marked up and reported (as amended) by the Research and Science Education Subcommittee on September 23, 2009
and
Section-by-Section
I. Purpose
The purpose of the Cybersecurity Research and Development Amendments Act of 2009 is to improve the coordination and prioritization of federal cybersecurity research and development activities, to strengthen the cybersecurity workforce, and to reauthorize cybersecurity related programs at the National Science Foundation.
The purpose of the Cybersecurity Coordination and Awareness Act of 2009 is to authorize the Director of the National Institute of Standards and Technology (NIST) to coordinate United States Government representation in international cybersecurity technical standards development. The bill also tasks NIST to develop and implement a cybersecurity awareness and education program, increase development focus on identity management technical standards, and reinforce work currently being done in security specifications for government information systems.
II. Background and Need for the Legislation
Information technology (IT) has evolved rapidly over the last decade, leading to markedly increased connectivity and productivity. The benefits provided by these advancements have led to the widespread use and incorporation of information technologies across major sectors of the economy. This level of connectivity and the dependence of our critical infrastructures on IT have also increased the vulnerability of these systems. Reports of cyber criminals and nation-states accessing sensitive information and disrupting services have risen steadily over the last decade, heightening concerns over the adequacy of our cybersecurity measures.
According to the Office of Management and Budget, Federal agencies spend $6 billion annually on cybersecurity to protect a $72 billion IT infrastructure. In addition, the Federal government funds $356 million in cybersecurity research each year. Despite this spending, the Government Accountability Office continues to report that the U.S. IT infrastructure is vulnerable to attack and that the Federal agencies tasked with its protection are not fulfilling their responsibilities.
On May 29, 2009, the Obama Administration released a 60-day review of cyberspace policies across the federal government. The document details a number of near-term and mid-term action plans and states that it will not only take increased organization and coordination within the Federal government, but also extensive public-private partnerships and international collaboration to achieve these recommendations.
Specifically, the review recommends the development of an R&D framework that focuses on strategies for innovative technologies with the potential to enhance the security, reliability, resilience, and trustworthiness of the digital infrastructure. In the mid-term, it recommends that federal agencies expand support for R&D to ensure the Nation’s continued ability to compete in the information age economy.
The task of coordinating unclassified cybersecurity R&D lies with the Networking and Information Technology Research and Development (NITRD) program, which was originally authorized in statute by the High-Performance Computing Act of 1991 (P.L. 102-194). The NITRD program, which consists of 13 federal agencies, coordinates a broad spectrum of R&D activities related to information technology. It also includes an interagency working group and program component area focused specifically on cybersecurity and information R&D.
At a Technology and Innovation Subcommittee hearing on Thursday, October 22, witnesses discussed ways NIST can act on three of the Cyberspace Policy Review recommendations. The first of the Cyberspace Policy Review recommendations calls for a single entity to coordinate United States government representation for cybersecurity technical standards and develop an engagement plan for use with international standards bodies. Currently, the United States is represented by an array of organizations including the Department of State, Department of Commerce, Federal Communications Commission, and the United States Trade Representative. There needs to be a central coordinating strategy to guide the activities of these representatives and address the convergence of telecommunication, internet, and video devices and the inclusion of IT in the U.S. infrastructure (Healthcare IT and SmartGrid).
The second Cyberspace Policy Review recommendation is to address the need for a cybersecurity awareness and education campaign. Experts have stated that NIST’s technical standards and best practices are too highly technical for widespread use, and making this information usable by average internet users with less technical expertise will help raise the base level of cybersecurity knowledge among individuals, business, education, and government.
The third recommendation relates to the need to increase efforts in developing identity management systems. Identity management systems identify an individual for purposes of controlling access to resources, physical areas, or information (e.g. passwords, key cards, or biometrics). The Cyberspace Policy Review states that cybersecurity cannot be improved without first improving identity management. NIST currently has programs in identity management systems such as biometrics, but improvements need to be made in the interoperability and usability of these systems to encourage their growth and adoption.
In the 107th Congress, the Science and Technology Committee developed the Cyber Security Research and Development Act (P.L. 107-305). The bill created new programs and expanded existing programs at the National Science Foundation (NSF) and the National Institute of Standards and Technology (NIST) for computer and network security. The authorizations established under the Cyber Security Research and Development Act expired in fiscal year 2007.
III. Subcommittee Actions
Cybersecurity Research and Development Amendments Act of 2009
The Subcommittee on Research and Science Education heard testimony in the 111th Congress relevant to the activities authorized in the bill at hearings held on June 10 and June 16, 2009. During the first hearing, the Subcommittee focused on priorities and existing gaps in the cybersecurity research portfolio, as well as the adequacy of cybersecurity education and workforce training programs. The Subcommittee heard from witnesses from academia and the private sector, including: 1) Dr. Seymour Goodman, Professor of International Affairs and Computing and Co-Director, Georgia Tech Information Security Center, Georgia Institute of Technology; 2) Ms. Liesyl Franz, Vice President, Information Security and Global Public Policy, TechAmerica; 3) Dr. Anita D’Amico, Director, Secure Decisions Division, Applied Visions, Inc.; 4) Dr. Fred Schneider, Samuel B. Eckert Professor of Computer Science, Department of Computer Science, Cornell University; 5) Mr. Timothy Brown, Vice President and Chief Architect, CA Security Management.
On June 16, 2009, the Subcommittee on Research and Science Education and the Subcommittee on Technology and Innovation held a joint hearing entitled “Agency Response to Cyberspace Policy Review.” The hearing reviewed the response of the Department of Homeland Security, the National Institute of Standards and Technology, the National Science Foundation, and the Defense Advanced Research Projects Agency to the findings and recommendations in the Administration’s 60-day Cyberspace Policy Review.
The Subcommittee on Research and Science Education met to consider the Cybersecurity Research and Development Amendments Act of 2009 on September 23, 2009 and considered the following amendments to the bill:
- Mr. Lipinski offered an amendment to reauthorize NSF’s cybersecurity research centers program, and to clarify the responsibilities and requirements of scholarship recipients and awardee institutions in the monitoring and reporting of information related to a scholarship recipient’s service obligation. The amendment was agreed to by a voice vote.
- Ms. Johnson offered an amendment requiring that the strategic plan describe how the program will increase the diversity of the cybersecurity workforce and specifying that the goal of promoting diversity be considered in the selection of scholarship recipients. The amendment was agreed to by a voice vote.
Mr. Lipinski moved that the Subcommittee favorably report the bill, as amended, to the full Committee. The motion was agreed to by a voice vote.
Cybersecurity Coordination and Awareness Act of 2009
On October 22, 2009, the Subcommittee on Technology and Innovation held a hearing entitled “Cybersecurity Activities at NIST’s Information Technology Laboratories.” The hearing examined the recommendations made in the Cyberspace Policy Review. Six witnesses testified: Ms. Cita Furlani, Director, Information Technology Laboratory, NIST; Dr. Susan Landau, Distinguished Engineer, Sun Microsystems; Professor Fred Schneider, Samuel B. Eckert Professor, Computer Science, Cornell University; Dr. Phyllis Schneck, Vice President, Threat Intelligence, McAfee; Mr. William Wyatt Starnes, Founder and CEO, SignaCert, Inc.; Mr. Mark Bohannon, General Counsel and Senior Vice President, Public Policy, Software and Information Industry Association.
During the hearing, the witnesses highlighted three recommendations for NIST from the review: 1) NIST should coordinate a US federal representation for international cybersecurity technical standards development because it has the technical expertise required, it is a non-regulatory agency, and is internationally respected; 2) NIST should carry out a cybersecurity awareness campaign; and 3) NIST should increase efforts in the area of identity management.
The Technology and Innovation Subcommittee met to consider the Cybersecurity Coordination and Awareness Act of 2009 on November 4, 2009. The Subcommittee considered a joint manager’s amendment offered by Representatives Wu and Smith, which was agreed to by a voice vote.
Mr. Wu moved that the Subcommittee favorably report the bill, as amended, to the full Committee with the recommendation that the bill pass. The motion was agreed to by a voice vote.
IV. Summary of Major Provisions of the Prints
Cybersecurity Research and Development Amendments Act of 2009
The bill requires that the agencies participating in the NITRD program develop a strategic plan to guide the overall direction of federal cybersecurity and information assurance R&D. It requires the agencies to solicit recommendations and advice from the advisory committee and a wide range of stakeholders and that they develop an implementation roadmap for the strategic plan.
The bill reauthorizes cybersecurity workforce and traineeship programs at NSF, including through the Advanced Technological Education program, the Integrative Graduate Education and Research Traineeship program and the Graduate Research Fellowship program. It also requires that the President conduct an assessment of cybersecurity workforce needs across the federal government and formally authorizes NSF to carry out the Scholarship for Service program.
Additionally, the bill reauthorizes cybersecurity research at NSF, including through the Trustworthy Computing program and it requires that the Director of the Office of Science and Technology Policy convene a university-industry task force to explore mechanisms for carrying out collaborative R&D.
Cybersecurity Coordination and Awareness Act of 2009
The Cybersecurity Coordination and Awareness Act directs NIST to develop and implement a proactive plan to ensure a coordinated United States Government engagement in international cybersecurity technical standards development. This plan is due to Congress within one year of enactment.
NIST is also required to deliver a plan to Congress, within 90 days of enactment, describing how it will develop and implement a cybersecurity awareness and education program. NIST is to collaborate with relevant federal agencies, industry and educational institutions in developing this program. The purpose of the program is to disseminate cybersecurity best practices and standards and to make these standards and practices usable by individuals, small to medium-sized businesses, state and local governments and educational institutions. NIST is also directed to utilize established Manufacturing Extension Partnership networks (under section 25 of the NIST Act), to the extent appropriate, to make cybersecurity information available to small manufacturing companies.
The bill directs NIST to engage in research and development programs to improve identity management systems. The programs have the goals of improving interoperability among identity management technologies, strengthening authentication methods, and improving privacy protection.
The bill amends section 8(c) of the Cyber Security Research and Development Act (15 U.S.C. 7406(c)) by requiring the Director of NIST to develop or identify, and revise or adapt as necessary, checklists, configuration profiles, and deployment recommendations for products and protocols that minimize the security risks associated with each hardware or software system used by the Federal Government.