[House Report 107-355]
[From the U.S. Government Publishing Office]




107th Congress                                            Rept. 107-355
                        HOUSE OF REPRESENTATIVES
 2d Session                                                      Part I

======================================================================



 
              CYBER SECURITY RESEARCH AND DEVELOPMENT ACT

                                _______
                                

February 4, 2002.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed

                                _______
                                

  Mr. Boehlert, from the Committee on Science, submitted the following

                              R E P O R T

                        [To accompany H.R. 3394]

      [Including cost estimate of the Congressional Budget Office]

  The Committee on Science, to whom was referred the bill (H.R. 
3394) to authorize funding for computer and network security 
research and development and research fellowship programs, and 
for other purposes, having considered the same, report 
favorably thereon without amendment and recommend that the bill 
do pass.

                                CONTENTS

   I. Purpose of the Bill
  II. Background and Need for the Legislation
 III. Summary of Hearings
  IV. Committee Action
   V. Summary of Major Provisions of the Bill
  VI. Section-By-Section Analysis (By Section)
 VII. Committee Views
VIII. Cost Estimate
  IX. Congressional Budget Office Cost Estimate
   X. Compliance with Public Law 104-4 (Unfunded Mandates)
  XI. Committee Oversight Findings and Recommendations
 XII. Constitutional Authority Statement
XIII. Federal Advisory Committee Statement
 XIV. Congressional Accountability Act
  XV. Statement on Preemption of State, Local or Tribal Law
 XVI. Changes in Existing Law Made by the Bill, as Reported
XVII. Committee Recommendations
XVIII. Statement on General Performance Goals and Objectives
 XIX. Exchange of Committee Correspondence
  XX. Proceedings of Full Committee Markup

                         I. Purpose of the Bill

    The purpose of the bill is to authorize funding for 
computer and network security education, research and 
development.

                II. Background and Need For Legislation

    The terrorist attacks of September 11, 2001 brought into 
stark relief the Nation's physical and economic vulnerability 
to an attack within our borders. The relative ease with which 
terrorists were able to implement their plans serves as a 
pointed reminder of the need to identify critical ``soft 
spots'' in the nation's defenses. Among the Nation's 
vulnerabilities are our computer and communications networks, 
on which the country's finance, transportation, energy and 
water distribution systems, and health and emergency services 
depend. These vulnerabilities have called into question whether 
the Nation's technological research programs, educational 
system, and interconnected operations are prepared to meet the 
challenge of cyber warfare in the 21st century. The Los Angeles 
Times in a recent editorial emphasized the importance of 
meeting this challenge: ``A cyberterrorist attack would not 
carry the same shock and carnage of September 11. But in this 
information age . . . [a cyberterrorist attack] could be more 
widespread and just as economically destructive.''
    We will not be able to address these vulnerabilities 
without conducting more research on cybersecurity. H.R. 3394 is 
designed to address four inadequacies with current research 
efforts:
          (1) The Federal Government has chronically 
        underinvested in cybersecurity, an area in which the 
        private sector has little incentive to invest.
          (2) This is true, in part, because no Federal agency 
        has the responsibility of ensuring that the Nation has 
        a robust cybersecurity research enterprise;
          (3) As a result, what little research has been done 
        on cybersecurity has been incremental, leaving the 
        basic approaches to cybersecurity unchanged for 
        decades; and
          (4) As a field with relatively little money, few 
        researchers and minimal attention, cybersecurity fails 
        to attract the interest of students, perpetuating the 
        problems in the field.

       Vulnerabilities of the National Information Infrastructure

    The Internet has been a tremendous success--connecting more 
than 100 million computers and growing--far outstripping its 
designers' wildest expectations. The Internet was not 
originally designed to control power systems, connect massive 
databases of medical records or connect millions of home 
appliances or automobiles, yet today it serves these functions. 
It was not designed to run critical safety systems but it now 
does that as well. We now heavily rely on an open network of 
networks, so complex that no one person, group or entity can 
describe it, model its behavior or predict its reaction to 
adverse events.
    The porous fabric of the U.S.'s network infrastructure 
leaves the Nation open to the constant possibility of cyber 
attack. Attacks can take several forms, including: defacement 
of web sites and other electronically stored information in the 
United States and other countries to spread disinformation and 
propaganda; distributed denial of service attacks that 
overwhelm a server with access requests; use of unprotected 
``zombie'' computers (located anywhere) as conduits for wide-
scale distribution of destructive worms and viruses throughout 
the computer network; and unauthorized intrusions and sabotage 
of systems and networks belonging to the U.S. and allied 
countries, potentially resulting in critical infrastructure 
outages and corruption of vital data.
    The wide-scale attack by the so-called ``Nimda'' worm is 
one example of these techniques; the virus modified web 
documents and certain executable files found on the systems it 
infected, and then created numerous copies of itself under 
various file names. This followed the ``Code Red,'' ``Code Red 
II'' and ``SirCam'' attacks which affected millions of 
personal, commercial and government computers, shut down web 
sites, slowed Internet service, and disrupted business and 
government operations, causing billions of dollars of damage.
    These attacks no longer represent isolated or infrequent 
events. Carnegie Mellon University's CERT 
Coordination Center, which serves as a reporting center for 
Internet security problems, received 2,437 vulnerability 
reports in calendar year 2001, almost 6 times the number in 
1999. Similarly, the number of specific incidents reported to 
CERT grew enormously--from 9,859 in 1999 to 52,658 in 2001. Yet 
CERT estimates that this may represent only about 20 percent of 
the incidents that actually have occurred.

              Interdependence of Critical Infrastructures

    To better understand our vulnerabilities to cyber terrorism 
and the potential consequences of cyber attacks, the Internet 
must no longer be studied solely as a separate system but also 
as a network of interdependent critical infrastructures. It 
also has links to many ostensibly private networks, such as 
those used by the financial services industry. While some 
research is being done to better understand the threats to the 
Internet itself, little has been done to assess and project the 
dramatic or subtle impact that these threats may have on other 
critical infrastructures. These problems are not hypothetical. 
While not the result of a cyber attack, the 1998 failure of the 
Galaxy 4 communications satellite disrupted the use of 90 
percent of the Nation's pagers and disrupted credit card 
purchases and ATM transactions. The failure also disrupted the 
communications of health care providers and emergency workers.

         Information Warfare Simulations--``Eligible Receiver''

    In 1997, the Pentagon conducted an information warfare 
exercise that illustrated some of the implications of 
infrastructure interdependence. Known as Eligible Receiver, the 
exercise simulated a rogue state attempting to attack 
vulnerable U.S. information systems. A ``Red Team'' comprising 
35 National Security Agency computer specialists used off-the-
shelf technology and software to simulate attacks against power 
and communications networks in Oahu, Los Angeles, Colorado 
Springs, St. Louis, Chicago, Detroit, Washington, D.C., 
Fayetteville, and Tampa. According to the Congressional 
Research Service, it is generally believed that government 
(including unclassified military computer networks) and 
commercial sites were easily attacked and penetrated. Air Force 
Major General John H. Campbell, commander of the DoD Joint Task 
Force--Computer Network Defense, wrote that the exercise 
``clearly demonstrated our lack of preparation for a coordinated 
cyber and physical attack on our critical military and civilian 
infrastructure.'' Officials familiar with the exercise later said that 
Eligible Receiver showed in ``real terms how vulnerable the 
transportation grid, the electricity grid, and others are to an attack 
by people using conventional equipment.'' The National Security Agency 
subsequently recommended that all Federal Internet accessible computer 
networks that process or provide access to classified, confidential, or 
sensitive data should have mandatory access controls.

    Underlying Causes of the Nation's Vulnerability to Cyber Attack

    Weaknesses in research and development in the cyber 
security arena contribute significantly to the vulnerability of 
the Nation's information infrastructure. While a number of 
information technology companies support R&D on network 
security, security inadequacies cannot be addressed solely 
through short-term industry-based applied research, which is 
underfunded in any event. Industry relies on the fundamental 
research supported by the Federal Government and on the 
training of future researchers--computer scientists, 
mathematicians, and many others--that these federally funded 
research programs support.
    Unfortunately, with the possible exception of encryption 
related research, cyber security research has been chronically 
underfunded, and basic research into fundamental cyber security 
challenges is not robust enough to meet the Nation's needs. 
Simply put, when it comes to computer security, too few people 
are paying too little attention and coming up with too few 
ideas.
    Cyber security has been a neglected field. Although numbers 
are difficult to come by, federally funded cyber security 
research may amount to less than $60 million per year. Experts 
believe that fewer than 100 U.S. researchers have the 
experience and expertise to conduct cutting edge research in 
cyber security. This is true even though a computer science 
department at a single research university may have 60 or more 
faculty members.
    This chronic under-investment does not merely pose problems 
for the academic and research community. Federal agencies are 
finding it increasingly difficult to recruit and hire 
professional staff to manage and secure their own computer 
networks. The National Science Foundation (NSF), in 
consultation with the National Security Council, the National 
Security Agency, the Critical Infrastructure Assurance Office, 
and the Office of Personnel Management established in July 2000 
a scholarship-for-service program designed to train students 
who would then help ensure the security of the Federal 
information infrastructure. This program was funded at the 
level of $1.2 million for FY 2001 and was expected to provide 
scholarship funds for approximately 180 undergraduate and 
graduate students. The National Aeronautics and Space 
Administration has requested similar scholarship-for-service 
authority to recruit students with expertise in computer 
science and other technical fields. Other agencies are likely 
to follow. NSF has also recently established another program 
designed to enhance research in information assurance and build 
a well-trained cyber security workforce. NSF's Trusted 
Computing program, established in FY 2001, will award between 
$4 million and $6 million in FY 2002 to support research on 
computer and network security.
    In addition, the National Institute of Standards and 
Technology (NIST) within the Department of Commerce provides 
grants for research to develop commercial solutions to IT 
security problems central to critical infrastructure 
protection. NIST recently announced the award of grants under 
its Critical Infrastructure Protection Grants Program aimed at 
improving the security of the computer and telecommunications 
systems that support essential services.
    While private industry has rapidly advanced many aspects of 
information technology, it has had little incentive to focus on 
the development of cyber security. The market demands faster, 
cheaper, more powerful products, not more secure ones. In the 
wake of the September 11th attacks, security has a slightly 
higher profile in the private sector, but real advances in 
information assurance will still rely on efforts by the Federal 
Government.
    Two studies conducted by the firm Metricnet suggest that 80 
percent of companies spent less than 5 percent of their 
information technology budget on information security prior to 
September 11th. In November that was still true of two-thirds 
of the companies.
    Yet the Federal Government has not been filling the 
research gap left by the private sector. The Federal Government 
has chronically under-invested in this area. As a result, too 
little cyber security research is being conducted and too few 
researchers are prepared to meet our current and projected 
cyber security research needs. In addition, the research that 
is funded is incremental and unlikely to lead to the 
development of breakthrough approaches to cyber security.
    This lack of Federal focus has also limited the number of 
undergraduate and graduate students pursuing studies in cyber 
security. Despite these problems and the inadequate 
coordination between government, academia, and industry, no 
Federal agency has stepped forward to take the lead in 
supporting cyber security research. The Cyber Security Research 
and Development Act responds to these challenges by authorizing 
a focused, long-term Federal investment in cyber security 
research, designed to increase the cadre of researchers in this 
field over the long-term and to yield innovative new approaches 
to cyber security.

                        III. Summary of Hearings

    On Tuesday, July 31, 2001, the House Science Committee's 
Subcommittee on Research held a hearing to examine the impact 
Federal investment has had on promoting innovation in 
information technology and fostering a variety of sophisticated 
applications that infuse information technology into areas such 
as education, scientific research, and the delivery of public 
services. Witnesses described the increasing reliance 
on information technology by all sectors of the research community and 
the general public, and specifically discussed applications of 
information technology to pharmaceutical research, biotechnology, 
education, emergency management, air and ground traffic coordination, 
and predictive weather and climate modeling. Witnesses discussed the 
need for new information tools and technologies to be available to all 
sectors of the community and emphasized the increasing need for system 
reliability and security given the increasing dependence on information 
technology for even the most basic human services. Witnesses agreed, 
however, that there has been a lack of focus and effort in the areas of 
computer and network security, privacy, and information assurance, and 
that the ability to protect key infrastructures lags behind their 
development and implementation.
    On Wednesday, October 10, 2001, the House Committee on 
Science held a hearing to examine the vulnerability of our 
Nation's computer infrastructure and related research needs. 
Witnesses described the vulnerability of our Nation's critical 
infrastructure to cyber attacks, the lack of market incentives 
for the development and inclusion of robust information 
assurance software in commercial applications, and the 
consequences of chronic underfunding of cyber security research 
by the Federal Government. Witnesses called for: the 
designation of a lead Federal research agency that would take 
primary responsibility for supporting cyber security research 
and development; the development of innovative new approaches 
to cyber security and cyber security research; and for 
significant increases in the number of researchers capable of 
doing world-class cyber security research.
    On Wednesday, October 17, 2001, the House Committee on 
Science held a second hearing to examine the vulnerability of 
our Nation's computer infrastructure. In this hearing the 
Honorable James S. Gilmore, III, Governor of the Commonwealth 
of Virginia and Chairman of the Advisory Panel to Assess 
Domestic Response Capabilities for Terrorism Involving Weapons 
of Mass Destruction, stated that, ``Critical information and 
communication infrastructures are targets for terrorists 
because of the broad economic and operational consequences a 
shutdown can inflict.'' Governor Gilmore called for ``a 
comprehensive plan for research, development, test and 
evaluation of processes to enhance cyber security in the same 
manner as we must do for other potential terrorist attacks.''

                          IV. Committee Action

    On December 4, 2001, Science Committee Chairman Sherwood 
Boehlert and Ranking Minority Member Ralph Hall introduced H.R. 
3394, the Cyber Security Research and Development Act, a bill 
to authorize appropriations for computer and network security 
education, research and development for fiscal years 2003 
through 2007. The bill incorporates major provisions of H.R. 
3316, the Computer Security Enhancement and Research Act, 
introduced by Rep. Brian Baird.
    The House Committee on Science met on December 6, 2001, to 
consider the bill. With a quorum present, Mr. Hall moved that 
the Committee favorably report the bill to the House with the 
recommendation that it pass, and that the staff be instructed 
to make technical and conforming changes to the bill and 
prepare the legislative report, and that the Chairman take all 
necessary steps to bring the bill before the House for 
consideration. The motion was agreed to by a voice vote.

               V. Summary of Major Provisions of the Bill

     Authorizes the NSF to award grants to institutions 
of higher education for basic research on innovative approaches 
to enhancing computer and network security through hardware and 
software solutions. Includes research in a variety of areas 
including authentication and cryptography, computer forensics 
and intrusion detection, reliability of computer and network 
applications, middleware, operating systems and communications 
infrastructure, and privacy and confidentiality. This program 
is authorized at $35 million for FY 2003, $40 million for FY 
2004, $46 million for FY 2005, $52 million for FY 2006, and $60 
million for FY 2007.
     Authorizes NSF to award grants to institutions of 
higher education to establish multidisciplinary Centers for 
Computer and Network Security Research. Applicants may partner 
with government laboratories and/or for-profit institutions. 
These centers are designed to advance the research agenda and 
to train additional qualified computer and network security 
researchers and professionals. Instructs NSF to convene an 
annual meeting of Center investigators to facilitate 
information exchange. This program is authorized at $12 million 
for FY 2003, $24 million for FY 2004, $36 million for each of 
fiscal years 2005 through 2007.
     Authorizes NSF to establish a program to award 
grants to institutions of higher education to establish or 
improve undergraduate and master's degree programs in computer 
and network security, to increase the number of students who 
pursue undergraduate or master's degrees in fields related to 
computer and network security, and to provide students with 
experience in government or industry related to their computer 
and network security studies. Funds may be used for curriculum 
development, faculty development, equipment acquisition, 
student recruitment and/or the establishment of bridge programs 
with two-year colleges and industry internship programs for 
students. This program is authorized at $15 million for FY 2003 
and $20 million for each year from FY 2004 through FY 2007.
     Authorizes NSF to expand the activities of the 
Advanced Technological Education Program, established under the 
Scientific and Advanced Technology Act of 1992, to support 
improved education and technical training in fields related to 
computer and network security. This program is authorized at $1 
million for FY 2003, and $1.25 million for each of fiscal years 
2003 through FY 2007.
     Authorizes NSF to establish a program to support 
graduate traineeships in computer and network security at 
institutions of higher education. Grant awards can be used to 
provide student fellowship support, to pay tuition and fees for 
students who are fellowship recipients, to establish internship 
programs for students in computer and network security at for-
profit institutions or government laboratories, and 
to administer the program. This program is authorized at $10 million for 
FY 2003, and $20 million for each of fiscal years 2005 through FY 2007.
     Authorizes NSF to list computer and network 
security as a field of specialization under the NSF Graduate 
Research Fellowships program established by the National 
Science Foundation Act of 1950.
     Amends the National Science Foundation Act of 1950 
to charge NSF with taking a lead role in fostering and 
supporting research and education activities to improve the 
security of networked information systems.
     Authorizes NIST to establish a program of 
assistance for institutions of higher education that enter into 
partnerships with for-profit entities (which may also include 
government laboratories), to support long-term, high-risk 
research to improve the security of computer systems. Instructs 
NIST to include research directed toward addressing needs 
identified through the activities of the Computer System 
Security and Privacy Advisory Board. This program is authorized 
at $25 million for FY 2003, $40 million for FY 2004, $55 
million for FY 2005, $70 million for FY 2006, and $85 million 
for FY 2007.
     Authorizes NIST to establish a program to award 
post-doctoral research fellowships to citizens, nationals, or 
lawfully admitted permanent resident aliens of the U.S. who are 
seeking research positions at an institution, including the 
Institute, engaged in cyber security research. Also authorizes 
NIST to establish a similar program to provide research 
fellowships to senior researchers who wish to change research 
fields and pursue studies related to the security of computer 
systems. Authorizes $6 million for FY 2003, $6.2 million for FY 
2004, $6.4 million for FY 2005, $6.6 for FY 2006, and $6.8 for 
FY 2007.
     Authorizes NIST to recruit existing NIST employees 
or identify additional individuals who will serve as program 
managers to administer the activities established under this 
Act.
     Instructs NIST to periodically review the 
portfolio of research awards funded under this Act, in 
consultation with the Computer System Security and Privacy 
Advisory Board, to ensure the appropriateness of the research 
goals and the quality and utility of the research projects 
funded under this Act.
     Directs NIST to enter an arrangement with the 
National Research Council for a comprehensive review of the 
research program established by this Act. This review shall 
occur during the fifth year of the program, the results of 
which shall be reported to Congress no later than six years 
after the initiation of the program.
     Authorizes the Computer System Security and 
Privacy Advisory Board to identify emerging issues, including 
research needs, related to computer security, privacy, and 
cryptography and to convene public meetings and distribute 
reports on those subjects. Authorizes $1.06 million for FY 2003 
and $1.09 million for FY 2004 for these purposes.
     Amends the National Institute of Standards and 
Technology Act to explicitly allow intramural research on the 
security of networked computer systems, including those systems 
integral to process control and essential infrastructure.
     Directs NIST to enter into an arrangement with the 
National Research Council of the National Academy of Sciences 
to conduct a study of the vulnerabilities of the Nation's 
network infrastructure and make recommendations for appropriate 
improvements, and to transmit a report of the findings to 
Congress within 21 months of the enactment of this Act. 
Prohibits the Director from including classified or sensitive 
information regarding vulnerabilities in any publicly released 
version of this report. Authorizes appropriations of $700,000 
for this study and report.

              VI. Section-by-Section Analysis (by Section)


                          SEC. 1. SHORT TITLE

    ``Cyber Security Research and Development Act''.

                            SEC. 2. FINDINGS

    Discuss the interdependent nature of critical 
infrastructures brought about by advancements in computing and 
communications technology; the increased consequences of 
failure of communications and other critical services caused by 
exponential increases in interconnectivity; the Nation's lack 
of preparedness for a coordinated cyber and physical attack; 
the lack of sufficient long-term research funding and the 
shortage of outstanding researchers in the field of cyber 
security; and the lack of coordination among government, 
academia, and industry for computer security; and the need to 
significantly increase the Federal investment in computer and 
network security research and development.

                          SEC. 3. DEFINITIONS

    Defines the term ``Director'' as the Director of the 
National Science Foundation (Note that where the term 
`Director' is used in section 8 it refers to the Director of 
the National Institute for Standards and Technology). Uses the 
definition for `institution of higher education' found in the 
Higher Education Act of 1965.

              SEC. 4. NATIONAL SCIENCE FOUNDATION RESEARCH

    (a) Establishes an NSF program to award merit-based grants 
for basic research on innovative approaches to enhance computer 
security. Research areas for which grants can be used include 
authentication and cryptography, computer forensics and 
intrusion detection, reliability of computer and network 
applications, and privacy. Authorizes appropriations of $35 
million for FY 2003, $40 million for FY 2004, $46 million for 2005, $52 
million for FY 2006, and $60 million for FY 2007.
    (b) Establishes an NSF program to award multi-year grants 
to institutions of higher education (or consortia thereof) to 
establish multidisciplinary Centers for Computer and Network 
Security Research. Consortia applying for grants may include 
one or more government laboratories or for-profit institutions. 
Applications for Center grants are to be reviewed on the basis 
of criteria that include: the ability of the institution (or 
consortium) to generate innovative approaches to computer and 
network security research; the applicant's support for students 
pursuing research in computer and network security; and the 
extent to which government laboratories or industry partners 
will participate in the Center's research activities. Requires 
the Director to convene an annual meeting of Centers to foster 
greater collaboration and communication. Authorizes 
appropriations of $12 million for FY 2003, $24 million for FY 
2004, and $36 million for each of fiscal years 2005 through 
2007.

   SEC. 5. NATIONAL SCIENCE FOUNDATION COMPUTER AND NETWORK SECURITY 
                                PROGRAMS

    (a) Establishes a competitive, merit-based NSF program to 
award grants to institutions of higher education (or consortia 
thereof) to create or improve undergraduate and master's degree 
programs in computer security. Allowable uses of grants include 
curriculum development, equipment acquisition, faculty 
enhancement, and student internship programs in government or 
industry. Requires applicants to describe the plan for building 
increased capacity in computer and network security, to specify 
the roles and responsibilities of each partnering institution 
or collaborative group, and to provide evidence of high 
potential for success in educating and placing students in 
relevant jobs or graduate programs. Instructs the Director to 
evaluate the impact of the program on increasing the quality 
and quantity of computer and network security professionals. 
Authorizes $15 million for FY 2003 and $20 million for each of 
fiscal years 2004 through 2007.
    (b) Expands NSF's existing program for community colleges 
(established by the Scientific and Advanced Technology Act of 
1992) to include grants to improve education in fields related 
to computer and network security. Authorizes $1 million for FY 
2003 and $1.25 million for each of fiscal years 2004 through 
2007.
    (c) Establishes a competitive, merit-based NSF program to 
award grants to institutions of higher education to establish 
programs for students pursuing studies in computer and network 
security research leading to a doctorate degree. Grant funds 
are to be used to support student fellowships of at least 
$25,000 per year, to pay student tuition and fees, and to 
support students in scientific internship programs. Authorizes 
appropriations of $10 million for FY 2003, and $20 million for 
each of fiscal years 2004 through 2007.
    (d) Directs NSF to include computer and network security as 
an approved field of specialization under its current Graduate 
Research Fellowships program.

                          SEC. 6. CONSULTATION

    Requires the NSF Director to consult with other Federal 
agencies in carrying out the programs described in Sections 4 
and 5.

   SEC. 7. FOSTERING RESEARCH AND EDUCATION IN COMPUTER AND NETWORK 
                                SECURITY

    Amends the National Science Foundation Act of 1950 to 
require NSF to take a lead role in fostering and supporting 
research and education in computer and network security.

SEC. 8. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY RESEARCH PROGRAM

    Amends the National Institute of Standards and Technology 
Act to establish a program of assistance to institutions of 
higher education that partner with for-profit entities to 
support multidisciplinary, long-term, high-risk research to 
improve the security of computer systems. Partnerships may also 
include government laboratories. Authorizes the Director to 
award research fellowships to post-doctoral researchers engaged 
in computer security research and to senior researchers who 
wish to move from other research fields to computer security 
research. Instructs the NIST Director to select Program 
Managers who are responsible for establishing the research 
goals for the program, soliciting applications for specific 
research projects to address these goals, and selecting 
research projects for funding. Calls for the NIST Director to 
periodically review the portfolio of research awards in 
consultation with NIST's existing Computer System Security and 
Privacy Advisory Board. Also instructs the Director to enter 
into an arrangement with the National Research Council to 
conduct a formal review of the program and to submit a report 
of this review to Congress.

   SEC. 9. COMPUTER SECURITY REVIEW, PUBLIC MEETINGS, AND INFORMATION

    Authorizes $1,060,000 for FY 2003 and $1,090,000 for FY 
2004 to enable NIST's Computer System Security and Privacy 
Advisory Board to identify emerging issues, including research 
needs related to computer security, privacy, and cryptography 
and, as appropriate, to convene public meetings on those 
subjects, receive presentations, and generate reports for 
public distribution.

                 SEC. 10. INTRAMURAL SECURITY RESEARCH

    Amends the National Institute of Standards and Technology 
Act to authorize NIST to pursue, as part of the agency's in-
house research program, research related to computer security, 
including the development of emerging technologies to ensure 
security of networked systems assembled from components, 
improved security of real-time computing and communications 
systems used in industrial and critical infrastructure 
operations, and improved security of computer systems.

                SEC. 11. AUTHORIZATION OF APPROPRIATIONS

    Authorizes appropriations for sections 8 and 10 of the 
bill. For the research programs in section 8, provides $25 
million for FY 2003, $40 million for FY 2004, $55 million for 
FY 2005, $70 million for FY 2006, $85 million for FY 2007, and 
such sums as may be necessary for fiscal years 2008 through 
2012. Authorizes appropriations for section 10 at $6 million 
for FY 2003, $6.2 million for FY 2004, $6.4 million for FY 
2005, $6.6 million for FY 2006, and $6.8 million for FY 2007.

  SEC. 12. NATIONAL ACADEMY OF SCIENCES STUDY ON COMPUTER AND NETWORK 
                  SECURITY IN CRITICAL INFRASTRUCTURES

    Directs the Director of NIST to enter into an agreement 
with the National Research Council to conduct a study of the 
vulnerabilities of the Nation's critical infrastructure 
networks and make recommendations for appropriate improvements. 
The study requires the NRC to review existing data to identify 
gaps in the security of critical infrastructure networks, make 
recommendations for research priorities to address these gaps, 
and review the security of network-related infrastructure 
including industrial process controls. A report of the study 
results is to be submitted to Congress. Authorizes $700,000 for 
the purpose of carrying out the study.

                          VII. Committee Views

    The Committee on Science believes that the Nation's cyber 
security research and development enterprise clearly needs 
strengthening. Not only is too little research in this 
important area being conducted, but the research that is 
being performed is too incremental to lead to breakthroughs. In 
addition, too few students are being trained in this field, 
perpetuating its current failings. The Cyber Security Research 
and Development Act raises the level of Federal funding for 
cyber security research significantly, investing in two of the 
Federal Government's key scientific research agencies: NSF and 
NIST.
    Building on NSF's proven capacity to mobilize the academic 
research community, the Act authorizes NSF to fund new academic 
centers and instructs NSF to fund research that is particularly 
innovative. Awardees selected under this program are to be 
selected through NSF's standard merit-review procedure. The 
merit-review system has been a key to NSF's success. The 
Committee recognizes, however, that review by outside panels 
has limitations, especially in underfunded fields, as the 
shortage of funds can lead review panels to reject research 
that is especially risky and lies outside the boundaries of the 
current paradigms.
    In part for that reason, the Act also authorizes a grant 
program at NIST that is aimed at supporting the kind of high-
risk research that might be overlooked by a system based on 
outside review. The Act authorizes NIST to use an 
administrative model that has been successfully implemented at 
the Defense Advanced Research Projects Agency (DARPA). In that 
model, talented project managers are invested with broad 
latitude to establish research objectives and to solicit and 
fund promising research proposals. This structure shortens the 
approval time for research proposals and allows the project 
manager to move quickly to invest in promising new ideas. In 
addition, the proposals submitted to NIST are expected to be 
focused on specific questions of more immediate interest to 
industry than are those submitted to NSF.
    Recognizing that the lack of Federal leadership in the area 
of cyber security research has impeded progress, the Committee 
believes it is important that an agency assume a leadership 
role in the funding of computer and network security research. 
Thus the Act amends the NSF Organic Act--NSF's basic operating 
statute--to explicitly give NSF a leading role in cyber 
security research and education.

                  National Science Foundation Research

    The Committee recognizes NSF's important role in computer 
and information science, including the agency's important 
contributions to the development of the Internet. The Committee 
also realizes that the NSF has already acknowledged the need 
for greater research in information assurance and has 
established the Trusted Computing program to fund small-scale 
academic research projects related to information assurance. 
However, the Committee believes that the expected level of 
funding for that program--between $4 million and $6 million--is 
insufficient to address the Nation's needs.
    This Act provides significant additional funding--
approximately $570 million for FY 2003 through FY 2007--for 
cyber security research. The Committee emphasizes that the list 
of research areas in section 4 is illustrative and not 
exhaustive.
    While individual investigator research is needed to lay a 
firm foundation in information assurance, the Committee 
recognizes that large multidisciplinary efforts will be required 
to address the complex problems in this field. The Act provides 
funding to establish Computer and Network Security Research 
Centers to promote large-scale, multidisciplinary 
collaborations that exploit the collective knowledge of 
computer scientists, programmers, mathematicians, 
cryptographers, systems engineers, software engineers, social 
scientists, and network architects, among others.
    The Committee also recognizes the need for sustained 
funding over a substantial period of time to ensure that an 
institution has ample time to fully develop and implement high 
quality research programs, create technologically sophisticated 
facilities, attract or develop qualified faculty to support the 
instructional program, and recruit students. The Committee 
expects that the Computer and Network Security Research Centers 
will receive stable, long-term funding.
    The Committee recognizes that the sensitive nature of some 
cyber security research results precludes their publication. 
The Committee encourages NSF to look beyond refereed journal 
citations as proof of a particular individual's abilities and 
expertise or as evidence of a Center's accomplishments.
    The Committee also encourages NSF to support projects and 
Centers with strong connections to the computer and network 
security user community, government laboratories, Federal 
agencies, and private sector companies that depend upon 
reliable information assurance technologies.
    The Committee intends the term ``governmental 
laboratories'' to be construed in its broadest sense. It 
includes laboratories at both the state and Federal level, 
including government-owned, contractor-operated facilities.

            Computer and Network Security Capacity Building

    The Committee firmly believes that the field of computer 
and network security cannot advance unless a major effort is 
made to prepare and recruit the Nation's best and brightest 
students to pursue higher education, and ultimately careers, in 
computer and network security. For this reason, the Act 
establishes several programs at the National Science Foundation 
to provide funds to institutions of higher education to develop 
and implement high-quality undergraduate and graduate programs 
in computer and network security and to attract students to 
them.
    The Committee believes it is critical that institutional 
capacity at a number and variety of institutions have been 
designated by the National Security Agency as Centers of 
Academic Excellence in Information Assurance Education, those 
institutions alone cannot produce enough students to meet the 
projected need for 10,000 information assurance specialists by 
the year 2010. The Act authorizes NSF to provide merit-based 
Computer and Network Security Capacity Building grants to 
institutions of higher education, including two-year colleges, 
to establish or improve certificate, undergraduate and master's 
degree programs in computer and network security.
    The Committee also believes that the computer and network 
security instructional programs supported through this program 
should be informed by the needs of the research and user 
communities and that students gain practical experience in the 
applications of security technologies in authentic settings by 
participating in government or industry internships.
    And since computer and network security professionals with 
a variety of educational credentials will be required in the 
workforce, the program created under section 5 should fund a 
wide assortment of institutions, including 2-year colleges, 
comprehensive colleges, and liberal arts institutions, as well 
as research universities.
    The Committee expects that institutions applying for 
Capacity Building grants will provide an analysis of the 
potential for student enrollment as well as the potential for 
placement in computer and information security as part of their 
applications. Institutions are strongly encouraged to develop 
comprehensive recruitment, retention and placement strategies 
in partnership with K-12 schools, 2-year colleges, and local 
government and industry partners.

           Underrepresented Groups in Science and Technology

    One important goal of the research and education activities 
authorized by the bill is to increase the size and quality of 
the national 
research community engaged in research related to computer and 
network security. Applications for the NSF research center 
awards under section 4(b) must describe how the center will 
help increase the number of computer and network security 
researchers and other professionals. The NSF programs 
authorized under section 5, including the capacity building 
grants and the graduate traineeship program, and the NIST 
fellowship programs authorized under section 8 are specifically 
focused on enlarging the human resource base of the Nation for 
researchers and other specialties related to computer security.
    The Committee directs NSF in managing its research and 
education activities authorized by the bill to ensure that 
active and sustained efforts are made to include the 
participation by individuals from groups traditionally 
underrepresented in science and engineering and by minority 
serving institutions. Further, the Committee directs NSF to 
provide to the Committee within three years of the date of 
initiation of the activities authorized by this bill a report 
that (1) describes the actions taken by the Foundation to 
ensure participation by individuals from underrepresented 
groups and by minority serving institutions, (2) provides data 
on the numbers of individuals from underrepresented groups 
supported by fellowships, traineeships or research 
assistantships under activities authorized by the bill, and (3) 
describes the participation by minority serving institutions in 
activities authorized by the bill.

             Scientific and Advanced Technology Act of 1992

    The Committee recognizes the contributions of two-year 
colleges to meeting the rapidly evolving needs of the technical 
workforce. The Advanced Technological Education Program at NSF 
has contributed significantly to technician education through 
projects, national centers, regional centers, and articulation 
partnerships that bridge two-year and four-year colleges and 
universities. To date the NSF has funded 15 National Centers of 
Excellence that range in focus from biotechnology to 
environmental technology and information technology. The 
Committee feels that the growing demand for technical experts 
in computer and network security justifies the creation of at 
least one Center of Excellence focused on computer and network 
security. This Center should be selected through a competitive, 
merit-reviewed process and shall provide focus and resources 
for the national effort to enhance technical training in 
computer and information security in a variety of technical 
fields at two-year colleges across the U.S. The Committee also 
feels that a number of project grants in computer and network 
security should be awarded to build the technical workforce and 
to develop a national network of technical training programs in 
computer and network security.

    Graduate Traineeships in Computer and Network Security Research

    Computer security research will not be able to move forward 
now or in the future unless universities increase the number of 
doctoral students trained in computer and network security or 
related areas. To accomplish that, graduate students need to 
receive tuition and stipend support, in addition to programs 
aimed at augmenting their research training.
    The Committee believes that, in this case, the most 
effective way to provide this financial and programmatic 
support to graduate students is through traineeships. 
Traineeships, or grants to institutions of higher education for 
the purpose of providing support to graduate students, will 
enable institutions to develop focused programs that will 
complement and enhance the financial support given to students.
    Like other NSF graduate fellowships, the fellowships 
available under this section will be available only to U.S. 
citizens, U.S. nationals, and legally admitted permanent 
resident aliens. However, the Committee recognizes that some 
foreign graduate students and post-doctoral students receive 
indirect support from NSF, as they are supported by funds from 
their research advisor's grants. Given the sensitive nature of 
computer and network security research, the Committee strongly 
encourages NSF to develop policies and procedures aimed to 
protect sensitive or classified information.

             Graduate Research Fellowships Program Support

    The Committee values the Graduate Research Fellowship 
program at the National Science Foundation, which has helped 
recruit students to graduate programs in mathematics, science 
and engineering. While students pursuing graduate degrees in 
computer and network security are already eligible for 
fellowship awards under this program, the Committee believes 
that an explicit statement of this fact will enhance the 
student recruitment effort in computer and network security. 
Therefore, the Act instructs the Director to add computer and 
network security to the list of fields of specialization 
supported by the Graduate Research Fellowship program 
established under section 10 of the National Science Foundation 
Act of 1950.

   Fostering Research and Education in Computer and Network Security

    The Committee believes that the lack of a single Federal 
agency in a leadership role for research in cyber security is a 
factor that has hampered advancement of the field. Therefore, 
the Act amends the National Science Foundation Act of 1950 to 
charge NSF with a leadership role in fostering and supporting 
research and education activities to improve the security of 
networked information systems.

    National Institute of Standards and Technology Research Program

    Section 8 of the bill amends the NIST Act to establish an 
extramural research program centered on the security of 
computer systems. Awards are authorized for institutions of 
higher education that form partnerships with for-profit 
entities. The Committee expects that the research agenda of the 
program will be informed by the needs of industry and 
government.
    In managing the research program, the Committee intends 
that NIST use the model developed by DARPA for managing its 
research programs. Consistent with that model, the bill 
specifies that the research program must be managed by program 
managers who have expertise in computer security research and 
also substantial knowledge of the vulnerabilities of existing 
computer systems. Ideal candidates will have a thorough 
knowledge of the needs of the user community as well as the 
capabilities of the research community that generates the basic 
knowledge and innovations needed to fulfill these needs.
    The bill requires that program managers be given broad 
authority for defining the research goals of their programs, 
for identifying and motivating talented researchers to propose 
research projects to address the program goals, and for 
selecting specific research proposals for funding. Because of 
the large influence the program managers will have on the 
ultimate success of the research program, the Committee expects 
the NIST Director to carefully review the qualifications of 
potential program managers and to take advantage of the 
Intergovernmental Personnel Act and recruitment of new civil 
service employees, as well as current NIST employees, to ensure 
that highly qualified individuals are placed in these 
positions.

                       Attracting New Researchers

    While research funding is critical to ensuring advances in 
computer systems security research, a larger pool of talented 
researchers is also required to drive innovation at the 
necessary rate. While one way to promote the development and 
expansion of an able research community is by providing 
opportunities for junior researchers to gain post-doctoral 
training while initiating their own careers as independent 
investigators, another is to sponsor senior researchers 
interested in changing their research focus to problems of 
computer systems security. Therefore, the Act authorizes NIST 
to establish a program that would provide both post-doctoral 
research support to U.S. citizens, nationals, or permanent 
resident aliens in computer security research, and support for 
senior researchers.

                             Data Required

    The Committee directs NIST to include in the report 
required under section 22(e) of the NIST Act, as added by this 
bill, data on the numbers of individuals from underrepresented 
groups supported by fellowships or research assistantships by 
activities authorized by the bill, and a description of the 
participation by minority serving institutions in activities 
authorized by the bill.

                          VIII. Cost Estimate

    Rule XIII, clause 3(d)(2) of the House of Representatives 
requires each committee report accompanying each bill or joint 
resolution of a public character to contain: (1) an estimate, 
made by such committee, of the costs which would be incurred in 
carrying out such bill or joint resolution in the fiscal year 
in which it is reported, and in each of the five fiscal years 
following such fiscal year (or for the authorized duration of 
any program authorized by such bill or joint resolution, if 
less than five years); (2) a comparison of the estimate of 
costs described in subparagraph (1) of this paragraph made by 
such committee with an estimate of such costs made by any 
Government agency and submitted to such committee; and (3) when 
practicable, a comparison of the total estimated funding level 
for the relevant program (or programs) with the appropriate 
levels under current law. However, House Rule XIII, clause 
3(d)(B) provides that this requirement does not apply when a 
cost estimate and comparison prepared by the Director of the 
Congressional Budget Office under section 402 of the 
Congressional Budget Act of 1974 has been timely submitted 
prior to the filing of the report and included in the report 
pursuant to House Rule XIII, clause 3(c)(3). A cost estimate 
and comparison prepared by the Director of the Congressional 
Budget Office under section 402 of the Congressional Budget Act 
of 1974 has been timely submitted to the Committee on Science 
prior to the filing of this report and is included in Section 
IX of this report pursuant to House Rule XIII, clause 3(c)(3).
    Rule XIII, clause 3(c)(2) of the House of Representatives 
requires each committee report that accompanies a measure 
providing new budget authority (other than continuing 
appropriations), new spending authority, or new credit 
authority, or changes in revenues or tax expenditures to 
contain a cost estimate, as required by section 308(a)(1) of 
the Congressional Budget Act of 1974 and, when practicable with 
respect to estimate of new budget authority, a comparison of 
the total estimated funding level for the relevant program (or 
programs) to the appropriate levels under current law. H.R. 
3394 does not contain any new budget authority, credit 
authority, or changes in revenues or tax expenditures. Assuming 
that the sums authorized under the bill are appropriated, H.R. 
3394 does authorize additional discretionary spending, as 
described in the Congressional Budget Office report on the 
bill, which is contained in Section IX of this report.

             IX. Congressional Budget Office Cost Estimate

                                     U.S. Congress,
                               Congressional Budget Office,
                                 Washington, DC, December 17, 2001.
Hon. Sherwood L. Boehlert,
Chairman, Committee on Science,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 3394, the Cyber 
Security Research and Development Act.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Kathleen 
Gramp.
            Sincerely,
                    Barry B. Anderson, (for Dan L. Crippen,
                                                         Director).
    Enclosure.

H.R. 3394--Cyber Security Research and Development Act

    Summary: H.R. 3394 would authorize appropriations for 
several research initiatives related to computer security at 
two agencies--the National Science Foundation (NSF) and the 
National Institute of Standards and Technology (NIST). The bill 
would establish the terms and conditions for awarding grants, 
fellowships, and cooperative agreements related to computer 
security, and would authorize NIST to conduct similar research 
at its laboratories. It would authorize the appropriation of 
$878 million over the 2002-2007 period for these activities, 
and any amounts necessary to continue the fellowships and 
cooperative agreements at NIST through 2012. This total would 
include funding for the ongoing activities of the Computer 
System Security and Privacy Advisory Board and a study by the 
National Academy of Sciences on the vulnerability of the 
nation's network infrastructure.
    Assuming appropriation of the specified amounts, CBO 
estimates that implementing this bill would cost $420 million 
over the 2002-2006 period. The bill would not affect direct 
spending or receipts; therefore, pay-as-you-go procedures would 
not apply.
    H.R. 3394 contains no intergovernmental or private-sector 
mandates as defined in the Unfunded Mandates Reform Act (UMRA) 
and would impose no costs on state, local, or tribal 
governments.
    Estimated cost to the Federal Government: The estimated 
budgetary impact of H.R. 3394 is shown in the following table. 
The costs of this legislation fall within budget functions 250 
(general science, space, and technology) and 376 (commerce and 
housing credit). For this estimate, CBO assumes that funds will 
be appropriated near the beginning of each fiscal year and that 
outlays will occur at rates similar to those for other research 
programs at NSF and NIST.

----------------------------------------------------------------------------------------------------------------
                                                                       By fiscal year, in millions of dollars--
                                                                    --------------------------------------------
                                                                       2002     2003     2004     2005     2006
----------------------------------------------------------------------------------------------------------------
                                  CHANGES IN SPENDING SUBJECT TO APPROPRIATION
Authorization level................................................        1      105      152      184      206
Estimated outlays..................................................        1       30       85      134      170
----------------------------------------------------------------------------------------------------------------

    Pay-as-you-go considerations: None.
    Estimated impact on State, local, and tribal governments: 
H.R. 3394 contains no intergovernmental mandates as defined in 
UMRA and would impose no costs on state, local, or tribal 
governments. The bill would benefit state governments by 
authorizing the appropriation of $878 million, much of which would be 
for grant programs to institutions of higher education 
(including public universities) to develop programs to improve 
the security of computer networks.
    Estimated impact on the private sector: This bill contains 
no new private-sector mandates as defined in UMRA.
    Estimate prepared by: Federal costs: Kathleen Gramp 
(National Science Foundation) and Ken Johnson (NIST); impact on 
State, local, and tribal governments: Elyse Goldman; impact on 
the private sector: Jean Talarico.
    Estimate approved by: Peter H. Fontaine, Deputy Assistant 
Director for Budget Analysis.

                  X. Compliance With Public Law 104-4

    H.R. 3394 contains no unfunded mandates.

          XI. Committee Oversight Findings and Recommendations

    Rule XIII, clause 3(c)(1) of the House of Representatives 
requires each committee report to include oversight findings 
and recommendations required pursuant to clause 2(b)(1) of rule 
X. The Committee on Science's oversight findings and 
recommendations are reflected in the body of this report.

                XII. Constitutional Authority Statement

    Rule XII, clause 3(d)(1) of the House of Representatives 
requires each report of a committee on a bill or joint 
resolution of a public character to include a statement citing 
the specific powers granted to the Congress in the Constitution 
to enact the law proposed by the bill or joint resolution. 
Article I, section 8 of the Constitution of the United States 
grants Congress the authority to enact H.R. 3394.

               XIII. Federal Advisory Committee Statement

    H.R. 3394 does not establish nor authorize the 
establishment of any advisory committee.

                 XIV. Congressional Accountability Act

    The Committee finds that H.R. 3394 does not relate to the 
terms and conditions of employment or access to public services 
or accommodations within the meaning of section 102(b)(3) of 
the Congressional Accountability Act (Public Law 104-1).

       XV. Statement on Preemption of State, Local, or Tribal Law

    This bill is not intended to preempt any state, local, or 
tribal law.

       XVI. Changes in Existing Law Made by the Bill, as Reported

  In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (existing law 
proposed to be omitted is enclosed in black brackets, new 
matter is printed in italic, existing law in which no change is 
proposed is shown in roman):

SECTION 3 OF THE NATIONAL SCIENCE FOUNDATION ACT OF 1950

           *       *       *       *       *       *       *



                      FUNCTIONS OF THE FOUNDATION

  Sec. 3. (a) The Foundation is authorized and directed--
          (1) * * *

           *       *       *       *       *       *       *

          (6) to provide a central clearinghouse for the 
        collection, interpretation, and analysis of data on 
        scientific and engineering and to provide a source of 
        information for policy formulation by other agencies of 
        the Federal Government; [and]
          (7) to initiate and maintain a program for the 
        determination of the total amount of money for 
        scientific and engineering research, including money 
        allocated for the construction of the facilities 
        wherein such research is conducted, received by each 
        educational institution and appropriate nonprofit 
        organization in the United States, by grant, contract, 
        or other arrangement from agencies of the Federal 
        Government, and to report annually thereon to the 
        President and the Congress[.]; and
          (8) to take a leading role in fostering and 
        supporting research and education activities to improve 
        the security of networked information systems.

           *       *       *       *       *       *       *

                              ----------                              


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY ACT

           *       *       *       *       *       *       *


  Sec. 20. (a) * * *

           *       *       *       *       *       *       *

  (d) As part of the research activities conducted in 
accordance with subsection (b)(4), the Institute shall--
          (1) conduct a research program to address emerging 
        technologies associated with assembling a networked 
        computer system from components while ensuring it 
        maintains desired security properties;
          (2) carry out research and support standards 
        development activities associated with improving the 
        security of real-time computing and communications 
        systems for use in process control; and
          (3) carry out multidisciplinary, long-term, high-risk 
        research on ways to improve the security of computer 
        systems.
  [(d)] (e) As used in this section--
          (1) the term ``computer system''--
                  (A) * * *
                  (B) includes--
                          (i) computers and computer networks;

           *       *       *       *       *       *       *

  (f) There are authorized to be appropriated to the Secretary 
$1,060,000 for fiscal year 2003 and $1,090,000 for fiscal year 
2004 to enable the Computer System Security and Privacy 
Advisory Board, established by section 21, to identify emerging 
issues, including research needs, related to computer security, 
privacy, and cryptography and, as appropriate, to convene 
public meetings on those subjects, receive presentations, and 
publish reports, digests, and summaries for public distribution 
on those subjects.

           *       *       *       *       *       *       *



            RESEARCH PROGRAM ON SECURITY OF COMPUTER SYSTEMS


  Sec. 22. (a) Establishment.--The Director shall establish a 
program of assistance to institutions of higher education that 
enter into partnerships with for-profit entities to support 
research to improve the security of computer systems. The 
partnerships may also include government laboratories. The 
program shall--
          (1) include multidisciplinary, long-term, high-risk 
        research;
          (2) include research directed toward addressing needs 
        identified through the activities of the Computer 
        System Security and Privacy Advisory Board under 
        section 20(f); and
          (3) promote the development of a robust research 
        community working at the leading edge of knowledge in 
        subject areas relevant to the security of computer 
        systems by providing support for graduate students, 
        post-doctoral researchers, and senior researchers.
  (b) Fellowships.--(1) The Director is authorized to establish 
a program to award post-doctoral research fellowships to 
individuals who are citizens, nationals, or lawfully admitted 
permanent resident aliens of the United States and are seeking 
research positions at institutions, including the Institute, 
engaged in research activities related to the security of 
computer systems, including the research areas described in 
section 4(a)(1) of the Cyber Security Research and Development 
Act.
  (2) The Director is authorized to establish a program to 
award senior research fellowships to individuals seeking 
research positions at institutions, including the Institute, 
engaged in research activities related to the security of 
computer systems, including the research areas described in 
section 4(a)(1) of the Cyber Security Research and Development 
Act. Senior research fellowships shall be made available for 
established researchers at institutions of higher education who 
seek to change research fields and pursue studies related to 
the security of computer systems.
  (3)(A) To be eligible for an award under this subsection, an 
individual shall submit an application to the Director at such 
time, in such manner, and containing such information as the 
Director may require.
  (B) Under this subsection, the Director is authorized to 
provide stipends for post-doctoral research fellowships at the 
level of the Institute's Post Doctoral Research Fellowship 
Program and senior research fellowships at levels consistent 
with support for a faculty member in a sabbatical position.
  (c) Awards; Applications.--The Director is authorized to 
award grants or cooperative agreements to institutions of 
higher education to carry out the program established under 
subsection (a). To be eligible for an award under this section, 
an institution of higher education shall submit an application 
to the Director at such time, in such manner, and containing 
such information as the Director may require. The application 
shall include, at a minimum, a description of--
          (1) the number of graduate students anticipated to 
        participate in the research project and the level of 
        support to be provided to each;
          (2) the number of post-doctoral research positions 
        included under the research project and the level of 
        support to be provided to each;
          (3) the number of individuals, if any, intending to 
        change research fields and pursue studies related to 
        the security of computer systems to be included under 
        the research project and the level of support to be 
        provided to each; and
          (4) how the for-profit entities and any other 
        partners will participate in developing and carrying 
        out the research and education agenda of the 
        partnership.
  (d) Program Operation.--(1) The program established under 
subsection (a) shall be managed by individuals who shall have 
both expertise in research related to the security of computer 
systems and knowledge of the vulnerabilities of existing 
computer systems. The Director shall designate such individuals 
as program managers.
  (2) Program managers designated under paragraph (1) may be 
new or existing employees of the Institute or individuals on 
assignment at the Institute under the Intergovernmental 
Personnel Act of 1970.
  (3) Program managers designated under paragraph (1) shall be 
responsible for--
          (A) establishing and publicizing the broad research 
        goals for the program;
          (B) soliciting applications for specific research 
        projects to address the goals developed under 
        subparagraph (A);
          (C) selecting research projects for support under the 
        program from among applications submitted to the 
        Institute, following consideration of--
                  (i) the novelty and scientific and technical 
                merit of the proposed projects;
                  (ii) the demonstrated capabilities of the 
                individual or individuals submitting the 
                applications to successfully carry out the 
                proposed research;
                  (iii) the impact the proposed projects will 
                have on increasing the number of computer 
                security researchers;
                  (iv) the nature of the participation by for-
                profit entities and the extent to which the 
                proposed projects address the concerns of 
                industry; and
                  (v) other criteria determined by the 
                Director, based on information specified for 
                inclusion in applications under subsection (c); 
                and
          (D) monitoring the progress of research projects 
        supported under the program.
  (e) Review of Program.--(1) The Director shall periodically 
review the portfolio of research awards monitored by each 
program manager designated in accordance with subsection (d). 
In conducting those reviews, the Director shall seek the advice 
of the Computer System Security and Privacy Advisory Board, 
established under section 21, on the appropriateness of the 
research goals and on the quality and utility of research 
projects managed by program managers in accordance with 
subsection (d).
  (2) The Director shall also contract with the National 
Research Council for a comprehensive review of the program 
established under subsection (a) during the 5th year of the 
program. Such review shall include an assessment of the 
scientific quality of the research conducted, the relevance of 
the research results obtained to the goals of the program 
established under subsection (d)(3)(A), and the progress of the 
program in promoting the development of a substantial academic 
research community working at the leading edge of knowledge in 
the field. The Director shall submit to Congress a report on 
the results of the review under this paragraph no later than 
six years after the initiation of the program.
  (f) Definitions.--For purposes of this section--
          (1) the term ``computer system'' has the meaning 
        given that term in section 20(d)(1); and
          (2) the term ``institution of higher education'' has 
        the meaning given that term in section 101 of the 
        Higher Education Act of 1965 (20 U.S.C. 1001).

           *       *       *       *       *       *       *

  Sec. [22] 32. Appropriations to carry out the provisions of 
this Act may remain available for obligation and expenditure 
for such period or periods as may be specified in the Acts 
making such appropriations.

                    XVII. Committee Recommendations

    On December 6, 2001, a quorum being present, the Committee 
on Science favorably reported the Cyber Security Research and 
Development Act, by a voice vote, and recommends its enactment.

      XVIII. Statement of General Performance Goals and Objectives

    Pursuant to clause (3)(c) of House rule XIII, the goals of 
H.R. 3394 are (1) to increase the amount of innovative basic 
cyber security research being supported by the Federal 
Government; (2) to increase the number of world class 
researchers conducting cyber security research in the United 
States; (3) to build new partnerships between industry, academia, 
and Federal agencies and laboratories; and (4) to increase the 
number and quality of undergraduate and graduate students 
preparing for careers in information assurance research, 
development, and implementation.

               XIX. Exchange of Committee Correspondence

                          House of Representatives,
                                      Committee on Science,
                                  Washington, DC, January 28, 2002.
Hon. John Boehner,
Chairman, Committee on Education and The Workforce, House of 
        Representatives, Washington, DC.
    Dear Chairman Boehner: Thank you for your letter regarding 
the Education and the Workforce Committee's jurisdictional 
interest in H.R. 3394, the Cyber Security Research and 
Development Act.
    I acknowledge your committee's jurisdiction over portions 
of H.R. 3394 and appreciate your cooperation in moving the bill 
to the House floor expeditiously. I concur that your decision 
to forego further action on the bill will not prejudice the 
Education and Workforce Committee with respect to its 
jurisdictional prerogatives on H.R. 3394 or on similar or 
related legislation. Should a conference occur on H.R. 3394 or 
similar legislation, the Committee on Science will support your 
request to have conferees on this or similar legislation that 
falls within your Committee's jurisdiction. I will include a 
copy of your letter and this response in the Committee's report 
on the bill as well as in the Congressional Record when the 
House considers the legislation.
    Once again, thank you for your cooperation in this matter.
            Sincerely,
                                      Sherwood L. Boehlert,
                                                          Chairman.
                                ------                                

                             Committee on Education
                               and the Workforce,
                                  Washington, DC, January 28, 2002.
Hon. Sherwood L. Boehlert,
Chairman, Committee on Science,
Rayburn HOB, Washington, DC.
    Dear Chairman Boehlert: Thank you for working with me 
regarding H.R. 3394, the ``Cyber Security Research and 
Development Act'', which was referred to the Committee on 
Science and in addition the Committee on Education and the 
Workforce, and ordered favorably reported by your Committee on 
December 6, 2001. I understand your desire to have this 
legislation considered expeditiously by the House; hence, I do 
not intend to hold a hearing or markup on this legislation.
    In agreeing to waive consideration by our Committee, I 
would expect you to agree that this procedural route should not 
be construed to prejudice the Committee on Education and the 
Workforce's jurisdictional interest and prerogatives on this or 
any similar legislation and will not be considered as precedent 
for consideration of matters of jurisdictional interest to my 
Committee in the future. I would also expect your support in my 
request to the Speaker for the appointment of conferees from my 
Committee with respect to matters within the jurisdiction of my 
Committee should a conference with the Senate be convened on 
this or similar legislation.
    I would appreciate your including our exchange of letters 
in your Committee's report to accompany H.R. 3394, which I 
understand you intend to file this week. Again, I thank you for 
working with me in developing this legislation and I look 
forward to working with you on these issues in the future.
            Sincerely,
                                              John Boehner,
                                                          Chairman.

                XX. Proceedings of Full Committee Markup


 PROCEEDINGS OF THE FULL COMMITTEE MARKUP ON H.R. 3394, CYBER SECURITY 
             RESEARCH AND DEVELOPMENT ACT, DECEMBER 6, 2001

    The committee met, pursuant to call, at 11:10 a.m., in room 
2318 of the Rayburn House Office Building, Hon. Sherwood L. 
Boehlert (chairman of the committee) presiding.
    Chairman Boehlert. Good morning. The Committee on Science 
will be in order. Pursuant to notice, the Committee on Science 
is meeting today to consider the following measures, H.R. 3394, 
the Cyber Security Research and Development Act, and H.R. 3400, 
the Networking and Information Technology Research Advancement 
Act. I ask unanimous consent for the authority to recess the 
Committee at any point and, without objection, so ordered.
    This morning we will mark up two important bills to boost 
our Nation's efforts in information technology. The first bill, 
H.R. 3394, which I introduced with my partner, Mr. Hall, 
creates new research programs to improve cyber security. The 
second bill, H.R. 3400, introduced by Research Subcommittee 
Chairman Nick Smith and Ranking Member Eddie Bernice Johnson, 
will augment and improve our existing interagency programs in 
networking and information technology.
    Both bills have the hallmarks of Science Committee 
legislation. They promote targeted solutions to real problems 
that were raised by expert witnesses at Committee hearings. 
They are designed to solve problems over the long-run, not just 
temporarily; and they are bipartisan. Indeed, the majority and 
minority staffs of the Committee worked together on these bills 
from day one.
    Let me say a bit more about H.R. 3394, the Cyber Security 
Research and Development Act, and Mr. Smith will discuss H.R. 
3400 in detail when we take it up at a later time.
    As I have pointed out repeatedly in recent weeks, the cyber 
security threat is real and potentially devastating. Experts 
from industry, government, and academia have told us that we 
simply do not have enough people conducting enough promising 
research on how to protect our computers and networks. And no 
federal agency is charged with solving that problem.
    H.R. 3394 attacks those concerns head on. It creates new 
programs at the National Science Foundation and the National 
Institute of Standards and Technology to draw new researchers 
into the cyber security field, to promote incentives to conduct 
more creative research, and to encourage undergraduates, 
graduate students, and post-docs to study cyber security.
    Right now, it's hard even to come up with a figure for how 
much the Federal Government is devoting to cyber security 
research, but the number is believed to be in the range of $60 
million, a pittance, really, considering the risk. This bill 
authorizes almost $800 million over 5 years to build a cadre of 
researchers and to set them to work on the problem.
    We hope to move this bill to the Floor early next year, and 
we are working with the Senate to develop a companion measure. 
This Committee must continue to lead the way in developing 
long-term solutions to the problems that have come to the 
forefront since September 11.
    The Chair recognizes distinguished Ranking Member, Mr. Hall 
of Texas.
    [Statement of Mr. Boehlert follows:]

              Opening Statement of Hon. Sherwood Boehlert

     This morning we will mark up two important bills to boost 
our nation's efforts in information technology. The first bill, 
H.R. 3394, which I introduced with Mr. Hall, creates new 
research programs to improve cybersecurity. The second, H.R. 
3400, introduced by Research Subcommittee Chairman Nick Smith 
and Ranking Member Eddie Bernice Johnson, will augment and 
improve our existing interagency program in networking and 
information technology.
    Both bills have the hallmarks of Science Committee 
legislation--they promote targeted solutions to real problems 
that were raised by expert witnesses at Committee hearings; 
they are designed to solve problems over the long-run, not just 
temporarily; and they are bipartisan. Indeed, the majority and 
minority staffs of the Committee worked together on these bills 
from day one.
    Let me say a bit more about H.R. 3394, the ``Cyber Security 
Research and Development Act,'' and Mr. Smith will discuss H.R. 
3400 in detail when we take it up a little later.
    As I've pointed out repeatedly in recent weeks, the 
cybersecurity threat is real and potentially devastating. 
Experts from industry, government and academia have told us 
that we simply do not have enough people conducting promising 
research on how to protect our computers and networks. And no 
federal agency is charged with solving that problem.
    H.R. 3394 attacks those concerns head on. It creates new 
programs at the National Science Foundation and the National 
Institute of Standards and Technology to draw new researchers 
into the cyber security field, to provide incentives to conduct 
more creative research, and to encourage undergraduates, 
graduate students and post-docs to study cybersecurity.
    Right now, it's hard even to come up with a figure for how 
much the federal government is devoting to cybersecurity 
research, but the number is believed to be in the range of $60 
million--a pittance, really, considering the risk. This bill 
authorizes almost $800 million over five years to build a cadre 
of researchers and set them to work on the problem.
    We hope to move this bill to the floor early next year, and 
we are working with the Senate to develop a companion measure.
    This Committee must continue to lead the way in developing 
long-term solutions to the problems that have come to the fore 
since September 11th.

    Mr. Hall. Mr. Chairman, thank you. And, of course, this 
bill just hopefully paves the way for better computer security. 
And when you say that, you have just about said everything you 
can say for the bill, and you covered it very well. As the 
Committee knows, in the past few years, computer virus attacks 
by the computer hackers and electronic identification theft 
have become more common, and the events this fall make us 
realize how vulnerable we are.
    We have had recent testimony before the Science Committee. 
There are too few scientists and too few engineers engaged in 
research on information security and too little funding for the 
security research, as you have pointed out.
    H.R. 3394 simply establishes substantial new research 
programs at the National Science Foundation and the National 
Institute of Standards and Technology. And these programs will 
support graduate students, postdoctoral researchers, senior 
researchers, while encouraging stronger ties between 
universities and industry.
    And the provisions pertaining to the thrust of these bills 
were first developed by Representative Baird and are contained 
in H.R. 3316, which is the bill he introduced a few weeks ago. 
I think that is very important and this Chairman and this 
Committee has given a lot of credence to that. I want to thank 
Congressman Baird for his important contribution to the 
legislation.
    Mr. Chairman, if I could, I would like to yield to him for 
any comments he wishes to make, limited down to my 15 minutes.
    [Statement of Mr. Hall follows:]

                Opening Statement of Hon. Ralph M. Hall

    The Cyber Security Research and Development Act, H.R. 3394, 
which Chairman Boehlert and I recently introduced, fills an 
important gap in current information technology research 
programs--namely, the need for better computer security.
    In the past few years, computer viruses, attacks by 
computer hackers, and electronic identification theft have 
become more common. The events of this fall have made us 
realize just how vulnerable we are to attack and have 
underscored the need to enhance the protection of the Nation's 
physical and electronic infrastructure.
    Recent testimony before the Science Committee highlighted 
an obstacle to achieving this goal. Currently there are too few 
scientists and engineers engaged in research on information 
security and too little funding for security research. And as 
federal agencies and private industry have found, there are few 
people with specialized computer security skills.
    H.R. 3394 establishes substantial new research programs at 
the National Science Foundation and the National Institute of 
Standards and Technology. Programs at both agencies are multi-
year and will increase the community of computer security 
researchers.
    These programs will support graduate students, post-
doctoral researchers and senior researchers, while encouraging 
stronger ties between universities and industry. This industry 
linkage will provide a reality check for the research 
priorities and will facilitate transfer of research results 
into new products and services.
    The provisions pertaining to NIST were first developed by 
Rep. Baird and are contained in H.R. 3316, a bill he introduced 
a few weeks ago. I want to thank Congressman Baird for his 
important contribution to this legislation, and yield to him 
for any comments he wishes to make on the bill.

    Chairman Boehlert. Without objection, go to.
    Mr. Baird. Mr. Chairman, and, Ranking Member, thank you 
very much. I want to thank you for your leadership on this 
important issue. Certainly coming from the great State of 
Washington where technology is so important to our economy, we 
know these issues well. And I want to emphasize that this is 
not just about an economic issue. It is actually about saving 
human lives with our air traffic control system, emergency 
medical response, water production, et cetera, all governed and 
communicated through information technology. Making sure that 
technology and the infrastructure is secure is not just an 
economic good policy; it is about saving lives.
    And I commend you for your leadership. Providing 
researchers and trained graduate students who can conduct 
research into this area is absolutely critical today and for 
the long-term viability of our economy. And I am privileged to 
be part of this. And thank you for including my statement.
    Chairman Boehlert. Thank you very much, Mr. Baird. Without 
objection, all additional member opening statements will be 
placed in the record at this point.
    [Statement of Mr. Smith of Michigan follows:]

            Opening Statement of Hon. Congressman Nick Smith

    Thank you, Mr. Chairman, for holding this markup today on 
two pieces of legislation that will significantly revamp our 
information technology and computer security research efforts. 
In keeping with the spirit of this Committee, I think we have 
put together two truly bipartisan bills that will provide guidance 
and funding for important federal research and development 
challenges.
    I am pleased to be the sponsor of one of these bills along 
with my friend and colleague Congresswoman Johnson of Texas. 
Our bill, H.R. 3400, the Networking and Information Technology 
Research and Advancement Act (NITRA), will update and re-
authorize federally funded basic research in information 
technology. The bill authorizes a multi-agency research 
initiative that will ensure that America stays at the cutting 
edge of new information technologies that stimulate economic 
growth, stimulate further scientific advancements, and make all 
of our lives better.
    Additionally, I am proud to be a cosponsor of H.R. 3394, 
the Cybersecurity Research and Development Act, which will 
establish a research plan among several agencies to shore up 
the security of our computer systems. While much attention has 
been focused on other, more tangible forms of terrorism, we 
must not overlook the national security threat posed to our 
computer systems. In this age where we are increasingly 
dependent on computers for daily activities, the need for 
computer security cannot be understated. H.R. 3394 devotes 
significant resources to respond to these threats.
    I urge members to support both of these bills that will 
strengthen our research efforts to foster innovation, continued 
economic growth, and improve our national security from the 
very real threat of cyberterrorism. I am looking forward to 
this markup, and I am hopeful that we can pass these bills 
through committee and move ahead with floor preparation as 
expeditiously as possible.

    [Statement of Ms. Eddie Bernice Johnson follows:]

            Opening Statement of Hon. Eddie Bernice Johnson

    Mr. Speaker, I understand and support the Cyber Security 
Research and Development Act's aim to support research and 
education activities associated with increasing network and 
computer security.
    The events over the last few months have given America more 
reasons to establish and sustain research programs to stimulate 
the development of vigorous research enterprise in network and 
computer security. Also, the events have provided us with 
another opportunity to reevaluate our society and to appreciate 
the wealth of diversity in our nation.
    However, this legislation can provide an opportunity, which 
the language of the bill does not address. We can use this 
legislation to reiterate our commitment to diversity by 
providing an opportunity for us to ensure that everyone is 
provided the tools to succeed.
    For this reason, I would like the opportunity to work with 
the Majority, before this bill goes to the House floor for a 
vote. My aim is to place language within H.R. 3394 that will 
encourage participation from individuals of traditionally 
underrepresented groups and minority serving institutions.
    So often these individuals and institutions are unable to 
participate in the kinds of opportunities that this legislation 
will provide. I believe that we must make a valiant effort to 
include them as we have done in several pieces of legislation 
this committee has passed this session.
    I have provided the Majority staff with the changes I am 
proposing and look forward to working with you in our endless 
efforts to ensure opportunity to all.

    [Statement of Mr. Forbes follows:]

               Opening Statement of Hon. J. Randy Forbes

    Mr. Chairman, I would like to express my strong support 
both for the Networking and Information Technology Research 
Advancement Act, as well as the Cyber Security Research and 
Development Act. As a cosponsor of both pieces of legislation, 
I appreciate my colleagues' efforts to coordinate our national 
response to the very serious threat of cyber terrorism.
    Though it won't bring the death and destruction of 
biological or chemical weapons, cyber terrorism holds the power 
to disrupt our way of life, harm people's personal interests, 
and cause tremendous losses for businesses. Both bills before 
us are necessary for updating our national ability to thwart 
terrorist plots to disrupt our economy and do harm to our way 
of life using our own computer networks. As we heard from 
various witnesses who have come before this Committee over the 
past several months, we have bright and innovative minds in this 
nation, but they need direction and coordination to maximize 
their efforts to find ways to prevent cyber terrorist attacks 
and ameliorate their consequences.
    The bills before us today will coordinate the various 
research and development efforts that currently exist and 
increase the overall federal contribution for them. In 
addition, they will revise the rules under which federal 
dollars operate to give our science and technology experts the 
ability to think outside the box. Our enemies use their evil 
cunning as a weapon. We should not be restricted in our 
thinking to defeat their efforts.
    Mr. Chairman, I appreciate your bringing these bills to our 
Committee so quickly. I am hopeful that they will get such 
prompt treatment by the Congress as a whole so that we can 
begin to implement this coordinated policy. Thank you.

    Chairman Boehlert. We will now consider H.R. 3394, the 
Cyber Security Research and Development Act. I ask unanimous 
consent that the bill be considered as read and open to 
amendment at any point. And I ask the members to proceed with 
the amendments in the order on the roster. And since we don't 
have a roster, I will ask, are there any amendments? Mr. 
Matheson.
    Mr. Matheson. I have none.
    Chairman Boehlert. Okay. Okay. All right. Yes. Who do--do I 
see a hand? Ms. Johnson.
    Ms. Johnson. Thank you, Mr. Chairman. I want to express my 
appreciation, and I have an amendment at the desk and would 
like to ask for that consideration. I have been in contact with 
the staff. And all it does is simply request the research 
dollars to keep in mind the Historically Black Universities 
and--Colleges and Universities, as well as the Hispanic Serving 
Colleges and Universities, as the money is distributed. And I 
would be happy to work with you and the staff with----
    Chairman Boehlert. And I will look forward to working with 
you. This is a cause near and dear to your heart and to mine 
also. So we will work cooperatively and do something for the 
Floor.
    Ms. Johnson. Thank you very much, Mr. Chairman.
    Chairman Boehlert. Anyone else seek recognition? Any 
further discussion? If no, the vote occurs on the bill. Okay. I 
reported--we haven't got--I am just trying to count for 
numbers. You are worth two, Jim. All right. We are just 23, 24. 
We are getting there.
    Mr. Matheson. Okay.
    Chairman Boehlert. Do I hear 25? Are we all set? Yeah. Here 
we are. Since there are no further discussion, no further 
amendments, the vote occurs on the bill. All in favor, say aye. 
Noes? The ayes have it. Without objection, the bill is ordered 
reported.
    Mr. Hall. Mr. Chairman----
    Chairman Boehlert. Yes, sir.
    Mr. Hall. Mr. Chairman----
    Chairman Boehlert. Mr. Hall.
    Mr. Hall. I move that the Committee favorably report H.R. 
3394 to the House with the recommendation that the bill do 
pass. Furthermore, I move the staff be instructed to prepare 
the legislative report and make the necessary and technical and 
conforming changes, and that the Chairman take all necessary 
steps to bring the bill before the House for consideration. I 
yield back my time.
    Chairman Boehlert. All right. The Chair notes the presence 
of a reporting quorum. The question is on the motion to report 
the bill favorably. Those in favor of the motion will signify by saying 
aye. Opposed, no. The ayes appear to have it. The bill is favorably 
reported. Without objection, the motion to reconsider is laid upon the 
table. I move that members have 2 subsequent calendar days in which to 
submit supplemental, minority, or additional views on the measure. 
Without objection, so ordered.
    I move, pursuant to Clause 1 of the Rule 22 of the House--
Rules of the House of Representatives, that the Committee 
authorize the Chairman to offer such motions as may be 
necessary in the House to go to conference with the Senate on 
the bill H.R. 3394, or a similar Senate bill. Without 
objection, so ordered.
    [H.R. 3394 follows:]

    
    
    [The information follows:]

H.R. 3394--The Cyber Security Research and Development Act, Introduced 
 by Mr. Boehlert, Mr. Hall (TX), Mr. Smith (TX), Mr. Baird, Mr. Smith 
                (MI), and Ms. Eddie Bernice Johnson (TX)

                       SECTION-BY-SECTION SUMMARY

Sec. 1. Short title
    ``Cyber Security Research and Development Act''
Sec. 2. Findings
    Discuss the interdependent nature of critical infrastructures 
brought about by advancements in computing and communications 
technology; the increased consequences of failure of communications and 
other critical services caused by exponential increases in 
interconnectivity; the nation's lack of preparedness for a coordinated 
cyber and physical attack; the lack of sufficient long-term research 
funding and the shortage of outstanding researchers in the field of 
cyber security; the lack of coordination among government, 
academia, and industry for computer security; and the need to 
significantly increase the Federal investment in computer and network 
security research and development.
Sec. 3. Definitions
    Defines the term `Director' as the Director of the National Science 
Foundation (NSF) (Note that where the term `Director' is used in 
section 8 it refers to the Director of the National Institute of 
Standards and Technology (NIST)). Uses the definition for `institution 
of higher education' found in the Higher Education Act of 1965.
Sec. 4. National Science Foundation research
    (a) Establishes an NSF program to award merit-based grants for 
basic research on innovative approaches to enhance computer security. 
Research areas for which grants can be used include authentication and 
cryptography, computer forensics and intrusion detection, reliability 
of computer and network applications, and privacy. Authorizes 
appropriations of $35 million for FY 2003, $40 million for FY 2004, $46 
million for 2005, $52 million for FY 2006, and $60,000 for FY 2007.
    (b) Establishes an NSF program to award multi-year grants to 
institutions of higher education (or consortia thereof) to establish 
multidisciplinary Centers for Computer and Network Security Research. 
Consortia applying for grants may partner with one or more government 
laboratories or for-profit institutions. Applications for Center grants 
are to be reviewed on the basis of criteria that include: the ability 
of the institution (or consortium) to generate innovative approaches to 
computer and network security research; the applicant's support for 
students pursuing research in computer and network security; and the 
extent to which government laboratories or industry partners will 
participate in the Center's research activities. Requires the Director 
to convene an annual meeting of Centers to foster greater collaboration 
and communication. Authorizes appropriations of $12 million for FY 
2003, $24 million for FY 2004, $36 million for FY 2005, and $36 million 
for FY 2006 and FY 2007.
Sec. 5. National Science Foundation computer and network security 
        programs
    (a) Establishes a competitive, merit-based NSF program to award 
grants to institutions of higher education (or consortia thereof) to 
create or improve undergraduate and master's degree programs in 
computer security. Grants can be used for purposes that include curriculum 
development, equipment acquisition, faculty enhancement, and the 
establishment of a student internship program in government or 
industry. Requires applicants to describe the plan for building 
increased capacity in computer and network security, to articulate the 
roles and responsibilities of each partnering institution or 
collaborative group, and to provide evidence of high potential for 
success in educating and placing students in relevant jobs or graduate 
programs. Instructs the Director to evaluate the impact of the program 
on increasing the quality and quantity of computer and network security 
professionals. Authorizes $15 million for FY 2003 and $20 million for 
each of fiscal years 2004-2007.
    (b) Expands NSF's existing program for community colleges 
(established by the Scientific and Advanced Technology Act of 1992) to 
include grants to improve education in fields related to computer and 
network security. Authorizes $1 million for FY 2003 and $1.25 million 
for each of fiscal years 2004-2007.
    (c) Establishes a competitive, merit-based NSF program to award 
grants to institutions of higher education to establish programs for 
students pursuing studies in computer and network security research 
leading to a doctorate degree. Grant funds are to be used to support 
student fellowships of at least $25,000 per year, to pay student 
tuition and fees, and to support students in scientific internship 
programs. Authorizes appropriations of $10 million for FY 2003, and $20 
million for each fiscal year 2004-2007.
    (d) Directs NSF to include computer and network security as an 
approved field of specialization under its current Graduate Research 
Fellowships program.
Sec. 6. Consultation
    Requires the NSF Director to consult with other Federal agencies in 
carrying out the programs described in Sections 4 and 5.
Sec. 7. Fostering research and education in computer and network 
        security
    Amends the National Science Foundation Act of 1950 to require NSF 
to take a leading role in fostering and supporting research and 
education in computer and network security.
Sec. 8. National Institute of Standards and Technology Research Program
    Amends the National Institute of Standards and Technology Act to 
establish a program that provides assistance to institutions of higher 
education that partner with for-profit entities to support 
multidisciplinary, long-term, high-risk research to improve the 
security of computer systems. Partnerships may also include government 
laboratories. Authorizes the Director to award research fellowships to 
post-doctoral researchers engaged in computer security research and to 
senior researchers who wish to transition from other research fields to 
computer security research. Instructs the NIST Director to select 
Program Managers who are responsible for establishing the research 
goals for the program, soliciting applications for specific research 
projects to address these goals, and selecting research projects for 
funding. Calls for the NIST Director to periodically review the 
portfolio of research awards in consultation with NIST's existing 
Computer System Security and Privacy Advisory Board. Also instructs the 
Director to contract with the National Academy of Sciences to conduct a 
formal review of the program and to submit a report of this review to 
Congress.
Sec. 9. Computer security review, public meetings, and information
    Authorizes funding ($1,060,000 for FY 2003 and $1,090,000 for FY 
2004) to enable NIST's Computer System Security and Privacy Advisory 
Board to identify emerging issues, including research needs related to 
computer security, privacy, and cryptography and, as appropriate, to 
convene public meetings on those subjects, receive presentations, and 
generate reports for public distribution.
Sec. 10. Intramural security research
    Amends the National Institute of Standards and Technology Act 
to authorize NIST to pursue, as part of the agency's in-house research 
program, research related to computer security including the 
development of emerging technologies to ensure security of networked 
systems assembled from components, improved security of real-time 
computing and communications systems used in industrial and critical 
infrastructure operations, and improved security of computer systems.
Sec. 11. Authorization of appropriations
    Authorizes appropriations for sections 8 and 10 of the bill. For 
the research programs in section 8, provides $25 million for FY 2003, 
$40 million for FY 2004, $55 million for FY 2005, $70 million for FY 
2006, $85 million for FY 2007, and such sums as may be necessary for 
fiscal years 2008 through 2012. Authorizes appropriations for section 
10 at $6 million for FY 2003, $6.2 million for FY 2004, $6.4 million 
for FY 2005, $6.6 million for FY 2006, and $6.8 million for FY 2007.
Sec. 12. National Academy of Sciences study on computer and network 
        security in critical infrastructures
    Authorizes the Director of NIST to enter into an agreement with the 
National Research Council (NRC) of the National Academy of Sciences to 
conduct a study of the vulnerabilities of the Nation's critical 
infrastructure networks and make recommendations for appropriate 
improvements. The study requires the NRC to review existing data to 
identify gaps in the security of critical infrastructure networks, make 
recommendations for research priorities to address these gaps, and 
review the security of network-related infrastructure including 
industrial process controls. A report of the study results is to be 
submitted to Congress. Authorizes $700,000 for the purpose of carrying 
out the study.
                                 ________

Summary of H.R. 3394--The Cyber Security Research and Development Act--
 Introduced by Mr. Boehlert, Mr. Hall (TX), Mr. Smith (TX), Mr. Baird, 
           Mr. Smith (MI) and Ms. Eddie Bernice Johnson (TX)

    The Committee on Science held two full committee hearings devoted 
to research and development needs related to cyber security. These 
hearings offered a sobering view of the security of our nation's 
critical infrastructures and highlighted the lack of world-class 
research being conducted to address these cyber security needs. Four 
challenges emerged from these hearings that demand an immediate and 
sustained response:
     Too little cyber security research is being conducted and 
the research that is funded is incremental and unlikely to lead to the 
development of breakthrough approaches to cyber security.
     There is inadequate coordination between government, 
academia, and industry and no Federal agency has stepped forward to 
take the lead in supporting cyber security research.
     Too few researchers are prepared to meet our current and 
projected cyber security research needs.
     Too few undergraduate and graduate students are pursuing 
studies in cyber security related fields.
    The Cyber Security Research and Development Act responds to these 
challenges. It creates important new research programs at the National 
Science Foundation (NSF) and the National Institute of Standards and 
Technology (NIST). Building upon NSF's proven capacity to mobilize the 
academic research community, the Act authorizes NSF to create new 
academic centers and fellowships to stimulate innovative thinking about 
cyber security. Building upon NIST's proven ability to work with 
industry, the Act authorizes NIST to initiate a new research grant 
program that strengthens the interaction between government, academia, 
and industry.
    Funding for NSF is provided for competitive, peer-reviewed grant 
programs, including:
     $233 million over five years for a program providing 
grants to researchers for the pursuit of particularly innovative 
computer and network security basic research.
     $144 million over five years to fund multi-year grants to 
colleges and universities to establish multidisciplinary Centers for 
Computer and Network Security Research, alone or in partnership with 
other universities or with businesses and government laboratories.
     $95 million over five years for the award of grants to 
colleges and universities to improve undergraduate and master's degree 
programs including through the creation of internship programs and new 
courses.
     $6 million over five years to make grants to community 
colleges in order to enhance their ability to contribute to the supply 
of computer and network security technicians.
     $90 million over five years to establish a competitive 
grant program that will enable colleges and universities to offer 
fellowships, research opportunities in industry, and other educational 
opportunities to students pursuing doctoral degrees in computer and 
network security.
    The Act authorizes NIST to use an administrative model that has 
been successfully implemented at the Defense Advanced Research Projects 
Agency. The Act authorizes NIST to invest talented project managers 
with broad latitude to establish cyber security research objectives and 
to solicit and award proposals. This structure shortens the approval 
time for research proposals and allows the project manager to move 
quickly to invest in promising new ideas.
    The funding for NIST includes:
     $275 million over five years for a grant program to 
support high-risk, cutting-edge research by academic researchers who 
are working with industry.
     Establishes research fellowships to increase the number of 
researchers engaged in computer and network security research.
     $32 million over five years for an in-house research 
program in computer and network security.
    Finally, the bill requires a National Academy of Sciences study and 
report to Congress on the nation's critical infrastructure 
vulnerabilities.

               CYBER SECURITY RESEARCH AND DEVELOPMENT ACT YEARLY AUTHORIZATION OF APPROPRIATIONS
                                            [In millions of dollars]
----------------------------------------------------------------------------------------------------------------
                       Program                         FY2003    FY2004    FY2005    FY2006    FY2007     Total
----------------------------------------------------------------------------------------------------------------
Section 4 National Science Foundation Research:
    Computer and Network Security Research Grants...     35        40        46        52        60       233
    Computer and Network Security Research Centers..     12        24        36        36        36       144
Section 5 National Science Foundation Computer and
 Network Security Programs:
    Computer and Network Security Capacity Building      15        20        20        20        20        95
     Grants.........................................
    Scientific and Advanced Technology Act of 1992..      1         1.25      1.25      1.25      1.25      6
    Graduate Traineeships in Computer and Network        10        20        20        20        20        90
     Security Research..............................
Section 6. Fostering Research and Education in
 Computer and Network Security......................
Section 7. National Institute of Standards and           25        40        55        70        85       275
 Technology Research Program........................
Section 8. Computer Security Review, Public               1.03      1.06  ........  ........  ........      2.09
 Meetings, and Information..........................
Section 9. Intramural Security Research.............      6         6.2       6.4       6.6       6.8      32
Section 11. National Academy of Sciences Study on         0.7   ........  ........  ........  ........      0.7
 Computer and Network Security in Critical
 Infrastructures....................................
                                                               -------------------------------------------------
      Total.........................................    105.73    152.51    184.65    205.85    229.05    877.79
----------------------------------------------------------------------------------------------------------------

    Five Year Total: $877.79 million.