[Congressional Record (Bound Edition), Volume 147 (2001), Part 16]
[Extensions of Remarks]
[Pages 22939-22940]
[From the U.S. Government Publishing Office, www.gpo.gov]



 INTRODUCTION OF THE COMPUTER SECURITY ENHANCEMENT AND RESEARCH ACT OF 
                                  2001

                                 ______
                                 

                            HON. BRIAN BAIRD

                             of washington

                    in the house of representatives

                       Friday, November 16, 2001

  Mr. BAIRD. Mr. Speaker, today I am introducing the Computer Security 
Enhancement and Research Act of 2001. This legislation will address 
long-term needs in securing the nation's information infrastructure as 
well as strengthening the security of the non-classified computer 
systems of federal agencies. The bill establishes a research and 
development program on computer and network security at the National 
Institute of Standards and Technology. It also strengthens the 
Institute's existing responsibilities in developing best computer 
security practices and standards and in assisting federal agencies to 
implement effective computer and network security.
  Because of September 11th, attention is focused in an unprecedented 
way on increasing our security against terrorism. Our concerns include 
protecting critical national infrastructures. Today, security has to 
mean more than locking doors or guarding buildings and installing metal 
detectors. In addition to physical security, virtual systems that are 
vital to the Nation's economy must be protected. Telecommunications and 
computer technologies are vulnerable to attack from far away by enemies 
who can remain anonymous, hidden in the vast maze of the Internet. 
Examples of systems that rely on computer networks include the electric 
power grid, rail networks, and financial transaction networks. Just as 
enemies are achieving a sophistication to use the most complex weapons 
against us, our vital computer networks have become more interconnected 
and more accessible via the Internet.
  The vulnerability of the Internet to computer viruses, denial of 
service attacks, and defaced web sites is well known. These widely 
reported events have increased in frequency over time. These attacks 
disrupt business and government activities, sometimes resulting in 
significant recovery costs. While no catastrophic cyber attack has 
occurred thus far, Richard Clarke, the President's new cyber-terrorism 
czar, has said that the government must make cybersecurity a priority 
or face the possibility of a ``digital Pearl Harbor''.
  While potentially vulnerable computer systems are largely owned and 
operated by the private sector, the government has an important role in 
supporting the research and development activities that will provide 
the tools for protecting information systems. An essential component 
for ensuring improved information security is a vigorous and creative 
basic research effort focused on the security of networked information 
systems. Unfortunately, witnesses at a recent Science Committee hearing 
indicated that current R&D efforts fall far short of what's required.
  Witnesses at the hearing noted the anemic level of funding for 
research on computer and network security. This lack of funding has 
resulted in the lack of a critical mass of researchers in this field 
and a focus on safe, incremental research projects. The witnesses 
advocated increased and sustained research funding from a federal 
agency assigned the role to support such research on a long-term basis. 
To date, Federal support for computer security research has been 
directed at defense and intelligence needs. While this work on 
encryption and defense systems security protocols is absolutely vital, 
very little has been done on the civilian side of communications 
security.
  The bill I'm introducing explicitly addresses this gap in Federal 
support for computer security. My bill charges the National Institute 
of Standards and Technology (NIST) with implementing a substantial 
program of research
support based at institutions of higher education designed to improve 
the security of networked information systems. This research program is 
authorized for a 10-year period, growing from $25 million in the 1st 
year to $85 million by the 5th year. Although awards are to 
universities, the research projects may involve collaborations with 
for-profit companies that develop information security products.
  The bill establishes a flexible management approach for the research 
program. It is based upon a management style that has been used 
effectively by the Defense Advanced Research Projects Agency to spur 
advances in high technology fields. Specifically, management of the 
research program will rely on program managers who are both 
knowledgeable about computer security issues and needs and familiar 
with the research community. These program managers will be responsible 
for identifying and nurturing talented researchers and for generating 
innovative research proposals. Although program managers will have 
considerable freedom in managing their individual research portfolios, 
each will be reviewed periodically by NIST senior managers and by 
outside computer security experts. To ensure its relevance and 
continued need, the overall research program will be reviewed in its 
5th year for scientific merit and relevance by the National Academy of 
Sciences.
  An expanded university-based research program will train new graduate 
students and post-doctoral research assistants, as well as attracting 
seasoned researchers to the field. The result will be a larger and more 
vibrant basic research enterprise in computer-related security fields. 
A separate set of awards will be available to support post-doctoral 
research fellowships and senior research fellowships both at 
universities and at NIST. The bill also increases support for on-going, 
in-house computer security research at NIST.
  The Computer Security Enhancement and Research Act of 2001 builds on 
the long experience of NIST in developing computer security standards 
and practices by placing new responsibilities on the agency for 
building up the nation's basic research enterprise in information 
security. By enlarging and strengthening the research enterprise we can 
generate the ideas and approaches needed to provide for future cyber 
security in an insecure world.

                          ____________________