CYBER SECURITY RESEARCH AND DEVELOPMENT ACT AN ACT To authorize funding for computer and network security research and development and research fellowship programs, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. [15 U.S.C. 7401 note] SHORT TITLE. This Act may be cited as the "Cyber Security Research and Development Act". SEC. 2. [15 U.S.C. 7401] FINDINGS. The Congress finds the following: (1) Revolutionary advancements in computing and communications technology have interconnected government, commercial, scientific, and educational infrastructures-including critical infrastructures for electric power, natural gas and petroleum production and distribution, telecommunications, transportation, water supply, banking and finance, and emergency and government services-in a vast, interdependent physical and electronic network. (2) Exponential increases in interconnectivity have facilitated enhanced communications, economic growth, and the delivery of services critical to the public welfare, but have also increased the consequences of temporary or prolonged failure. (3) A Department of Defense Joint Task Force concluded after a 1997 United States information warfare exercise that the results "clearly demonstrated our lack of preparation for a coordinated cyber and physical attack on our critical military and civilian infrastructure". (4) Computer security technology and systems implementation lack (A) sufficient long term research funding; (B) adequate coordination across Federal and State government agencies and among government, academia, and industry; and (C) sufficient numbers of outstanding researchers in the field. (5) Accordingly, Federal investment in computer and network security research and development must be significantly increased to— (A) improve vulnerability assessment and technological and systems solutions; (B) expand and improve the pool of information security professionals, including researchers, in the United States workforce; and (C) better coordinate information sharing and collaboration among industry, government, and academic research projects. (6) While African-Americans, Hispanics, and Native Americans constitute 25 percent of the total United States workforce and 30 percent of the college-age population, members of these minorities comprise less than 7 percent of the United States computer and information science workforce. SEC. 3. [15 U.S.C. 7402] DEFINITIONS. In this Act: (1) DIRECTOR.-The term "Director" means the Director of the National Science Foundation. (2) INSTITUTION OF HIGHER EDUCATION.-The term “institution of higher education" has the meaning given that term in section 101(a) of the Higher Education Act of 1965 (20 U.S.C. 1001(a)). SEC. 4. [15 U.S.C. 7403] NATIONAL SCIENCE FOUNDATION RESEARCH. (a) COMPUTER AND NETWORK SECURITY RESEARCH GRANTS.— (1) IN GENERAL.-The Director shall award grants for basic research on innovative approaches to the structure of computer and network hardware and software that are aimed at enhancing computer security. Research areas may include (A) authentication, cryptography, and other secure data communications technology; (B) computer forensics and intrusion detection; (C) reliability of computer and network applications, middleware, operating systems, control systems, and communications infrastructure; (D) privacy and confidentiality; (E) network security architecture, including tools for security administration and analysis; (F) emerging threats; (G) vulnerability assessments and techniques for quantifying risk; (H) remote access and wireless security; and (I) enhancement of law enforcement ability to detect, investigate, and prosecute cyber-crimes, including those that involve piracy of intellectual property. (2) MERIT REVIEW; COMPETITION. Grants shall be awarded under this section on a merit-reviewed competitive basis. (3) AUTHORIZATION OF APPROPRIATIONS.-There are authorized to be appropriated to the National Science Foundation to carry out this subsection (A) $35,000,000 for fiscal year 2003; (D) $52,000,000 for fiscal year 2006; and (b) COMPUTER AND NETWORK SECURITY RESEARCH CENTERS.- tions of higher education, nonprofit research institutions, or consortia thereof to establish multidisciplinary Centers for Computer and Network Security Research. Institutions of higher education, nonprofit research institutions, or consortia thereof receiving such grants may partner with 1 or more government laboratories or for-profit institutions, or other institutions of higher education or nonprofit research institutions. (2) MERIT REVIEW; COMPETITION.-Grants shall be awarded under this subsection on a merit-reviewed competitive basis. (3) PURPOSE. The purpose of the Centers shall be to generate innovative approaches to computer and network security by conducting cutting-edge, multidisciplinary research in computer and network security, including the research areas described in subsection (a)(1). (4) APPLICATIONS.-An institution of higher education, nonprofit research institution, or consortia thereof seeking funding under this subsection shall submit an application to the Director at such time, in such manner, and containing such information as the Director may require. The application shall include, at a minimum, a description of— (A) the research projects that will be undertaken by the Center and the contributions of each of the participating entities; (B) how the Center will promote active collaboration among scientists and engineers from different disciplines, such as computer scientists, engineers, mathematicians, and social science researchers; (C) how the Center will contribute to increasing the number and quality of computer and network security researchers and other professionals, including individuals from groups historically underrepresented in these fields; and (D) how the center will disseminate research results quickly and widely to improve cyber security in information technology networks, products, and services. (5) CRITERIA. In evaluating the applications submitted under paragraph (4), the Director shall consider, at a minimum (A) the ability of the applicant to generate innovative approaches to computer and network security and effectively carry out the research program; (B) the experience of the applicant in conducting research on computer and network security and the capacity of the applicant to foster new multidisciplinary collaborations; (C) the capacity of the applicant to attract and provide adequate support for a diverse group of undergraduate and graduate students and postdoctoral fellows to pursue computer and network security research; and (D) the extent to which the applicant will partner with government laboratories, for-profit entities, other institutions of higher education, or nonprofit research institutions, and the role the partners will play in the research undertaken by the Center. (6) ANNUAL MEETING.-The Director shall convene an annual meeting of the Centers in order to foster collaboration and communication between Center participants. (7) AUTHORIZATION OF APPROPRIATIONS.-There are authorized to be appropriated for the National Science Foundation to carry out this subsection— (A) $12,000,000 for fiscal year 2003; (D) $36,000,000 for fiscal year 2006; and SEC. 5. [15 U.S.C. 7404] NATIONAL SCIENCE FOUNDATION COMPUTER (a) COMPUTER AND NETWORK SECURITY CAPACITY BUILDING GRANTS. (1) IN GENERAL.-The Director shall establish a program to award grants to institutions of higher education (or consortia thereof) to establish or improve undergraduate and master's degree programs in computer and network security, to increase the number of students, including the number of students from groups historically underrepresented in these fields, who pursue undergraduate or master's degrees in fields related to computer and network security, and to provide students with experience in government or industry related to their computer and network security studies. (2) MERIT REVIEW.-Grants shall be awarded under this subsection on a merit-reviewed competitive basis. (3) USE OF FUNDS.-Grants awarded under this subsection shall be used for activities that enhance the ability of an institution of higher education (or consortium thereof) to provide high-quality undergraduate and master's degree programs in computer and network security and to recruit and retain increased numbers of students to such programs. Activities may include (A) revising curriculum to better prepare undergraduate and master's degree students for careers in computer and network security; (B) establishing degree and certificate programs in computer and network security; (C) creating opportunities for undergraduate students to participate in computer and network security research projects; (D) acquiring equipment necessary for student instruction in computer and network security, including the installation of testbed networks for student use; (E) providing opportunities for faculty to work with local or Federal Government agencies, private industry, nonprofit research institutions, or other academic institutions to develop new expertise or to formulate new research directions in computer and network security; (F) establishing collaborations with other academic institutions or academic departments that seek to establish, expand, or enhance programs in computer and network security; (G) establishing student internships in computer and network security at government agencies or in private industry; (H) establishing collaborations with other academic institutions to establish or enhance a web-based collection of computer and network security courseware and laboratory exercises for sharing with other institutions of higher education, including community colleges; (I) establishing or enhancing bridge programs in computer and network security between community colleges and universities; and (J) any other activities the Director determines will accomplish the goals of this subsection. (4) SELECTION PROCESS. (A) APPLICATION.-An institution of higher education (or a consortium thereof) seeking funding under this subsection shall submit an application to the Director at such time, in such manner, and containing such information as the Director may require. The application shall include, at a minimum— (i) a description of the applicant's computer and network security research and instructional capacity, and in the case of an application from a consortium of institutions of higher education, a description of the role that each member will play in implementing the proposal; (ii) a comprehensive plan by which the institution or consortium will build instructional capacity in computer and information security; (iii) a description of relevant collaborations with government agencies or private industry that inform the instructional program in computer and network security; (iv) a survey of the applicant's historic student enrollment and placement data in fields related to computer and network security and a study of potential enrollment and placement for students enrolled in the proposed computer and network security program; and (v) a plan to evaluate the success of the proposed computer and network security program, including post-graduation assessment of graduate school and job placement and retention rates as well as the relevance of the instructional program to graduate study and to the workplace. (B) AWARDS.—(i) The Director shall ensure, to the extent practicable, that grants are awarded under this subsection in a wide range of geographic areas and categories of institutions of higher education, including minority serving institutions. (ii) The Director shall award grants under this subsection for a period not to exceed 5 years. (5) ASSESSMENT REQUIRED.-The Director shall evaluate the program established under this subsection no later than 6 years after the establishment of the program. At a minimum, the Director shall evaluate the extent to which the program |