H.R. 4061: Cybersecurity Enhancement Act of 2009

Sponsor
Rep. Daniel Lipinski

Date
February 3, 2010 (111th Congress, 1st Session)

Staff Contact
Sarah Makin

Floor Situation

H.R. 4061 is being considered under suspension of the rules, requiring a two-thirds vote for passage. The legislation was introduced by Rep. Daniel Lipinski (D-IL) on November 7, 2009. The bill was approved by the Science and Technology Committee by voice vote in November 2009.

Bill Summary

H.R. 4061 reauthorizes several National Science Foundation (NSF) programs that aim to enhance cybersecurity.  The bill would require agencies participating in the Networking and Information Technology Research and Development program (NITRD) to develop, update, and implement a plan to guide the direction of federal cybersecurity and information assurance research and development.  The bill also reauthorizes cybersecurity workforce and traineeship programs at the NSF including the Integrative Graduate Education and Research Traineeship program and the Graduate Research Fellowship program.
 
H.R. 4061 requires the President to conduct an assessment of cybersecurity workforce needs across the federal government and authorizes NSF to carry out the Scholarship for Service program (which has never been authorized but has been funded previously).  The bill reauthorizes cybersecurity research at NSF and also reauthorizes the Trustworthy Computing program.
 
H.R. 4061 requires the Director of the Office of Science and Technology Policy to convene a university-industry task force to find ways to carry out collaborative research and development on cybersecurity technology.  The bill requires the National Institute of Standards and Technology (NIST) to develop and implement a plan to include U.S. representation in the development of international cybersecurity technical standards.
 
Finally, the bill would require NIST to develop and implement a cybersecurity awareness and education program for the dissemination of user-friendly cybersecurity best practices and technical standards.

Background

According to information provided by the Committee, the bill seeks to improve cybersecurity in the federal, private, and public sectors through coordination of federal cybersecurity research and development activities; strengthening of the cybersecurity workforce; coordination of U.S. representation in international cybersecurity technical standards development; and reauthorization of cybersecurity-related programs at the NSF and the NIST.
 
Supporters of the bill cite reports of cyber criminals and possibly nation-states accessing sensitive information as a reason for heightened concerns over the adequacy of cybersecurity measures.  For instance, in 2008, Rep. Smith (R-NJ) and Rep. Wolf (R-VA) reported their House computers being compromised by Chinese officials (for more on these incidents, see this news report).
 
Funding for cybersecurity research and development is approximately $350 million each year.  However, GAO testified in June 2009 that the U.S. information technology infrastructure is vulnerable to attack and the federal agencies tasked with its protection are not fulfilling their responsibilities.
 
The NITRD program is chiefly responsible for coordinating unclassified cybersecurity research and development.  NSF’s budget of $127 million for FY 2010 makes it the principal agency supporting unclassified cybersecurity research and development and education.  NIST protects the federal information technology network by developing cybersecurity standards for federal non-classified network systems.
 
Regarding U.S. involvement in international cybersecurity technical standards, the U.S. is currently represented internationally by numerous organizations, including the Department of State, Department of Commerce, Federal Communications Commission, and the United States Trade Representative.  However, there is no collective strategy among them.
 
The Cyber Security Research and Development Act (P.L. 107-305) became public law in the 107th Congress.  The bill created new programs and expanded existing programs at NSF and NIST for computer and network security.  The authorizations established under the Cyber Security Research and Development Act expired in FY 2007.  This bill reauthorizes and increases the authorizations of many of those programs.

Cost

Based on information from NSF and NIST and assuming appropriation of the necessary amounts, CBO estimates that implementing H.R. 4061 would cost $639 million over the 2010-2014 period and $320 million after 2014.  Enacting the legislation would not affect direct spending or revenues.

Amendments

1)    Reps. Hastings, Alcee (D-FL) and Rodriguez (D-TX):  The amendment addresses minority representation in the cybersecurity industry (including women, African Americans, Hispanics, and Native Americans).  The amendment would require that institutions "engage" minorities in cybersecurity (providing information on how they are doing so), and would require the Cybersecurity University-Industry Task Force to include minority-serving institutions.

2)    Rep. Polis (D-CO):  The amendment would allow participants in the Federal Cyber Scholarship for Service program to seek internships, or other appointments, in the private sector, at the discretion of the Director.

3)    Rep. Flake (R-AZ):  The amendment would prohibit the earmarking of funds authorized for grants in the bill.

4)    Rep. Matheson (D-UT):  The amendment would require the National Science Foundation (NSF) to study ways to improve detection, investigation, and prosecution of cyber crimes including piracy of intellectual property, crimes against children, and organized crime.

5)    Rep. Roskam (R-IL):  The amendment would strengthen the involvement of community colleges in the development of a national cybersecurity strategy.

6)    Rep. Edwards, Donna (D-MD):  The amendment would require the National Institute of Standards and Technology (NIST) to work with other federal, State, and private sector partners to develop a framework that States may follow in order to achieve effective cybersecurity practices in a timely and cost-effective manner.

7)    Rep. Paulsen (R-MN):  The amendment would require the Cybersecurity Strategic Research and Development Plan to outline how the U.S. can work strategically with international partners.

8)    Rep. Dahlkemper (D-PA):  The amendment would add to the uses for the Computer and Network Security Capacity Building Grants collaboration between community colleges, universities, and Manufacturing Extension Partnership Centers.

9)    Rep. Garamendi (D-CA):  The amendment requires the Cybersecurity Awareness and Education program to provide regional workshops.

10)  Reps. McCarthy, Carolyn (D-NY) and Kratovil (D-MD):  The amendment would emphasize that cybersecurity awareness and education efforts focus on novice computer users, young and elderly populations, low-income populations, and populations in areas of planned broadband expansion or deployment.

11)  Rep. Smith, Adam (D-WA):  The amendment would add "job security clearance and suitability requirements" to the issues that are considered in the cybersecurity workforce assessment.

12)  Rep. Langevin (D-RI):  The amendment would direct the Cybersecurity Workforce Assessment to examine expanding temporary assignments of private sector cybersecurity professionals to federal agencies.

13)  Rep. Sanchez, Loretta (D-CA):  The amendment would allow academic researchers access to realistic threats and vulnerabilities during their strategic planning, and would propose guidelines for the sharing of "lessons learned" from the private sector to the public sector.

14)  Rep. Cuellar (D-TX):  The amendment would require the Cybersecurity Strategic Research and Development plan to determine how to strengthen all levels of cybersecurity education and training programs to secure an adequate, well-trained workforce.

15)  Rep. Shea-Porter (D-NH):  The amendment extends the service obligation for recipients of cybersecurity scholarships or fellowships on a sliding scale depending on the degree program.

16)  Rep. Clarke (D-NY):  The amendment would include contractors in the cybersecurity workforce assessment.

17)  Rep. Bright (D-AL):  The amendment would require a National Academy of Sciences study on the role of community colleges in cybersecurity education.  The study would be required to identify best practices related to cybersecurity education between community colleges and four-year educational institutions.

18)  Rep. Connolly (D-VA):  The amendment requires that the promotion of cybersecurity education include "children and young adults" along with the other targeted audiences.

19)  Reps. Halvorson (D-IL) and Shea-Porter (D-NH):  The amendment would include veteran status as an additional item for consideration when selecting for the Federal Cyber Scholarships for Service grant.

20)  Rep. Kilroy (D-OH):  The amendment would require the Federal Cyber Scholarship for Service program to include outreach activities to improve the recruitment of high school and community college students into cybersecurity-related fields.

21)  Rep. Kissell (D-NC):  The amendment would require the NSF Director to include language in its Computer and Network Security Capacity Building Grants mission statement highlighting the importance of curriculum on the principles and techniques of designing secure software.

22)  Rep. Kratovil (D-MD):  The amendment would require the Director of the NSF to establish a National Center of Excellence for Cybersecurity as part of the Networking and Information Technology Research and Development Program.

23)  Rep. Nye (D-VA):  The amendment requires the Comptroller General to submit a report examining weaknesses within the current cybersecurity infrastructure.

24)  Rep. Owens (D-NY):  The amendment would require the Cybersecurity Strategic Research and Development plan to include a component on technologies to secure sensitive information shared among Federal agencies.

25)  Rep. Heinrich (D-NM):  The amendment would allow national laboratories to be included as stakeholders in the Cybersecurity Strategic Research and Development Plan.