Cybersecurity R&D in review

Now that it’s August and Members of Congress have, for the most part, gone home to their districts or states for some much-needed campaigning (though they may be coming back early), we thought we’d take the opportunity to look at one area of particular interest to the computing research community that has generated much attention this session: cyber security. Recent months have seen a number of well-publicized cyber security proposals emerge, both in Congress and in the Administration: comprehensive bills introduced by Sens. Rockefeller (D-WV) and Snowe (R-ME) and by Sen. Lieberman (I-CT), more focused bills in the House, and a variety of reports and proposals from GAO, the White House and federal agencies. In this post, we’ll try to bring you up to speed on the legislative proposals that affect cyber security research: what’s in them, who’s behind them, and where they’re headed. For a broader look at these bills (i.e., beyond the research provisions), others have done some great analysis. In particular, the folks at USACM and Bruce Schneier have offered some very thoughtful commentary.

In the 111th Congress, a number of bills have been introduced that would affect cyber security research in a meaningful way, including two passed by the House Science and Technology Committee that were ultimately folded into one bill, the “Cyber Security Enhancement Act of 2010”. But three bills, all in play in the Senate, have garnered the most attention and are worth a closer look: a bill introduced by Sen. Lieberman (S. 3480), who chairs the Senate Homeland Security and Governmental Affairs Committee; the Senate version of the America COMPETES Reauthorization (S. 3605), introduced by Sen. Rockefeller, who chairs the Senate Commerce, Science and Transportation Committee; and another, more comprehensive bill introduced by Sen. Rockefeller and Republican Sen. Olympia Snowe (S. 773). Of these, COMPETES would seem the most likely to pass, but with appropriations looking likely to end up in one giant omnibus bill, any of these proposals might sneak to passage tucked in between the pages of a 1,000-plus-page must-pass bill.

The Lieberman bill has gained some notoriety in the popular press because it would grant the President a so-called ‘kill switch’ for the Internet. Besides the power to bring us back to the Stone Age, the bill has a number of provisions that touch computing research. First, it creates a National Center for Cybersecurity (NCC) within the Department of Homeland Security (DHS). It also directs the NCC to develop age-appropriate curricula in cyber safety, security, and ethics for students from kindergarten through university. The NCC would be in charge of all cybersecurity research at DHS, with specific projects in a variety of areas ranging from secure domain name addressing to the protection of privacy and civil liberties in cybersecurity technology. The bill would authorize research at the agency but assigns no specific dollar amounts.

The Lieberman bill seems likely to have a benign impact on computing research. While the bill would consolidate DHS’s cybersecurity research efforts under the NCC, the changes are organizational rather than substantive: both the type of R&D supported by DHS and the amount of money for it will likely remain constant. It is not clear what ‘age-appropriate’ cybersecurity education would look like, nor whether that provision will affect this community at all.

The America COMPETES Reauthorization Act of 2010, introduced by Sen. Rockefeller, is also getting a lot of attention. The bill’s main goal is to reauthorize an increase in funding for three key science agencies (the National Science Foundation, the National Institute of Standards and Technology, and the Department of Energy’s Office of Science) and for programs aimed at increasing U.S. student participation in science and engineering disciplines. For a variety of reasons, the bill’s path to passage has been more than a little rocky. The Senate bill includes some additional language focused on cyber security research at NSF, language that is identical to the research-oriented portions of Rockefeller’s comprehensive cyber security bill, S. 773 (barring the omission of the provisions on federally funded cybersecurity competitions).

Both COMPETES and Rockefeller-Snowe describe the focus areas of future cybersecurity research and the need for secure coding instruction. Universities receiving over one million dollars in grant funding from NSF would be audited, a year after either bill’s enactment, on their secure coding education practices. Each bill calls for ‘cybersecurity testbeds capable of realistic modeling of real-time cyber attacks and defenses’ and appends a sentence to the NITRD Act on developing standards and guidelines for cybersecurity. Both bills also provide specific reauthorizations for cyber security research at NSF over the next five years, including:

- $800 million for NSF Computer and Network Security Grants

- $270 million for Computer and Network Security Centers

- $200 million for Computer and Network Security Capacity Building Grants

- $35 million for Scientific and Advanced Technology Act Grants

- $120 million for Traineeships in Graduate Computer and Network Security Research

There is both “good” and “worrisome” in both bills. On the “good” side, the funding authorizations demonstrate a significant commitment to cyber security research over the next five years. On the “worrisome” side, the secure coding language has raised concerns in the computing research community and is vague enough to be unsettling. The requirement is aimed at programs whose ‘graduates have a substantial probability of developing software after graduation’, but it is not obvious which programs that covers. Does it apply to entire computer science departments? Only to software engineering programs? The proposals also don’t specify any consequences for failing to teach secure coding. All told, the impact of this provision on departments is not clear and will depend largely on how either bill is implemented.

Given that both the Senate and the House have versions of the COMPETES Reauthorization, it’s a good bet that some version of the bill will pass before the end of the session. The House included no specific cyber security language in its version, so it will be up to the Senate conferees to insist on including their cyber security language for it to make it into the final package. We’ll keep you up to date on developments there, and on the rest of the cyber security research scene.