meaning given that term in section 101 of the Higher 
     Education Act of 1965 (20 U.S.C. 1001).''; and
       (3) in section 20(d)(1)(B)(i) (15 U.S.C. 278g-
     3(d)(1)(B)(i)), by inserting ``and computer networks'' after 
     ``computers''.

     SEC. 9. COMPUTER SECURITY REVIEW, PUBLIC MEETINGS, AND 
                   INFORMATION.

       Section 20 of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-3) is amended by adding at the 
     end the following new subsection:
       ``(f) There are authorized to be appropriated to the 
     Secretary $1,060,000 for fiscal year 2003 and $1,090,000 for 
     fiscal year 2004 to enable the Computer System Security and 
     Privacy Advisory Board, established by section 21, to 
     identify emerging issues, including research needs, related 
     to computer security, privacy, and cryptography and, as 
     appropriate, to convene public meetings on those subjects, 
     receive presentations, and publish reports, digests, and 
     summaries for public distribution on those subjects.''.

     SEC. 10. INTRAMURAL SECURITY RESEARCH.

       Section 20 of the National Institute of Standards and 
     Technology Act (15 U.S.C. 278g-3) is further amended--
       (1) by redesignating subsection (d) as subsection (e); and
       (2) by inserting after subsection (c) the following new 
     subsection:
       ``(d) As part of the research activities conducted in 
     accordance with subsection (b)(4), the Institute shall--
       ``(1) conduct a research program to address emerging 
     technologies associated with assembling a networked computer 
     system from components while ensuring it maintains desired 
     security properties;
       ``(2) carry out research associated with improving the 
     security of real-time computing and communications systems 
     for use in process control; and
       ``(3) carry out multidisciplinary, long-term, high-risk 
     research on ways to improve the security of computer 
     systems.''.

     SEC. 11. AUTHORIZATION OF APPROPRIATIONS.

       There are authorized to be appropriated to the Secretary of 
     Commerce for the National Institute of Standards and 
     Technology--
       (1) for activities under section 22 of the National 
     Institute of Standards and Technology Act, as added by 
     section 8 of this Act--
       (A) $25,000,000 for fiscal year 2003;
       (B) $40,000,000 for fiscal year 2004;
       (C) $55,000,000 for fiscal year 2005;
       (D) $70,000,000 for fiscal year 2006;
       (E) $85,000,000 for fiscal year 2007; and
       (F) such sums as may be necessary for fiscal years 2008 
     through 2012; and
       (2) for activities under section 20(d) of the National 
     Institute of Standards and Technology Act, as added by 
     section 10 of this Act--
       (A) $6,000,000 for fiscal year 2003;
       (B) $6,200,000 for fiscal year 2004;
       (C) $6,400,000 for fiscal year 2005;
       (D) $6,600,000 for fiscal year 2006; and
       (E) $6,800,000 for fiscal year 2007.

     SEC. 12. NATIONAL ACADEMY OF SCIENCES STUDY ON COMPUTER AND 
                   NETWORK SECURITY IN CRITICAL INFRASTRUCTURES.

       (a) Study.--Not later than 3 months after the date of the 
     enactment of this Act, the Director of the National Institute 
     of Standards and Technology shall enter into an arrangement 
     with the National Research Council of the National Academy of 
     Sciences to conduct a study of the vulnerabilities of the
     Nation's network infrastructure and make recommendations for 
     appropriate improvements. The National Research Council 
     shall--
       (1) review existing studies and associated data on the 
     architectural, hardware, and software vulnerabilities and 
     interdependencies in United States critical infrastructure 
     networks;
       (2) identify and assess gaps in technical capability for 
     robust critical infrastructure network security, and make 
     recommendations for research priorities and resource 
     requirements; and
       (3) review any and all other essential elements of computer 
     and network security, including security of industrial 
     process controls, to be determined in the conduct of the 
     study.
       (b) Report.--The Director of the National Institute of 
     Standards and Technology shall transmit a report containing 
     the results of the study and recommendations required by 
     subsection (a) to the Congress not later than 21 months after 
     the date of enactment of this Act.
       (c) Security.--The Director of the National Institute of 
     Standards and Technology shall ensure that no information 
     that is classified is included in any publicly released 
     version of the report required by this section.
       (d) Authorization of Appropriations.--There are authorized 
     to be appropriated to the Secretary of Commerce for the 
     National Institute of Standards and Technology for the 
     purposes of carrying out this section, $700,000.