Congressional Record: January 28, 2002 (Senate)
Page S176-S183                      



 
          STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS

      By Mr. EDWARDS:
  S. 1900. A bill to protect against cyberterrorism and cybercrime, and 
for other purposes; to the Committee on Commerce, Science, and 
Transportation.
                                 ______
                                 
      By Mr. EDWARDS:
  S. 1901. A bill to authorize the National Science Foundation and the 
National Security Agency to establish programs to increase the number 
of qualified faculty teaching advanced courses conducting research in 
the field of cybersecurity, and for other purposes; to the Committee on 
Health, Education, Labor, and Pensions.
  Mr. EDWARDS. Mr. President, since the horrifying events of September 
11, our country's number one priority has been to secure our families 
against the scourge of terrorism.
  First, in our hearts, of course, are the men and women on the 
frontlines of the fight: the soldiers fighting for freedom half a world 
away; the firefighters and police officers in New York; the postal 
workers here in Washington.
  Those of us elected to serve in Washington have a special 
responsibility to protect our security. To discharge that duty, I have 
been working with my colleagues here in the Senate. We have made a 
great deal of progress, but there's a lot more work to do.
  After a long debate, Congress passed and the President signed 
important legislation, based partly on a bill I introduced, to tighten 
security in our airports. But we have to do more.
  There are several bills that I have helped author that are working 
their way through Congress. Two of these bills, to tighten security at 
seaports and to protect against bioterrorism, have already passed the 
Senate and are awaiting action in the House. Another bill, to tighten 
our border security, should reach the Senate floor soon. All three 
should be enacted quickly. You can be sure our enemies are not waiting 
for us to act.
  One of the greatest challenges in the struggle for security is to 
prepare for the next attack, not just the last one. We have seen how 
vicious thugs can destroy innocent life with airplanes, how they can 
terrorize ordinary people with biological weapons. We are responding to 
those threats. But what about threats whose awful consequences we 
haven't yet felt?
  Today I want to talk about one of those threats: the threat of 
"cyberterrorism", an attack against the computer networks upon which 
our safety and economy now depend. Computers have become a foundation 
of our electricity, oil, gas, water, telephones, emergency services, 
and banks, not to mention our national defense apparatus.
  Computer networks have brought extraordinary improvements in the way 
we live and work. We communicate more often, more quickly, more 
cheaply. With the push of a button in a classroom or a bedroom, our 
children can get more information than most libraries have ever held.
  Yet there is a dark side to the internet, a new set of dangers. 
Today, if you ask an expert quietly, he or she will tell you that 
cyberspace is a very vulnerable place. Terrorists could cause terrible 
harm. They might be able to stop all traffic on the internet. Shut down 
power for entire cities for extended periods. Disrupt our phones. 
Poison our water. Paralyze our emergency services--police, 
firefighters, ambulances. The list goes on. We now live in a world 
where a terrorist can do as much damage with a keyboard and a modem as 
with a gun or a bomb.

  Already, one hacker has broken into a computer-controlled waste 
management system and caused millions of gallons of raw sewage to spill 
into parks, rivers, and private property. You probably haven't heard 
about this attack because it occurred in Australia. But imagine if 
terrorists launched calculated, coordinated attacks on America.
  Our enemies are already targeting our networks. After September 11, a 
Pakistani group hacked into two government web services, including one 
at the Department of Defense, and declared a "cyber jihad" against 
the United States. Another series of attacks, known as "Moonlight 
Maze," assaulted the Pentagon, Department of Energy, and NASA, and 
obtained vast quantities of technical defense research. To date, we can 
be thankful that these attacks have not been terribly sophisticated. 
But that could change soon. As the Defense Science Board recently 
stated, the U.S. will eventually be attacked "by a sophisticated 
adversary using an effective array of information warfare tools and 
techniques. Two choices are available: adapt before the attack or 
afterward."
  In addition, cybercrime is already a billion-dollar drain on our 
economy, a drain growing larger each year. In 1955, one survey reported 
that losses from FBI-reported computer crime had already reached $2 
billion. Last year, the "ILOVEYOU" virus alone caused $8.7 billion in 
damage worldwide, much of it here. Cyberattacks have shut down major 
web sites like Yahoo! and eBay, not to mention the FBI. According to a 
recent survey, 85 percent of large corporations and government agencies 
detected computer security breaches over the prior 12 months. Two 
thirds suffered financial losses as a result.
  So the danger is clear, and the only question is how we address it. I 
think we need to address it in many ways. Today I want to focus on just 
two that are especially critical.
  The first is to encourage computer users to take proven measures to 
protect themselves. In the industry, these proven measures are known as 
"best practices"--steps like using customized passwords, not the ones 
that come with software, or promptly installing known "patches" to 
keep intruders out.
  The National Academy of Sciences recently reported that cybersecurity 
today is far worse than what known best practices can provide. As a 
result, viruses have shut down tens of thousands of machines even after 
patches to block them were widely available. Because the password 
protections on some systems are so weak, intruders have taken the 
"routers" that control Internet traffic hostage. And the government 
is as guilty as anyone. According to the report card issued by a member 
of the House of Representatives, most government agencies rate between 
a "D" and an "F" on cybersecurity. Improving our security by 
implementing existing best practices is our first big task.
  Our second challenge is to train more researchers, teachers, and 
workers to fight cyberthreats. Today the private sector engages in some 
short-term R&D on cybersecurity. But broader research and knowledge 
needs aren't being met. In addition, our workforce in cybersecurity is 
woefully inadequate, especially in academia. Each year, American 
universities award Ph.D.'s in computer science to about one thousand 
people each year. But less than one-half of one-percent specialize in 
cybersecurity, and fewer still go on to train others in the discipline. 
As Dr. Bill Chu, Chairman of the Software and Information Systems 
Department at the University of North Carolina at Charlotte and one of 
the country's leading experts on cybersecurity puts it: "The weakest 
link . . .  is the lack of qualified information security 
professionals. The majority of information technology professionals in 
this country have not been trained in the basics of information 
security. Information technology faculty in most universities do not 
have sufficient background to properly train students."
  As a whole, the challenge of cybersecurity is not unlike the 
challenge of a terrible disease like cancer. First, we have to 
encourage everyone to do what they can to reduce the risk of disease--
don't smoke, eat right, exercise. That is what cybersecurity "best 
practices" like changing passwords are all about. Second, we have to 
make sure we have got top-notch scientists working to find new 
medicines to prevent and fight the disease. And that is why we need 
more cyber teachers and researchers.
  To tackle these two challenges, I'm proud today to introduce two new 
bills that will support an intensive, $400 million cybersecurity effort 
over the next five years. The first bill is called the Cyberterrorism 
Preparedness Act of 2002.
  That bill's first step is to establish a new, nonprofit, 
nongovernment, consortium of academic and private sector experts to lay 
out a clear set of "best practices" that protect against cyberattack. 
The White House Office of Science and Technology Policy, the Institute 
for Defense Analyses, and the President's Committee of Advisors on 
Science and Technology have all recommended a new, nonprofit 
cybersecurity consortium. Such a consortium can work closely with the 
private sector, unfettered by bureaucracy, in a way that all the 
country can see and learn from.

  The goals of the consortium are simple: first, the establishment of 
"best practices" that are tailored to different computer systems and 
needs; second, the widest possible dissemination of those practices; 
and third, long-term, multi-disciplinary research on cybersecurity--
research that isn't occurring now.
  The second part of the Cyberterrorism Preparedness Act will implement 
"best practices" for government systems. The government has a duty to 
lead by example, something we aren't doing right now. And so, within 6 
months after this Act passed, the National Institute of Standards and 
Technology would immediately begin the process of implementing best 
practices for government agencies, beginning with small-scale tests and 
concluding with government-wide adoption of the recommended best 
practices.
  The last part of my bill will assess the issue of best practices for 
the private sector. While the bill doesn't impose new mandates beyond 
the government, it does require careful consideration of how to 
encourage the widest possible use of known best practices. There's a 
particular focus on entities that do business with the Federal 
Government as grantees or contractors. Government agencies should not 
be exposed to security vulnerabilities in the products supplied by 
these companies. And Federal dollars should not be flowing to firms 
that expose America to cyberterrorism. So the new consortium would be 
required to study whether and how government could condition grants and 
contracts on the adoption of cybersecurity best practices. The 
President is authorized to implement recommendations from that study.
  The Cyberterrorism Preparedness Act will address the first goal of 
cybersecurity--making sure we're taking the steps we already know to 
improve our security. The second bill I am introducing today--the 
Cybersecurity Research and Education Act--focuses on our second task: 
"training the trainers" and increasing the number of researchers, 
teachers, and workers committed to cybersecurity.
  First, the bill establishes a Cybersecurity Graduate Fellowship 
Program at the National Science Foundation. Individuals selected to 
participate in the program will receive a loan that covers the full 
tuition and fees as well as a living stipend for 4 years of doctoral 
study. Upon graduation, these loans will be forgiven at 20 percent per 
year for each year that the individual teaches at a college or 
university. After only 5 years of teaching, the entire loan will be 
paid off. That way, we can ensure that the money we invest in these 
promising young scientists will be used to train others interested in 
cybersecurity.

  Second, my bill also establishes a competitive sabbatical for 
Distinguished Faculty in Cybersecurity. Under the program, a qualified 
faculty member will receive a stipend to spend a year working and 
researching at the Department of Defense, a university specializing in 
cybersecurity, or some other appropriate facility. Universities sending 
faculty on sabbatical will receive funding to hire a temporary 
replacement instructor. In addition, when the faculty member returns, 
the university will get a generous grant to enhance its cybersecurity 
infrastructure needs. For example, the university could purchase 
advanced computing equipment and hire graduate research assistants. 
Participants in this program will have a unique opportunity to engage 
in cutting-edge research with some of the best minds in the country. 
When they return to their schools, these faculty will be even better 
equipped to advance the state of cybersecurity education.
  Third, this bill will create a Cybersecurity Awareness, Training, and 
Education Program at the National Security Agency. NSA has a strong 
history of supporting cybersecurity education, as exemplified through 
initiatives such as the Centers of Excellence program and the National 
Colloquium for Information Systems Security Education. The program I 
propose would build on NSA's expertise and would enable the agency to 
make grants to universities specializing in cybersecurity. The grants 
could be used for projects like teaching basic computer security to 
K-12 teachers, or for the development of a "virtual university." 
Students who don't have access to nearby course offerings would then be 
able to take 
cybersecurity classes online.
  All of these programs are critical in our fight against 
cyberterrorism. A strong and vibrant academic community is essential 
for building the trained workforce of tomorrow. We must be committed to 
funding long-term research. And we must vigilantly maintain basic 
cybersecurity protections in government, while promoting them in the 
private sector.
  When it comes to the threat of a sophisticated, coordinated 
cyberterrorist attack, the question most likely is not whether such an 
attack will come. The question is when. And so we must be prepared to 
fight against a "cyberjihad," and we must be prepared to win.
  I ask unanimous consent that the text of my two bills be printed in 
the Record.
  There being no objection, the bills were ordered to be printed in the 
Record, as follows:

                                S. 1900

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the "Cyberterrorism Preparedness 
     Act of 2002".

     SEC. 2. GRANT FOR PROGRAM FOR PROTECTION OF INFORMATION 
                   INFRASTRUCTURE AGAINST DISRUPTION.

       (a) In General.--The National Institute of Standards and 
     Technology shall, using amounts authorized to be appropriated 
     by section 5, award a grant to a qualifying nongovernmental 
     entity for purposes of a program to support the development 
     of appropriate cybersecurity best practices, support long-
     term cybersecurity research and development, and perform 
     functions relating to such activities. The purpose of the 
     program shall be to provide protection for the information 
     infrastructure of the United States against terrorist or 
     other disruption or attack or other unwarranted intrusion.
       (b) Qualifying Nongovernmental Entity.--For purposes of 
     this section, a qualifying nongovernmental entity is any 
     entity that--
       (1) is a nonprofit, nongovernmental consortium composed of 
     at least three academic centers of expertise in cybersecurity 
     and at least three private sector centers of expertise in 
     cybersecurity;
       (2) has a board of directors of at least 12 members who 
     include senior administrators of academic centers of 
     expertise in cybersecurity and senior managers of private 
     sector centers of expertise in cybersecurity and of whom not 
     more than one third are affiliated with the centers 
     comprising the consortium;
       (3) is operated by individuals from academia, the private 
     sector, or both who have--
       (A) a demonstrated expertise in cybersecurity; and
       (B) the capacity to carry out the program required under 
     subsection (g);
       (4) has in place a set of rules to ensure that conflicts of 
     interest involving officers, employees, and members of the 
     board of directors of the entity do not undermine the 
     activities of the entity;
       (5) has developed a detailed plan for the program required 
     under subsection (g); and
       (6) meets any other requirements established by the 
     National Institute of Standards and Technology for purposes 
     of this Act.
       (c) Application.--Any entity seeking a grant under this 
     section shall submit to the National Institute of Standards 
     and Technology an application therefor, in such form and 
     containing such information as the National Institute for 
     Standards and Technology shall require.
       (d) Selection of Grantee.--The entity awarded a grant under 
     this section shall be selected after full and open 
     competition among qualifying nongovernmental entities.
       (e) Dispersal of Grant Amount.--Amounts available for the 
     grant under this section pursuant to the authorization of 
     appropriations in section 5 shall be dispersed on a fiscal 
     year basis over the five fiscal years beginning with fiscal 
     year 2003.
       (f) Consultation.--In carrying out activities under this 
     section, including selecting an entity for the award of a 
     grant, dispersing grant amounts, and overseeing activities of 
     the entity receiving the grant, the National Institute of 
     Standards and Technology--
       (1) shall consult with an existing interagency entity, or 
     new interagency entity, consisting of the elements of the 
     Federal Government having a substantial interest and 
     expertise in cybersecurity and designated by the President 
     for purposes of this Act; and
       (2) may consult separately with any such element of the 
     Federal Government.
       (g) Program Using Grant Amount.--
       (1) In general.--The entity awarded a grant under this 
     section shall carry out a national program for the purpose of 
     protecting the information infrastructure of the United 
     States against disruption. The program shall consist of--
       (A) multi-disciplinary research and development to identify 
     appropriate cybersecurity best practices, to measure the 
     effectiveness of cybersecurity best practices that are put 
     into use, and to identify sound means to achieve widespread 
     use of appropriate cybersecurity best practices that have 
     proven effective;
       (B) multi-disciplinary, long-term, or high-risk research 
     and development (including associated human resource 
     development) to improve cybersecurity; and
       (C) the activities required under paragraphs (3) and (4).
       (2) Conduct of research and development.--
       (A) In general.--Except as provided in subparagraph (B), 
     research and development under subparagraphs (A) and (B) of 
     paragraph (1) shall be carried out using funds and other 
     support provided by the grantee to entities selected by the 
     grantee after full and open competition among entities 
     determined by the grantee to be qualified to carry out such 
     research and development.
       (B) Conduct by grantee.--The grantee may carry out research 
     and development referred to in subparagraph (A) in any fiscal 
     year using not more than 15 percent of the amount dispersed 
     to the grantee under this Act in such fiscal year by the 
     National Institute of Standards and Technology.
       (3) Recommendations on cybersecurity best practices.--
       (A) Recommendations.--Not later than 18 months after the 
     selection of the grantee under this section, the grantee 
     shall prepare a report containing recommendations for 
     appropriate cybersecurity best practices.
       (B) Updates.--The grantee shall update the recommendations 
     made under subparagraph (A) not less often than once every 
     six months, and may update any portion of such 
     recommendations more frequently if the grantee determines 
     that circumstances so require.
       (C) Considerations.--In making recommendations under 
     subparagraph (A), and any update of such recommendations 
     under subparagraph (B), the grantee shall--
       (i) review the most current cybersecurity best practices 
     identified by the National Institute of Standards and 
     Technology under section 3(a); and
       (ii) consult with--

       (I) the entities carrying out research and development 
     under paragraph (1)(A);
       (II) entities employing cybersecurity best practices; and
       (III) a wide range of academic, private sector, and public 
     entities.

       (D) Dissemination.--The grantee shall submit the report 
     under subparagraph (A), and any update of the report under 
     paragraph (B), to the bodies and officials specified in 
     paragraph (5), and shall widely disseminate the report, and 
     any such update, among government (including State and local 
     government), private, and academic entities.
       (4) Activities relating to widespread use of cybersecurity 
     best practices.--
       (A) In general.--Not later than two years after the 
     selection of the grantee under this section, the grantee 
     shall submit to the bodies and officials specified in 
     paragraph (5) a report containing--
       (i) an assessment of the advisability of requiring the 
     contractors and grantees of the Federal Government to use 
     appropriate cybersecurity best practices; and
       (ii) recommendations for sound means to achieve widespread 
     use of appropriate cybersecurity best practices that have 
     proven effective.
       (B) Report elements.--The report under subparagraph (A) 
     shall set forth--
       (i) whether or not the requirement described in 
     subparagraph (A)(i) is advisable, including whether the 
     requirement would impose undue or inappropriate burdens, or 
     other inefficiencies, on contractors and grantees of the 
     Federal Government;
       (ii) if the requirement is determined advisable--

       (I) whether, and to what extent, the requirement should be 
     subject to exceptions or limitations for particular 
     contractors or grantees, including the types of contractors 
     or grantees and the nature of the exceptions or limitations; 
     and
       (II) which cybersecurity best practices should be covered 
     by the requirement and with what, if any, exceptions or 
     limitations; and

       (iii) any other matters that the grantee considers 
     appropriate.
       (5) Specified bodies and officials.--The bodies and 
     officials specified in this paragraph are as follows:
       (A) The appropriate committees of Congress.
       (B) The President.
       (C) The Director of the Office of Management and Budget.
       (D) The National Institute of Standards and Technology.
       (E) The interagency entity designated by the President 
     under subsection (f)(1).
       (h) Grant Administration.--
       (1) Use of grant competition and management systems.--The 
     National Institute of Standards and Technology may permit the 
     entity awarded the grant under this section to utilize the 
     grants competition system and grants management system of the 
     National Institute of Standards and Technology for purposes 
     of the efficient administration of activities by the entity 
     under subsection (g).
       (2) Rules.--The National Institute of Standards and 
     Technology shall establish any rules and procedures that the 
     National Institute of Standards and Technology considers 
     appropriate to further the purposes of this section. Such 
     rules may include provisions relating to the ownership of any 
     intellectual property created by the entity awarded the grant 
     under this section or funded by the entity 
     under subsection (g).
       (i) Supplement Not Supplant.--The National Institute of 
     Standards and Technology shall take appropriate actions to 
     ensure that activities under this section supplement, rather 
     than supplant, other current governmental and nongovernmental 
     efforts to protect the information infrastructure of the 
     United States.

     SEC. 3. APPROPRIATE CYBERSECURITY BEST PRACTICES FOR THE 
                   FEDERAL GOVERNMENT.

       (a) NIST Recommendations.--
       (1) In general.--Not later than 180 days after the date of 
     the enactment of this Act, the National Institute of 
     Standards and Technology shall submit to the bodies and 
     officials specified in subsection (e) a report that--
       (A) identifies appropriate cybersecurity best practices 
     that could reasonably be adopted by the departments and 
     agencies of the Federal Government over the 24-month period 
     beginning on the date of the report; and
       (B) sets forth proposed demonstration projects for the 
     adoption of such best practices by various departments and 
     agencies of the Federal Government beginning 90 days after 
     the date of the report.
       (2) Updates.--The National Institute of Standards and 
     Technology may submit to the bodies and officials specified 
     in subsection (e) any updates of the report under paragraph 
     (1) that the National Institute of Standards and Technology 
     consider appropriate due to changes in circumstances.
       (3) Consultation.--In preparing the report under paragraph 
     (1), and any updates of the report under paragraph (2), the 
     National Institute of Standards and Technology shall consult 
     with departments and agencies of the Federal Government 
     having an interest in the report and such updates, and with 
     academic centers of expertise in cybersecurity and private 
     sector centers of expertise in cybersecurity.
       (b) Demonstration Projects for Implementation of 
     Recommendations.--
       (1) In general.--Commencing not later than 90 days after 
     receipt of the report under subsection (a), the President 
     shall carry out the demonstration projects set forth in the 
     report, including any modification of any such demonstration 
     project that the President considers appropriate.
       (2) Updates.--If the National Institute of Standards and 
     Technology updates under subsection (a)(2) any recommendation 
     under subsection (a)(1)(A) that is relevant to a 
     demonstration project under paragraph (1), the President 
     shall modify the demonstration project to take into account 
     such update.
       (3) Report.--Not later than nine months after commencement 
     of the demonstration projects under this subsection, the 
     President shall submit to the appropriate committees of 
     Congress a report on the demonstration projects. The report 
     shall set forth the following:
       (A) An assessment of the extent to which the adoption of 
     appropriate cybersecurity best practices by departments and 
     agencies of the Federal Government under the demonstration 
     projects has improved cybersecurity at such departments and 
     agencies.
       (B) An assessment whether or not the adoption of 
     appropriate cybersecurity best practices by departments and 
     agencies of the Federal Government under the demonstration 
     projects has affected the capability of such departments and 
     agencies to carry out their missions.
       (C) A description of the cost of the adoption of 
     appropriate cybersecurity best practices by departments and 
     agencies of the Federal Government under the demonstration 
     projects.
       (D) A description of a security-enhancing missions-
     comparable, cost-effective program, to the extent such 
     program is feasible, for the adoption of appropriate 
     cybersecurity best practices government-wide.
       (E) Any other matters that the President considers 
     appropriate.
       (c) Adoption of Cybersecurity Best Practices Government-
     Wide.--The President shall implement a program for the 
     adoption of appropriate cybersecurity best practices 
     government-wide commencing not later than six months after 
     the date of the report.
       (d) Incorporation of Recommendations.--If during the 
     development or implementation of the program under subsection 
     (c) the President receives any recommendations under 
     paragraph (3) or (4) of section 3(g), the President shall 
     modify the program in order to take into account such 
     recommendations.
       (e) Specified Bodies and Officials.--The bodies and 
     officials specified in this subsection are as follows:
       (1) The appropriate committees of Congress.
       (2) The President.
       (3) The Director of the Office of Management and Budget.
       (4) The interagency entity designated by the President 
     under section 3(f)(1).

     SEC. 4. DEFINITIONS.

       In this Act:
       (1) Appropriate committees of congress.--The term 
     "appropriate committees of Congress" means--
       (A) the Committee on Commerce, Science, and Transportation 
     of the Senate; and
       (B) the Committee on Science of the House of 
     Representatives.
       (2) Cybersecurity.--The term "cybersecurity" means 
     information assurance, including information security, 
     information technology disaster recovery, and information 
     privacy.
       (3) Cybersecurity best practice.--The term "cybersecurity 
     best practice" means a computer hardware or software 
     configuration, information system design, operational 
     procedure, or measure, structure, or method that most 
     effectively protects computer hardware, software, networks, 
     or network elements against an attack that would cause harm 
     through the installation of unauthorized computer software, 
     saturation of network traffic, alteration of data, disclosure 
     of confidential information, or other means.
       (4) Appropriate cybersecurity best practice.--The term 
     "appropriate cybersecurity best practice" means a 
     cybersecurity best practice that--
       (A) permits, as needed, customization or expansion for the 
     computer hardware, software, network, or network element to 
     which the best practice applies;
       (B) takes into account the need for security protection 
     that balances--
       (i) the risk and magnitude of harm threatened by potential 
     attack; and
       (ii) the cost of imposing security protection; and
       (C) takes into account the rapidly changing nature of 
     computer technology.

     SEC. 5. AUTHORIZATION OF APPROPRIATIONS.

       There is hereby authorized to be appropriated for the 
     National Institute of Standards and Technology for purposes 
     of activities under this Act, amounts as follows:
       (1) For fiscal year 2003, $70,000,000.
       (2) For each of the fiscal years 2004 through 2007, such 
     sums as may be necessary.
                                  ____


                                S. 1901

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the "Cybersecurity Research and 
     Education Act of 2002".

     SEC. 2. FINDINGS.

       Congress finds that--
       (1) critical elements of the Nation's basic economic and 
     physical infrastructure rely on information technology for 
     effective functioning;
       (2) increased reliance on technology has left our Nation 
     vulnerable to the threat of cyberterrorism;
       (3) long-term research on practices, methods, and 
     technologies that will help ensure the safety of our 
     information infrastructure remains woefully inadequate;
       (4) there is a critical shortage of faculty at institutions 
     of higher education who specialize in disciplines related to 
     cybersecurity;
       (5) a vigorous scholarly community in fields related to 
     cybersecurity is necessary to help conduct research and 
     disseminate knowledge about the practical application of the 
     community's findings; and
       (6) universities in the United States award the Ph.D. 
     degree in computer sciences to approximately 1,000 
     individuals each year, but of those awarded this degree, less 
     than 0.3 percent specialize in cybersecurity and still fewer 
     become employed in faculty positions at institutions of 
     higher education.

     SEC. 3. DEFINITIONS.

       In this Act:
       (1) Cybersecurity.--The term "cybersecurity" means 
     information assurance, including scientific, technical, 
     management, or any other relevant disciplines required to 
     ensure computer and network security, including, but not 
     limited to, a discipline related to the following functions:
       (A) Secure System and network administration and 
     operations.
       (B) Systems security engineering.
       (C) Information assurance systems and product acquisition.
       (D) Cryptography.
       (E) Threat and vulnerability assessment, including risk 
     management.
       (F) Web security.
       (G) Operations of computer emergency response teams.
       (H) Cybersecurity training, education, and management.
       (I) Computer forensics.
       (J) Defensive information operations.
       (2) Cybersecurity infrastructure.--The term "cybersecurity 
     infrastructure" includes--
       (A) equipment that is integral to research and education 
     capabilities in cybersecurity, including, but not limited 
     to--
       (i) encryption devices;
       (ii) network switches;
       (iii) routers;
       (iv) firewalls;
       (v) wireless networking gear;
       (vi) protocol analyzers;
       (vii) file servers;
       (viii) workstations;
       (ix) biometric tools; and
       (x) computers; and
       (B) technology support staff (including graduate students) 
     that is integral to research and education capabilities in 
     cybersecurity.
       (3) Director.--The term "Director" means the Director of 
     the National Science Foundation.
       (4) Institution of higher education.--The term 
     "institution of higher education" has the meaning given the 
     term in section 101(a) of the Higher Education Act of 1965 
     (20 U.S.C. 1001(a)).

[[Page S180]]

       (5) Other relevant discipline.--The term "other relevant 
     discipline" includes, but is not limited to, the following 
     fields as the fields specifically relate to securing 
     information infrastructures:
       (A) Biometrics.
       (B) Software engineering.
       (C) Computer science and engineering.
       (D) Law.
       (E) Business management or administration.
       (F) Psychology.
       (G) Mathematics.
       (H) Sociology.
       (6) Qualified institution.--The term "qualified 
     institution" means an institution of higher education that, 
     at the time of submission of an application pursuant to any 
     of the programs authorized by this Act--
       (A) has offered, for not less than 3 years prior to the 
     date the application is submitted under this Act, a minimum 
     of 2 graduate courses in cybersecurity (not including short-
     term special seminars or 1-time classes offered by visitors);
       (B) has not less than 3 faculty members who teach 
     cybersecurity courses--
       (i) each of whom has published not less than 1 refereed 
     cybersecurity research article in a journal or through a 
     conference during the 2-year period preceding the date of 
     enactment of this Act;
       (ii) at least 1 of whom is tenured; and
       (iii) each of whom has demonstrated active engagement in 
     the cybersecurity scholarly community during the 2-year 
     period preceding the date of enactment of this Act, such as 
     serving as an editor of a cybersecurity journal or 
     participating on a program committee for a cybersecurity 
     conference or workshop;
       (C) has graduated not less than 1 Ph.D. scholar in 
     cybersecurity during the 2-year period preceding the date of 
     enactment of this Act; and
       (D) has not less than 3 graduate students enrolled who are 
     pursuing a Ph.D. in cybersecurity.

     SEC. 4. CYBERSECURITY GRADUATE FELLOWSHIP PROGRAM.

       (a) Purpose.--The purpose of this section is--
       (1) to encourage individuals to pursue academic careers in 
     cybersecurity upon the completion of doctoral degrees; and
       (2) to stimulate advanced study and research, at the 
     doctoral level, in complex, relevant, and important issues in 
     cybersecurity.
       (b) Establishment.--The Director is authorized to establish 
     a Cybersecurity Fellowship Program (referred to in this 
     section as the "fellowship program") to annually award 3 to 
     5-year graduate fellowships to individuals for studies and 
     research at the doctoral level in cybersecurity.
       (c) Cybersecurity Fellowship Program Advisory Board.--
       (1) Establishment.--There is established a Cybersecurity 
     Fellowship Program Advisory Board (referred to in this 
     section as the "Board").
       (2) Membership.--The Director shall appoint members of the 
     Board who shall include--
       (A) not fewer than 3 full-time faculty members--
       (i) each of whom teaches at an institution of higher 
     education; and
       (ii) each of whom has a specialty in cybersecurity; and
       (B) not fewer than 2 research scientists employed by a 
     Federal agency with duties that include cybersecurity 
     activities.
       (3) Terms.--Members of the Board shall be appointed for 
     renewable 2-year terms.
       (d) Application.--Each individual desiring to receive a 
     graduate fellowship under this section shall submit an 
     application to the Director at such time, in such manner, and 
     containing such information as the Director, in consultation 
     with the Board, shall require.
       (e) Award.--The Director is authorized to award graduate 
     fellowships under the fellowship program that shall--
       (1) be made available to individuals, through a competitive 
     selection process, for study at a qualified institution and 
     in accordance with the procedures established in subsection 
     (h);
       (2) be in an amount that is sufficient to cover annual 
     tuition and fees for doctoral study at a qualified 
     institution for the duration of the graduate fellowship, and 
     shall include, in addition, an annual living stipend of 
     $20,000; and
       (3) be for a duration of 3 to 5-years, the specific 
     duration of each graduate fellowship to be determined by the 
     Director in consultation with the Board on a case-by-case 
     basis.
       (f) Repayment.--Each graduate fellowship shall--
       (1) subject to paragraph (f)(2), be subject to full 
     repayment upon completion of the doctoral degree according to 
     a repayment schedule established and administered by the 
     Director;
       (2) be forgiven at the rate of 20 percent of the total 
     amount of graduate fellowship assistance received under this 
     section for each academic year that a recipient is employed 
     as a full-time faculty member at an institution of higher 
     education for a period not to exceed 5 years; and
       (3) be monitored by the Director to ensure compliance with 
     this section.
       (g) Eligibility.--To be eligible to receive a graduate 
     fellowship under this section, an individual shall--
       (1) be a citizen of the United States;
       (2) be matriculated or eligible to be matriculated for 
     doctoral studies at a qualified institution; and
       (3) demonstrate a commitment to a career in higher 
     education.
       (h) Selection.--
       (1) In general.--The Director, in consultation with the 
     Board, shall select recipients for graduate fellowships.
       (2) Duties.--The Director, in consultation with the Board, 
     shall--
       (A) establish criteria for a competitive selection process 
     for recipients of graduate fellowships;
       (B) establish and promulgate an application process for the 
     fellowship program;
       (C) receive applications for graduate fellowships;
       (D) annually review applications and select recipients of 
     graduate fellowships; and
       (E) establish and administer a repayment schedule for 
     recipients of graduate fellowships.
       (3) Consideration.--In making selections for graduate 
     fellowships, the Director, to the extent possible and in 
     consultation with the Board, shall consider applicants whose 
     interests are of an interdisciplinary nature, encompassing 
     the social scientific as well as technical dimensions of 
     cybersecurity.
       (i) Authorization of Appropriations.--There are authorized 
     to be appropriated to carry out this section $5,000,000 for 
     each of fiscal years 2003 through 2005, and such sums as may 
     be necessary for each succeeding fiscal year.

     SEC. 5. SABBATICAL FOR DISTINGUISHED FACULTY IN 
                   CYBERSECURITY.

       (a) Establishment.--The Director is authorized to award 
     grants to institutions of higher education to enable faculty 
     members who are teaching cybersecurity subjects to spend a 
     sabbatical from teaching working at--
       (1) the National Security Agency;
       (2) the Department of Defense;
       (3) the National Institute of Standards and Technology;
       (4) a research laboratory supported by the Department of 
     Energy; or
       (5) a qualified institution.
       (b) Application.--Each institution of higher education 
     desiring to receive a grant under this section shall submit 
     an application to the Director at such time, in such manner, 
     and containing such information as the Director shall 
     require.
       (c) Grant Awards.--
       (1) In general.--The Director shall award a grant under 
     this section only if the National Science Foundation and the 
     agency or institution where the faculty member will spend the 
     sabbatical approve the sabbatical placement.
       (2) Number and duration.--For each fiscal year, the 
     Director shall award grants for not more than 25 sabbatical 
     positions that will each be for a 1-year period.
       (3) Amount of award.--
       (A) In general.--Each institution of higher education that 
     is awarded a grant under this section shall receive $250,000 
     for each faculty member who will spend a sabbatical pursuant 
     to the grant.
       (B) Use of award.--The Director shall award a grant under 
     this section in 2 disbursements in the following manner:
       (i) First disbursement.--The first disbursement shall be 
     made upon selection of a grant recipient and shall consist of 
     the following:

       (I) $20,000 to provide a stipend for living expenses to 
     each faculty member awarded a sabbatical under this section.
       (II) An amount sufficient for the grant recipient to hire a 
     qualified replacement for the faculty member awarded a 
     sabbatical under this section for the term of the sabbatical, 
     if such a replacement is possible.

       (ii) Second disbursement.--The second disbursement shall be 
     made at the conclusion of the sabbatical, only if the faculty 
     member completes the sabbatical in its entirety, and shall be 
     used for the grant recipient's cybersecurity infrastructure 
     needs, including--

       (I) acquiring equipment or technology;
       (II) hiring graduate students; or
       (III) supporting any other activity that will enhance the 
     grant recipient's course offerings and research in 
     cybersecurity.

       (d) Eligibility.--To be eligible to receive a grant under 
     this section, an institution of higher education shall submit 
     an application under subsection (b) that--
       (1) identifies the faculty member to whom the institution 
     of higher education will provide a sabbatical and ensures 
     that the faculty member is a citizen of the United States;
       (2) ensures that the faculty member to whom the institution 
     of higher education will provide a sabbatical is tenured at 
     that institution of higher education and meets general 
     standards of excellence in research or teaching; and
       (3) explains how the faculty member to whom the institution 
     of higher education will provide a sabbatical will--
       (A) integrate into the faculty member's course offerings 
     knowledge related to cybersecurity that is gained during the 
     sabbatical; and
       (B) in conjunction with the institution of higher 
     education, use the second disbursement of funds available 
     under subsection (c)(3)(B)(ii).
       (e) Authorization of Appropriations.--There is authorized 
     to be appropriated to carry out this section $8,000,000 for 
     each of fiscal years 2003 through 2005.

[[Page S181]]

     SEC. 6. ENHANCING CYBERSECURITY INFRASTRUCTURE.

       (a) Establishment.--The Director is authorized to award 
     grants to qualified institutions to fund activities that 
     provide, enhance, and facilitate acquisition of cybersecurity 
     infrastructure at qualified institutions.
       (b) Use of Grant Award.--Each qualified institution that 
     receives a grant under this section shall use the grant funds 
     for needs specifically related to--
       (1) cybersecurity education and research; and
       (2) development efforts related to cybersecurity.
       (c) Matching Funds.--Each qualified institution that 
     receives a grant under this section shall contribute to the 
     activities assisted under this section non-Federal matching 
     funds equal to not less than 25 percent of the amount of the 
     grant.
       (d) Authorization of Appropriations.--There is authorized 
     to be appropriated to carry out this section $10,000,000 for 
     each of fiscal years 2003 through 2005.

     SEC. 7. CYBERSECURITY AWARENESS, TRAINING, AND EDUCATION 
                   PROGRAM.

       (a) Purpose.--The purpose of this section is to increase 
     the quality of education and training in cybersecurity, 
     thereby increasing the number of qualified students entering 
     the field of cybersecurity to adequately address the Nation's 
     increasing dependence on information technology and to defend 
     the Nation's increasingly vulnerable information 
     infrastructure.
       (b) Establishment.--The Director of the National Security 
     Agency is authorized to award grants, on a competitive basis, 
     to qualified institutions to establish Cybersecurity 
     Awareness, Training, and Education Programs (referred to in 
     this section as "information programs").
       (c) Application.--
       (1) In general.--Each qualified institution desiring to 
     receive a grant under this section shall submit an 
     application to the Director of the National Security Agency 
     at such time, in such manner, and accompanied by such 
     information as the Director of the National Security Agency 
     shall require.
       (2) Plans.--Each application submitted pursuant to 
     paragraph (1) shall include a plan for establishing and 
     maintaining an information program under this section, 
     including a description of--
       (A) the design, structure, and scope of the proposed 
     information program, including unique qualities that may 
     distinguish the proposed information program from possible 
     approaches of other qualified institutions;
       (B) research being conducted in the disciplines encompassed 
     by the plan;
       (C) any integration of the information program with other 
     federally funded programs related to cybersecurity education, 
     such as the National Science Foundation Scholarship for 
     Service Program, the Department of Defense Multidisciplinary 
     Research Program of the University Research Initiative, and 
     the Department of Defense Information Assurance Scholarship 
     Program;
       (D) necessary costs for information infrastructure to 
     support the information program;
       (E) how the qualified institution will protect the 
     integrity and security of the information infrastructure and 
     any student testing mechanisms; and
       (F) other relevant information.
       (3) Collaboration.--A qualified institution desiring to 
     receive a grant under this section may propose collaboration 
     with other qualified institutions.
       (d) Grant Awards.--Each qualified institution that receives 
     a grant under this section shall use the grant funds to--
       (1) establish or enhance a Center for Studies in 
     Cybersecurity Awareness, Training, and Education that shall--
       (A) establish a professionally produced, web-based 
     collection of cybersecurity programs of instruction that have 
     been approved for general public dissemination by the authors 
     and owners of the programs;
       (B) maintain a web-based directory of cybersecurity 
     education and training related conferences and symposia;
       (C) sponsor the development of specific instructional 
     materials in cybersecurity and other relevant disciplines, 
     including--
       (i) intrusion detection;
       (ii) overview of information assurance;
       (iii) ethical use of computing systems;
       (iv) network security;
       (v) cryptography;
       (vi) risk management;
       (vii) malicious logic; and
       (viii) system security engineering;
       (D) sponsor cybersecurity education symposia;
       (E) collaborate with the National Colloquium for 
     Information Assurance Education;
       (F) create a 'Virtual Academy' for sharing courseware and 
     laboratory exercises in cybersecurity; and
       (G) review and participate in integrating various 
     cybersecurity education and training standards into unified 
     curricula; and
       (2) establish or enhance a Center for the Development of 
     Faculty in Cybersecurity that shall--
       (A) establish criteria for recognition and certification of 
     cybersecurity trainers and educators;
       (B) establish faculty training outreach to teachers in 
     kindergarten through grade 12 and to faculty of part B 
     institutions (as defined in section 322 of the Higher 
     Education Act of 1965 (20 U.S.C. 1061));
       (C) build, test, and evaluate laboratory exercises that 
     represent use of model practices in cybersecurity for use in 
     training and education programs; and
       (D) establish an integrated program to include the programs 
     described in this paragraph and paragraph (1).
       (e) Authorization of Appropriations.--There are authorized 
     to be appropriated to carry out this section--
       (1) $1,500,000 for fiscal year 2003;
       (2) $2,000,000 for fiscal year 2004;
       (3) $3,000,000 for fiscal year 2005; and
       (4) $4,500,000 for fiscal year 2006.

     SEC. 8. CYBERSECURITY WORKFORCE AND FACILITIES STUDY.

       (a) Study.--The Comptroller General shall conduct a study 
     and collect data on the following:
       (1) The cybersecurity workforce, including--
       (A) the size and nature of the cybersecurity workforce by 
     occupation category (including academic faculty at 
     institutions of higher education), level of education and 
     training, personnel demographics, and industry 
     characteristics; and
       (B) the role of foreign workers in the cybersecurity 
     workforce.
       (2) Academic cybersecurity research facilities, including--
       (A) total academic research space available or utilized for 
     research relating to cybersecurity;
       (B) academic research space relating to cybersecurity that 
     is in need of major repair or renovation;
       (C) new or ongoing projects at institutions of higher 
     education expected to produce new or renovated research space 
     to be used for research relating to cybersecurity; and
       (D) any research space needs related to cybersecurity and 
     based on projections of growth in educational programs and 
     research, including costs and initiatives required to meet 
     such needs and possible consequences of failure to meet such 
     needs.
       (3) Other information that the Comptroller General 
     determines appropriate.
       (b) Report.--Not later than 6 months after the date of 
     enactment of this Act, and biennially thereafter, the 
     Comptroller General shall prepare and submit a report on the 
     study conducted pursuant to subsection (a) to the--
       (1) Committee on Health, Education, Labor and Pensions of 
     the Senate; and
       (2) Committee on Education and the Workforce of the House 
     of Representatives.
                                 ______