[House Report 113-33]
[From the U.S. Government Publishing Office]
113th Congress, 1st Session
HOUSE OF REPRESENTATIVES
Report 113-33
======================================================================
CYBERSECURITY ENHANCEMENT ACT OF 2013
_______
April 11, 2013.--Committed to the Committee of the Whole House on the
State of the Union and ordered to be printed
_______
Mr. Smith of Texas, from the Committee on Science, Space, and
Technology, submitted the following
R E P O R T
[To accompany H.R. 756]
[Including cost estimate of the Congressional Budget Office]
The Committee on Science, Space, and Technology, to whom
was referred the bill (H.R. 756) to advance cybersecurity
research, development, and technical standards, and for other
purposes, having considered the same, report favorably thereon
with an amendment and recommend that the bill as amended do
pass.
CONTENTS
I. Amendment
II. Purpose and Summary
III. Background and Need for the Legislation
IV. Hearing Summary
V. Committee Consideration
VI. Committee Votes
VII. Summary of Major Provisions of the Bill
VIII. Committee Views
IX. Committee Oversight Findings
X. Statement on General Performance Goals and Objectives
XI. New Budget Authority, Entitlement Authority, and Tax Expenditures
XII. Advisory on Earmarks
XIII. Committee Cost Estimate
XIV. Congressional Budget Office Cost Estimate
XV. Federal Mandates Statement
XVI. Compliance with House Resolution 5
XVII. Federal Advisory Committee Statement
XVIII. Applicability to Legislative Branch
XIX. Section-by-Section Analysis of the Legislation
XX. Changes in Existing Law Made by the Bill, As Reported
XXI. Proceedings of the Full Committee Markup
I. Amendment
The amendment is as follows:
Strike all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Cybersecurity Enhancement Act of
2013''.
TITLE I--RESEARCH AND DEVELOPMENT
SEC. 101. DEFINITIONS.
In this title:
(1) National coordination office.--The term National
Coordination Office means the National Coordination Office for
the Networking and Information Technology Research and
Development program.
(2) Program.--The term Program means the Networking and
Information Technology Research and Development program which
has been established under section 101 of the High-Performance
Computing Act of 1991 (15 U.S.C. 5511).
SEC. 102. FINDINGS.
Section 2 of the Cyber Security Research and Development Act (15
U.S.C. 7401) is amended--
(1) by amending paragraph (1) to read as follows:
``(1) Advancements in information and communications
technology have resulted in a globally interconnected network
of government, commercial, scientific, and education
infrastructures, including critical infrastructures for
electric power, natural gas and petroleum production and
distribution, telecommunications, transportation, water supply,
banking and finance, and emergency and government services.'';
(2) in paragraph (2), by striking ``Exponential increases in
interconnectivity have facilitated enhanced communications,
economic growth,'' and inserting ``These advancements have
significantly contributed to the growth of the United States
economy,'';
(3) by amending paragraph (3) to read as follows:
``(3) The Cyberspace Policy Review published by the President
in May, 2009, concluded that our information technology and
communications infrastructure is vulnerable and has `suffered
intrusions that have allowed criminals to steal hundreds of
millions of dollars and nation-states and other entities to
steal intellectual property and sensitive military
information'.''; and
(4) by amending paragraph (6) to read as follows:
``(6) While African-Americans, Hispanics, and Native
Americans constitute 33 percent of the college-age population,
members of these minorities comprise less than 20 percent of
bachelor degree recipients in the field of computer
sciences.''.
SEC. 103. CYBERSECURITY STRATEGIC RESEARCH AND DEVELOPMENT PLAN.
(a) In General.--Not later than 12 months after the date of enactment
of this Act, the agencies identified in subsection 101(a)(3)(B)(i)
through (x) of the High-Performance Computing Act of 1991 (15 U.S.C.
5511(a)(3)(B)(i) through (x)) or designated under section
101(a)(3)(B)(xi) of such Act, working through the National Science and
Technology Council and with the assistance of the National Coordination
Office, shall transmit to Congress a strategic plan based on an
assessment of cybersecurity risk to guide the overall direction of
Federal cybersecurity and information assurance research and
development for information technology and networking systems. Once
every 3 years after the initial strategic plan is transmitted to
Congress under this section, such agencies shall prepare and transmit
to Congress an update of such plan.
(b) Contents of Plan.--The strategic plan required under subsection
(a) shall--
(1) specify and prioritize near-term, mid-term and long-term
research objectives, including objectives associated with the
research areas identified in section 4(a)(1) of the Cyber
Security Research and Development Act (15 U.S.C. 7403(a)(1))
and how the near-term objectives complement research and
development areas in which the private sector is actively
engaged;
(2) describe how the Program will focus on innovative,
transformational technologies with the potential to enhance the
security, reliability, resilience, and trustworthiness of the
digital infrastructure, and to protect consumer privacy;
(3) describe how the Program will foster the rapid transfer
of research and development results into new cybersecurity
technologies and applications for the timely benefit of society
and the national interest, including through the dissemination
of best practices and other outreach activities;
(4) describe how the Program will establish and maintain a
national research infrastructure for creating, testing, and
evaluating the next generation of secure networking and
information technology systems;
(5) describe how the Program will facilitate access by
academic researchers to the infrastructure described in
paragraph (4), as well as to relevant data, including event
data;
(6) describe how the Program will engage females and
individuals identified in section 33 or 34 of the Science and
Engineering Equal Opportunities Act (42 U.S.C. 1885a or 1885b)
to foster a more diverse workforce in this area; and
(7) describe how the Program will help to recruit and prepare
veterans for the Federal cybersecurity workforce.
(c) Development of Roadmap.--The agencies described in subsection (a)
shall develop and annually update an implementation roadmap for the
strategic plan required in this section. Such roadmap shall--
(1) specify the role of each Federal agency in carrying out
or sponsoring research and development to meet the research
objectives of the strategic plan, including a description of
how progress toward the research objectives will be evaluated;
(2) specify the funding allocated to each major research
objective of the strategic plan and the source of funding by
agency for the current fiscal year; and
(3) estimate the funding required for each major research
objective of the strategic plan for the following 3 fiscal
years.
(d) Recommendations.--In developing and updating the strategic plan
under subsection (a), the agencies involved shall solicit
recommendations and advice from--
(1) the advisory committee established under section
101(b)(1) of the High-Performance Computing Act of 1991 (15
U.S.C. 5511(b)(1)); and
(2) a wide range of stakeholders, including industry,
academia, including representatives of minority serving
institutions and community colleges, National Laboratories, and
other relevant organizations and institutions.
(e) Appending to Report.--The implementation roadmap required under
subsection (c), and its annual updates, shall be appended to the report
required under section 101(a)(2)(D) of the High-Performance Computing
Act of 1991 (15 U.S.C. 5511(a)(2)(D)).
(f) Cybersecurity Research Database.--The agencies involved in
developing and updating the strategic plan under subsection (a) shall
establish, in coordination with the Office of Management and Budget, a
mechanism to track ongoing and completed Federal cybersecurity research
and development projects and associated funding, and shall make such
information publically available.
SEC. 104. SOCIAL AND BEHAVIORAL RESEARCH IN CYBERSECURITY.
Section 4(a)(1) of the Cyber Security Research and Development Act
(15 U.S.C. 7403(a)(1)) is amended--
(1) by inserting ``and usability'' after ``to the
structure'';
(2) in subparagraph (H), by striking ``and'' after the
semicolon;
(3) in subparagraph (I), by striking the period at the end
and inserting ``; and''; and
(4) by adding at the end the following new subparagraph:
``(J) social and behavioral factors, including human-
computer interactions, usability, and user
motivations.''.
SEC. 105. NATIONAL SCIENCE FOUNDATION CYBERSECURITY RESEARCH AND
DEVELOPMENT PROGRAMS.
(a) Computer and Network Security Research Areas.--Section 4(a)(1) of
the Cyber Security Research and Development Act (15 U.S.C. 7403(a)(1))
is amended--
(1) in subparagraph (A) by inserting ``identity management,''
after ``cryptography,''; and
(2) in subparagraph (I), by inserting ``, crimes against
children, and organized crime'' after ``intellectual
property''.
(b) Computer and Network Security Research Grants.--Section 4(a)(3)
of such Act (15 U.S.C. 7403(a)(3)) is amended by striking subparagraphs
(A) through (E) and inserting the following new subparagraphs:
``(A) $119,000,000 for fiscal year 2014;
``(B) $119,000,000 for fiscal year 2015; and
``(C) $119,000,000 for fiscal year 2016.''.
(c) Computer and Network Security Research Centers.--Section 4(b) of
such Act (15 U.S.C. 7403(b)) is amended--
(1) in paragraph (4)--
(A) in subparagraph (C), by striking ``and'' after
the semicolon;
(B) in subparagraph (D), by striking the period and
inserting ``; and''; and
(C) by adding at the end the following new
subparagraph:
``(E) how the center will partner with government
laboratories, for-profit entities, other institutions
of higher education, or nonprofit research
institutions.''; and
(2) in paragraph (7) by striking subparagraphs (A) through
(E) and inserting the following new subparagraphs:
``(A) $5,000,000 for fiscal year 2014;
``(B) $5,000,000 for fiscal year 2015; and
``(C) $5,000,000 for fiscal year 2016.''.
(d) Computer and Network Security Capacity Building Grants.--Section
5(a)(6) of such Act (15 U.S.C. 7404(a)(6)) is amended by striking
subparagraphs (A) through (E) and inserting the following new
subparagraphs:
``(A) $25,000,000 for fiscal year 2014;
``(B) $25,000,000 for fiscal year 2015; and
``(C) $25,000,000 for fiscal year 2016.''.
(e) Scientific and Advanced Technology Act Grants.--Section 5(b)(2)
of such Act (15 U.S.C. 7404(b)(2)) is amended by striking subparagraphs
(A) through (E) and inserting the following new subparagraphs:
``(A) $4,000,000 for fiscal year 2014;
``(B) $4,000,000 for fiscal year 2015; and
``(C) $4,000,000 for fiscal year 2016.''.
(f) Graduate Traineeships in Computer and Network Security.--Section
5(c)(7) of such Act (15 U.S.C. 7404(c)(7)) is amended by striking
subparagraphs (A) through (E) and inserting the following new
subparagraphs:
``(A) $32,000,000 for fiscal year 2014;
``(B) $32,000,000 for fiscal year 2015; and
``(C) $32,000,000 for fiscal year 2016.''.
(g) Cyber Security Faculty Development Traineeship Program.--Section
5(e) of such Act (15 U.S.C. 7404(e)) is repealed.
SEC. 106. FEDERAL CYBER SCHOLARSHIP FOR SERVICE PROGRAM.
(a) In General.--The Director of the National Science Foundation
shall continue a Scholarship for Service program under section 5(a) of
the Cyber Security Research and Development Act (15 U.S.C. 7404(a)) to
recruit and train the next generation of Federal cybersecurity
professionals and to increase the capacity of the higher education
system to produce an information technology workforce with the skills
necessary to enhance the security of the Nation's communications and
information infrastructure.
(b) Characteristics of Program.--The program under this section
shall--
(1) provide, through qualified institutions of higher
education, including community colleges, scholarships that
provide tuition, fees, and a competitive stipend for up to 2
years to students pursuing a bachelor's or master's degree and
up to 3 years to students pursuing a doctoral degree in a
cybersecurity field;
(2) provide the scholarship recipients with summer internship
opportunities or other meaningful temporary appointments in the
Federal information technology workforce; and
(3) increase the capacity of institutions of higher education
throughout all regions of the United States to produce highly
qualified cybersecurity professionals, through the award of
competitive, merit-reviewed grants that support such activities
as--
(A) faculty professional development, including
technical, hands-on experiences in the private sector
or government, workshops, seminars, conferences, and
other professional development opportunities that will
result in improved instructional capabilities;
(B) institutional partnerships, including minority
serving institutions and community colleges;
(C) development and evaluation of cybersecurity-
related courses and curricula; and
(D) public-private partnerships that will integrate
research experiences and hands-on learning into
cybersecurity degree programs.
(c) Scholarship Requirements.--
(1) Eligibility.--Scholarships under this section shall be
available only to students who--
(A) are citizens or permanent residents of the United
States;
(B) are full-time students in an eligible degree
program, as determined by the Director, that is focused
on computer security or information assurance at an
awardee institution; and
(C) accept the terms of a scholarship pursuant to
this section.
(2) Selection.--Individuals shall be selected to receive
scholarships primarily on the basis of academic merit, with
consideration given to financial need, to the goal of promoting
the participation of females and individuals identified in
section 33 or 34 of the Science and Engineering Equal
Opportunities Act (42 U.S.C. 1885a or 1885b), and to veterans.
For purposes of this paragraph, the term ``veteran'' means a
person who--
(A) served on active duty (other than active duty for
training) in the Armed Forces of the United States for
a period of more than 180 consecutive days, and who was
discharged or released therefrom under conditions other
than dishonorable; or
(B) served on active duty (other than active duty for
training) in the Armed Forces of the United States and
was discharged or released from such service for a
service-connected disability before serving 180
consecutive days.
For purposes of subparagraph (B), the term ``service-
connected'' has the meaning given such term under section 101
of title 38, United States Code.
(3) Service obligation.--If an individual receives a
scholarship under this section, as a condition of receiving
such scholarship, the individual upon completion of their
degree must serve as a cybersecurity professional within the
Federal workforce for a period of time as provided in paragraph
(5). If a scholarship recipient is not offered employment by a
Federal agency or a federally funded research and development
center, the service requirement can be satisfied at the
Director's discretion by--
(A) serving as a cybersecurity professional in a
State, local, or tribal government agency; or
(B) teaching cybersecurity courses at an institution
of higher education.
(4) Conditions of support.--As a condition of acceptance of a
scholarship under this section, a recipient shall agree to
provide the awardee institution with annual verifiable
documentation of employment and up-to-date contact information.
(5) Length of service.--The length of service required in
exchange for a scholarship under this subsection shall be 1
year more than the number of years for which the scholarship
was received.
(d) Failure To Complete Service Obligation.--
(1) General rule.--If an individual who has received a
scholarship under this section--
(A) fails to maintain an acceptable level of academic
standing in the educational institution in which the
individual is enrolled, as determined by the Director;
(B) is dismissed from such educational institution
for disciplinary reasons;
(C) withdraws from the program for which the award
was made before the completion of such program;
(D) declares that the individual does not intend to
fulfill the service obligation under this section; or
(E) fails to fulfill the service obligation of the
individual under this section,
such individual shall be liable to the United States as
provided in paragraph (3).
(2) Monitoring compliance.--As a condition of participating
in the program, a qualified institution of higher education
receiving a grant under this section shall--
(A) enter into an agreement with the Director of the
National Science Foundation to monitor the compliance
of scholarship recipients with respect to their service
obligation; and
(B) provide to the Director, on an annual basis,
post-award employment information required under
subsection (c)(4) for scholarship recipients through
the completion of their service obligation.
(3) Amount of repayment.--
(A) Less than one year of service.--If a circumstance
described in paragraph (1) occurs before the completion
of 1 year of a service obligation under this section,
the total amount of awards received by the individual
under this section shall be repaid or such amount shall
be treated as a loan to be repaid in accordance with
subparagraph (C).
(B) More than one year of service.--If a circumstance
described in subparagraph (D) or (E) of paragraph (1)
occurs after the completion of 1 year of a service
obligation under this section, the total amount of
scholarship awards received by the individual under
this section, reduced by the ratio of the number of
years of service completed divided by the number of
years of service required, shall be repaid or such
amount shall be treated as a loan to be repaid in
accordance with subparagraph (C).
(C) Repayments.--A loan described in subparagraph (A)
or (B) shall be treated as a Federal Direct
Unsubsidized Stafford Loan under part D of title IV of
the Higher Education Act of 1965 (20 U.S.C. 1087a and
following), and shall be subject to repayment, together
with interest thereon accruing from the date of the
scholarship award, in accordance with terms and
conditions specified by the Director (in consultation
with the Secretary of Education) in regulations
promulgated to carry out this paragraph.
(4) Collection of repayment.--
(A) In general.--In the event that a scholarship
recipient is required to repay the scholarship under
this subsection, the institution providing the
scholarship shall--
(i) be responsible for determining the
repayment amounts and for notifying the
recipient and the Director of the amount owed;
and
(ii) collect such repayment amount within a
period of time as determined under the
agreement described in paragraph (2), or the
repayment amount shall be treated as a loan in
accordance with paragraph (3)(C).
(B) Returned to treasury.--Except as provided in
subparagraph (C) of this paragraph, any such repayment
shall be returned to the Treasury of the United States.
(C) Retain percentage.--An institution of higher
education may retain a percentage of any repayment the
institution collects under this paragraph to defray
administrative costs associated with the collection.
The Director shall establish a single, fixed percentage
that will apply to all eligible entities.
(5) Exceptions.--The Director may provide for the partial or
total waiver or suspension of any service or payment obligation
by an individual under this section whenever compliance by the
individual with the obligation is impossible or would involve
extreme hardship to the individual, or if enforcement of such
obligation with respect to the individual would be
unconscionable.
(e) Hiring Authority.--
(1) Appointment in excepted service.--Notwithstanding any
provision of chapter 33 of title 5, United States Code,
governing appointments in the competitive service, an agency
shall appoint in the excepted service an individual who has
completed the academic program for which a scholarship was
awarded.
(2) Noncompetitive conversion.--Except as provided in
paragraph (4), upon fulfillment of the service term, an
employee appointed under paragraph (1) may be converted
noncompetitively to term, career-conditional or career
appointment.
(3) Timing of conversion.--An agency may noncompetitively
convert a term employee appointed under paragraph (2) to a
career-conditional or career appointment before the term
appointment expires.
(4) Authority to decline conversion.--An agency may decline
to make the noncompetitive conversion or appointment under
paragraph (2) for cause.
SEC. 107. CYBERSECURITY WORKFORCE ASSESSMENT.
Not later than 180 days after the date of enactment of this Act the
President shall transmit to the Congress a report addressing the
cybersecurity workforce needs of the Federal Government. The report
shall include--
(1) an examination of the current state of and the projected
needs of the Federal cybersecurity workforce, including a
comparison of the different agencies and departments, and an
analysis of the capacity of such agencies and departments to
meet those needs;
(2) an analysis of the sources and availability of
cybersecurity talent, a comparison of the skills and expertise
sought by the Federal Government and the private sector, an
examination of the current and future capacity of United States
institutions of higher education, including community colleges,
to provide current and future cybersecurity professionals,
through education and training activities, with those skills
sought by the Federal Government, State and local entities, and
the private sector, and a description of how successful
programs are engaging the talents of females and individuals
identified in section 33 or 34 of the Science and Engineering
Equal Opportunities Act (42 U.S.C. 1885a or 1885b);
(3) an examination of the effectiveness of the National
Centers of Academic Excellence in Information Assurance
Education, the Centers of Academic Excellence in Research, and
the Federal Cyber Scholarship for Service programs in promoting
higher education and research in cybersecurity and information
assurance and in producing a growing number of professionals
with the necessary cybersecurity and information assurance
expertise, including individuals from States or regions in
which the unemployment rate exceeds the national average;
(4) an analysis of any barriers to the Federal Government
recruiting and hiring cybersecurity talent, including barriers
relating to compensation, the hiring process, job
classification, and hiring flexibilities; and
(5) recommendations for Federal policies to ensure an
adequate, well-trained Federal cybersecurity workforce.
SEC. 108. CYBERSECURITY UNIVERSITY-INDUSTRY TASK FORCE.
(a) Establishment of University-Industry Task Force.--Not later than
180 days after the date of enactment of this Act, the Director of the
Office of Science and Technology Policy shall convene a task force to
explore mechanisms for carrying out collaborative research,
development, education, and training activities for cybersecurity
through a consortium or other appropriate entity with participants from
institutions of higher education and industry.
(b) Functions.--The task force shall--
(1) develop options for a collaborative model and an
organizational structure for such entity under which the joint
research and development activities could be planned, managed,
and conducted effectively, including mechanisms for the
allocation of resources among the participants in such entity
for support of such activities;
(2) identify and prioritize at least three cybersecurity
grand challenges, focused on nationally significant problems
requiring collaborative and interdisciplinary solutions;
(3) propose a process for developing a research and
development agenda for such entity to address the grand
challenges identified under paragraph (2);
(4) define the roles and responsibilities for the
participants from institutions of higher education and industry
in such entity;
(5) propose guidelines for assigning intellectual property
rights and for the transfer of research and development results
to the private sector; and
(6) make recommendations for how such entity could be funded
from Federal, State, and nongovernmental sources.
(c) Composition.--In establishing the task force under subsection
(a), the Director of the Office of Science and Technology Policy shall
appoint an equal number of individuals from institutions of higher
education, including minority-serving institutions and community
colleges, and from industry with knowledge and expertise in
cybersecurity.
(d) Report.--Not later than 12 months after the date of enactment of
this Act, the Director of the Office of Science and Technology Policy
shall transmit to the Congress a report describing the findings and
recommendations of the task force.
(e) Termination.--The task force shall terminate upon transmittal of
the report required under subsection (d).
(f) Compensation and Expenses.--Members of the task force shall serve
without compensation.
SEC. 109. CYBERSECURITY AUTOMATION AND CHECKLISTS FOR GOVERNMENT
SYSTEMS.
Section 8(c) of the Cyber Security Research and Development Act (15
U.S.C. 7406(c)) is amended to read as follows:
``(c) Security Automation and Checklists for Government Systems.--
``(1) In general.--The Director of the National Institute of
Standards and Technology shall develop, and revise as
necessary, security automation standards, associated reference
materials (including protocols), and checklists providing
settings and option selections that minimize the security risks
associated with each information technology hardware or
software system and security tool that is, or is likely to
become, widely used within the Federal Government in order to
enable standardized and interoperable technologies,
architectures, and frameworks for continuous monitoring of
information security within the Federal Government.
``(2) Priorities for development.--The Director of the
National Institute of Standards and Technology shall establish
priorities for the development of standards, reference
materials, and checklists under this subsection on the basis
of--
``(A) the security risks associated with the use of
the system;
``(B) the number of agencies that use a particular
system or security tool;
``(C) the usefulness of the standards, reference
materials, or checklists to Federal agencies that are
users or potential users of the system;
``(D) the effectiveness of the associated standard,
reference material, or checklist in creating or
enabling continuous monitoring of information security;
or
``(E) such other factors as the Director of the
National Institute of Standards and Technology
determines to be appropriate.
``(3) Excluded systems.--The Director of the National
Institute of Standards and Technology may exclude from the
application of paragraph (1) any information technology
hardware or software system or security tool for which such
Director determines that the development of a standard,
reference material, or checklist is inappropriate because of
the infrequency of use of the system, the obsolescence of the
system, or the inutility or impracticability of developing a
standard, reference material, or checklist for the system.
``(4) Dissemination of standards and related materials.--The
Director of the National Institute of Standards and Technology
shall ensure that Federal agencies are informed of the
availability of any standard, reference material, checklist, or
other item developed under this subsection.
``(5) Agency use requirements.--The development of standards,
reference materials, and checklists under paragraph (1) for an
information technology hardware or software system or tool does
not--
``(A) require any Federal agency to select the
specific settings or options recommended by the
standard, reference material, or checklist for the
system;
``(B) establish conditions or prerequisites for
Federal agency procurement or deployment of any such
system;
``(C) imply an endorsement of any such system by the
Director of the National Institute of Standards and
Technology; or
``(D) preclude any Federal agency from procuring or
deploying other information technology hardware or
software systems for which no such standard, reference
material, or checklist has been developed or identified
under paragraph (1).''.
SEC. 110. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY CYBERSECURITY
RESEARCH AND DEVELOPMENT.
Section 20 of the National Institute of Standards and Technology Act
(15 U.S.C. 278g-3) is amended by redesignating subsection (e) as
subsection (f), and by inserting after subsection (d) the following:
``(e) Intramural Security Research.--As part of the research
activities conducted in accordance with subsection (d)(3), the
Institute shall--
``(1) conduct a research program to develop a unifying and
standardized identity, privilege, and access control management
framework for the execution of a wide variety of resource
protection policies and that is amenable to implementation
within a wide variety of existing and emerging computing
environments;
``(2) carry out research associated with improving the
security of information systems and networks;
``(3) carry out research associated with improving the
testing, measurement, usability, and assurance of information
systems and networks;
``(4) carry out research associated with improving security
of industrial control systems; and
``(5) carry out research associated with improving the
security and integrity of the information technology supply
chain.''.
SEC. 111. RESEARCH ON THE SCIENCE OF CYBERSECURITY.
The Director of the National Science Foundation and the Director of
the National Institute of Standards and Technology shall, through
existing programs and activities, support research that will lead to
the development of a scientific foundation for the field of
cybersecurity, including research that increases understanding of the
underlying principles of securing complex networked systems, enables
repeatable experimentation, and creates quantifiable security metrics.
TITLE II--ADVANCEMENT OF CYBERSECURITY TECHNICAL STANDARDS
SEC. 201. DEFINITIONS.
In this title:
(1) Director.--The term ``Director'' means the Director of
the National Institute of Standards and Technology.
(2) Institute.--The term ``Institute'' means the National
Institute of Standards and Technology.
SEC. 202. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS.
(a) In General.--The Director, in coordination with appropriate
Federal authorities, shall--
(1) as appropriate, ensure coordination of Federal agencies
engaged in the development of international technical standards
related to information system security; and
(2) not later than 1 year after the date of enactment of this
Act, develop and transmit to the Congress a plan for ensuring
such Federal agency coordination.
(b) Consultation With the Private Sector.--In carrying out the
activities specified in subsection (a)(1), the Director shall ensure
consultation with appropriate private sector stakeholders.
SEC. 203. CLOUD COMPUTING STRATEGY.
(a) In General.--The Director, in collaboration with the Federal CIO
Council, and in consultation with other relevant Federal agencies and
stakeholders from the private sector, shall continue to develop and
encourage the implementation of a comprehensive strategy for the use
and adoption of cloud computing services by the Federal Government.
(b) Activities.--In carrying out the strategy developed under
subsection (a), the Director shall give consideration to activities
that--
(1) accelerate the development, in collaboration with the
private sector, of standards that address interoperability and
portability of cloud computing services;
(2) advance the development of conformance testing performed
by the private sector in support of cloud computing
standardization; and
(3) support, in consultation with the private sector, the
development of appropriate security frameworks and reference
materials, and the identification of best practices, for use by
Federal agencies to address security and privacy requirements
to enable the use and adoption of cloud computing services,
including activities--
(A) to ensure the physical security of cloud
computing data centers and the data stored in such
centers;
(B) to ensure secure access to the data stored in
cloud computing data centers;
(C) to develop security standards as required under
section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-3); and
(D) to support the development of the automation of
continuous monitoring systems.
SEC. 204. PROMOTING CYBERSECURITY AWARENESS AND EDUCATION.
(a) Program.--The Director, in collaboration with relevant Federal
agencies, industry, educational institutions, National Laboratories,
the National Coordination Office of the Networking and Information
Technology Research and Development program, and other organizations,
shall continue to coordinate a cybersecurity awareness and education
program to increase knowledge, skills, and awareness of cybersecurity
risks, consequences, and best practices through--
(1) the widespread dissemination of cybersecurity technical
standards and best practices identified by the Institute;
(2) efforts to make cybersecurity best practices usable by
individuals, small to medium-sized businesses, State, local,
and tribal governments, and educational institutions;
(3) improving the state of cybersecurity education at all
educational levels;
(4) efforts to attract, recruit, and retain qualified
professionals to the Federal cybersecurity workforce; and
(5) improving the skills, training, and professional
development of the Federal cybersecurity workforce.
(b) Strategic Plan.--The Director shall, in cooperation with relevant
Federal agencies and other stakeholders, develop and implement a
strategic plan to guide Federal programs and activities in support of a
comprehensive cybersecurity awareness and education program as
described under subsection (a).
(c) Report to Congress.--Not later than 1 year after the date of
enactment of this Act and every 5 years thereafter, the Director shall
transmit the strategic plan required under subsection (b) to the
Committee on Science, Space, and Technology of the House of
Representatives and the Committee on Commerce, Science, and
Transportation of the Senate.
SEC. 205. IDENTITY MANAGEMENT RESEARCH AND DEVELOPMENT.
The Director shall continue a program to support the development of
technical standards, metrology, testbeds, and conformance criteria,
taking into account appropriate user concerns, to--
(1) improve interoperability among identity management
technologies;
(2) strengthen authentication methods of identity management
systems;
(3) improve privacy protection in identity management
systems, including health information technology systems,
through authentication and security protocols; and
(4) improve the usability of identity management systems.
SEC. 206. AUTHORIZATIONS.
No additional funds are authorized to carry out this Act, and the
amendments made by this Act. This Act, and the amendments made by this
Act, shall be carried out using amounts otherwise authorized or
appropriated.
II. Purpose and Summary
The purpose of H.R. 756 is to improve cybersecurity in the
Federal, private, and public sectors through: coordination and
prioritization of federal cybersecurity research and
development activities; strengthening of the cybersecurity
workforce; coordination of Federal agency engagement in
international cybersecurity technical standards development;
and the reauthorization of cybersecurity related programs at
the National Science Foundation (NSF) and the National
Institute of Standards and Technology (NIST).
III. Background and Need for the Legislation
Information technology (IT) has evolved rapidly over the
last decade, leading to markedly increased connectivity and
productivity. The benefits provided by these advancements have
led to the widespread use and incorporation of information
technologies across major sectors of the economy. This level of
connectivity and the dependence of our critical infrastructures
on IT have also increased the vulnerability of these systems.
Recent reports of cyber criminals and nation-states accessing
sensitive information and disrupting services in both the
public and private domains have risen steadily, heightening
concerns over the adequacy of our cybersecurity measures. GAO
found that the number of incidents reported by federal agencies
has increased 782 percent from 2006 to 2012.\1\ This dramatic
increase is attributed in part to the proliferation and
increased sophistication of hacking and cyber attack
technology.
---------------------------------------------------------------------------
\1\GAO-13-187, Cybersecurity, National Strategy, Roles, and
Responsibilities Need to Be Better Defined and More Effectively
Implemented; http://www.gao.gov/assets/660/652170.pdf, February 2013.
---------------------------------------------------------------------------
According to the Office of Management and Budget, Federal
agencies spent $8.6 billion in fiscal year 2010 on
cybersecurity and the Federal government has spent more than
$600 billion on information technology in the last decade. In
addition, the Federal government funds more than $400 million
in cybersecurity research and development each year.
In January 2008, the Bush Administration established,
through a series of classified executive directives, the
Comprehensive National Cybersecurity Initiative (CNCI). The
Obama Administration has continued this initiative, with the
goal of securing Federal systems and fostering public-private
cooperation.
On May 29, 2009, the Obama Administration released its
Cyberspace Policy Review. The Review recommended an increased
level of interagency cooperation among all departments and
agencies, highlighted the need for information sharing
concerning attacks and vulnerabilities, and highlighted the
need for an exchange of research and security strategies
essential to the efficient and effective defense of Federal
computer systems. Furthermore, it stressed the importance of
advancing cybersecurity research and development, and the need
for the Federal Government to partner with the private sector
to guarantee a secure and reliable infrastructure. The Review
also called for increased public awareness, improved education
and expansion of the number of information technology
professionals.
In June 2009, GAO found that the Federal agencies
responsible for protecting the U.S. information technology (IT)
infrastructure were not satisfying their responsibilities,
leaving the Nation's IT infrastructure vulnerable to attack. In
an effort to strengthen the work of those Federal agencies, the
U.S. House of Representatives passed the Cybersecurity
Enhancement Act of 2010 (H.R. 4061) in the 111th Congress by a
vote of 422-5. H.R. 4061 required increased coordination and
prioritization of Federal cybersecurity research and
development activities, and the development and advancement of
cybersecurity technical standards. It also strengthened
cybersecurity education and talent development and industry
partnership initiatives. Similar legislation (H.R. 2096) was
considered by the House in the 112th Congress and passed by a
vote of 395-10. The Senate did not act on the legislation in
the 111th or 112th Congress.
The task of coordinating unclassified cybersecurity
research and development (R&D) lies with the Networking and
Information Technology Research and Development (NITRD)
program, which was originally authorized in statute by the
High-Performance Computing Act of 1991 (P.L. 102-194). The
NITRD program, which consists of 15 Federal agencies,
coordinates a broad spectrum of R&D activities related to
information technology. It also includes an interagency working
group and program component area focused specifically on
cybersecurity and information R&D. However, many expert panels,
including the President's Council of Advisors on Science and
Technology, have argued that the portfolio of Federal
investments in cybersecurity R&D is not properly balanced and
is focused on short-term reactive technologies at the expense
of long-term, fundamental R&D.
NSF is the principal agency supporting unclassified
cybersecurity R&D and education. NSF's cybersecurity research
activities are primarily funded through the Directorate for
Computer & Information Science & Engineering (CISE), although
the effort is increasingly interdisciplinary. CISE supports
cybersecurity R&D through a targeted program, Secure and
Trustworthy Cyberspace, as well as through a number of its core
activities in Computer Systems Research, Computing Research
Infrastructure, and Network Science and Engineering. In
addition to its basic research activities, NSF's Directorate
for Education & Human Resources (EHR) manages the Scholarship
for Service program which provides funding to colleges and
universities for the award of scholarships in information
assurance and computer security fields.
NIST is tasked with protecting the federal information
technology network by developing and promulgating cybersecurity
standards for Federal non-classified network systems (Federal
Information Processing Standards [FIPS]), identifying methods
for assessing effectiveness of security requirements,
conducting tests to validate security in information systems,
and conducting outreach exercises. NIST's technical standards
and best practices are sometimes too highly technical for
general public use, and making this information more usable to
average computer users with less technical expertise will help
raise the base level of cybersecurity knowledge among
individuals, business, education, and government.
Currently, the United States is represented on
international bodies dealing with cybersecurity by an array of
organizations, including the Department of State, Department of
Commerce, Federal Communications Commission, and the United
States Trade Representative without a coordinated and
comprehensive strategy or plan. The Cyberspace Policy Review
called for a comprehensive international cybersecurity strategy
that defines what cybersecurity standards we need, where they
are being developed, and ensures that the United States federal
government has agency representation for each. Recognizing that
private sector standards development organizations also are
engaged in international standards work, in some scenarios a
nonfederal entity may be best equipped to represent United
States interests, and coordination is necessary.
Experts have also noted that the identification of grand
challenges for cybersecurity R&D could help prioritize
activities across the federal government.
In the 107th Congress, the Science and Technology Committee
developed the Cyber Security Research and Development Act (P.L.
107-305). The bill created new programs and expanded existing
programs at NSF and NIST for computer and network security. The
authorizations established under the Cyber Security Research
and Development Act expired in fiscal year 2007.
IV. Hearing Summary
In the 111th Congress, the House Committee on Science and
Technology held four subcommittee hearings to explore the state
of Federal cybersecurity research and development, education,
and workforce training programs; to review the findings and
recommendations included in the Administration's Cyberspace
Policy Review; to examine ways Federal cybersecurity efforts
could enhance privately-owned critical infrastructure, better
monitor Federal networks, and more clearly define performance
metrics and success criteria; and to review the findings and
recommendations of a report from the Government Accountability
Office (GAO).\2\ Both the review and the report called for an
increase in effective public/private partnerships, and for
clarification of agency roles and responsibilities. As a result
of information gathered from the hearings, H.R. 4061, the
Cybersecurity Enhancement Act, was introduced on a bipartisan
basis on November 7, 2009. The Science and Technology Committee
favorably reported the bill on January 27, 2010, and the House
passed the measure on February 4, 2010 by a vote of 422-5. The
Senate did not act on this measure prior to the adjournment of
the 111th Congress.
---------------------------------------------------------------------------
\2\National Cybersecurity Strategy: Key Improvements Are Needed to
Strengthen the Nation's Posture, Government Accountability Office,
http://www.gao.gov/new.items/d09432t.pdf.
---------------------------------------------------------------------------
In the 112th Congress, the Subcommittee on Technology and
Innovation and the Subcommittee on Research and Science
Education held a joint hearing on May 25, 2011, to examine
Federal agency efforts to improve our national cybersecurity
and prepare the future cybersecurity talent needed for national
security. The hearing included updates from the agencies on how
they are responding to and addressing objectives of the 2009
Cyberspace Policy Review, their efforts to educate and develop
the necessary cybersecurity personnel, and how standards
development is coordinated with other relevant agencies.
In the 113th Congress, the Subcommittee on Technology and
the Subcommittee on Research held a joint hearing on February
26, 2013, to hear from industry and academic stakeholders about
the R&D needs for cybersecurity and to receive comments on H.R.
756, the Cybersecurity Enhancement Act of 2013.
V. Committee Consideration
On February 15, 2013, Representative Mike McCaul (R-TX),
for himself, and Representative Daniel Lipinski (D-IL),
introduced H.R. 756, the Cybersecurity Enhancement Act of 2013,
a bill to advance cybersecurity research, development, and
technical standards, and for other purposes. H.R. 756 was
referred to the Committee on Science, Space, and Technology.
On March 14, 2013, the Committee on Science, Space, and
Technology met in open markup session and ordered H.R. 756
favorably reported to the House, as amended, by voice vote.
VI. Committee Votes
Clause 3(b) of rule XIII of the Rules of the House of
Representatives requires the Committee to list the record votes
on the motion to report legislation and amendments thereto. A
motion to order H.R. 756 favorably reported to the House, as
amended, was agreed to by voice vote.
During Full Committee consideration of H.R. 756, the
following amendments were considered:
VII. Summary of Major Provisions of the Bill
H.R. 756, the Cybersecurity Enhancement Act of 2013,
coordinates research and related activities conducted across
the Federal agencies to better address evolving cyber threats.
By strengthening agency coordination and cooperation on
cybersecurity research and development efforts, the legislation
addresses certain critical aspects of our nation's overall
cybersecurity needs.
In addition to providing coordination of cybersecurity
research across the federal government, the bill strengthens
the efforts of the NSF and the NIST in the areas of
cybersecurity technical standards and cybersecurity awareness,
education, and workforce development.
The bill is identical to legislation in the 112th Congress,
H.R. 2096, which passed the House by a vote of 395-10.
The bill requires that the agencies participating in the
Networking and Information Technology Research and Development
(NITRD) program develop a strategic plan to guide the overall
direction of Federal cybersecurity and information assurance
R&D. It requires the agencies to solicit recommendations and
advice from the advisory committee and a wide range of
stakeholders and that they develop an implementation roadmap
for the strategic plan.
The bill reauthorizes cybersecurity workforce and
traineeship programs at NSF, including through the Advanced
Technological Education program, the Integrative Graduate
Education and Research traineeship program and the Graduate
Research Fellowship program. It also requires the President to
conduct an assessment of cybersecurity workforce needs across
the Federal government and formally codifies the Scholarship
for Service program at NSF.
Additionally, the bill reauthorizes cybersecurity research
at NSF and it requires that the Director of the Office of
Science and Technology Policy convene a university-industry
task force to identify grand challenges and explore mechanisms
for carrying out collaborative R&D.
The bill tasks both NSF and NIST with conducting research
to improve the scientific foundations of cybersecurity.
The bill amends section 8(c) of the Cybersecurity R&D Act
(15 U.S.C. 7406(c)) by requiring the Director of NIST to
develop and revise as necessary, security automation standards,
checklists, configuration profiles, and deployment
recommendations for products and protocols that minimize the
security risks associated with each information technology
hardware or software system used by the Federal government. The
bill also amends section 20 of the NIST Act (15 U.S.C. 278g-3),
by directing NIST to conduct a research program aimed at
creating a standardized identity, privilege, and access control
management framework that can be used to enforce a wide variety
of resource protection policies. The framework should be usable
in a wide variety of existing and emerging computing
environments. The bill also directs NIST to conduct research on
how to improve the security of information systems, networks,
supply chains, and industrial control systems.
The bill directs NIST to coordinate with other Federal
agencies and private sector stakeholders involved in
international cybersecurity technical standards development and
to report to Congress on a plan to conduct this coordination
within one year of enactment.
NIST is also required to deliver a plan to Congress, within
one year of enactment, describing how it will continue to
coordinate a cybersecurity awareness and education program.
NIST is to collaborate with relevant Federal agencies, National
Laboratories, industry and educational institutions in
developing this program. The purpose of the program is to
disseminate cybersecurity best practices and standards and
improve cybersecurity education and federal workforce
recruitment and retention. NIST is also directed to develop a
strategic plan to implement the program.
The bill directs NIST to engage in research and development
programs to improve identity management systems. The programs
have the goals of improving interoperability among identity
management technologies, strengthening authentication methods,
and improving privacy protection.
The bill clarifies that no additional funds are authorized
for programs in the bill.
VIII. Committee Views
Cybersecurity strategic R&D plan and implementation roadmap
The Committee expects the strategic plan to be a useful
guide for setting program priorities and estimating time scales
for reaching program objectives. The strategic plan should not
be limited to time scales of 2-3 years, but should include mid-
term and long-term research objectives based on known research
gaps and an assessment of cybersecurity risks to ensure that
R&D objectives are informed and prioritized by the Nation's
needs. Furthermore, the Committee intends for the development
of the plan to be informed by the research needs of industry
and academia and expects the National Coordination Office to
actively solicit stakeholder input through meetings, requests
for information and other appropriate means.
The Committee believes the development of an implementation
roadmap is essential to the furtherance of cybersecurity and
information assurance R&D. The roadmap should be aligned with
the program's strategic plan and overall objectives, and should
be detailed enough to clearly define the roles and
responsibilities of individual Federal agencies in the
achievement of the overall R&D objectives. While each Federal
agency has its own mission and objectives in the area of
cybersecurity and information assurance, the Committee
considers the development of an implementation roadmap
essential to comprehensively addressing our cybersecurity
challenges.
Cybersecurity education and workforce
Over the next several years, the Bureau of Labor Statistics
estimates that the number of jobs requiring a background in
computer science or mathematics will average approximately
150,000 annually. However, the number of computer science
undergraduate degrees granted dropped 35 percent from 2004 to
2008. Additionally, according to the report entitled, ``Cyber
In-Security: Strengthening the Federal Cybersecurity
Workforce,'' there is a shortfall of between 500 and 1000
cybersecurity professionals each year across the Federal
government. The Committee believes that the required assessment
of Federal cybersecurity workforce needs, necessary skills, and
the capacity of our colleges and universities, including
community colleges, to produce cybersecurity professionals is
an essential first step in ensuring an adequate, well-trained
workforce.
As part of the Workforce Training Assessment, the Committee
expects that any assessment of education and training
activities also include activities considered to be outside the
scope of a classroom such as simulations and competitions. When
promoting cybersecurity awareness and education for the public,
NIST should fully utilize existing resources within the Federal
government, private industry, academia, and independent
organizations to minimize duplicative effort.
Cybersecurity University--Industry task force
In considering options for a collaborative model for
carrying out cybersecurity research and development, it is the
Committee's intention that the objective of such a potential
entity would be to supplement, not supplant, the traditional
functions and activities of the individual participating
entities. Therefore, in developing guidelines in accordance
with subsection (b)(3) of this section, it is the Committee's
expectation that the task force work to identify activities
that (1) would address nationally significant challenges that
advance common objectives; and (2) require collaboration that
could not otherwise be reasonably addressed by individual
entities acting independently.
The Committee recognizes that in order for the United
States to adequately protect itself from cybersecurity threats
a strong partnership between the Federal government and the
private sector must be built and maintained. In particular, the
Committee believes active and lasting engagement between the
federal science agencies, academia, and the private sector will
ensure that cybersecurity research and development, education,
and training activities are relevant not only for the current
cybersecurity landscape, but will ultimately result in a more
secure future environment. The Committee expects that the
university-industry task force will develop a model that will
allow for such long-term collaboration.
NIST's security automation and checklist development and dissemination
The Committee believes that advancements of technology have
presented an opportunity to evolve security checklists into
automated auditing programs capable of verifying information
security policy compliance, as well as the measurement and
management of vulnerabilities. NIST's Security Content
Automation Protocol program is an excellent example of a
public-private partnership developing interoperable security
specifications to automate the assessment, documentation, and
reporting of information security requirements. The Committee
also believes that NIST should be more proactive in
disseminating checklists to other Federal agencies.
International cybersecurity technical standards
The Committee intends for NIST to coordinate Federal agency
engagement in international cybersecurity technical standards
development, in partnership with relevant Federal agencies.
This provision is meant to recognize that coordinating
cybersecurity standards efforts across different Federal
agencies will ensure appropriate governmental representation at
international standard dialogues. Furthermore, in some
instances it may not be appropriate for Federal agencies to be
directly involved in the development of international
cybersecurity technical standards. Therefore, consultation with
private stakeholders is also required to determine the
appropriate level of engagement, if any, by Federal agencies in
specific international cybersecurity technical standards
matters. Given the global nature of networked systems, it is
imperative that the Federal government has a coordinated,
comprehensive strategy to address international cybersecurity
technical standards needs.
Cloud computing strategy
The Committee recognizes the economic potential of the
public and private sector's utilization of cloud computing.
However, stakeholders must be certain their information will be
secure in the cloud. NIST, working in close conjunction with
industry, is well-positioned to provide standards and protocols
to ensure that the cloud is a safe system for the Federal
government to utilize.
IX. Committee Oversight Findings
Pursuant to clause 3(c)(1) of rule XIII of the Rules of the
House of Representatives, the Committee held an oversight
hearing and made findings that are reflected in the descriptive
portions of this report.
X. Statement on General Performance Goals and Objectives
In accordance with clause 3(c)(4) of rule XIII of the Rules
of the House of Representatives, the performance goals and
objectives of the Committee are reflected in the descriptive
portions of this report, including the goal to improve
cybersecurity in the Federal, private, and public sectors and
to protect the Nation's critical infrastructure.
XI. New Budget Authority, Entitlement Authority, and Tax Expenditures
In compliance with clause 3(c)(2) of rule XIII of the Rules
of the House of Representatives, the Committee adopts as its
own the estimate of new budget authority, entitlement
authority, or tax expenditures or revenues contained in the
cost estimate prepared by the Director of the Congressional
Budget Office pursuant to section 402 of the Congressional
Budget Act of 1974.
XII. Advisory on Earmarks
In compliance with clause 9(e), 9(f), and 9(g) of rule XXI,
the Committee finds that H.R. 756, the Cybersecurity
Enhancement Act of 2013, contains no earmarks.
XIII. Committee Cost Estimate
The Committee adopts as its own the cost estimate prepared
by the Director of the Congressional Budget Office pursuant to
section 402 of the Congressional Budget Act of 1974.
XIV. Congressional Budget Office Cost Estimate
Pursuant to clause 3(c)(3) of rule XIII of the Rules of the
House of Representatives, the following is the cost estimate
provided by the Congressional Budget Office pursuant to section
402 of the Congressional Budget Act of 1974.
U.S. Congress,
Congressional Budget Office,
Washington, DC, April 1, 2013.
Hon. Lamar Smith,
Chairman, Committee on Science, Space, and Technology,
House of Representatives, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for H.R. 756, the
Cybersecurity Enhancement Act of 2013.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Martin von
Gnechten.
Sincerely,
Douglas W. Elmendorf.
Enclosure.
H.R. 756--Cybersecurity Enhancement Act of 2013
Summary: H.R. 756 would reauthorize several National
Science Foundation (NSF) programs that aim to enhance
cybersecurity (the protection of computers and computer
networks from unauthorized access). The bill also would require
the National Institute of Standards and Technology (NIST) to
continue a cybersecurity awareness program and to develop
standards for managing personal identifying information stored
on computer systems. Finally, the bill would establish a task
force to recommend actions to the Congress for improving
research and development activities related to cybersecurity.
Based on information from NSF and NIST and assuming
appropriation of the necessary amounts, CBO estimates that
implementing H.R. 756 would cost $504 million over the 2014-
2018 period and $52 million after 2018. Enacting the
legislation would not affect direct spending or revenues;
therefore, pay-as-you-go procedures do not apply.
H.R. 756 contains no intergovernmental or private-sector
mandates as defined in the Unfunded Mandates Reform Act (UMRA)
and would impose no costs on state, local, or tribal
governments.
Estimated cost to the Federal Government: The estimated
budgetary impact of H.R. 756 is shown in the following table.
The costs of this legislation fall within budget function 250
(general science, space, and technology).
----------------------------------------------------------------------------------------------------------------
                                                                 By fiscal year, in millions of dollars--
                                                        -------------------------------------------------------
                                                          2014    2015    2016    2017    2018   2014-2018
----------------------------------------------------------------------------------------------------------------
                             CHANGES IN SPENDING SUBJECT TO APPROPRIATION

NSF Cybersecurity Research Grants:
    Authorization Level.................................   119     119     119       0       0        357
    Estimated Outlays...................................    15      63      94      96      55        324
NSF Cybersecurity Research Centers:
    Authorization Level.................................     5       5       5       0       0         15
    Estimated Outlays...................................     1       3       4       4       2         14
NSF Cybersecurity Capacity Building Grants:
    Authorization Level.................................    25      25      25       0       0         75
    Estimated Outlays...................................     3      13      20      20      12         68
NSF Science and Advanced Technology Grants:
    Authorization Level.................................     4       4       4       0       0         12
    Estimated Outlays...................................     1       2       3       3       2         11
NSF Cybersecurity Graduate Traineeships:
    Authorization Level.................................    32      32      32       0       0         96
    Estimated Outlays...................................     4      17      25      26      15         87
Cybersecurity Task Force:
    Estimated Authorization Level.......................     1       0       0       0       0          1
    Estimated Outlays...................................     1       0       0       0       0          1
Total Changes under H.R. 756:
    Estimated Authorization Level.......................   186     185     185       0       0        556
    Estimated Outlays...................................    25      98     146     150      85        504
----------------------------------------------------------------------------------------------------------------
Notes: NSF = National Science Foundation.
Amounts may not sum to totals because of rounding.
Basis of estimate: For this estimate, CBO assumes that H.R.
756 will be enacted in fiscal year 2013 and that the authorized
and necessary amounts will be appropriated each fiscal year
beginning in 2014. Estimated outlays are based on historical
spending patterns for NSF programs.
H.R. 756 would authorize appropriations for several NSF
grant programs aimed at enhancing cybersecurity. The bill would
authorize appropriations totaling $357 million over the 2014-
2016 period to improve research on cybersecurity. In addition,
H.R. 756 would authorize the appropriation of:
$15 million for grants to establish centers
of cybersecurity research;
$75 million for grants to universities to
improve cybersecurity programs and increase the number
of students in fields related to cybersecurity. This
includes a program to offer scholarships to students
who pursue higher education related to cybersecurity
and commit to public service after graduating;
$12 million for grants to institutions that
grant associate degrees to develop cybersecurity
programs and establish centers of excellence; and
$96 million for grants to higher education
institutions to establish cybersecurity traineeship
programs for graduate students.
H.R. 756 would establish a task force of academic and
industry experts to advise the Office of Science and Technology
Policy on issues related to cybersecurity. Based on information
regarding the cost of similar activities, CBO estimates that
carrying out this provision would cost $1 million in 2014.
H.R. 756 also would direct NIST to establish standards and
protocols to enhance cybersecurity, develop a strategy for the
government to adopt cloud computing services (the use of
servers and network storage to provide remote, on-demand access
to shared computer applications and services), and promote
cybersecurity awareness and education. Based on information
from NIST, CBO estimates that these activities would have no
significant impact on the federal budget because NIST currently
performs similar activities under its existing authority.
Pay-As-You-Go consideration: None.
Intergovernmental and private-sector impact: H.R. 756
contains no intergovernmental or private-sector mandates as
defined in UMRA and would impose no costs on state, local, or
tribal governments. Institutions of higher education, including
those that are publicly owned, may benefit from grants that
help expand the professional development of faculty in
cybersecurity-related courses and curricula.
Estimate prepared by: Federal costs: Martin von Gnechten;
Impact on state, local, and tribal governments: J'nell Blanco;
Impact on the private sector: Amy Petz.
Estimate approved by: Theresa Gullo, Deputy Assistant
Director for Budget Analysis.
XV. Federal Mandates Statement
The Committee adopts as its own the estimate of Federal
mandates prepared by the Director of the Congressional Budget
Office pursuant to section 423 of the Unfunded Mandates Reform
Act.
XVI. Compliance with H. Res. 5
A. Directed Rule Making. The Committee does not believe
that this bill directs any executive branch official to conduct
any specific rule-making proceedings.
B. Duplication of Existing Programs. The Committee is not
aware of another established or authorized program of the
Federal government which duplicates the program in the bill.
H.R. 756 coordinates cyber security programs and eliminates
duplications as recommended by the Government Accountability
Office (GAO) in its report to Congress pursuant to section 21
of Public Law 111-139. Because of the interdisciplinary nature
of NSF, the Catalog of Federal Domestic Assistance identifies
all programs at NSF at the directorate level and views such
programs as related; however, specific activities at NSF, such
as those included in H.R. 756, are not identified in the CFDA.
H.R. 756 directs certain organizational units of NSF listed in
the CFDA to make grants for specific purposes, but does not
create new units or duplicate the activities.
XVII. Federal Advisory Committee Statement
No advisory committees within the meaning of section 5(b)
of the Federal Advisory Committee Act were created by this
legislation.
XVIII. Applicability to Legislative Branch
The Committee finds that the legislation does not relate to
the terms and conditions of employment or access to public
services or accommodations within the meaning of section
102(b)(3) of the Congressional Accountability Act.
XIX. Section-by-Section Analysis
TITLE I--RESEARCH AND DEVELOPMENT
Sec. 101. Definitions
Defines the terms National Coordination Office and Program
in the title.
Sec. 102. Findings
Describes the findings of this title.
Sec. 103. Cybersecurity strategic R&D plan
Requires the agencies to develop, update and implement a
strategic plan for cybersecurity research and development
(R&D). Requires that the strategic plan be based on an
assessment of cybersecurity risk, that it specify and
prioritize near-term, mid-term and long-term research
objectives and that it describe how the near-term objectives
complement R&D occurring in the private sector.
Requires the agencies to solicit input from an advisory
committee and outside stakeholders in the development of the
strategic plan. Additionally, requires the agencies to describe
how they will promote innovation, foster technology transfer,
and maintain a national infrastructure for the development of
secure, reliable, and resilient networking and information
technology systems.
Requires the development of an implementation roadmap that
specifies the role of each agency and the level of funding
needed to meet each of the research objectives outlined in the
strategic plan.
Also requires agencies involved in the strategic plan to
establish a mechanism to track ongoing and completed R&D
projects and make that information available to the public.
Sec. 104. Social and behavioral research in cybersecurity
Adds research on the social and behavioral aspects of
cybersecurity to the list of cybersecurity research areas that
the National Science Foundation may support as part of its
total cybersecurity research portfolio.
Sec. 105. NSF cybersecurity R&D programs
Reauthorizes the cybersecurity research program at the NSF
and includes identity management as one of the research areas
supported.
Reauthorizes programs at NSF that provide funding for
capacity building grants, graduate student fellowships,
graduate student traineeships and research centers in
cybersecurity.
Repeals NSF cybersecurity faculty development traineeship
program.
Sec. 106. Federal cybersecurity scholarship for service program
Authorizes the cybersecurity scholarship for service
program at NSF. The program provides grants to institutions of
higher education for the award of scholarships to students
pursuing undergraduate and graduate degrees in cybersecurity
fields and requires an additional year of service over the
number of years for which the scholarship was received.
The program also provides capacity building grants to
institutions of higher education, supporting such activities as
faculty professional development, the development and
evaluation of cybersecurity-related curricula and courses, and
public-private partnerships.
Sec. 107. Cybersecurity workforce assessment
Requires the President to issue a report assessing the
current and future cybersecurity workforce needs of the federal
government, including a comparison of the skills sought by
Federal agencies and the private sector; an examination of the
supply of cybersecurity talent and the capacity of institutions
of higher education to produce cybersecurity professionals; and
the identification of any barriers to the recruitment and
hiring of cybersecurity professionals.
Sec. 108. Cybersecurity university-industry task force
Establishes a university-industry task force to explore
mechanisms and models for carrying out public-private research
partnerships focused on grand challenges for cybersecurity.
Sec. 109. Cybersecurity checklist and dissemination
Updates NIST's authority for the National Checklist Program
(NCP) which provides detailed guidance on setting the security
configuration of operating systems and applications for the
federal government, and requires NIST to develop automated
security specifications with respect to checklist content.
Sec. 110. NIST cybersecurity R&D
Amends the National Institute of Standards and Technology
Act to codify NIST cybersecurity research and development
activities; NIST is authorized to conduct research on the
development of a unifying and standardized identity, privilege,
and access control management framework and to conduct research
related to improving the security of information and networked
systems, including the security of industrial control systems.
Sec. 111. Research on the science of cybersecurity
Requires NSF and NIST to support research to develop
scientific foundations for cybersecurity leading to better
metrics and definitions.
TITLE II--ADVANCEMENT OF CYBERSECURITY TECHNICAL STANDARDS
Sec. 201. Definitions
Defines the terms Director and Institute in the title.
Sec. 202. International cybersecurity technical standards
Requires NIST to consult with the private sector and others
to develop and implement a plan to ensure a coordinated United
States Government representation in international cybersecurity
technical standards development. This plan is due to Congress
no later than one year after enactment.
Sec. 203. Cloud computing strategy
Directs NIST, in collaboration with Federal agencies and
other stakeholders, to continue to develop and implement a
comprehensive strategy for the use and adoption of cloud
computing services by the Federal government. The strategy
should consider activities that accelerate standards
development, the development of processes to test standards
conformance, and the security of data stored in the cloud.
Sec. 204. Promoting cybersecurity awareness and education
Requires NIST to continue a cybersecurity awareness and
education program and to deliver a strategic plan to Congress
within 1 year describing the implementation of this program.
Requires the program to be aimed at disseminating cybersecurity
best practices and standards and improving cybersecurity
education and federal workforce recruitment and retention.
Sec. 205. Identity management research and development
Requires NIST to continue research and development programs
to improve identity management systems.
Sec. 206. Authorizations
States that no additional funds are authorized for the
activities in the bill.
XX. Changes in Existing Law Made by the Bill, as Reported
In compliance with clause 3(e) of rule XIII of the Rules of
the House of Representatives, changes in existing law made by
the bill, as reported, are shown as follows (existing law
proposed to be omitted is enclosed in black brackets, new
matter is printed in italic, existing law in which no change is
proposed is shown in roman):
CYBER SECURITY RESEARCH AND DEVELOPMENT ACT
* * * * * * *
SEC. 2. FINDINGS.
The Congress finds the following:
[(1) Revolutionary advancements in computing and
communications technology have interconnected
government, commercial, scientific, and educational
infrastructures--including critical infrastructures for
electric power, natural gas and petroleum production
and distribution, telecommunications, transportation,
water supply, banking and finance, and emergency and
government services--in a vast, interdependent physical
and electronic network.]
(1) Advancements in information and communications
technology have resulted in a globally interconnected
network of government, commercial, scientific, and
education infrastructures, including critical
infrastructures for electric power, natural gas and
petroleum production and distribution,
telecommunications, transportation, water supply,
banking and finance, and emergency and government
services.
(2) [Exponential increases in interconnectivity have
facilitated enhanced communications, economic growth,]
These advancements have significantly contributed to
the growth of the United States economy, and the
delivery of services critical to the public welfare,
but have also increased the consequences of temporary
or prolonged failure.
[(3) A Department of Defense Joint Task Force
concluded after a 1997 United States information
warfare exercise that the results ``clearly
demonstrated our lack of preparation for a coordinated
cyber and physical attack on our critical military and
civilian infrastructure''.]
(3) The Cyberspace Policy Review published by the
President in May, 2009, concluded that our information
technology and communications infrastructure is
vulnerable and has ``suffered intrusions that have
allowed criminals to steal hundreds of millions of
dollars and nation-states and other entities to steal
intellectual property and sensitive military
information''.
* * * * * * *
[(6) While African-Americans, Hispanics, and Native
Americans constitute 25 percent of the total United
States workforce and 30 percent of the college-age
population, members of these minorities comprise less
than 7 percent of the United States computer and
information science workforce.]
(6) While African-Americans, Hispanics, and Native
Americans constitute 33 percent of the college-age
population, members of these minorities comprise less
than 20 percent of bachelor degree recipients in the
field of computer sciences.
* * * * * * *
SEC. 4. NATIONAL SCIENCE FOUNDATION RESEARCH.
(a) Computer and Network Security Research Grants.--
(1) In general.--The Director shall award grants for
basic research on innovative approaches to the
structure and usability of computer and network
hardware and software that are aimed at enhancing
computer security. Research areas may include--
(A) authentication, cryptography, identity
management, and other secure data
communications technology;
* * * * * * *
(H) remote access and wireless security;
[and]
(I) enhancement of law enforcement ability to
detect, investigate, and prosecute cyber-
crimes, including those that involve piracy of
intellectual property, crimes against children,
and organized crime[.]; and
(J) social and behavioral factors, including
human-computer interactions, usability, and
user motivations.
* * * * * * *
(3) Authorization of appropriations.--There are
authorized to be appropriated to the National Science
Foundation to carry out this subsection--
[(A) $35,000,000 for fiscal year 2003;
[(B) $40,000,000 for fiscal year 2004;
[(C) $46,000,000 for fiscal year 2005;
[(D) $52,000,000 for fiscal year 2006; and
[(E) $60,000,000 for fiscal year 2007.]
(A) $119,000,000 for fiscal year 2014;
(B) $119,000,000 for fiscal year 2015; and
(C) $119,000,000 for fiscal year 2016.
(b) Computer and Network Security Research Centers.--
(1) * * *
* * * * * * *
(4) Applications.--An institution of higher
education, nonprofit research institution, or consortia
thereof seeking funding under this subsection shall
submit an application to the Director at such time, in
such manner, and containing such information as the
Director may require. The application shall include, at
a minimum, a description of--
(A) * * *
* * * * * * *
(C) how the Center will contribute to
increasing the number and quality of computer
and network security researchers and other
professionals, including individuals from
groups historically underrepresented in these
fields; [and]
(D) how the center will disseminate research
results quickly and widely to improve cyber
security in information technology networks,
products, and services[.]; and
(E) how the center will partner with
government laboratories, for-profit entities,
other institutions of higher education, or
nonprofit research institutions.
* * * * * * *
(7) Authorization of appropriations.--There are
authorized to be appropriated for the National Science
Foundation to carry out this subsection--
[(A) $12,000,000 for fiscal year 2003;
[(B) $24,000,000 for fiscal year 2004;
[(C) $36,000,000 for fiscal year 2005;
[(D) $36,000,000 for fiscal year 2006; and
[(E) $36,000,000 for fiscal year 2007.]
(A) $5,000,000 for fiscal year 2014;
(B) $5,000,000 for fiscal year 2015; and
(C) $5,000,000 for fiscal year 2016.
SEC. 5. NATIONAL SCIENCE FOUNDATION COMPUTER AND NETWORK SECURITY
PROGRAMS.
(a) Computer and Network Security Capacity Building Grants.--
(1) * * *
* * * * * * *
(6) Authorization of appropriations.--There are
authorized to be appropriated to the National Science
Foundation to carry out this subsection--
[(A) $15,000,000 for fiscal year 2003;
[(B) $20,000,000 for fiscal year 2004;
[(C) $20,000,000 for fiscal year 2005;
[(D) $20,000,000 for fiscal year 2006; and
[(E) $20,000,000 for fiscal year 2007.]
(A) $25,000,000 for fiscal year 2014;
(B) $25,000,000 for fiscal year 2015; and
(C) $25,000,000 for fiscal year 2016.
(b) Scientific and Advanced Technology Act of 1992.--
(1) * * *
(2) Authorization of appropriations.--There are
authorized to be appropriated to the National Science
Foundation to carry out this subsection--
[(A) $1,000,000 for fiscal year 2003;
[(B) $1,250,000 for fiscal year 2004;
[(C) $1,250,000 for fiscal year 2005;
[(D) $1,250,000 for fiscal year 2006; and
[(E) $1,250,000 for fiscal year 2007.]
(A) $4,000,000 for fiscal year 2014;
(B) $4,000,000 for fiscal year 2015; and
(C) $4,000,000 for fiscal year 2016.
(c) Graduate Traineeships in Computer and Network Security
Research.--
(1) * * *
* * * * * * *
(7) Authorization of appropriations.--There are
authorized to be appropriated to the National Science
Foundation to carry out this subsection--
[(A) $10,000,000 for fiscal year 2003;
[(B) $20,000,000 for fiscal year 2004;
[(C) $20,000,000 for fiscal year 2005;
[(D) $20,000,000 for fiscal year 2006; and
[(E) $20,000,000 for fiscal year 2007.]
(A) $32,000,000 for fiscal year 2014;
(B) $32,000,000 for fiscal year 2015; and
(C) $32,000,000 for fiscal year 2016.
* * * * * * *
[(e) Cyber Security Faculty Development Traineeship
Program.--
[(1) In general.--The Director shall establish a
program to award grants to institutions of higher
education to establish traineeship programs to enable
graduate students to pursue academic careers in cyber
security upon completion of doctoral degrees.
[(2) Merit review; competition.--Grants shall be
awarded under this section on a merit-reviewed
competitive basis.
[(3) Application.--Each institution of higher
education desiring to receive a grant under this
subsection shall submit an application to the Director
at such time, in such manner, and containing such
information as the Director shall require.
[(4) Use of funds.--Funds received by an institution
of higher education under this paragraph shall--
[(A) be made available to individuals on a
merit-reviewed competitive basis and in
accordance with the requirements established in
paragraph (7);
[(B) be in an amount that is sufficient to
cover annual tuition and fees for doctoral
study at an institution of higher education for
the duration of the graduate traineeship, and
shall include, in addition, an annual living
stipend of $25,000; and
[(C) be provided to individuals for a
duration of no more than 5 years, the specific
duration of each graduate traineeship to be
determined by the institution of higher
education, on a case-by-case basis.
[(5) Repayment.--Each graduate traineeship shall--
[(A) subject to paragraph (5)(B), be subject
to full repayment upon completion of the
doctoral degree according to a repayment
schedule established and administered by the
institution of higher education;
[(B) be forgiven at the rate of 20 percent of
the total amount of the graduate traineeship
assistance received under this section for each
academic year that a recipient is employed as a
full-time faculty member at an institution of
higher education for a period not to exceed 5
years; and
[(C) be monitored by the institution of
higher education receiving a grant under this
subsection to ensure compliance with this
subsection.
[(6) Exceptions.--The Director may provide for the
partial or total waiver or suspension of any service
obligation or payment by an individual under this
section whenever compliance by the individual is
impossible or would involve extreme hardship to the
individual, or if enforcement of such obligation with
respect to the individual would be unconscionable.
[(7) Eligibility.--To be eligible to receive a
graduate traineeship under this section, an individual
shall--
[(A) be a citizen, national, or lawfully
admitted permanent resident alien of the United
States; and
[(B) demonstrate a commitment to a career in
higher education.
[(8) Consideration.--In making selections for
graduate traineeships under this paragraph, an
institution receiving a grant under this subsection
shall consider, to the extent possible, a diverse pool
of applicants whose interests are of an
interdisciplinary nature, encompassing the social
scientific as well as the technical dimensions of cyber
security.
[(9) Authorization of appropriations.--There are
authorized to be appropriated to the National Science
Foundation to carry out this paragraph $5,000,000 for
each of fiscal years 2003 through 2007.]
* * * * * * *
SEC. 8. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY PROGRAMS.
(a) * * *
* * * * * * *
[(c) Checklists for Government Systems.--
[(1) In general.--The Director of the National
Institute of Standards and Technology shall develop,
and revise as necessary, a checklist setting forth
settings and option selections that minimize the
security risks associated with each computer hardware
or software system that is, or is likely to become,
widely used within the Federal Government.
[(2) Priorities for development; excluded systems.--
The Director of the National Institute of Standards and
Technology may establish priorities for the development
of checklists under this paragraph on the basis of the
security risks associated with the use of the system,
the number of agencies that use a particular system,
the usefulness of the checklist to Federal agencies
that are users or potential users of the system, or
such other factors as the Director determines to be
appropriate. The Director of the National Institute of
Standards and Technology may exclude from the
application of paragraph (1) any computer hardware or
software system for which the Director of the National
Institute of Standards and Technology determines that
the development of a checklist is inappropriate because
of the infrequency of use of the system, the
obsolescence of the system, or the inutility or
impracticability of developing a checklist for the
system.
[(3) Dissemination of checklists.--The Director of
the National Institute of Standards and Technology
shall make any checklist developed under this paragraph
for any computer hardware or software system available
to each Federal agency that is a user or potential user
of the system.
[(4) Agency use requirements.--The development of a
checklist under paragraph (1) for a computer hardware
or software system does not--
[(A) require any Federal agency to select the
specific settings or options recommended by the
checklist for the system;
[(B) establish conditions or prerequisites
for Federal agency procurement or deployment of
any such system;
[(C) represent an endorsement of any such
system by the Director of the National
Institute of Standards and Technology; nor
[(D) preclude any Federal agency from
procuring or deploying other computer hardware
or software systems for which no such checklist
has been developed.]
(c) Security Automation and Checklists for Government
Systems.--
(1) In general.--The Director of the National
Institute of Standards and Technology shall develop,
and revise as necessary, security automation standards,
associated reference materials (including protocols),
and checklists providing settings and option selections
that minimize the security risks associated with each
information technology hardware or software system and
security tool that is, or is likely to become, widely
used within the Federal Government in order to enable
standardized and interoperable technologies,
architectures, and frameworks for continuous monitoring
of information security within the Federal Government.
(2) Priorities for development.--The Director of the
National Institute of Standards and Technology shall
establish priorities for the development of standards,
reference materials, and checklists under this
subsection on the basis of--
(A) the security risks associated with the
use of the system;
(B) the number of agencies that use a
particular system or security tool;
(C) the usefulness of the standards,
reference materials, or checklists to Federal
agencies that are users or potential users of
the system;
(D) the effectiveness of the associated
standard, reference material, or checklist in
creating or enabling continuous monitoring of
information security; or
(E) such other factors as the Director of the
National Institute of Standards and Technology
determines to be appropriate.
(3) Excluded systems.--The Director of the National
Institute of Standards and Technology may exclude from
the application of paragraph (1) any information
technology hardware or software system or security tool
for which such Director determines that the development
of a standard, reference material, or checklist is
inappropriate because of the infrequency of use of the
system, the obsolescence of the system, or the
inutility or impracticability of developing a standard,
reference material, or checklist for the system.
(4) Dissemination of standards and related
materials.--The Director of the National Institute of
Standards and Technology shall ensure that Federal
agencies are informed of the availability of any
standard, reference material, checklist, or other item
developed under this subsection.
(5) Agency use requirements.--The development of
standards, reference materials, and checklists under
paragraph (1) for an information technology hardware or
software system or tool does not--
(A) require any Federal agency to select the
specific settings or options recommended by the
standard, reference material, or checklist for
the system;
(B) establish conditions or prerequisites for
Federal agency procurement or deployment of any
such system;
(C) imply an endorsement of any such system
by the Director of the National Institute of
Standards and Technology; or
(D) preclude any Federal agency from
procuring or deploying other information
technology hardware or software systems for
which no such standard, reference material, or
checklist has been developed or identified
under paragraph (1).
* * * * * * *
----------
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY ACT
* * * * * * *
Sec. 20. (a) * * *
* * * * * * *
(e) Intramural Security Research.--As part of the research
activities conducted in accordance with subsection (d)(3), the
Institute shall--
(1) conduct a research program to develop a unifying
and standardized identity, privilege, and access
control management framework for the execution of a
wide variety of resource protection policies and that
is amenable to implementation within a wide variety of
existing and emerging computing environments;
(2) carry out research associated with improving the
security of information systems and networks;
(3) carry out research associated with improving the
testing, measurement, usability, and assurance of
information systems and networks;
(4) carry out research associated with improving
security of industrial control systems; and
(5) carry out research associated with improving the
security and integrity of the information technology
supply chain.
[(e)] (f) As used in this section--
(1) * * *
* * * * * * *
XXI. PROCEEDINGS OF THE FULL COMMITTEE MARKUP ON H.R. 756,
CYBERSECURITY ENHANCEMENT ACT OF 2013
----------
THURSDAY, MARCH 14, 2013
House of Representatives,
Committee on Science, Space, and Technology,
Washington, D.C.
The Committee met, pursuant to call, at 10:01 a.m., in Room
2318 of the Rayburn House Office Building, Hon. Lamar Smith
[Chairman of the Committee] presiding.
Chairman Smith. The Science, Space, and Technology
Committee will come to order. Without objection, the Chair is
authorized to declare recesses of the Committee at any time.
Before we start today, I would like to recognize our Clerk,
Deborah Samantar. After 30 years of service in the House of
Representatives, Deborah will retire at the end of this month.
She has been a valuable member--and she is sitting in front of
us in pink if you needed to be reminded. She has been a
valuable member of the Science Committee staff for many years
and has clerked under three different Science Committee
chairmen beginning with Representative Bart Gordon in 2007.
Deborah started her career in the House working for her home
Representative from Pennsylvania, Congressman Joe Kolter. After
a few years, she became an intern and fellowship coordinator
for the Committee on Education and the Workforce. I think that
was under John Boehner, wasn't it? She held many positions
during her 20 years with the Education and Workforce Committee
and worked under five different chairmen. This is an impressive
record by anyone's standards, and not many people can claim
such an achievement. Deborah's ability to communicate, her
attention to detail and dedication to the Science Committee and
the House of Representatives will be missed. We thank her for
her contributions to this Committee and to our country.
Deborah, we will miss you, and we wish you the best on your
well-deserved retirement.
I will now recognize the Ranking Member, Ms. Johnson, for
her comments.
I am glad this is a bipartisan effort, and look forward to
this bill becoming law.
Ms. Johnson. Thank you very much, Mr. Chairman. I would
like also to wholeheartedly congratulate Deborah for her 30
years of service in the House. I first met her seven years ago
when she became the Clerk of the Committee under Chairman
Gordon. I have always known her to be a consummate professional
and dedicated staff person to the Committee. Thirty years is
quite some time. I would point out that Deborah has been
working in the House longer than both myself or Chairman Smith
have been here, and I hope that in retirement Deborah will be
able to spend more time with her mother in Pennsylvania and
traveling to her favorite vacation spots in the Bahamas. After
30 years of service to the House, I think you deserve a little
fun in the sun. Thank you for all that you have done for the
Committee and for the Nation.
Chairman Smith. Thank you, Ms. Johnson.
We will now move on to the Committee's official business of
the day, and the Clerk, Deborah, will call the roll to
establish a quorum.
The Clerk. Good morning. Thank you all very much.
Chairman Smith?
Chairman Smith. Present.
The Clerk. Chairman Smith is present.
Mr. Sensenbrenner?
Mr. Hall? Mr. Hall?
Mr. Hall. Present.
The Clerk. Mr. Hall is present.
Mr. Rohrabacher?
Mr. Rohrabacher. Present.
The Clerk. Mr. Rohrabacher is present.
Mr. Lucas?
Mr. Neugebauer?
Mr. McCaul?
Mr. McCaul. Present.
The Clerk. Mr. McCaul is present.
Mr. Broun?
Mr. Broun. Here.
The Clerk. Mr. Broun is present.
Mr. Palazzo?
Mr. Brooks?
Mr. Brooks. Here.
The Clerk. Mr. Brooks is present.
Mr. Hultgren?
Mr. Bucshon?
Mr. Bucshon. Here.
The Clerk. Mr. Bucshon is present.
Mr. Stockman?
Mr. Stockman. Here.
The Clerk. Mr. Stockman is present.
Mr. Posey?
Mr. Posey. Present.
The Clerk. Mr. Posey is present.
Ms. Lummis?
Mr. Schweikert?
Mr. Massie?
Mr. Massie. Present.
The Clerk. Mr. Massie is present.
Mr. Cramer?
Mr. Bridenstine?
Mr. Bridenstine. Present.
The Clerk. Mr. Bridenstine is present.
Mr. Weber?
Mr. Stewart?
Ms. Johnson?
Ms. Johnson. Present.
The Clerk. Ms. Johnson is present.
Ms. Lofgren?
Ms. Lofgren. Here.
The Clerk. Ms. Lofgren is present.
Mr. Lipinski?
Mr. Lipinski. Present.
The Clerk. Mr. Lipinski is present.
Ms. Edwards?
Ms. Edwards. Present.
The Clerk. Ms. Edwards is present.
Ms. Wilson?
Ms. Wilson. Present.
The Clerk. Ms. Wilson is present.
Ms. Bonamici?
Ms. Bonamici. Present.
The Clerk. Ms. Bonamici is present.
Mr. Swalwell?
Mr. Swalwell. Present.
The Clerk. Mr. Swalwell is present.
Mr. Maffei?
Mr. Maffei. Here, present.
The Clerk. Mr. Maffei is present.
Mr. Grayson?
Mr. Grayson. Present.
The Clerk. Mr. Grayson is present.
Mr. Kennedy?
Mr. Kennedy. Present.
The Clerk. Mr. Kennedy is present.
Mr. Peters?
Mr. Peters. Here.
The Clerk. Mr. Peters is present.
Mr. Kilmer?
Mr. Kilmer. Present.
The Clerk. Mr. Kilmer is present.
Mr. Bera?
Mr. Bera. Present.
The Clerk. Mr. Bera is present.
Ms. Esty?
Ms. Esty. Present.
The Clerk. Ms. Esty is present.
Mr. Veasey?
Mr. Veasey. Present.
The Clerk. Mr. Veasey is present.
Ms. Brownley?
Ms. Brownley. Present.
The Clerk. Ms. Brownley is present.
Mr. Takano?
Chairman Smith. Are there any other Members who wish to
record their presence? If not, the Clerk will report. The
gentleman from Mississippi is----
The Clerk. Mr. Palazzo?
Mr. Palazzo. Here.
The Clerk. Mr. Palazzo is present.
Mr. Chairman, there are 28 Members present.
Chairman Smith. A working quorum is more than present, and
pursuant to Committee Rule 2(f) and House Rule 11284, the Chair
announces that he may postpone roll call votes on matters in
which the yeas and nays are ordered until the end of the
markup.
Pursuant to notice, I now call up H.R. 756, the
Cybersecurity Enhancement Act of 2013 for markup, and the Clerk
will report the bill.
The Clerk. H.R. 756, a bill to advance cybersecurity
research, development and technical standards, and for other
purposes.
Chairman Smith. Without objection, the bill will be
considered as read.
Chairman Smith. I will recognize myself for an opening
statement and then the Ranking Member.
The first bill for today's markup is H.R. 756, the
Cybersecurity Enhancement Act of 2013. I thank Representatives
McCaul and Lipinski for introducing this bill, and I am pleased
to be a cosponsor.
As our reliance on information technology expands, so do
our vulnerabilities. Cyber attacks against U.S. government and
private sector networks are on the rise. Protecting America's
cyber systems is critical to our economic and national
security. Keeping our cyber infrastructure secure is a
responsibility shared by different federal agencies, including
the National Science Foundation and the National Institute of
Standards and Technology.
The Cybersecurity Enhancement Act coordinates research and
development activities to better address evolving cyber
threats. The legislation promotes much-needed research and
development to help create new technologies and standards that
better protect America's information technology systems.
To improve America's cybersecurity abilities, this bill
strengthens activities in four areas: one, strategic planning
for cybersecurity research and development needs across the
federal government; two, basic research at NSF, which we know
is important to increasing security over the long-term; three,
NSF scholarships to improve the quality of the cybersecurity
workforce; and four, improved research, development and public
outreach organized by NIST related to cybersecurity.
These are modest but important changes that will help us
better protect our cyber networks. Cyber attacks threaten our
national and economic security. To solve this problem, America
needs a solution that involves the cooperation of many public
and private sector entities. This legislation helps foster such
an effort, which will make our computer systems more secure.
Many industry partners and stakeholders have written
letters in support of this bill. They include the U.S. Chamber
of Commerce, National Association of Manufacturers,
TechAmerica, Computing Research Association, Institute of
Electrical and Electronic Engineers-USA, Society for Industrial
and Applied Mathematics; Financial Services Roundtable, and the
U.S. Public Policy Council of the Association for Computing
Machinery.
I am glad this is a bipartisan effort, and look forward to
this bill becoming law.
[The prepared statement of Mr. Smith follows:]
Prepared Statement of Chairman Lamar Smith
The first bill for today's markup is H.R. 756, the ``Cybersecurity
Enhancement Act of 2013.'' I thank Representatives McCaul and Lipinski
for introducing this bill. And I am pleased to be a cosponsor.
As our reliance on information technology expands, so do our
vulnerabilities. Cyber attacks against U.S. government and private
sector networks are on the rise. Protecting America's cyber systems is
critical to our economic and national security.
Keeping our cyber infrastructure secure is a responsibility shared
by different Federal agencies, including the National Science
Foundation (NSF) and the National Institute of Standards and Technology
(NIST).
The ``Cybersecurity Enhancement Act'' coordinates research and
development activities to better address evolving cyber threats. The
legislation promotes much-needed research and development to help
create new technologies and standards that better protect America's
information technology systems.
To improve America's cybersecurity abilities, this bill strengthens
activities in four areas:
(1) strategic planning for cybersecurity research and development
needs across the federal government;
(2) basic research at NSF, which we know is important to
increasing security over the long-term;
(3) NSF scholarships to improve the quality of the cybersecurity
workforce; and
(4) improved research, development and public outreach organized
by NIST related to cybersecurity.
These are modest but important changes that will help us better
protect our cyber networks. Cyber attacks threaten our national and
economic security. To solve this problem, America needs a solution that
involves the cooperation of many public and private sector entities.
This legislation helps foster such an effort, which will make our
computer systems more secure.
Many industry partners and stakeholders have written letters in
support of this bill. They include: The U.S. Chamber of Commerce;
National Association of Manufacturers; TechAmerica; Computing Research
Association; Institute of Electrical and Electronic Engineers-USA;
Society for Industrial and Applied Mathematics; Financial Services
Roundtable; and the U.S. Public Policy Council of the Association for
Computing Machinery.
Chairman Smith. I will yield the remainder of my time to
the gentleman from Texas, Mr. McCaul, the author of the bill
along with Mr. Lipinski.
Mr. McCaul. I thank the Chairman and Ranking Member for
allowing me to proceed with this bill one more time. Mr.
Lipinski, I believe this is the third time we have introduced
this legislation. I hope the third time is the charm.
But I do think it is important, and I appreciate how
seriously the Committee is taking this issue. It is of
paramount importance for our country and our Congress right
now.
Earlier this week, our country's top intelligence official
told a Senate panel that the United States is vulnerable to
espionage, cyber crime and outright destruction of computer
networks both from sophisticated and state-sponsored attacks as
well as criminal hacker groups and cyber terrorists. Many of
these attacks emanate out of China, Russia, and Iran. Yesterday
in the Homeland Security Committee, which I chair, the DHS
Deputy Secretary, Jane Lute, again affirmed the need for
Congress to develop legislation to address this critical issue.
We know that foreign nations are conducting reconnaissance
on our critical infrastructures and utilities including our gas
lines and water systems and energy grids, and if the ability to
send silent attacks through our digital networks falls into our
enemies' hands, this country could be the victim of a
devastating attack.
Last December, Iranians attacked the state-owned Saudi
Aramco with the goal of stopping Saudi Arabia's oil production.
Additionally this year, Iran conducted multiple denial-of-
service attacks on major U.S. banks in the United States.
Hackers have also attacked the servers of our air traffic
control system. And just last year, an al-Qaeda operative
issued a call for an electronic jihad against the United
States, comparing our technological vulnerabilities to that of
our security before 9/11.
Yet while threats are imminent, no major cybersecurity
legislation that would help protect us has been enacted since
2002. Simply put, we are not prepared to meet the threats of
the 21st century. Last month, the President issued an Executive
Order with the intention of bolstering our cyber defenses
because Congress has failed to take action. That is why
Congressman Lipinski and I introduced the Cybersecurity
Enhancement Act of 2013 before this Committee today.
This Act improves coordination in the government, providing
for a strategic plan to assess the cybersecurity risk and guide
the overall direction of federal cyber research and
development. Our federal networks are under cyber attack every
day. This bill updates the National Institute of Standards and
Technology's responsibilities to develop security and
procurement standards for the .gov computer systems to harden
these federal networks against attack. Our bill also
establishes a federal university-private sector task force to
coordinate research and development. It improves the training
of cyber professionals and continues much-needed cybersecurity
research and development programs at the National Science
Foundation and the National Institute of Standards and
Technology.
Additionally, this bill promotes cybersecurity awareness
and education throughout the country, and when you talk to
agencies like the NSA, they tell you that perhaps 80 percent of
this could be prevented by proper computer hygiene.
Through a bipartisan effort, this bill passed last Congress
395 to 10. Most importantly, H.R. 756 is fiscally responsible.
It is not being paid with any new money since it is intended to
work within the boundaries of funds authorized and appropriated
to NSF and NIST. This bill has been endorsed by leading
industry groups including the U.S. Chamber of Commerce and the
Computing Research Association.
We have also been working closely with NSF and NIST to
ensure this bill suits their needs. I am confident this
legislation will advance the work these agencies are doing to
bolster our domestic cybersecurity, and I urge my colleagues to
support the legislation. And with that, Mr. Chairman, I yield
back.
Chairman Smith. Thank you, Mr. McCaul. The gentlewoman from
Texas, Ms. Johnson, the Ranking Member, is recognized for her
opening statement.
Ms. Johnson. Thank you very much, Chairman Smith.
Today we are marking up two bipartisan pieces of
legislation, H.R. 756, the Cybersecurity Enhancement Act of
2013, and H.R. 967, Advancing America's Networking and
Information Technology R&D Act.
Advances in network and information technology, or NIT, are
a key driver of our economy, increasing productivity in
existing industries and opening the door for the formation of
new ones. Small businesses use NIT to connect a wider consumer
base, allowing them to grow. The military uses NIT to improve
intelligence gathering and sharing as well as to support many of
its worldwide operations. NIT is improving health care by
creating better treatment options through electronic health
record keeping, advanced surgical tools, and the facilitation
of medical research. And of course, Internet companies such as
Google and Facebook are now worth billions of dollars and show
how quickly NIT R&D can translate into real-world products.
NIT has truly revolutionized our modern way of life.
However, our growing reliance on NIT to fuel our society leaves
us vulnerable to cyber attacks. As the stakes have grown
higher, individual hackers have given way to organized criminal
groups and even foreign governments. It is not an overstatement
to say that the increasing threat of cyber attack puts both our
NIT-based economy and our national security at risk.
Today we consider bills to address both those good and bad
aspects of our high-tech society's growing reliance on
information technology. The first bill, H.R. 756, addresses the
growing threat of cyber attack. I want to commend Mr. Lipinski
and Mr. McCaul for their longstanding bipartisan leadership on
this critical topic of cybersecurity research and development.
The bill they have reintroduced is identical to the
legislation we moved through this Committee and passed
overwhelmingly on the House Floor last Congress. This
bipartisan bill is overall a very good bill that contributes in
essential ways to any comprehensive effort to keep our Nation,
our businesses and our citizens safe from malicious cyber
attacks.
While H.R. 756 is a good bill, I think it is important that
we consider the fact that the research accounts of both NSF and
NIST would be flat-funded under this proposal and were cut
under sequestration. The Federal Government is already
suffering from a lack of adequately trained cybersecurity
professionals, and the impact of sequestration on these key
agencies will further erode the human capital we need to build
up our cybersecurity capabilities. It will also slow down much-
needed advances in research and development on potentially
game-changing technologies.
Next, we will consider H.R. 967, which is another good
bipartisan bill. It continues to strengthen and build upon the
interagency initiative launched more than 20 years ago with the
High Performance Computing Act of 1991. H.R. 967 is an updated
version of a bipartisan bill that former Chairman Bart Gordon
first introduced and the House passed in 2009. The bill was
developed by Chairman Gordon to ensure that the Federal
Government creates a coherent vision and strategy for federal
investments in NIT R&D including all of the applications made
possible by NIT. The bill also contains provisions that would
help facilitate and strengthen public-private partnerships for
the benefit of our economy, national security and overall
quality of life.
I am proud to work closely with Chairman Hall--I was proud
to work closely with Chairman Hall last year to update that
legislation to appropriately reflect changes both to the NITRD
program and to the network and information technology landscape
since 2009. While it was not possible to get the NITRD
legislation enacted into law in the 112th Congress, I want to
thank Ms. Lummis for reintroducing our bipartisan bill once
again in this new Congress, and I am happy again to be an
original cosponsor for this measure.
With that, I will close by saying that I am looking forward
to a productive markup today, and I yield back.
[The prepared statement of Ms. Johnson follows:]
Prepared Statement of Representative Eddie Bernice Johnson
Thank you Chairman Smith.
Today, we are marking up two bipartisan pieces of legislation:
H.R. 756, the Cybersecurity Enhancement Act of 2013, and
H.R. 967, Advancing America's Networking and Information
Technology R&D Act.
Advances in networking and information technology, or NIT, are a
key driver of our economy, increasing productivity in existing
industries and opening the door for the formation of new ones. Small
businesses use NIT to connect to a wider consumer base, allowing them
to grow. The military uses NIT to improve intelligence gathering and
sharing as well as to support many of its worldwide operations.
NIT is improving health care by creating better treatment options
through electronic health recordkeeping, advanced surgical tools, and
the facilitation of medical research.
And of course, internet companies such as Google and Facebook are
now worth billions of dollars and show how quickly NIT R&D can
translate into real world products. NIT has truly revolutionized our
modern way of life.
However, our growing reliance on NIT to fuel our society leaves us
vulnerable to cyber attacks. As the stakes have grown higher,
individual hackers have given way to organized criminal groups and even
foreign governments.
It is not an overstatement to say that the increasing threat of
cyber attack puts both our NIT-based economy and our national security
at risk.
Today we consider bills to address both the good and bad aspects of
our hi-tech society's growing reliance on information technology.
The first bill, H.R. 756, addresses the growing threat of cyber
attack. I want to commend Mr. Lipinski and Mr. McCaul for their
longstanding, bipartisan leadership on this critical topic of
cybersecurity research and development.
The bill they have reintroduced is identical to legislation we
moved through this Committee and passed overwhelmingly on the House
floor last Congress.
This bipartisan bill is overall a very good bill that contributes
in essential ways to any comprehensive effort to keep our nation, our
businesses, and our citizens safe from malicious cyber attacks.
While H.R. 756 is a good bill, I think it is important that we
consider the fact that the research accounts of both NSF and NIST would
be flat-funded under this proposal, and were cut under sequestration.
The federal government is already suffering from a lack of adequately
trained cybersecurity professionals and the impact of sequestration on
these key agencies will further erode the human capital we need to
build up our cybersecurity capabilities. It will also slow down much
needed advances in research and development on potentially game-
changing technologies.
Next we will consider H.R. 967, which is another good bipartisan
bill. It continues to strengthen and build upon the interagency
initiative launched more than 20 years ago with the High Performance
Computing Act of 1991.
H.R. 967 is an updated version of a bipartisan bill that former
Chairman Bart Gordon first introduced and the House passed in 2009.
The bill was developed by Chairman Gordon to ensure that the
federal government creates a coherent vision and strategy for federal
investments in NIT R&D, including all of the applications made possible
by NIT. The bill also contained provisions that would help facilitate
and strengthen public-private partnerships for the benefit of our
economy, national security, and overall quality of life.
I was proud to work closely with Chairman Hall last year to update
that legislation to appropriately reflect changes both to the NITRD
program and to the networking and information technology landscape
since 2009.
While it was not possible to get the NITRD legislation enacted
into law in the 112th Congress, I want to thank Mrs. Lummis for
reintroducing our bipartisan bill once again in the new Congress, and I'm
happy to again be an original cosponsor of this measure. With that, I
will close by saying that I'm looking forward to a productive markup
today, and I yield back.
Chairman Smith. Thank you, Ms. Johnson.
If there is no further discussion on the bill, I will
recognize myself to offer a Manager's Amendment, and the Clerk
will report the amendment.
The Clerk. Amendment number 009, amendment to H.R. 756,
offered by Mr. Smith of Texas.
[The amendment of Mr. Smith appears in the Appendix]
Chairman Smith. Without objection, the amendment will be
considered as read, and I will recognize myself and then the
Ranking Member.
This Manager's Amendment makes a number of modest changes
to the programs authorized in H.R. 756. First, the amendment
supports coordination of cybersecurity research and
development. It assigns the university-industry task force the
responsibility of identifying and prioritizing grand challenges
for cybersecurity R&D. This will help the public sector become
more aware of long-term industry needs and give more focus to
public-private R&D efforts.
The amendment also requires the cybersecurity R&D agencies
to track ongoing and completed federal cybersecurity R&D
projects and make that information publicly available. For the
last several years, the Government Accountability Office has
recommended this requirement in order to make federal cyber R&D
more transparent and ensure we do not duplicate efforts. The
amendment also improves NIST's Cybersecurity Awareness and
Education program. It directs NIST to include cybersecurity
educational programs and federal workforce professional
development in its activities, and I thank Ranking Member
Johnson for her ideas that were included in this section.
In addition, the amendment helps graduates with the
Scholarship for Service program. It modifies the federal hiring
authority available to these graduates to allow for expedited
hiring and improved retention of these individuals in the
federal workforce.
Finally, the Manager's Amendment updates the authorization
levels provided to the National Science Foundation for
cybersecurity research and education grants. These programs
have not been authorized since 2007. Since that time, the NSF
has increased its activities to address cybersecurity. The
authorizations proposed in this amendment are approximately
equal to what NSF currently spends on these activities and set
that level for the next three years. The amendment also
clarifies that this funding does not increase the total
authorization for NSF research activities. These authorizations
demonstrate strong Congressional support for prioritizing
cybersecurity R&D activities that are important for America's
security and competitiveness. This amendment improves an
already strong bill, and I urge my colleagues to support it,
and the Ranking Member, Ms. Johnson, is recognized for her
comments.
Ms. Johnson. Thank you, Mr. Chairman, and thanks to Mr.
McCaul for working with me to update and improve Section 204 to
better reflect the goals and status of federal cybersecurity
education and dissemination activities. The federal science
agencies support important education and training efforts such
as the Scholarship for Service program at NSF that are helping
to create a cadre of skilled cybersecurity professionals for
both federal workforce needs and critical sectors of our
economy including energy and financial systems. The agencies
also have a role to play in increasing the public's awareness
of risk they may face in their everyday online activities and
to help disseminate best practices for managing these risks.
The language in the Manager's Amendment appropriately
reflects the full scope of these critical activities, and once
again, I thank my colleagues for working with me on this
language.
I do want to take a moment to express one concern that I
have. Almost everyone in this room supports these programs. For
the reasons that I outlined in my opening statement, I strongly
support these programs. I think these programs are absolutely
vital for our Nation's future prosperity, and I think many, if
not most, of my colleagues on both sides of the aisle would
agree with that. But I am very concerned that we are moving
forward on this bill without recognizing the funding situation
facing the agencies we are tasking to address this issue. NSF
and NIST and all the agencies tasked with responsibilities in
this bill were hit with sequester, and those cuts will affect
the ability of these agencies to implement the very
responsibilities we are assigning them in this legislation.
Cybersecurity is a critical issue, and it becomes more
important by the day. Addressing this issue will not be easy
and it will not be cheap, but it is absolutely necessary. We
need to recognize that and work towards finding resources to
fix this problem.
Chairman Smith and Chairman McCaul have both worked with us
in an amicable way on this bill, and I will not offer any
amendments to address this. But I do think we need to
acknowledge that we can't continually tell our agencies to do
important work like this on the one hand and deprive them of
the resources they need to do the job with the other hand.
I yield back. Thank you very much.
Chairman Smith. Thank you, Ms. Johnson.
Is there any further discussion on this amendment?
Mr. Lipinski. Mr. Chairman.
Chairman Smith. The gentleman from Illinois, Mr. Lipinski,
is recognized.
Mr. Lipinski. Thank you, Mr. Chairman. I want to express my
appreciation to you and to Mr. McCaul for your willingness to
work with me on this legislation. I thank Ranking Member
Johnson for working to bring this up. I think this Manager's
Amendment incorporates a lot of feedback from both sides of the
aisle, and I wholeheartedly support the amendment. I think this
is the way that we should be working. I know that the House
passed the legislation twice, once in the Democrat majority
111th Congress and once in the Republican majority 112th
Congress, both times with broad bipartisan support. When we had
a Democratic majority, this was the Lipinski-McCaul bill and it
is now the McCaul-Lipinski bill, and I think that is the way
this incredibly vital issue of cybersecurity should be handled,
and I hope that this continues here today in the markup.
As Mr. McCaul stated, he did a good job of going through
what this bill does. I think we should all take note, and it
certainly bears repeating that the Director of National
Intelligence this week said the danger of cyber attacks and
cyber espionage on crucial infrastructure tops the list of
global threats, and I believe that we face the possibility of a
cyber Pearl Harbor that could destroy America's military and
economic security. I mean, we have already seen the loss of
countless jobs in this country through cyber espionage, and we
have thankfully so far repelled much worse attacks that are
happening every day. So I think it is now more important than
ever that we get this legislation across the finish line and on
to the President's desk.
I just want to echo one of the points that Ranking Member
Johnson mentioned. I would like to see higher authorization
levels and recognition of the consequences if we fail in
protecting our critical infrastructure. I understand what we
have before us now is what we can do today but I think it is
important that we make sure we keep our eyes on that and we do
have enough support given to what is needed to protect our
country.
Of course, cybersecurity research standards and education
are only part of the solution. I look forward to working with
my colleagues to make sure this bill is included in any
comprehensive cybersecurity legislation passed by Congress.
So again, I want to thank Chairman Smith and Chairman
McCaul for working with me on this legislation. I urge the
adoption of the Manager's Amendment and adoption of the bill.
Chairman Smith. Thank you, Mr. Lipinski, and appreciate
your work on this bill, this being the third Congress you have
done so.
Are there any other Members who wish to be recognized? The
gentleman from California, Mr. Swalwell--I am sorry. The
gentleman from New York, Mr. Maffei, then.
Mr. Maffei. Mr. Chairman, shouldn't it be done by
seniority? That is the only question. Okay. All right.
Mr. Chairman, I move to strike the last word. I just--I
totally agree and want to associate myself with the comments of
Mr. Lipinski and the Ranking Member, and I also want to thank
the Chairman, the Chairman Emeritus and Mr. McCaul, the
Chairman of the Subcommittee.
As a new member of this Committee, this is one of the most
important things that we can work on at all, and in both my
Committee work here and on the Armed Services Committee, I will
be trying to do that. There is broad bipartisan support. In
fact, it was in October 2011 that then-presidential candidate
Mitt Romney underlined the importance of cybersecurity when he
made it one of the top eight actions that he would have dealt
with in the first 100 days, and his plan was ``a full
interagency initiative to form a unified national strategy to
deter and defend against the growing threats of these various
cyber attacks.''
Mr. Lipinski mentioned the testimony of the intelligence--
our top intelligence personnel in saying that the cyber attacks
pose a greater risk potential to the United States national
security than al-Qaeda or other militants that we have focused
on since 9/11, and of course, the President made news the other
day when he mentioned that we have seen a steady ramping up of
cybersecurity threats. Some are state sponsored and some are
just sponsored by criminals.
I do also, though, believe that we might be being pennywise
but pound foolish not to invest more in our cybersecurity.
Normally, I would be the first person to say that this needs to
be a very fiscally responsible bill, and of course, I do
support it for being fiscally responsible, but there are some
areas, and this is one of them, this poses extreme threats to
our national security and our economy, and the threat, as
Ranking Member Johnson said, to our future prosperity. So we
should not be pennywise and pound foolish.
That said, I will not offer an amendment today and will
fully support the bill and the Manager's Amendment because the
most important thing is that we do move forward, and I am
hoping that Mr. Swalwell, myself and the other new Members who
certainly support this legislation will work to try to get
through the logjams that you faced in the past couple of
Congresses, because this is just so vital to everything that we
do.
So again, I just want to thank the Chairman and the Ranking
Member for working in a bipartisan way on this. This is the way
we should be doing all these issues, and I appreciate the time.
Chairman Smith. Thank you, Mr. Maffei, and thanks for
reminding us about the President's and Governor Romney's
support for this concept as well.
The gentleman from California, Mr. Rohrabacher, is
recognized.
Mr. Rohrabacher. Mr. Chairman, number one, I want to thank
you for your leadership in this issue as well as the leadership
that has been provided by several of the former chairmen,
Chairman Hall and others in this room that are joining us
today.
I have been trying to figure out what is being said here in
the opening statements because we all seem to agree that this
is vital--this is an issue that is vital to our national
security and we all seem to agree on that, but what we don't
seem to agree on, it seems this is quite often, is whether we
need to--how much money we need to spend or whether we need to
spend more money on it, and it sort of dawned on me that what
we are really talking about now is whether or not we need to
borrow more money from China in order to protect us from China,
because every cent more than we spend now in increasing our
deficit means we are going to have to borrow it from someone
and the people who are out giving us those loans happen to be
the Chinese government.
I would suggest that the threat that is posed to us by
China will not be enhanced by us becoming even more indebted to
China and that we should also, when we are looking at trying to
find solutions, we should go beyond trying to give scholarships
to our people to defend ourselves against the Chinese students
that we are educating in our universities and providing them
insights into our most secret information, which then they go
back to China and utilize to develop these cyber attack
threats. I would think that maybe that plus maybe the fact that
we have permitted tech transfer and trade policies and
investment policies that have built this enemy. So while I am
totally supportive of this bill, I think we should start
thinking about the fundamentals of how we get ourselves out of
a predicament where we are actually in great debt now to a
threat that we have created through our own policies in dealing
with the world's worst human rights abuser, and that is the
government of China.
Thank you very much, Mr. Chairman.
Chairman Smith. Thank you, Mr. Rohrabacher.
The gentlewoman from Maryland, Ms. Edwards, is recognized.
Ms. Edwards. Thank you, Mr. Chairman, and thank you to my
good friends, Mr. McCaul and Mr. Lipinski, for bringing this
forward. I do believe that this is one of the single-most
important things that we will do during this Congress. Although
I support our Ranking Member's concerns about the authorization
levels because I do think that the security threat is just that
great. But nonetheless, I plan to support the bill but I wanted
to take a moment to acknowledge the efforts, Mr. McCaul and Mr.
Lipinski, that you are doing to encourage cybersecurity
education at all levels. It is vitally important that our
universities and community colleges have the resources and
expertise, and it is critical that we engage students at an
earlier age to create the pipeline that we will need to develop
a competent cybersecurity workforce in the decades to come,
particularly as Mr. Rohrabacher has just expressed. The
National Initiative for Cybersecurity Education plays an
instrumental role in this, and I am glad that the Committee
will be supporting NIST in its efforts to coordinate this
cybersecurity education.
I also want to highlight the Maryland Cybersecurity Center,
MC2, for a unique approach to educating the future generation
of cybersecurity workforce to serve industry and government
needs in Maryland and in the Washington metropolitan area. MC2
offers innovative, hands-on educational programs to pre-college
students, undergraduates and graduate students. And I believe
that by targeting as early as middle school and high school and
not just waiting until the university level, that we can
stimulate early interest in the field of cybersecurity and
provide students with a knowledge base in preparation to be
successful in their future post-secondary studies and eventual
career, and I look forward to continuing to work with our
Chairman and our Ranking Member on those issues. Thank you.
Chairman Smith. Thank you, Ms. Edwards.
The gentleman from California, Mr. Swalwell, is recognized.
Mr. Swalwell. Thank you, Mr. Chairman. I appreciate you
holding this markup and I am also pleased that on the agenda of
my first markup as a Member of Congress, as a startup Member of
Congress, is a bill to address the critical issue of
cybersecurity. I am proud and feel fortunate to represent
northern Silicon Valley in California, the heart of innovation,
technology, computers and the Internet for the Nation and the
world.
Needless to say, protecting the integrity of computer
systems and securing the information they contain is absolutely
critical for our area. If we were to sneeze, the rest of the
country could catch a cold. That is why it is so important to
protect the infrastructure in Silicon Valley.
An attack against companies in Silicon Valley will ripple
across the country and the globe. As we know, this threat is
very real. Networks are being attacked constantly by a variety
of different actors and for different reasons. For example,
there is evidence that Iran has targeted our financial
institutions, and China is out to steal one of the best drivers
we have of economic growth, our intellectual property, and I
would dispute that this is just one country acting. I believe
the evidence is clear, there are a number of countries, there
are a number of nation-states and there are a number of
individual criminal organizations from all over the globe who
are seeking to attack our networks.
Yesterday in the other committee on which I sit, the
Committee on Homeland Security, we discussed these and other
issues at a hearing with Department of Homeland Security Deputy
Secretary Janet Lute and other interested stakeholders. DHS
acknowledges the need for federal legislation to enhance
cybersecurity capabilities while still protecting privacy, and
I am looking forward to passing legislation to do that out of
the Homeland Security Committee.
Today, we are considering a piece of the cybersecurity
puzzle, H.R. 756, the Cybersecurity Enhancement Act of 2013.
This bill would help develop our capabilities for cyber defense
by among other elements developing security standards and
improving the collaboration among federal agencies for relevant
research and development. I support this bill, and I encourage
my colleagues to do so as well.
I want to make two quick points. First, Section 107
requires a report from the President relating to the needs of
our federal cybersecurity workforce. Among other items, the
bill requires that the report include an analysis of any
barriers to the Federal Government recruiting and hiring
cybersecurity talent including barriers relating to the
compensation, hiring process, job classification and hiring
flexibilities. I want to be clear that any such discussion
should encompass and explain the effects of the ongoing federal
pay freeze and the sequester. Federal employee pay has been
frozen since 2011, and that freeze is expected to continue this
year.
This sequester, as has been alluded to by the Ranking
Member and others, threatens to hurt our capabilities in
fighting cybersecurity. I believe the problem with the
sequester is that when it is so indiscriminate and across the
board, you target and cut--you do not target but rather you cut
some services that are very critical and in many cases there
are services that should be cut more than what we are cutting
them, for example, agricultural subsidies. If I had to weigh
agricultural subsidies against protecting our cyber networks, I
think it is clear based on what the national security threat is
where we should be putting our money.
Second, I strongly believe that our best solutions come
from collaboration between all interested stakeholders--
government, industry, academia and so on. I ran for Congress
with a deep desire to encourage public-private partnerships and
collaboration, and I hope that we can do that with this bill.
Section 103 requires a plan on how the networking and
information technology research and development programs should
best guide federal cybersecurity research and development. The
plan already must include a variety of items like goals for
federal research and a description of how the program will
establish a research infrastructure. As part of this process,
the agencies involved should also be required to consider and
include in the report how the program will foster the
establishment of public-private partnerships that will result
in research, technologies and applications that will help us
improve our cybersecurity defense. With such an important issue
and in an era of tight budgets, we need to make the best and
most effective use of our taxpayer dollars. This can be
accomplished in part by combining the talents of the private
sector like the many technology companies in my district and
the government.
Mr. Chairman, I hope you and the Ranking Member will
consider adding such a provision to the bill when it passes the
Committee today. I look forward to working with you both on
strengthening this bill before it makes its way to the House
Floor, and thank you again for holding this markup.
Chairman Smith. Thank you, Mr. Swalwell.
Is there any further discussion? The gentleman from
Georgia, Mr. Broun, is recognized.
Mr. Broun. Thank you, Mr. Chairman, and I keep hearing my
Democratic colleagues talking about the sequester and how
devastating it is going to be, and I had a question for any one
of you all, well, actually two questions. Number one is, who
gave us the sequester, and number two is why? Can any of my
colleagues--I will be glad to yield a moment to answer that
question. Ms. Johnson? She is sitting there not paying any
attention. You talked about the sequester. Who gave us that
sequester? I will be glad to----
Ms. Johnson. You were one of them that gave it.
Mr. Broun. No, ma'am, I did not vote for it. The sequester
was given to us by our President, President Obama. He is the
one who suggested it. He is the one who promoted it. And I
keep hearing from my Democratic colleagues blame placed on
the Republican side, but the long and short of it is that we
are spending money that we cannot afford. As Mr. Rohrabacher
said, I keep hearing about wanting to plus up spending on many
areas, and cybersecurity has been a big concern of mine for a
long period of time, both in this Committee as well as in the
Homeland Security Committee, where I serve under the able
Chairmanship of my good friend, Mr. McCaul from Texas. And we
need to be spending money on national defense. I agree with
that. But to continue to harp about the sequester that you
all's President that gave us the----
Ms. Edwards. Will the gentleman yield?
Mr. Broun. Let me finish my point. To continue to hear my
colleagues harp about the sequester when it was proposed by the
President, it was promoted by the President. Nobody in the
press seems to ask the President why he wanted to give us the
sequester, and I think it was all about trying to raise taxes
and it wasn't to solve the economic problems that we face. We
have got to spend money on what is important, and that is
national security and things that the Constitution gives us
authority to spend money on instead of spending money on things
that we shouldn't be.
Cybersecurity is certainly something that we should be
spending money on just because it is a national defense,
national security issue. But I am just getting tired of hearing
colleagues on the other side of the aisle continue to squawk
about the sequester when it was our President, President Obama,
who gave us the sequester and for whatever reason he has
promoted that, for whatever reason that he suggested that, but
it was his suggestion. Congress voted on approving the
sequester. I did not. I voted against it because I thought it
was terrible policy, and we have the sequester, so let us just
put our big boy pants on and go forward and do what we can to
try to keep this country economically safe as well as
militarily safe. Mr. Chairman, I yield back.
Ms. Edwards. Would the gentleman yield?
Mr. Broun. Certainly.
Ms. Edwards. Thank you. I just want to just clarify,
because in the interest of bipartisanship, and I think that the
Chairman has really conducted this Committee and this markup in
that way and I know the gentleman from Georgia, and I know that
he actually did not mean to refer in that kind of disparaging
way to the gentlewoman from Texas, the Ranking Member, and it
would be great if you would on the record, you know, just make
sure that we continue to express our points but not do it in a
way that disparages our Committee leadership, either the
Chairman or the Ranking Member, and I would appreciate it if
you could just put that on the record.
Mr. Broun. Well, I was not disparaging Ms. Johnson by any
means. I asked her a question and she didn't answer it, and I
just was trying to get her to pay attention. I know she was
deep in thought, and if I offended her, I apologize, but the
point is, continuing to harp about a sequester that is in
place, it was given to us by the President, we have got to stop
spending money we don't have, we have got to be financially
responsible as a Congress, and we are not being, and I just
wanted to make my point.
Thank you, Mr. Chairman. I yield back.
Ms. Johnson. Could the gentleman yield?
Chairman Smith. Would the gentleman yield to the Ranking
Member?
Mr. Broun. Certainly. I would be glad to yield.
Ms. Johnson. Thank you, Mr. Chairman. I think that due to a
personal relationship, I just really didn't pay Mr. Broun much
attention. However, regardless of how we got here, we are here
and I think we have to keep it before us. At the same time, I
think that we should put our Nation's security ahead of that
and continue to fund the areas that we need to fund for
security and to make sure that the agencies we are giving this
responsibility to have some way to carry out the
responsibility.
Thank you, and I yield back.
Chairman Smith. Thank you, Mr. Broun. Thank you, Ms.
Johnson.
If there is no further discussion, the vote is on the
Manager's Amendment.
All in favor, say aye.
All opposed, no.
The ayes have it and the Manager's Amendment is agreed to.
We will now go to other amendments, and does the gentleman
from California, Mr. Bera, seek recognition?
Mr. Bera. Mr. Chairman, I have an amendment at the desk.
Chairman Smith. The Clerk will report the amendment.
The Clerk. Amendment number 003, amendment to H.R. 756,
offered by Mr. Bera of California.
[The amendment of Mr. Bera appears in the Appendix]
Chairman Smith. Without objection, the amendment will be
considered as read, and the gentleman from California is
recognized to explain his amendment.
Mr. Bera. My amendment today is simple. It asks that we
maximize the talent of our military veterans to continue to
serve our country by recruiting and prepping veterans for the
cybersecurity workforce.
Our military men and women are heroes at home and abroad,
bravely defending our country overseas and in our backyard. We
trust our veterans with our lives every day, and I applaud and
thank them for their service and duty to America. When they
retire or leave the service, some of our best network
specialists can help us continue to keep our Nation secure. Who
better than these men and women to protect our cyber and
networking infrastructure? By finding ways to recruit and
prepare veterans for the cybersecurity workforce, we can both
protect ourselves and help our returning heroes.
I urge my colleagues to adopt my amendment, which adds
preparing veterans for the cybersecurity workforce to the
Networking and Information Technology Research and Development
program. I yield back my time.
Chairman Smith. Thank you, Mr. Bera. I will recognize
myself in support of the amendment, and thank the gentleman for
his addition to the Strategic Plan for the NITRD program. I do
support this amendment.
Is there anyone else who wants to be recognized?
If not, all in favor of the amendment, say aye.
Opposed, nay.
The ayes have it and the amendment is agreed to.
Does the gentleman from Florida, Mr. Grayson, seek
recognition?
Mr. Grayson. Yes, Mr. Chairman. I have an amendment at the
desk.
Chairman Smith. The Clerk will report the amendment.
The Clerk. Amendment number 057, amendment to H.R. 756,
offered by Mr. Grayson of Florida.
[The amendment of Mr. Grayson appears in the Appendix]
Chairman Smith. Without objection, the amendment will be
considered as read, and the gentleman from Florida, Mr.
Grayson, is recognized to explain his amendment.
Mr. Grayson. Thank you, Mr. Chairman.
This amendment explicitly adds community colleges to the
list of qualified institutions for the cyber scholarship
program. There are two other parts of the bill that explicitly
mention community colleges as part of academia and institutions
of higher education. This is a conforming amendment to make
this other section conform. I yield back.
Chairman Smith. Thank you, Mr. Grayson.
I will recognize myself in support of the amendment, and I
do want to thank the gentleman for the inclusion of community
colleges in the Scholarship for Service program. As I say, I
support the amendment.
Is there anyone else who seeks recognition?
If not, all in favor of the amendment, say aye.
Opposed, nay.
The ayes have it and the amendment is agreed to.
Does the gentleman from Washington, Mr. Kilmer, have an
amendment?
Mr. Kilmer. Yes. Thank you, Mr. Chairman. I have an
amendment at the desk.
Chairman Smith. The Clerk will report the amendment.
The Clerk. Amendment number 002, amendment to H.R. 756,
offered by Mr. Kilmer of Washington.
[The amendment of Mr. Kilmer appears in the Appendix]
Chairman Smith. Without objection, the amendment will be
considered as read, and the gentleman from Washington is
recognized to explain his amendment.
Mr. Kilmer. Thank you, Mr. Chairman.
To recruit and train the next generation of federal and
private sector cybersecurity professionals, we need to leverage
capabilities within higher education and create a pipeline that
will produce the IT workforce that can help and enhance our
Nation's communications and information infrastructure. We need
to ensure that the cybersecurity courses and degree programs
being developed are effective and that they are producing
individuals with the skills necessary for employment as
cybersecurity professionals.
To make sure that this is happening, my amendment calls for
the NSF to support activities that evaluate the effectiveness
of cybersecurity courses and degree programs. Additionally, it
calls on NSF to support the establishment of public-private
partnerships that will allow students to gain critical research
experience on real-world problems as a component of their
degree programs. Collaboration between academia, industry and
our students will help ensure our future workforce has the
qualifications and skills necessary to strengthen America's
national security and economic prosperity. I believe this
amendment would further encourage students to seek a
cybersecurity education and will strengthen the ability of the
institutions to produce highly effective cyber professionals to
join America's future workforce.
Thank you for consideration of this amendment, and I yield
back. Thank you.
Chairman Smith. Thank you, Mr. Kilmer.
I will recognize myself in support of the amendment, and I
thank the gentleman for offering it. It improves the ability of
universities to produce cybersecurity professionals so I think
it is a good amendment. Are there any others who wish to be
recognized?
If not, all in favor of the amendment, say aye.
Opposed, nay.
The ayes have it. The amendment is agreed to.
The gentleman from Florida, Mr. Grayson, is recognized.
Mr. Grayson. Thank you, Mr. Chairman. I have an amendment
at the desk.
Chairman Smith. The Clerk will report the amendment.
The Clerk. Amendment number----
Chairman Smith. Is this amendment number 56 or----
Mr. Grayson. Yeah.
Chairman Smith. --54.
The Clerk. It should be 056.
Chairman Smith. Okay.
The Clerk. Is that correct?
Chairman Smith. Correct.
Mr. Grayson. Yes.
The Clerk. Okay. Amendment 056, amendment to H.R. 756,
offered by Mr. Grayson of Florida.
[The amendment of Mr. Grayson appears in the Appendix]
Chairman Smith. Without objection, the amendment will be
considered as read, and the gentleman is recognized to explain
his amendment.
Mr. Grayson. Mr. Chairman, this amendment like the earlier
amendment is meant to harmonize different sections of the bill.
This amendment clarifies language in the bill to ensure that
the participation of women is encouraged in the Federal Cyber
Scholarship for Service portion of the bill. Women are called
out specifically on page 5 of the bill and on page 20 of the
bill, but not on page 12 of the bill. This corrects that
dilemma. I yield back.
Chairman Smith. Thank you, Mr. Kilmer--I mean Mr. Grayson.
Sorry. I am one behind here.
I recognize myself in support of the amendment. I too would
like to see more women pursue cybersecurity degrees so I
support the gentleman's amendment.
Are there any other Members who wish to be recognized?
If not, all in favor of the amendment, say aye.
Opposed, nay.
The ayes have it and the amendment is agreed to.
Does the gentleman have another amendment?
Mr. Grayson. Yes, Mr. Chairman, I have another amendment at
the desk.
Chairman Smith. The Clerk will report the amendment. And
what number is this, Mr. Grayson?
Mr. Grayson. I believe this is 58 or 54. There appears to
be a discrepancy. On the list of amendments that I see, Mr.
Chairman, I see the next one being 058. That is an amendment--
well, in any event, not the amendment that you and I discussed
but a different one.
Chairman Smith. Okay. The Clerk will report amendment 54.
Is that correct, Mr. Grayson?
Mr. Grayson. If we are talking about amendment 54, Mr.
Chairman, I am going to withdraw that amendment. No, sorry. It
is the other way around. Yes, Mr. Chairman, I have an amendment
at the desk.
Chairman Smith. The Clerk will report the amendment, and it
is number 54.
Mr. Grayson. Thank you. This amendment adds language to
require--sorry.
The Clerk. Amendment number 054, amendment to H.R. 756,
offered by Mr. Grayson of Florida.
[The amendment of Mr. Grayson appears in the Appendix]
Chairman Smith. Without objection, the amendment will be
considered as read, and the gentleman from Florida is
recognized to explain the amendment.
Mr. Grayson. Thank you very much, Mr. Chairman. Sorry for
the confusion on my part.
What this amendment does is to add language to require NIST
to carry out research associated with improving the security
and integrity of the information technology supply chain as
part of its intramural security research program on
cybersecurity.
Just by way of background, former U.S. counterterrorism
Chief Richard Clarke has said that all electronics made in China
may have built-in trapdoors allowing Chinese malware to infect
American systems on demand. The Fukushima experience has
demonstrated to us the fragility of our supply chains, both
technological and otherwise. It is an obvious potential target
for cyber terrorism. Therefore, I respectfully ask that NIST be
engaged in this regard and charged with the responsibility to
carry out research to improve the security and integrity of the
information technology supply chain. I yield back.
Chairman Smith. Thank you, Mr. Grayson.
I will recognize myself in support of the amendment, and I
appreciate the gentleman's addition of supply chain security
and integrity management to NIST research activities.
Is there anyone else who seeks recognition on this
amendment?
If not, all in favor, say aye.
Opposed, nay.
In the opinion of the Chair, the ayes have it and the
amendment is agreed to.
We will now go to the gentlewoman from Florida, Ms. Wilson,
for her amendment.
Ms. Wilson. Mr. Chairman, I have an amendment at the desk.
Chairman Smith. The Clerk will report the amendment.
The Clerk. Amendment number 002, amendment to H.R. 756,
offered by Ms. Wilson of Florida.
[The amendment of Ms. Wilson appears in the Appendix]
Chairman Smith. And without objection, the amendment will
be considered as read, and the gentlewoman from Florida is
recognized to explain her amendment.
Ms. Wilson. Mr. Chairman, this amendment will do exactly
what the bipartisan witnesses at our recent cybersecurity
hearing argued is necessary for our Nation's cyber defense. It
will advance scientific understanding of emerging threats to
ensure that American businesses, government agencies and
citizens can take action for their own protection.
As Dr. Frederick Chang argued before the Subcommittees on
Technology and Research, the discipline of cybersecurity today
is too reactive and after the fact. To detect new attacks and
vulnerabilities and develop solutions to defend against the
identified risk, we need to develop what Dr. Chang and the
other esteemed witness, Ms. Terry Benzel, have termed ``the
science of technology.''
The amendment at the desk calls on the Director of the
National Science Foundation and the Director of the National
Institute of Standards and Technology to support research that
will lead to the development of a scientific foundation for the
field of cybersecurity. This includes research to increase
understanding of the underlying principles of securing complex
network systems, to enable repeatable experimentation and to
create quantifiable security metrics. This research, which will
draw on existing programs and activities, will go a long way
toward developing a science of cybersecurity. This in turn will
do a great deal to keep our businesses profitable and our
citizens safe.
I yield back the balance of my time.
Chairman Smith. Thank you, Ms. Wilson. I will recognize
myself in support of the amendment.
The gentlewoman's amendment supports research at NSF and
NIST that establishes a stronger scientific foundation for
cybersecurity. A firm science and engineering foundation
providing metrics and repeatable testing methods, for example,
will improve confidence in cybersecurity technologies and
promote innovation. I support the amendment and encourage my
colleagues to do the same.
Is there any other member who seeks recognition?
If not, all in favor of the amendment, say aye.
Opposed, nay.
The ayes have it and the amendment is agreed to.
I believe now we will go to our last amendment, and that is
being offered by the gentleman from California, Mr. Peters.
Mr. Peters. Thank you very much, Mr. Chairman. I have an
amendment at the desk.
Chairman Smith. The Clerk will report the amendment.
The Clerk. Amendment number 003, amendment to H.R. 756,
offered by Mr. Peters of California.
Chairman Smith. Without objection, the amendment will be
considered as read, and the gentleman from California is
recognized to explain his amendment.
Mr. Peters. Thank you very much, Mr. Chairman.
The economic and national security of the United States
depend on the reliable functioning of our critical
infrastructure in the face of ever-changing cybersecurity
threats. I am offering an amendment today that takes steps to
protect this infrastructure by creating a critical
infrastructure cybersecurity framework, and I thank the
Chairman for bringing this bill and my colleagues from Texas
and Illinois for leading this legislation.
It is important that we work to enhance the Nation's
cybersecurity and improve our critical infrastructure. If our
communications systems or power grid were to be hijacked and
controlled by an enemy, it would be debilitating to our
national security, our government and the people we serve.
This amendment directs the Director of NIST to collaborate
with the private sector to develop a voluntary framework that
includes standards, guidelines and best practices for reducing
cybersecurity risk to critical infrastructure. The Director
would solicit input from not only the private sector but also
the federal agencies, state, local and tribal governments and
the Director of NIST would publish the framework 18 months
after the enactment of the legislation.
I want to emphasize that this framework is non-binding and
not prescriptive. In fact, it is an opportunity not only to
highlight and learn from the best practices of the private
sector but also for government information to augment the
ability of private sector to defend its own networks.
Cybersecurity and protecting our infrastructure is not a
Democratic or Republican issue, it is a national one, so I am
approaching this need for such a framework with viewpoints from
both sides of the aisle.
In October 2011, the House Republican Cybersecurity Task
Force put forth recommendations, which I have here, one of
which was to create this voluntary critical infrastructure
cybersecurity network framework led by NIST. The President's
recent Executive Order on Cybersecurity also directs the
development of a cybersecurity framework. The framework is
something therefore that both sides agree on and both sides
agree needs to be done, and I want to emphasize that it needs
to be done here in Congress too so that we have oversight
through this committee, particularly through the Oversight
Committee chaired by Mr. Broun from Georgia.
There is an urgency to seek such a framework, to see such a
framework is accomplished, and I agree with the majority task
force that NIST is the ideal federal agency to carry out such
an important task. It is a non-regulatory agency and it is well
respected in the private sector. We can't make progress on
cybersecurity without the vital input of the private sector,
which is integral to our critical infrastructure.
Mr. Chairman, I urge my colleagues to adopt this amendment
to improve our cybersecurity and protect our assets, and I
yield back my remaining time.
Chairman Smith. Thank you, Mr. Peters.
The gentleman from Texas, Mr. McCaul, is recognized in
opposition to the amendment.
Mr. McCaul. Thank you, Mr. Chairman.
While I am sure Mr. Peters' intentions are good, this
amendment directs NIST to seek input from the private sector
when developing the critical infrastructure framework without
ensuring that the director will use this input wisely. This has
been a bipartisan process over the last several Congresses, but
I am concerned this amendment lacks specificity, which is why
the U.S. Chamber of Commerce opposes this amendment, and they
represent the private sector. Inclusion of this amendment would
hurt the progress that has already been made and reduce the
likelihood of finally getting this bill through the Senate and
signed into law by the President. I think the private sector is
dealing with this issue every day and has a great stake in the
development of any guidelines or framework. Its role must be
clearly defined so we do not risk losing the knowledge that
these experts would bring to the table. We are currently
exploring this also in the Homeland Security Committee in terms
of voluntary standards being produced by the private sector
with respect to critical infrastructures, and with that, Mr.
Chairman, I stand in opposition and I yield back.
Chairman Smith. Okay. Thank you, Mr. McCaul.
Are there any other Members who wish to be heard on this
amendment? The gentlewoman from Maryland, Ms. Edwards, is
recognized.
Ms. Edwards. Thank you, Mr. Chairman.
I just want to express my support for the amendment. It
requires NIST to develop, in collaboration with the private
sector, including the owners and operators of our critical
infrastructure, a framework that will promote the adoption of
voluntary standards and best practices to lower cybersecurity
risks across all sectors and industries. The amendment
implements Section 7 of the President's Executive Order on
Cybersecurity. I know there are concerns that have been
expressed that the framework will open the door for regulatory
action by sector-specific agencies but I want to reiterate that
NIST does not intend to do so. Rather, this amendment would
allow NIST to continue promoting the wide adoption of practices
to increase cybersecurity across all sectors and industry
types. The framework will seek to provide owners and operators
a flexible, repeatable and cost-effective risk-based approach
to implementing security practices while allowing organizations
to express requirements to multiple authorities and regulators.
And with that, I yield and express support for the
amendment.
Chairman Smith. Thank you, Ms. Edwards.
Does anyone else seek recognition? The Ranking Member, the
gentlewoman from Texas, Ms. Johnson, is recognized.
Ms. Johnson. Thank you very much, Mr. Chairman, and I want
to thank the gentleman from California for this amendment.
The national and economic security of the United States
depends on a reliably functioning critical infrastructure.
Tasking NIST with accelerating development of voluntary
consensus-based standards through a public-private partnership
is a common sense approach to increasing the security and
reliability of our critical infrastructure. In fact, the
Republican Cybersecurity Task Force Report stated that Congress
should encourage participation in the development of voluntary
cybersecurity standards and guidance through non-regulatory
agencies such as the National Institute of Standards and
Technology to help the private sector improve security.
The common sense amendment implements the task force
recommendation by requiring NIST to establish a public-private
partnership that will bring all of the stakeholders together in
the development of best practices and standards. This amendment
will accelerate the adoption of voluntary cybersecurity
practices, and I urge its adoption.
Chairman Smith. Thank you, Ms. Johnson.
The question is on the Peters--the gentleman from Florida,
Mr. Grayson, is recognized.
Mr. Grayson. Thank you, Mr. Chairman.
I am reading the amendment, and I heard what the gentleman
from Texas said, and I just don't see anything in this
amendment that seems to require anybody to do anything or to
impose any burden on the private sector. I don't mean to impose
on the gentleman from Texas, but if the gentleman would be so
kind, I will yield the time to you. Can you point to anything
in the amendment that actually does what was described?
Mr. McCaul. I believe that--I would be happy to take that.
I believe that it lacks specificity in terms of what
collaboration is supposed to take place, how the Director is to
use this input, and again, I think this poses a problem for the
private sector. They do view this as a slope down the road to
regulatory standards, which is why the U.S. Chamber of Commerce
opposes this amendment.
Having said that, I would be happy to work with the
gentleman, Mr. Peters, on language if he would be willing to
withdraw the amendment.
Mr. Grayson. I yield to Mr. Peters.
Mr. Peters. You know, I had not intended to do that, but I
am going to accept the gentleman's offer in the interest of
bipartisanship. Mr. Chairman, if I might just add----
Chairman Smith. Without objection, the amendment will be
withdrawn. Thank you, Mr. Peters, and I know you and Mr. McCaul
will be able to try to work something out in that regard.
Mr. Grayson. Mr. Chairman, I am so happy that I could bring
the two parties together. It is something I am famous for.
Chairman Smith. Thank you, Mr. Grayson.
Mr. McCaul. That could be a first.
Chairman Smith. But we hope not the last, Mr. Grayson.
Thank you.
Let us see. Are there any other amendments? The gentleman
from California, Mr. Rohrabacher.
Mr. Rohrabacher. I just would like to announce that I will
be offering the following amendment to the Rules Committee to
see if we can offer this on the Floor, mainly because I did not
offer this amendment 24 hours in advance of this hearing, which
I think is par for the course and I would need unanimous
consent, and I doubt if I would get unanimous consent, so I
will be offering this at the Rules Committee, the following
amendment: No money provided by this legislation shall be used
to finance scholarships to be used in education programs that
are open to foreign students who are citizens of a country that
is recognized as a base of cyber attacks on targets within the
United States. That will be an amendment that I will offer to
the Rules Committee for their consideration, and I thank you
very much for allowing me to suggest that today.
Chairman Smith. Thank you, Mr. Rohrabacher.
If there are no further amendments, a reporting quorum
being present, the question is on reporting the bill as amended
favorably to the House.
Those in favor, say aye.
Opposed, no.
The ayes have it, and the bill as amended is ordered
reported favorably.
Without objection, the motion to reconsider is laid on the
table, and we will now go to our second bill of the day--H.R. 967.
Chairman Smith. Pursuant to notice, I now call up H.R.
756--I am sorry--967, the Advancing America's Networking and
Information Technology Research and Development Act of 2013,
and the Clerk will report the bill.
The Clerk. H.R. 967, a bill to amend the High Performance
Computing Act of 1991 to authorize activities for support of
networking and information technology research, and for other
purposes.
Chairman Smith. Without objection, the bill is considered
as read.
Appendix:
----------
H.R. 756, CYBERSECURITY ENHANCEMENT ACT OF 2013,
Section-by-Section Analysis, Amendments,
Amendment Roster
Section-by-Section Analysis of
H.R. 756, CYBERSECURITY ENHANCEMENT ACT OF 2013
TITLE I - RESEARCH AND DEVELOPMENT
SECTION 101. DEFINITIONS
Defines the terms National Coordination Office and Program in the
title.
SECTION 102. FINDINGS
Describes the findings of this title.
SECTION 103. CYBERSECURITY STRATEGIC R&D PLAN
Requires the agencies to develop, update and implement a strategic
plan for cybersecurity research and development (R&D). Requires that
the strategic plan be based on an assessment of cybersecurity risk,
that it specify and prioritize near-term, mid-term and long-term
research objectives and that it describe how the near-term objectives
complement R&D occurring in the private sector.
Requires the agencies to solicit input from an advisory committee
and outside stakeholders in the development of the strategic plan.
Additionally, requires the agencies to describe how they will promote
innovation, foster technology transfer, and maintain a national
infrastructure for the development of secure, reliable, and resilient
networking and information technology systems.
Requires the development of an implementation roadmap that
specifies the role of each agency and the level of funding needed to
meet each of the research objectives outlined in the strategic plan.
SECTION 104. SOCIAL AND BEHAVIORAL RESEARCH IN
CYBERSECURITY
Adds research on the social and behavioral aspects of cybersecurity
to the list of cybersecurity research areas that the National Science
Foundation may support as part of its total cybersecurity research
portfolio.
SECTION 105. NSF CYBERSECURITY R&D PROGRAMS
Reauthorizes the cybersecurity research program at the NSF and
includes identity management as one of the research areas supported.
Reauthorizes programs at NSF that provide funding for capacity
building grants, graduate student fellowships, graduate student
traineeships and research centers in cybersecurity.
Repeals NSF cybersecurity faculty development traineeship program.
SECTION 106. FEDERAL CYBER SCHOLARSHIP FOR
SERVICE PROGRAM
Authorizes the cybersecurity scholarship for service program at
NSF. The program provides grants to institutions of higher education
for the award of scholarships to students pursuing undergraduate and
graduate degrees in cybersecurity fields and requires an additional
year of service over the number of years for which the scholarship was
received.
The program also provides capacity building grants to institutions
of higher education, supporting such activities as faculty professional
development and the development of cybersecurity-related curricula and
courses.
SECTION 107. CYBERSECURITY WORKFORCE ASSESSMENT
Requires the President to issue a report assessing the current and
future cybersecurity workforce needs of the federal government,
including a comparison of the skills sought by Federal agencies and the
private sector; an examination of the supply of cybersecurity talent
and the capacity of institutions of higher education to produce
cybersecurity professionals; and the identification of any barriers to
the recruitment and hiring of cybersecurity professionals.
SECTION 108. CYBERSECURITY UNIVERSITY-INDUSTRY TASK FORCE
Establishes a university-industry task force to explore mechanisms
and models for carrying out public-private research partnerships in the
area of cybersecurity.
SECTION 109. CYBERSECURITY CHECKLIST AND DISSEMINATION
Updates NIST's authority for the National Checklist Program (NCP)
which provides detailed guidance on setting the security configuration
of operating systems and applications for the federal government, and
requires NIST to develop automated security specifications with respect
to checklist content.
SECTION 110. NIST CYBERSECURITY R&D
Amends the National Institute of Standards and Technology Act to
codify NIST cybersecurity research and development activities; NIST is
authorized to conduct research on the development of a unifying and
standardized identity, privilege, and access control management
framework and to conduct research related to improving the security of
information and networked systems, including the security of industrial
control systems.
TITLE II - ADVANCEMENT OF CYBERSECURITY TECHNICAL STANDARDS
SECTION 201. DEFINITIONS
Defines the terms Director and Institute in the title.
SECTION 202. INTERNATIONAL CYBERSECURITY TECHNICAL
STANDARDS
Requires NIST to consult with the private sector and others to
develop and implement a plan to ensure a coordinated United States
Government representation in international cybersecurity technical
standards development. This plan is due to Congress no later than one
year after enactment.
SECTION 203. CLOUD COMPUTING STRATEGY
Directs NIST, in collaboration with Federal agencies and other
stakeholders, to continue to develop and implement a comprehensive
strategy for the use and adoption of cloud computing services by the
Federal government. The strategy should consider activities that
accelerate standards development, the development of processes to test
standards conformance, and the security of data stored in the cloud.
SECTION 204. PROMOTING CYBERSECURITY AWARENESS
AND EDUCATION
Requires NIST to maintain a cybersecurity awareness and education
program and to deliver a strategic plan to Congress within 1 year
describing the implementation of this program. Requires the program to
be aimed at disseminating cybersecurity best practices and standards
and include how NIST will make these usable by individuals, small
business, state and local governments, and educational institutions.
SECTION 205. IDENTITY MANAGEMENT RESEARCH
AND DEVELOPMENT
Requires NIST to continue research and development programs to
improve identity management systems.
SECTION 206.
States that no additional funds are authorized for the NIST
activities in the bill.
Amendments
Amendment Roster