[Senate Report 113-270]
[From the U.S. Government Publishing Office]
Calendar No. 490
113th Congress } { Report
2d Session } SENATE { 113-270
_______________________________________________________________________
CYBERSECURITY ACT OF 2013
__________
R E P O R T
OF THE
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
on
S. 1353
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
November 12, 2014.--Ordered to be printed
________
U.S. GOVERNMENT PRINTING OFFICE
49-010 WASHINGTON : 2014
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
one hundred thirteenth congress
second session
JOHN D. ROCKEFELLER IV, West Virginia, Chairman
BARBARA BOXER, California JOHN THUNE, South Dakota
BILL NELSON, Florida ROGER F. WICKER, Mississippi
MARIA CANTWELL, Washington ROY BLUNT, Missouri
MARK PRYOR, Arkansas MARCO RUBIO, Florida
CLAIRE McCASKILL, Missouri KELLY AYOTTE, New Hampshire
AMY KLOBUCHAR, Minnesota DEAN HELLER, Nevada
MARK BEGICH, Alaska DAN COATS, Indiana
RICHARD BLUMENTHAL, Connecticut TIM SCOTT, South Carolina
BRIAN SCHATZ, Hawaii TED CRUZ, Texas
ED MARKEY, Massachusetts DEB FISCHER, Nebraska
CORY BOOKER, New Jersey RON JOHNSON, Wisconsin
JOHN WALSH, Montana
Ellen Doneski, Staff Director
John Williams, General Counsel
David Schwietert, Republican Staff Director
Nick Rossi, Republican Deputy Staff Director
Rebecca Seidel, Republican General Counsel
Calendar No. 490
113th Congress } { Report
SENATE
2d Session } { 113-270
======================================================================
CYBERSECURITY ACT OF 2013
_______
November 12, 2014.--Ordered to be printed
_______
Mr. Rockefeller, from the Committee on Commerce, Science, and
Transportation, submitted the following
R E P O R T
[To accompany S. 135]
The Committee on Commerce, Science, and Transportation, to
which was referred the bill (S. 1353) to provide for an
ongoing, voluntary public-private partnership to improve
cybersecurity, and to strengthen cybersecurity research and
development, workforce development and education, and public
awareness and preparedness, and for other purposes, having
considered the same, reports favorably thereon with an
amendment (in the nature of a substitute) and recommends that
the bill (as amended) do pass.
Purpose of the Bill
The purpose of S. 1353 is to help secure the Nation from
cyber threats by clarifying the statutory authority of the
National Institute of Standards and Technology (NIST) to
facilitate and support the development of a set of voluntary,
industry-led standards and best practices to reduce cyber risks
to critical infrastructure. The bill would also ensure that the
Federal Government supports cutting-edge research, increases
public awareness, and improves our workforce to better address
cyber threats.
Background and Needs
I. THE NATURE AND SCOPE OF THE CYBER THREAT
Over the past two decades, the growth of the Internet and our
country's increasing use of interconnected networks have
produced unprecedented economic growth and innovation. However,
our ever-increasing reliance upon the Internet has also allowed
new threats to develop. As individuals, businesses, and
governments shift more of their activities and store more of
their information online, they become vulnerable to attackers
intent on conducting malicious surveillance, stealing
information, or disrupting operations. These attackers range
from amateur hackers, to criminals, to state sponsors. The type
of attack could be untargeted malware, denial of service, or an
advanced persistent threat.\1\
---------------------------------------------------------------------------
\1\See e.g., Mandiant, APT1: Exposing One of China's Cyber
Espionage Units, February 18, 2013, at http://intelreport.mandiant.com.
---------------------------------------------------------------------------
Top government officials and cybersecurity experts have
repeatedly warned about the seriousness of the threat cyber
incidents pose to our economic and national security. In
January 2012 testimony on worldwide threats before the Senate
Select Intelligence Committee, Robert Mueller, then-Director of
the Federal Bureau of Investigation, said that cyber threats
will surpass the threat of terrorism in the foreseeable
future.\2\ Former National Security Agency Director General
Keith Alexander described the consequences of cyber espionage
as the ``greatest transfer of wealth in history.''\3\ Former
Director of the National Counterterrorism Center Michael Leiter
has described cyber attacks against the United States as ``a
Pearl Harbor of slow moving deadly gas rather than blowing
things up. We are being robbed blind.''\4\ With respect to
economic security, a July 2013 joint Center for Strategic and
International Studies-McAfee report estimates as much as a $100
billion annual loss to the U.S. economy with as many as 508,000
U.S. jobs lost or displaced due to malicious cyber activity.\5\
---------------------------------------------------------------------------
\2\Testimony of Robert Mueller, Senate Select Intelligence
Committee, Current and Projected National Security Threats to the
United States, January 31, 2012, at http://www.gpo.gov/fdsys/pkg/CHRG-
112shrg74790/pdf/CHRG-112shrg74790.pdf.
\3\Josh Rogin, ``NSA Chief: Cybercrime constitutes the `greatest
transfer of wealth in history','' Foreign Policy, July 9, 2012, at
http://thecable.foreignpolicy.com/posts/2012/07/09/nsachief_
cybercrime_constitutes_the_greatest_transfer_of_wealth_in_history.
\4\Erin Mershon, ``Deal Possible on Cybersecurity if Senate Can
Pass Similar Bill, Rogers Says,'' Communications Daily, September 26,
2013.
\5\James Andrew Lewis and Stewart Baker, The Economic Impact of
Cybercrime and Espionage, Center for Strategic and International
Studies, McAfee, July 23, 2013, at http://csis.org/files/publication/
60396rpt_cybercrime-cost_0713_ph4_0.pdf.
---------------------------------------------------------------------------
A growing cyber threat affects both the Federal Government
and the U.S. economy. According to Department of Homeland
Security (DHS) data, the number of cyber incidents reported by
Federal agencies to the United States Computer Emergency
Readiness Team increased 782 percent between 2006 and 2012,
with 48,562 incidents reported in 2012.\6\ Symantec estimates
that targeted cyber attacks focused on individuals or specific
companies increased 42 percent in 2012 compared with the
preceding 12 months. Within that increase, targeted attacks
specifically aimed at small businesses increased from 18
percent in the same period.\7\ Verizon analysis of 2012 data
breaches shows that 95 percent of targeted state-affiliated
espionage incidents rely on the relatively simple technique of
e-mail phishing, and, once attackers have gained access, 66
percent of breaches go undiscovered for months or even
years.\8\
---------------------------------------------------------------------------
\6\U.S. Government Accountability Office, Cybersecurity: National
Strategy, Roles, and Responsibilities Need to Be Better Defined and
More Effectively Implemented, GAO-13-187, February 2013, at http://
www.gao.gov/assets/660/652170.pdf.
\7\Symantec, Internet Security Threat Report, 2013, at http://
www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main--
report_v18_2012_21291018.en-us.pdf.
\8\Verizon, 2013 Data Breach Investigations Report, 2013, at http:/
/www.verizonenterprise.com/resources/reports/rp_data-breach-
investigations-report-2013_en_xg.pdf.
---------------------------------------------------------------------------
National and homeland security officials are especially
concerned about cyber attacks targeted at the industrial
control systems (ICS) that operate and monitor large physical
systems in the United States. The ICS managing some of our
country's most critical infrastructure, including the electric
grid, oil pipelines, transportation networks, and financial
institutions, are now accessible via the Internet and, as a
result, could potentially be manipulated or attacked by
malicious actors using computers in other parts of the world.
The vulnerabilities of our country's critical infrastructure
create a potentially serious threat to the American public.\9\
Ninety percent of this infrastructure is owned and operated by
private entities.\10\, \11\
---------------------------------------------------------------------------
\9\See e.g., Presidential Directive/NSC-63 (May 22, 1998)
(``Because of our military strength, future enemies, whether nations,
groups or individuals, may seek to harm us in non-traditional ways
including attacks within the United States. Because our economy is
increasingly reliant upon interdependent and cyber-supported
infrastructures, non-traditional attacks on our infrastructure and
information systems may be capable of significantly harming both our
military power and our economy.'')
\10\National Infrastructure Advisory Council, Critical
Infrastructure Partnership Strategic Assessment, October 14, 2008, at
http://www.dhs.gov/xlibrary/assets/niac/
niac_critical_infrastructure_protection_assessment_final_report.pdf, p.
16.
\11\Industrial Control Systems Cyber Emergency Response Team,
Control System Internet Accessibility, ICS-ALERT-10-301-01, October 28,
2010, at https://ics-cert.us-cert.gov/alerts/ICS-Alert-11-343-01A.
---------------------------------------------------------------------------
With access to an infrastructure operator's network,
attackers could change control parameters to disable or destroy
the infrastructure. U.S. infrastructure, as a ``system of
systems,'' is potentially vulnerable to cascading damages, such
as if an electricity blackout leads to disruptions in water
treatment, emergency communications, and oil and gas
production. In an op-ed published in the Wall Street Journal in
2012, President Obama described such a scenario:
It doesn't take much to imagine the
consequences of a successful cyber attack. In a
future conflict, an adversary unable to match
our military supremacy on the battlefield might
seek to exploit our computer vulnerabilities
here at home. Taking down vital banking systems
could trigger a financial crisis. The lack of
clean water or functioning hospitals could
spark a public health emergency. And as we've
seen in past blackouts, the loss of electricity
can bring businesses, cities and entire regions
to a standstill.\12\
---------------------------------------------------------------------------
\12\Barack Obama, ``Taking the Cyberattack Threat Seriously,'' Wall
Street Journal, July 19, 2012.
---------------------------------------------------------------------------
News reports of cyber attacks on critical infrastructure,
government systems, and businesses show that destructive
attacks are not merely theoretical ``red-team'' scenarios. In
Saudi Arabia, for example, 2012 media reports indicated that a
cyber attack on Saudi Aramco, the world's largest exporter of
oil, strategically erased data from 30,000 computers on the
company's network.\13\ More recently, the press has reported
sustained attacks on U.S. financial services companies,\14\
universities,\15\ and energy companies\16\ designed to take
down websites, steal intellectual property, and destroy data or
manipulate infrastructure, respectively. The press itself has
also come under attack, including The New York Times, which was
knocked offline for several hours in August 2013 by the so-
called Syrian Electronic Army.\17\
---------------------------------------------------------------------------
\13\Wael Mahdi, ``Saudi Arabia Says Aramco Cyberattack Came From
Foreign States,'' Bloomberg, December 9, 2012, at http://
www.bloomberg.com/news/2012-12-09/saudi-arabia-says-aramco-cyberattack-
came-from-foreign-states.html.
\14\Joseph Menn, ``Cyber attacks against banks more severe than
most realize,'' Reuters, May 18, 2013, at http://www.reuters.com/
article/2013/05/18/us-cyber-summit-banks-idUSBRE94G0ZP20130518.
\15\Richard Perez-Pena, ``Universities Face a Rising Barrage of
Cyberattacks,'' The New York Times, July 16, 2013, at http://
www.nytimes.com/2013/07/17/education/barrage-of-cyberattacks-
challenges-campus-culture.html?pagewanted=all.
\16\David E. Sanger and Nicole Perlroth, ``Cyberattacks Against
U.S. Corporations Are on the Rise,'' The New York Times, May 12, 2013,
at http://www.nytimes.com/2013/05/13/us/cyberattacks-on-rise-against-
us-corporations.html?pagewanted=all.
\17\Lee Ferran, ``Who's The Syrian Group Allegedly Behind The New
York Times Cyber Attack?,'' ABC News, August 28, 2013, at http://
abcnews.go.com/Blotter/syrian-electronic-army-group-allegedly-york-
times-cyber/story?id=20095458.
---------------------------------------------------------------------------
In response to the industry-wide and ever-changing cyber
threat, title I of the Cybersecurity Act of 2013 would promote
the development of a set of voluntary standards and best
practices that critical infrastructure operators in the United
States can adopt to improve the security of their systems and
lower the risk of a cyber attack that causes serious damage to
the United States. Title I would clarify the authority of NIST,
the Federal Government's leading technical standards and
measurement agency, to support an industry-led effort to
develop these voluntary standards and best practices, and
ensure this process will be ongoing to provide flexibility to
meet evolving threats.
II. CYBERSECURITY RESEARCH AND DEVELOPMENT AND WORKFORCE NEEDS
While warning about the vulnerabilities of our information
networks to cyber attacks, policymakers have also expressed
concerns that the United States is under-investing in
cybersecurity research and not training a sufficient amount of
workers capable of defending government agencies and private
sector businesses from cyber attacks.
In December 2011, the White House Office of Science and
Technology Policy (OSTP) released ``Trustworthy Cyberspace:
Strategic Plan for the Federal Cybersecurity Research and
Development Program.'' The plan sought to strengthen the often
piecemeal cybersecurity research and development conducted by
Federal agencies under the auspices of the Networking and
Information Technology Research and Development (NITRD)
Program. Four strategic goals have been set to guide research
and development progress: inducing change, developing
scientific foundations, maximizing research impact, and
accelerating transition to practice.\18\
---------------------------------------------------------------------------
\18\Executive Office of the President, Trustworthy Cyberspace:
Strategic Plan for the Federal Cybersecurity Research and Development
Program, National Science and Technology Council, December 2011, at
http://www.whitehouse.gov/sites/default/files/microsites/ostp/
fed_cybersecurity_rd_strategic_plan_2011.pdf.
---------------------------------------------------------------------------
According to several reports, the Federal and private sector
cybersecurity workforce is facing increasing demand and
potential shortages. A 2013 study found that, over the past 5
years, demand for cybersecurity professionals grew 3.5 times
faster than general information technology jobs and 12 times
faster than for all other jobs.\19\ A 2012 assessment by the
National Initiative for Cybersecurity Education (NICE) in
partnership with the Federal Chief Information Officers Council
found that nearly 80 percent of Federal cybersecurity workers
surveyed were over the age of 40, with the majority nearing
retirement age.\20\ In 2013, the news reported that the
Department of Defense has an intent to expand Cyber
Command,\21\ yet security clearance and citizenship
requirements, let alone education requirements, will make
hiring those additional employees challenging. The National
Science Foundation's (NSF) Scholarship for Service Program,
which serves as a Federal Government pipeline for cybersecurity
talent, currently graduates and places an average of just 150
students per year in Federal agencies.\22\ Cynthia Dion-
Schwarz, former Deputy Assistant Director of the NSF's Computer
& Information Science & Engineering Directorate, commented,
``The outlook is grim because we are not producing, from an
education perspective, the people with the right skills sets to
just have the entry-level skills needed in order to make
progress in cybersecurity.''\23\
---------------------------------------------------------------------------
\19\Burning Glass Technologies, Initial Findings on Cyber Security
Jobs, February 2013, at http://www.burning-glass.com/cybersecurity/
BGTCyberSecurityReport.pdf.
\20\National Initiative for Cybersecurity Education, 2012
Information Technology Workforce Assessment for Cybersecurity, March
14, 2013, at https://cio.gov/wp-content/uploads/downloads/2013/04/
ITWAC-Summary-Report_04-01-2013.pdf.
\21\Elisabeth Bumiller, ``Pentagon Expanding Cybersecurity Force to
Protect Network Against Attacks,'' The New York Times, January 27,
2013, at http://www.nytimes.com/2013/01/28/us/pentagon-to-beef-up-
cybersecurity-force-to-counter-attacks.html. See also, Cheryl Pellerin,
``Rogers: Cybercom Defending Networks, Nation,'' DoD News, Defense
Media Activity, August 18, 2014, at http://www.defense.gov/news/
newsarticle.aspx?id=122949.
\22\Briefing by Victor P. Piotrowski, Lead Program Director, NSF,
to Senate Commerce, Science, and Transportation Staff, July 29, 2013.
\23\Amber Corrin, ``Desperately seeking cybersecurity pros,'' FCW,
October 26, 2012, at http://fcw.com/articles/2012/10/26/cyber-
workforce.aspx.
---------------------------------------------------------------------------
Titles II through IV of the Cybersecurity Act of 2013 seek to
address these challenges. Title II would task OSTP with
coordinating Federal agencies' cybersecurity research and
development and would support basic cybersecurity research at
NSF, in collaboration with academia and industry. Title III of
the bill would authorize cybersecurity education and workforce
development initiatives, including competitions and challenges,
the scholarship-for-service program, and a study examining the
education, training, and certification needs of the
cybersecurity workforce. Title IV of the bill would authorize
and expand the work of the NIST-coordinated NICE.
Summary of Provisions
The purpose of S. 1353 is to help improve the security of the
Nation from cyber threats by clarifying NIST's statutory
authority to facilitate and support the development of a set of
voluntary, industry-led standards and best practices to reduce
cyber risks to critical infrastructure. The bill would also
ensure that the Federal Government supports cutting-edge
research, increases public awareness, and improves our
workforce to better address cyber threats.
Title I of the bill would update the existing statutory
authority of NIST to ensure that the agency will, on an ongoing
basis, facilitate and support the development of a voluntary,
industry-led set of standards and best practices to reduce
cyber risks to critical infrastructure. It also would ensure
that the information shared in this process may not be used for
regulatory purposes. The set of standards and best practices
that would be developed through this process must--
be voluntary;
be developed in close and continuous
coordination with industry;
not conflict with or duplicate existing
regulatory requirements;
incorporate voluntary consensus standards
and industry best practices and align with voluntary
international standards; and
be technology neutral.
This section also would call on the Comptroller General of
the United States to assess the progress, voluntary nature, and
adoption of the standards and best practices to reduce cyber
risks to critical infrastructure.
Because of its technical expertise and its well-earned
reputation as an ``honest broker'' in the standards development
process, NIST is particularly well positioned to coordinate the
development of these cybersecurity standards and practices.
NIST's role in the development of standards is not that of a
regulator, but of a convener and facilitator. NIST brings
together knowledgeable players from government and industry and
supports their efforts to build consensus around common
standards. Industries adopt NIST standards because the
standards that emerge from the NIST process consistently have
high technical quality and utility. There are many well-
documented cases where NIST standards have improved the quality
of goods and services produced by U.S. companies while lowering
transaction costs and promoting innovation.\24\ In addition to
the important role it plays in developing standards in the
United States, NIST also actively works to harmonize U.S.-based
standards with international standards.\25\
---------------------------------------------------------------------------
\24\See e.g., Erik Puskar, Selected Impacts of Documentary
Standards Supported by NIST, 2008 Edition, NISTIR 7548, January 2009;
David Leach and John T. Scott, The Economic Impacts of Documentary
Standards: A Case Study of the Flat Panel Display Measurement Standard
(FPDM), CGR G2012-0299, December 2011.
\25\Maureen A. Breitenberg, The ABCs of Standards Activities,
NISTIR 7614, August 2009.
---------------------------------------------------------------------------
Title II of the bill would call for a Federal cybersecurity
research and development plan to be developed by OSTP and the
coordination of research and development activities at NSF,
NIST, other Federal agencies, academia, and the private sector.
The bill also would authorize coordinated research to address
gaps in knowledge preventing the development of secure
technologies. In addition, agencies participating in the NITRD
Program would be tasked with supporting research on the science
of cybersecurity.
Title III of the bill would call for a National Academy of
Sciences study of the current state of higher level
cybersecurity education and professional certification; would
enable support of innovative competitions and challenges under
America COMPETES Act authority to identify, develop, and
recruit talented professionals and to stimulate innovation in
cybersecurity research and development; and would authorize an
existing NSF-led cyber scholarship-for-service program.
Title IV of the bill would call on NIST to continue to
coordinate, in conjunction with other Federal agencies, a
cybersecurity public awareness campaign, initiatives to support
formal cybersecurity education, and an ongoing evaluation and
forecast of the workforce needs of the Federal Government.
Title IV also would require NIST to develop, implement, and
transmit to Congress a strategic plan in support of this
program.
Legislative History
Since Senator Rockefeller became Chairman in early 2009, the
Commerce Committee has devoted significant attention to the
cybersecurity challenges facing the country. Chairman
Rockefeller convened a Committee hearing on March 19, 2009,
entitled, ``Cybersecurity: Assessing Our Vulnerabilities and
Developing an Effective Response.'' On April 1, 2009, Chairman
Rockefeller and Senator Snowe introduced S. 773, the
Cybersecurity Act of 2009. S. 773 would have authorized the
President and certain Federal agencies to take steps to protect
government information systems and critical infrastructure from
cyber attacks. It also would have ordered NIST to develop
cybersecurity standards within one year and promoted
cybersecurity research, training, and awareness.
After a second hearing, entitled ``Cybersecurity: Next Steps
to Protect Our Critical Infrastructure,'' on February 23, 2010,
the Committee favorably reported an amended version of S. 773
on March 24, 2010, by voice vote. Although S. 773 was never
considered on the Senate floor, portions of the legislation
were included in a bipartisan cybersecurity bill, S. 3414, that
the Senate considered during the 112th Congress.
In addition to legislation, in the 112th Congress, the
Committee continued to actively gather information about the
cybersecurity threats to our national and economic security. As
part of this effort, on September 19, 2012, Chairman
Rockefeller wrote letters to the chief executive officers of
the 500 largest companies in the United States requesting
information about the companies' cybersecurity practices and
their view of how the public and private sectors should be
working together to best address cybersecurity risks. More than
300 companies responded to this letter. In a January 28, 2013,
memorandum to Chairman Rockefeller summarizing the responses of
these companies, Committee staff reported that the companies
generally supported strengthening the public-private
partnership to address our country's cybersecurity
vulnerabilities, but were concerned about legislation that
might result in an inflexible, ``one-size-fits-all'' set of
practices that could potentially conflict with existing sector-
specific Federal regulations or slow down companies' responses
to cyber attacks.\26\
---------------------------------------------------------------------------
\26\Memorandum from Democratic Staff to Chairman Rockefeller of the
Senate Commerce, Science and Transportation Committee, January 28,
2013, at http://www.commerce.senate.gov/public/
?a=Files.Serve&File_id=5a85f211-a5c9-4306-9c84-d3a6b88024f6.
---------------------------------------------------------------------------
The Committee's cybersecurity work continued in the 113th
Congress. After President Obama issued an Executive Order
entitled, ``Improving Critical Infrastructure Cybersecurity,''
on February 12, 2013 (Exec. Order No. 13636), the Committee
held a joint hearing with the Committee on Homeland Security
and Governmental Affairs on March 7, 2013, entitled, ``The
Cybersecurity Partnership Between the Private Sector and Our
Government: Protecting Our National and Economic Security.''
This hearing examined the development and implementation of the
February 12 Executive Order and discussed ways government and
industry can work together to protect critical infrastructure
from cyber attacks.
Chairman Rockefeller and Ranking Member Thune introduced S.
1353, the Cybersecurity Act of 2013, on July 24, 2013, and on
July 25, 2013, the Committee held a hearing entitled, ``The
Partnership Between NIST and the Private Sector: Improving
Cybersecurity.'' This hearing focused on the role NIST was
playing in developing the Cybersecurity Framework, called for
in the Executive Order, to reduce cyber risks to critical
infrastructure. The hearing also examined the broader role NIST
plays in developing information security standards and the
clarifications of NIST's authority proposed in S. 1353.
On July 30, 2013, the Committee met in open Executive Session
and, by voice vote, ordered the bill to be reported favorably
with an amendment in the nature of a substitute. Several
amendments--one from Senator Klobuchar, one jointly from
Senator Klobuchar and Senator Blunt, one from Senator Warner,
one from Senator Heinrich, and one from Senator Schatz--were
agreed to as part of the substitute amendment.
Estimated Costs
In accordance with paragraph 11(a) of rule XXVI of the
Standing Rules of the Senate and section 403 of the
Congressional Budget Act of 1974, the Committee provides the
following cost estimate, prepared by the Congressional Budget
Office:
S. 1353--Cybersecurity Act of 2013
Summary: S. 1353 would direct several agencies within the
federal government to take certain actions to facilitate
public-private cooperation on cybersecurity standards, improve
research and development in cybersecurity technologies, and
further education and public awareness on cybersecurity
matters. Several of the bill's requirements pertain to existing
or planned programs and initiatives, while others create new
requirements or expand the scope of existing efforts.
CBO estimates that implementing S. 1353 would cost $56
million over the 2014-2018 period, assuming appropriation of
the necessary amounts. Pay-as-you-go procedures do not apply to
this legislation because it would not affect direct spending or
revenues.
S. 1353 contains no intergovernmental or private-sector
mandates as defined in the Unfunded Mandates Reform Act (UMRA)
and would impose no costs on state, local, or tribal
governments.
Estimated cost to the Federal Government: The estimated
budgetary impact of S. 1353 is shown in the following table.
The costs of this legislation fall within budget functions 250
(general science, space, and technology) and 370 (commerce and
housing credit).
----------------------------------------------------------------------------------------------------------------
By fiscal year, in millions of dollars 2014--
-------------------------------------------------------
2014 2015 2016 2017 2018 2014-2018
----------------------------------------------------------------------------------------------------------------
CHANGES IN SPENDING SUBJECT TO APPROPRIATION
Cybersecurity Standards and Public-Private
Collaboration:
Estimated Authorization Level....................... * 1 * * 1 2
Estimated Outlays................................... * 1 * * 1 2
Cybersecurity Research and Development:
Estimated Authorization Level....................... * 14 13 14 13 55
Estimated Outlays................................... * 2 8 12 12 35
Cybersecurity Education, Training, and Public Awareness:
Estimated Authorization Level....................... 4 4 4 4 4 20
Estimated Outlays................................... 3 4 4 4 4 19
Total Changes:
Estimated Authorization Level................... 5 19 17 18 18 77
Estimated Outlays............................... 4 7 12 16 17 56
----------------------------------------------------------------------------------------------------------------
Note: Components may not sum to totals because of rounding. * = less than $500,000.
Basis of estimate: For this estimate, CBO assumes that the
bill will be enacted early in 2014, the necessary amounts will
be appropriated each year, and spending will follow historical
patterns for similar activities.
Cybersecurity standards and public-private collaboration
Title I would codify certain elements of Executive Order
13636 by directing the National Institute of Standards and
Technology (NIST) to develop a framework of voluntary standards
designed to reduce risks arising from cyberattacks on critical
infrastructure that is privately owned and operated. The agency
expects to spend about $6 million to develop the standards (the
preliminary framework was completed in October 2013) and
anticipates spending a similar amount annually to review and
update the framework as required by the executive order. Based
on information from the agency, CBO estimates that codifying
the requirements of the executive order would not significantly
increase the agency's costs.
Title I also would require the Government Accountability
Office (GAO) to assess progress made by NIST in developing the
framework and the private sector in adopting the standards; GAO
also would be required to prepare a summary of its findings and
report to the Congress every two years. CBO estimates that
implementing this provision would cost $2 million over the
2014-2018 period, assuming the availability of appropriated
funds.
Cybersecurity research and development
Title II would require the Director of the National Science
Foundation (NSF) to review existing infrastructure used to test
cybersecurity technologies within one year of the bill's
enactment. Based on the results of the review, the NSF would be
authorized to award grants to establish additional
infrastructure to test cybersecurity technologies. Based on
information provided by the agency, CBO estimates that
implementing this provision would cost $33 million over the
2014-2018 period, assuming the appropriation of the necessary
amounts.
Title II also would require the Director of the Office of
Science and Technology Policy (OSTP) to develop a federal
cybersecurity research and development plan in consultation
with nonfederal entities. Under the legislation, the director
would be required to update the plan and report to the Congress
every three years. Based on information provided by OSTP, CBO
estimates that implementing this provision would cost about $2
million over the next five years.
Cybersecurity education, training, and public awareness
Title III would require the Director of the NSF to contract
with the National Academy of Sciences (NAS) to conduct a study
of education, training, and certification programs for the
development of professionals in the areas of information
infrastructure and cybersecurity. Based on information from the
NAS, CBO estimates that implementing this provision of title
III would cost $1 million over the 2014-2018 period, assuming
appropriation of the necessary amounts.
Other provisions of title III would require the Director of
the NSF to continue a scholarship-for-service program to train
professionals to meet the cybersecurity needs of federal,
state, local, and tribal governments. This title also would
require several agencies, including the Department of Commerce,
NSF, and the Department of Homeland Security, to support
competitions to identify and recruit individuals to enhance
innovation in basic and applied cybersecurity that can be used
to advance the mission of the agency. Based on information from
those agencies, CBO estimates that implementing those
provisions would not significantly increase discretionary
spending over the 2014-2018 period because those activities are
already occurring under current law.
Title IV would require NIST to continue to coordinate a
national campaign to increase public awareness of cybersecurity
threats. The agency also would be required to develop and
implement a strategic plan to guide federal agencies' support
of the campaign. Based on information from NIST, CBO expects
that implementing those requirements would cost $18 million
over the 2014-2018 period, assuming appropriation of the
necessary amounts, for personnel and administrative costs.
Pay-As-You-Go Considerations: None.
Intergovernmental and private-sector impact: S. 1353
contains no intergovernmental or private-sector mandates as
defined in UMRA and would impose no costs on state, local, or
tribal governments.
Estimate prepared by: Federal costs: Susan Willie and
Martin von Gnechten; Impact on state, local, and tribal
governments: J'nell L. Blanco; Impact on the private sector:
Marin Burnett.
Estimate approved by: Theresa Gullo, Deputy Assistant
Director for Budget Analysis.
Regulatory Impact Statement
In accordance with paragraph 11(b) of rule XXVI of the
Standing Rules of the Senate, the Committee provides the
following evaluation of the regulatory impact of the
legislation, as reported:
NUMBER OF PERSONS COVERED
The bill would require NIST to, on an ongoing basis,
facilitate and support the development of a voluntary,
industry-led set of standards, guidelines, best practices,
methodologies, procedures, and processes to reduce cyber risks
to critical infrastructure. The bill would also authorize
existing research and development activities, support
cybersecurity workforce training and education, and support
efforts to raise public awareness of the cyber threat. The bill
would not subject any individuals or businesses affected by the
bill to any additional regulations, as the product of NIST's
and industry's work is voluntary.
ECONOMIC IMPACT
The bill would not authorize new funding. It is anticipated
that research conducted under the authority of title II and
section 301 of the bill may lead to new technologies and
solutions to evolving cyber threats. Section 302 would have a
positive impact on the availability of qualified cybersecurity
professionals to the Federal Government. Section 401 could also
have a positive impact over time by reducing the number of
individual victims of malicious cyber activities and associated
costs.
PRIVACY
The bill would not have any adverse impact on the personal
privacy of individuals.
PAPERWORK
The bill would not increase paperwork requirements for
private individuals or businesses. The bill would require three
reports from the Federal Government and one study to be carried
out by the National Academy of Sciences on behalf of the
Federal Government.
The first report would be from the Comptroller General of the
United States assessing the progress, voluntary nature, and
adoption of the standards and best practices to reduce cyber
risks to critical infrastructure. This report would be
delivered to the Committee on Commerce, Science, and
Transportation of the Senate, the Committee on Energy and
Commerce of the House of Representatives, and the Committee on
Science, Space, and Technology of the House of Representatives
one year after enactment and every two years thereafter for six
years.
The second report would be a Federal cybersecurity research
and development plan from the Director of OSTP. This plan would
be delivered to the Committee on Commerce, Science, and
Transportation of the Senate and the Committee on Science,
Space, and Technology of the House of Representatives within
one year of enactment and every three years thereafter.
The third report would be a strategic plan for the national
cybersecurity awareness and preparedness campaign from the
Director of NIST. This plan would be delivered to the Committee
on Commerce, Science, and Transportation of the Senate and the
Committee on Science, Space, and Technology of the House of
Representatives within one year of enactment and every five
years thereafter.
The National Academy of Sciences study, supported by the
Director of NSF, the Director of the Office of Personnel
Management (OPM), and the Secretary of Homeland Security, would
be a comprehensive study of government, academic, and private-
sector education, accreditation, training, and certification
programs for the development of professionals in information
infrastructure and cybersecurity. This study would be due to
the President and Congress within one year of enactment, though
it is possible more time may be required for the final draft.
The bill also would require the Director of NSF, in
coordination with the Director of OSTP, to conduct a review of
cybersecurity test beds in existence on the date of enactment.
This review would trigger the awarding of additional grants for
test beds if needed to support the research and testing needs
of the Federal cybersecurity research and development plan. The
Committee envisions further assessments of effectiveness of
these grants to be included in annual budget justifications
after the initial two years given to allow any new test beds to
begin operation.
Congressionally Directed Spending
In compliance with paragraph 4(b) of rule XLIV of the
Standing Rules of the Senate, the Committee provides that no
provisions contained in the bill, as reported, meet the
definition of congressionally directed spending items under the
rule.
Section-by-Section Analysis
Section 1. Short title; table of contents.
This section would provide that the legislation may be cited
as the Cybersecurity Act of 2013. This section would also
provide the table of contents for the legislation.
Section 2. Definitions.
This section would define three key terms.
Section 3. No regulatory authority.
This section would clarify that no regulatory authority is
conferred on any Federal, State, tribal, or local department or
agency by the bill.
TITLE I--PUBLIC-PRIVATE COLLABORATION ON CYBERSECURITY
Sec. 101. Public-private collaboration on cybersecurity.
This section would update the existing statutory authority of
NIST to ensure that NIST would, consistent with existing
authority, on an ongoing basis, facilitate and support the
development of a voluntary, non-regulatory, industry-led set of
standards and best practices to reduce cyber risks to critical
infrastructure. The set of standards and best practices that
would be developed through this process: must be voluntary;
must be developed in close and continuous coordination with
industry; must not conflict with or duplicate existing
regulatory requirements; must incorporate voluntary consensus
standards and industry best practices and align with voluntary
international standards; and must be technology neutral.
The Committee recognizes that several industries are subject
to regulatory requirements, standards, and processes pertaining
to security: therefore, this process must not duplicate
regulatory processes and not conflict with or supercede
requirements, mandatory standards, and related process. This
limitation, however is not intended to prevent NIST from
recognizing existing standards or best practices, or to impose
an obligation upon NIST to resolve possible inconsistencies
among existing standards and best practices that may be
utilized by different entities. The aim of this legislation is
not to create a single, one-size-fits-all standard or set of
standards; rather, it is to identify on an ongoing basis
industry-led standards and best practices that may mitigate
dynamic cyber threats and vulnerabilities. Further, information
shared with NIST in this process or for purposes of this
process may not be used to regulate the activity of any entity.
This section would also require a study and report from the
Comptroller General assessing the progress made by NIST in
facilitating the standards and best practices to reduce cyber
risks to critical infrastructure, the extent to which such
standards are voluntary and their development led by industry
representatives, and the extent to which critical
infrastructure sectors have adopted the voluntary standards and
best practices, among other considerations. The report would be
due to the relevant congressional committees one year after
enactment and every two years thereafter for six years.
TITLE II--CYBERSECURITY RESEARCH AND DEVELOPMENT
Sec. 201. Federal cybersecurity research and development.
This section would call on the Director of OSTP, in
coordination with relevant Federal agencies, to develop a
Federal cybersecurity research and development plan to identify
and prioritize research needed to meet several key objectives,
while recognizing that the Director of OSTP has flexibility in
determining additional objectives. The Director of OSTP may
coordinate with relevant stakeholders, including industry,
academia, and appropriate national laboratories to determine
additional objectives. This section would ensure Federal
research as part of this plan is not duplicative of private
sector efforts. The plan would be updated triennially. This
section would also require the Director of NSF to support
research to inform computer science programs and professional
development, and would add several research areas to NSF's
authority to address gaps in knowledge preventing the
development of secure technologies. This section would also
call on the Director of NSF to evaluate the need for additional
cybersecurity test beds and would authorize the Director of
NSF, the Secretary of Commerce, and the Secretary of Homeland
Security to support further development of test beds if
necessary to meet the needs of the national cybersecurity
research and development plan. This section would also require
the Director of OSTP to coordinate cybersecurity research and
development activities across the Federal Government. Agencies
would also support research on the science of cybersecurity.
Sec. 202. Computer and network security research centers.
This section would amend existing NSF authority to establish
computer and network security research centers, especially
criteria related to selection of new centers which would
conduct research specific to improving security and resiliency
of information infrastructure, reducing cyber vulnerabilities,
and anticipating and mitigating consequences of cyber attacks
on critical infrastructure. New criteria would also include the
ability of research centers to transition new technologies into
the private sector or Federal Government, among others.
Research areas that centers may pursue would be enhanced in
section 201 of the bill.
TITLE III--EDUCATION AND WORKFORCE DEVELOPMENT
Sec. 301. Cybersecurity competitions and challenges.
This section would call on the Secretary of Commerce,
Director of NSF, and Secretary of Homeland Security, in
consultation with the Director of OPM, to support competitions
and challenges to identify, develop, and recruit talented
individuals who could secure government and private sector
information infrastructure, as well as to stimulate innovation
in basic and applied cybersecurity research. This authority
would be derived from section 105 of the America COMPETES
Reauthorization Act of 2010 (P.L. 111-358; 124 Stat. 3989),
which adds section 24 of the Stevenson-Wydler Technology
Innovation Act of 1980 (15 U.S.C. 3719). The participating
agencies would seek the participation of high school,
university, and graduate students, veterans, and other relevant
organizations and individuals. This section would call on
competitions and challenges to focus on certain skill gaps and
would encourage cooperation with existing regional, State,
school, and private sector initiatives.
Sec. 302. Federal cyber scholarship-for-service program.
This section would authorize an existing NSF initiative, in
coordination with the Director of OPM and Secretary of Homeland
Security, to recruit, educate, and develop the next generation
of Federal cybersecurity professionals. NSF would support
scholarships for students enrolled at institutions of higher
education studying for degrees or specialized program
certifications in the cybersecurity field, under which a
recipient would work in the cybersecurity mission of a Federal,
State, local, or tribal agency for a period equal to the length
of the scholarship following receipt of the student's degree.
This section would define agency hiring authority and
eligibility for the scholarship, and provide for repayment of
the scholarship should a recipient fail to meet the terms of
the program as established by the Director of NSF. NSF would
evaluate and report periodically to Congress on the success of
recruiting and retaining scholarship recipients in the public
sector workforce. The Committee believes additional incentives
within existing authority, such as loan repayment programs,
should be considered by Federal agencies to attract and retain
a talented workforce. The Committee will continue to examine
the effectiveness of such incentives.
Sec. 303. Study and analysis of education, accreditation, training, and
certification of information infrastructure and cybersecurity
professionals.
This section would call on the Director of NSF, the Director
of OPM, and the Secretary of Homeland Security to jointly
contract with the National Academy of Sciences for a
comprehensive study of government, academic, and private-sector
education, accreditation, training, and certification programs
for the development of professionals in information
infrastructure and cybersecurity. The study would include an
evaluation of the knowledge needed for professionals to secure
information systems; an assessment of whether existing
education, accreditation, training, and certification programs
provide the necessary body of knowledge; an evaluation of the
state of cybersecurity education at U.S. institutions of higher
education; an analysis of barriers to the Federal Government in
recruiting and hiring cybersecurity talent; and an analysis of
the capacity of U.S. institutions of higher education to
provide current and future cybersecurity professionals to meet
the needs of the Federal Government, State and local entities,
and private sector. The study would be due to the President and
Congress within one year of enactment. The Committee recognizes
that the National Academy of Sciences released a report in
September 2013 entitled ``Professionalizing the Nation's
Cybersecurity Workforce'' and believes that the study in this
section should not duplicate existing or prior work in this
area.
TITLE IV--CYBERSECURITY AWARENESS AND PREPAREDNESS
Sec. 401. National cybersecurity awareness and preparedness campaign.
This section would call on the Director of NIST, in
consultation with relevant Federal agencies, to continue
coordination of a national cybersecurity awareness and
preparedness campaign. This initiative would include a public
awareness media campaign; a campaign to increase the
understanding of State and local government and institutions of
higher education of effective risk management; support for
formal cybersecurity education programs; and initiatives to
evaluate and forecast future cybersecurity workforce needs of
the Federal Government, among others. This section would call
for a strategic plan to guide the awareness and preparedness
campaign.
Changes in Existing Law
In compliance with paragraph 12 of rule XXVI of the Standing
Rules of the Senate, changes in existing law made by the bill,
as reported, are shown as follows (existing law proposed to be
omitted is enclosed in black brackets, new material is printed
in italic, existing law in which no change is proposed is shown
in roman):
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY ACT
[15 U.S.C. 271 et seq.]
SEC. 2. ESTABLISHMENT, FUNCTIONS, AND ACTIVITIES.
[15 U.S.C. 272]
* * * * * * *
(c) Implementation Activities.--In carrying out the functions
specified in subsection (b), the Secretary, acting through the
Director may, among other things--
(1) construct physical standards;
(2) test, calibrate, and certify standards and
standard measuring apparatus;
(3) study and improve instruments, measurement
methods, and industrial process control and quality
assurance techniques;
(4) cooperate with the States in securing uniformity
in weights and measures laws and methods of inspection;
(5) cooperate with foreign scientific and technical
institutions to understand technological developments
in other countries better;
(6) prepare, certify, and sell standard reference
materials for use in ensuring the accuracy of chemical
analyses and measurements of physical and other
properties of materials;
(7) in furtherance of the purposes of this Act,
accept research associates, cash donations, and donated
equipment from industry, and also engage with industry
in research to develop new basic and generic
technologies for traditional and new products and for
improved production and manufacturing;
(8) study and develop fundamental scientific
understanding and improved measurement, analysis,
synthesis, processing, and fabrication methods for
chemical substances and compounds, ferrous and
nonferrous metals, and all traditional and advanced
materials, including processes of degradation;
(9) investigate ionizing and nonionizing radiation
and radioactive substances, their uses, and ways to
protect people structures, and equipment from their
harmful effects;
(10) determine the atomic and molecular structure of
matter, through analysis of spectra and other methods,
to provide a basis for predicting chemical and physical
structures and reactions and for designing new
materials and chemical substances, including
biologically active macromolecules;
(11) perform research on electromagnetic waves,
including optical waves, and on properties and
performance of electrical, electronic, and
electromagnetic devices and systems and their essential
materials, develop and maintain related standards, and
disseminate standard signals through broadcast and
other means;
(12) develop and test standard interfaces,
communication protocols, and data structures for
computer and related telecommunications systems;
(13) study computer systems (as that term is defined
in section 20(d) of this Act) and their use to control
machinery and processes;
(14) perform research to develop standards and test
methods to advance the effective use of computers and
related systems and to protect the information stored,
processed, and transmitted by such systems and to
provide advice in support of policies affecting Federal
computer and related telecommunications systems;
(15) on an ongoing basis, facilitate and support the
development of a voluntary, industry-led set of
standards, guidelines, best practices, methodologies,
procedures, and processes to reduce cyber risks to
critical infrastructure (as defined under subsection
(e));
[(15)] (16) determine properties of building
materials and structural elements, and encourage their
standardization and most effective use, including
investigation of fire-resisting properties of building
materials and conditions under which they may be most
efficiently used, and the standardization of types of
appliances for fire prevention;
[(16)] (17) undertake such research in engineering,
pure and applied mathematics, statistics, computer
science, materials science, and the physical sciences
as may be necessary to carry out and support the
functions specified in this section;
[(17)] (18) compile, evaluate, publish, and otherwise
disseminate general, specific and technical data
resulting from the performance of the functions
specified in this section or from other sources when
such data are important to science, engineering, or
industry, or to the general public, and are not
available elsewhere;
[(18)] (19) collect, create, analyze, and maintain
specimens of scientific value;
[(19)] (20) operate national user facilities;
[(20)] (21) evaluate promising inventions and other
novel technical concepts submitted by inventors and
small companies and work with other Federal agencies,
States, and localities to provide appropriate technical
assistance and support for those inventions which are
found in the evaluation process to have commercial
promise;
[(21)] (22) demonstrate the results of the
Institute's activities by exhibits or other methods of
technology transfer, including the use of scientific or
technical personnel of the Institute for part-time or
intermittent teaching and training activities at
educational institutions of higher learning as part of
and incidental to their official duties; and
[(22)] (23) undertake such other activities similar
to those specified in this subsection as the Director
determines appropriate.
(d) Management Costs.--In carrying out the extramural funding
programs of the Institute, including the programs established
under sections 25, 26, and 28 of this Act, the Secretary may
retain reasonable amounts of any funds appropriated pursuant to
authorizations for these programs in order to pay for the
Institute's management of these programs.
(e) Cyber Risks.--
(1) In general.--In carrying out the activities under
subsection (c)(15), the Director--
(A) shall--
(i) coordinate closely and
continuously with relevant private
sector personnel and entities, critical
infrastructure owners and operators,
sector coordinating councils,
Information Sharing and Analysis
Centers, and other relevant industry
organizations, and incorporate industry
expertise;
(ii) consult with the heads of
agencies with national security
responsibilities, sector-specific
agencies, State and local governments,
the governments of other nations, and
international organizations;
(iii) identify a prioritized,
flexible, repeatable, performance-
based, and cost-effective approach,
including information security measures
and controls, that may be voluntarily
adopted by owners and operators of
critical infrastructure to help them
identify, assess, and manage cyber
risks;
(iv) include methodologies--
(I) to identify and mitigate
impacts of the cybersecurity
measures or controls on
business confidentiality; and
(II) to protect individual
privacy and civil liberties;
(v) incorporate voluntary consensus
standards and industry best practices;
(vi) align with voluntary
international standards to the fullest
extent possible;
(vii) prevent duplication of
regulatory processes and prevent
conflict with or superseding of
regulatory requirements, mandatory
standards, and related processes; and
(viii) include such other similar and
consistent elements as the Director
considers necessary; and
(B) shall not prescribe or otherwise
require--
(i) the use of specific solutions;
(ii) the use of specific information
or communications technology products
or services; or
(iii) that information or
communications technology products or
services be designed, developed, or
manufactured in a particular manner.
(2) Limitation.--Information shared with or provided
to the Institute for the purpose of the activities
described under subsection (c)(15) shall not be used by
any Federal, State, tribal, or local department or
agency to regulate the activity of any entity.
(3) Definitions.--In this subsection:
(A) Critical infrastructure.--The term
``critical infrastructure'' has the meaning
given the term in section 1016(e) of the USA
PATRIOT Act of 2001 (42 U.S.C. 5195c(e)).
(B) Sector-specific agency.--The term
``sector-specific agency'' means the Federal
department or agency responsible for providing
institutional knowledge and specialized
expertise as well as leading, facilitating, or
supporting the security and resilience programs
and associated activities of its designated
critical infrastructure sector in the all-
hazards environment.
CYBER SECURITY RESEARCH AND DEVELOPMENT ACT
[15 U.S.C. 7401 et seq.)
SEC. 4. NATIONAL SCIENCE FOUNDATION RESEARCH.
[15 U.S.C. 7403]
(a) Computer and network security research grants.--
(1) In general.--The Director shall award grants for
basic research on innovative approaches to the
structure of computer and network hardware and software
that are aimed at enhancing computer security. Research
areas may include--
(A) authentication, cryptography, and other
secure data communications technology;
(B) computer forensics and intrusion
detection;
(C) reliability of computer and network
applications, middleware, operating systems,
control systems, and communications
infrastructure;
(D) privacy and confidentiality;
(E) network security architecture, including
tools for security administration and analysis;
(F) emerging threats;
(G) vulnerability assessments and techniques
for quantifying risk;
(H) remote access and wireless security;
[and]
(I) enhancement of law enforcement ability to
detect, investigate, and prosecute cyber-
crimes, including those that involve piracy of
intellectual property[.] ;
(J) secure fundamental protocols that are
integral to inter-network communications and
data exchange;
(K) secure software engineering and software
assurance, including--
(i) programming languages and systems
that include fundamental security
features;
(ii) portable or reusable code that
remains secure when deployed in various
environments;
(iii) verification and validation
technologies to ensure that
requirements and specifications have
been implemented; and
(iv) models for comparison and
metrics to assure that required
standards have been met;
(L) holistic system security that--
(i) addresses the building of secure
systems from trusted and untrusted
components;
(ii) proactively reduces
vulnerabilities;
(iii) addresses insider threats; and
(iv) supports privacy in conjunction
with improved security;
(M) monitoring and detection;
(N) mitigation and rapid recovery methods;
(O) security of wireless networks and mobile
devices; and
(P) security of cloud infrastructure and
services.
(2) Merit review; competition.--Grants shall be
awarded under this section on a merit-reviewed
competitive basis.
(3) Authorization of appropriations.--There are
authorized to be appropriated to the National Science
Foundation to carry out this subsection--
(A) $35,000,000 for fiscal year 2003;
(B) $40,000,000 for fiscal year 2004;
(C) $46,000,000 for fiscal year 2005;
(D) $52,000,000 for fiscal year 2006; and
(E) $60,000,000 for fiscal year 2007.
(b) Computer and Network Security Research Centers.--
(1) In general.--The Director shall award multiyear
grants, subject to the availability of appropriations,
to institutions of higher education, nonprofit research
institutions, or consortia thereof to establish
multidisciplinary Centers for Computer and Network
Security Research. Institutions of higher education,
nonprofit research institutions, or consortia thereof
receiving such grants may partner with 1 or more
government laboratories or for-profit institutions, or
other institutions of higher education or nonprofit
research institutions.
(2) Merit review; competition.--Grants shall be
awarded under this subsection on a merit-reviewed
competitive basis.
(3) Purpose.--The purpose of the Centers shall be to
generate innovative approaches to computer and network
security by conducting cutting-edge, multidisciplinary
research in computer and network security, including
[the research areas] improving the security and
resiliency of information infrastructure, reducing
cyber vulnerabilities, and anticipating and mitigating
consequences of cyber attacks on critical
infrastructure, by conducting research in the areas
described in subsection (a)(1).
(4) Applications.--An institution of higher
education, nonprofit research institution, or consortia
thereof seeking funding under this subsection shall
submit an application to the Director at such time, in
such manner, and containing such information as the
Director may require. The application shall include, at
a minimum, a description of--
(A) the research projects that will be
undertaken by the Center and the contributions
of each of the participating entities;
(B) how the Center will promote active
collaboration among scientists and engineers
from different disciplines, such as computer
scientists, engineers, mathematicians, and
social science researchers;
(C) how the Center will contribute to
increasing the number and quality of computer
and network security researchers and other
professionals, including individuals from
groups historically underrepresented in these
fields; and
(D) how [the center] the Center will
disseminate research results quickly and widely
to improve cyber security in information
technology networks, products, and services.
(5) Criteria.--In evaluating the applications
submitted under paragraph (4), the Director shall
consider, at a minimum--
(A) the ability of the applicant to generate
innovative approaches to computer and network
security and effectively carry out the research
program;
(B) the experience of the applicant in
conducting research on computer and network
security and the capacity of the applicant to
foster new multidisciplinary collaborations;
(C) the capacity of the applicant to attract
and provide adequate support for a diverse
group of undergraduate and graduate students
and postdoctoral fellows to pursue computer and
network security research; [and]
(D) the extent to which the applicant will
partner with government laboratories, for-
profit entities, other institutions of higher
education, or nonprofit research institutions,
and the role the partners will play in the
research undertaken by the Center[.] ;
(E) the demonstrated capability of the
applicant to conduct high performance
computation integral to complex computer and
network security research, through on-site or
off-site computing;
(F) the applicant's affiliation with private
sector entities involved with industrial
research described in subsection (a)(1);
(G) the capability of the applicant to
conduct research in a secure environment;
(H) the applicant's affiliation with existing
research programs of the Federal Government;
(I) the applicant's experience managing
public-private partnerships to transition new
technologies into a commercial setting or the
government user community;
(J) the capability of the applicant to
conduct interdisciplinary cybersecurity
research, basic and applied, such as in law,
economics, or behavioral sciences; and
(K) the capability of the applicant to
conduct research in areas such as systems
security, wireless security, networking and
protocols, formal methods and high-performance
computing, nanotechnology, or industrial
control systems.
(6) Annual meeting.--The Director shall convene an
annual meeting of the Centers in order to foster
collaboration and communication between Center
participants.
(7) Authorization of appropriations.--There are
authorized to be appropriated for the National Science
Foundation to carry out this subsection--
(A) $12,000,000 for fiscal year 2003;
(B) $24,000,000 for fiscal year 2004;
(C) $36,000,000 for fiscal year 2005;
(D) $36,000,000 for fiscal year 2006; and
(E) $36,000,000 for fiscal year 2007.
[all]