[Congressional Record: November 12, 2002 (House)]
[Page H8067-H8079]
From the Congressional Record Online via GPO Access [wais.access.gpo.gov]
[DOCID:cr12no02-63]
CYBER SECURITY RESEARCH AND DEVELOPMENT ACT
Mr. BOEHLERT. Mr. Speaker, I move to suspend the rules and concur in
the Senate amendment to the bill (H.R. 3394) an Act to authorize
funding for computer and network security research and development and
research fellowship programs, and for other purposes.
The Clerk read as follows:
Senate amendment:
Strike out all after the enacting clause and insert:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Cyber Security Research and
Development Act''.
SEC. 2. FINDINGS.
The Congress finds the following:
(1) Revolutionary advancements in computing and
communications technology have interconnected government,
commercial, scientific, and educational infrastructures--
including critical infrastructures for electric power,
natural gas and petroleum production and distribution,
telecommunications, transportation, water supply, banking and
finance, and emergency and government services--in a vast,
interdependent physical and electronic network.
(2) Exponential increases in interconnectivity have
facilitated enhanced communications, economic growth, and the
delivery of services critical to the public welfare, but have
also increased the consequences of temporary or prolonged
failure.
(3) A Department of Defense Joint Task Force concluded
after a 1997 United States information warfare exercise that
the results ``clearly demonstrated our lack of preparation
for a coordinated cyber and physical attack on our critical
military and civilian infrastructure''.
(4) Computer security technology and systems implementation
lack--
(A) sufficient long term research funding;
(B) adequate coordination across Federal and State
government agencies and among government, academia, and
industry; and
(C) sufficient numbers of outstanding researchers in the
field.
(5) Accordingly, Federal investment in computer and network
security research and development must be significantly
increased to--
(A) improve vulnerability assessment and technological and
systems solutions;
(B) expand and improve the pool of information security
professionals, including researchers, in the United States
workforce; and
(C) better coordinate information sharing and collaboration
among industry, government, and academic research projects.
(6) While African-Americans, Hispanics, and Native
Americans constitute 25 percent of the total United States
workforce and 30 percent of the college-age population,
members of these minorities comprise less than 7 percent of
the United States computer and information science workforce.
SEC. 3. DEFINITIONS.
In this Act:
(1) Director.--The term ``Director'' means the Director of
the National Science Foundation.
(2) Institution of higher education.--The term
``institution of higher education'' has the meaning given
that term in section 101(a) of the Higher Education Act of
1965 (20 U.S.C. 1001(a)).
SEC. 4. NATIONAL SCIENCE FOUNDATION RESEARCH.
(a) Computer and Network Security Research Grants.--
(1) In general.--The Director shall award grants for basic
research on innovative approaches to the structure of
computer and network hardware and software that are aimed at
enhancing computer security. Research areas may include--
(A) authentication, cryptography, and other secure data
communications technology;
(B) computer forensics and intrusion detection;
(C) reliability of computer and network applications,
middleware, operating systems, control systems, and
communications infrastructure;
(D) privacy and confidentiality;
(E) network security architecture, including tools for
security administration and analysis;
(F) emerging threats;
(G) vulnerability assessments and techniques for
quantifying risk;
(H) remote access and wireless security; and
(I) enhancement of law enforcement ability to detect,
investigate, and prosecute cyber-crimes, including those that
involve piracy of intellectual property.
(2) Merit review; competition.--Grants shall be awarded
under this section on a merit-reviewed competitive basis.
(3) Authorization of appropriations.--There are authorized
to be appropriated to the National Science Foundation to
carry out this subsection--
(A) $35,000,000 for fiscal year 2003;
(B) $40,000,000 for fiscal year 2004;
(C) $46,000,000 for fiscal year 2005;
(D) $52,000,000 for fiscal year 2006; and
(E) $60,000,000 for fiscal year 2007.
(b) Computer and Network Security Research Centers.--
(1) In general.--The Director shall award multiyear grants,
subject to the availability of appropriations, to
institutions of higher education, nonprofit research
institutions, or consortia thereof to establish
multidisciplinary Centers for Computer and Network Security
Research. Institutions of higher education, nonprofit
research institutions, or consortia thereof receiving such
grants may partner with 1 or more government laboratories or
for-profit institutions, or other institutions of higher
education or nonprofit research institutions.
(2) Merit review; competition.--Grants shall be awarded
under this subsection on a merit-reviewed competitive basis.
(3) Purpose.--The purpose of the Centers shall be to
generate innovative approaches to computer and network
security by conducting cutting-edge, multidisciplinary
research in computer and network security, including the
research areas described in subsection (a)(1).
(4) Applications.--An institution of higher education,
nonprofit research institution, or consortia thereof seeking
funding under this subsection shall submit an application to
the Director at such time, in such manner, and containing
such information as the Director may require. The application
shall include, at a minimum, a description of--
(A) the research projects that will be undertaken by the
Center and the contributions of each of the participating
entities;
(B) how the Center will promote active collaboration among
scientists and engineers from different disciplines, such as
computer scientists, engineers, mathematicians, and social
science researchers;
(C) how the Center will contribute to increasing the number
and quality of computer and network security researchers and
other professionals, including individuals from groups
historically underrepresented in these fields; and
(D) how the center will disseminate research results
quickly and widely to improve cyber security in information
technology networks, products, and services.
(5) Criteria.--In evaluating the applications submitted
under paragraph (4), the Director shall consider, at a
minimum--
(A) the ability of the applicant to generate innovative
approaches to computer and network security and effectively
carry out the research program;
(B) the experience of the applicant in conducting research
on computer and network security and the capacity of the
applicant to foster new multidisciplinary collaborations;
(C) the capacity of the applicant to attract and provide
adequate support for a diverse group of undergraduate and
graduate students and postdoctoral fellows to pursue computer
and network security research; and
(D) the extent to which the applicant will partner with
government laboratories, for-profit entities, other
institutions of higher education, or nonprofit research
institutions, and the role the partners will play in the
research undertaken by the Center.
(6) Annual meeting.--The Director shall convene an annual
meeting of the Centers in order to foster collaboration and
communication between Center participants.
(7) Authorization of appropriations.--There are authorized
to be appropriated for the National Science Foundation to
carry out this subsection--
(A) $12,000,000 for fiscal year 2003;
(B) $24,000,000 for fiscal year 2004;
(C) $36,000,000 for fiscal year 2005;
(D) $36,000,000 for fiscal year 2006; and
(E) $36,000,000 for fiscal year 2007.
SEC. 5. NATIONAL SCIENCE FOUNDATION COMPUTER AND NETWORK
SECURITY PROGRAMS.
(a) Computer and Network Security Capacity Building
Grants.--
(1) In general.--The Director shall establish a program to
award grants to institutions of higher education (or
consortia thereof) to establish or improve undergraduate and
master's degree programs in computer and network security, to
increase the number of students, including the number of
students from groups historically underrepresented in these
fields, who pursue undergraduate or master's degrees in
fields
[[Page H8068]]
related to computer and network security, and to provide
students with experience in government or industry related to
their computer and network security studies.
(2) Merit review.--Grants shall be awarded under this
subsection on a merit-reviewed competitive basis.
(3) Use of funds.--Grants awarded under this subsection
shall be used for activities that enhance the ability of an
institution of higher education (or consortium thereof) to
provide high-quality undergraduate and master's degree
programs in computer and network security and to recruit and
retain increased numbers of students to such programs.
Activities may include--
(A) revising curriculum to better prepare undergraduate and
master's degree students for careers in computer and network
security;
(B) establishing degree and certificate programs in
computer and network security;
(C) creating opportunities for undergraduate students to
participate in computer and network security research
projects;
(D) acquiring equipment necessary for student instruction
in computer and network security, including the installation
of testbed networks for student use;
(E) providing opportunities for faculty to work with local
or Federal Government agencies, private industry, nonprofit
research institutions, or other academic institutions to
develop new expertise or to formulate new research directions
in computer and network security;
(F) establishing collaborations with other academic
institutions or academic departments that seek to establish,
expand, or enhance programs in computer and network security;
(G) establishing student internships in computer and
network security at government agencies or in private
industry;
(H) establishing collaborations with other academic
institutions to establish or enhance a web-based collection
of computer and network security courseware and laboratory
exercises for sharing with other institutions of higher
education, including community colleges;
(I) establishing or enhancing bridge programs in computer
and network security between community colleges and
universities; and
(J) any other activities the Director determines will
accomplish the goals of this subsection.
(4) Selection process.--
(A) Application.--An institution of higher education (or a
consortium thereof) seeking funding under this subsection
shall submit an application to the Director at such time, in
such manner, and containing such information as the Director
may require. The application shall include, at a minimum--
(i) a description of the applicant's computer and network
security research and instructional capacity, and in the case
of an application from a consortium of institutions of higher
education, a description of the role that each member will
play in implementing the proposal;
(ii) a comprehensive plan by which the institution or
consortium will build instructional capacity in computer and
information security;
(iii) a description of relevant collaborations with
government agencies or private industry that inform the
instructional program in computer and network security;
(iv) a survey of the applicant's historic student
enrollment and placement data in fields related to computer
and network security and a study of potential enrollment and
placement for students enrolled in the proposed computer and
network security program; and
(v) a plan to evaluate the success of the proposed computer
and network security program, including post-graduation
assessment of graduate school and job placement and retention
rates as well as the relevance of the instructional program
to graduate study and to the workplace.
(B) Awards.--(i) The Director shall ensure, to the extent
practicable, that grants are awarded under this subsection in
a wide range of geographic areas and categories of
institutions of higher education, including minority serving
institutions.
(ii) The Director shall award grants under this subsection
for a period not to exceed 5 years.
(5) Assessment required.--The Director shall evaluate the
program established under this subsection no later than 6
years after the establishment of the program. At a minimum,
the Director shall evaluate the extent to which the program
achieved its objectives of increasing the quality and
quantity of students, including students from groups
historically underrepresented in computer and network
security related disciplines, pursuing undergraduate or
master's degrees in computer and network security.
(6) Authorization of appropriations.--There are authorized
to be appropriated to the National Science Foundation to
carry out this subsection--
(A) $15,000,000 for fiscal year 2003;
(B) $20,000,000 for fiscal year 2004;
(C) $20,000,000 for fiscal year 2005;
(D) $20,000,000 for fiscal year 2006; and
(E) $20,000,000 for fiscal year 2007.
(b) Scientific and Advanced Technology Act of 1992.--
(1) Grants.--The Director shall provide grants under the
Scientific and Advanced Technology Act of 1992 (42 U.S.C.
1862i) for the purposes of section 3(a) and (b) of that Act,
except that the activities supported pursuant to this
subsection shall be limited to improving education in fields
related to computer and network security.
(2) Authorization of appropriations.--There are authorized
to be appropriated to the National Science Foundation to
carry out this subsection--
(A) $1,000,000 for fiscal year 2003;
(B) $1,250,000 for fiscal year 2004;
(C) $1,250,000 for fiscal year 2005;
(D) $1,250,000 for fiscal year 2006; and
(E) $1,250,000 for fiscal year 2007.
(c) Graduate Traineeships in Computer and Network Security
Research.--
(1) In general.--The Director shall establish a program to
award grants to institutions of higher education to establish
traineeship programs for graduate students who pursue
computer and network security research leading to a doctorate
degree by providing funding and other assistance, and by
providing graduate students with research experience in
government or industry related to the students' computer and
network security studies.
(2) Merit review.--Grants shall be provided under this
subsection on a merit-reviewed competitive basis.
(3) Use of funds.--An institution of higher education shall
use grant funds for the purposes of--
(A) providing traineeships to students who are citizens,
nationals, or lawfully admitted permanent resident aliens of
the United States and are pursuing research in computer or
network security leading to a doctorate degree;
(B) paying tuition and fees for students receiving
traineeships under subparagraph (A);
(C) establishing scientific internship programs for
students receiving traineeships under subparagraph (A) in
computer and network security at for-profit institutions,
nonprofit research institutions, or government laboratories;
and
(D) other costs associated with the administration of the
program.
(4) Traineeship amount.--Traineeships provided under
paragraph (3)(A) shall be in the amount of $25,000 per year,
or the level of the National Science Foundation Graduate
Research Fellowships, whichever is greater, for up to 3
years.
(5) Selection process.--An institution of higher education
seeking funding under this subsection shall submit an
application to the Director at such time, in such manner, and
containing such information as the Director may require. The
application shall include, at a minimum, a description of--
(A) the instructional program and research opportunities in
computer and network security available to graduate students
at the applicant's institution; and
(B) the internship program to be established, including the
opportunities that will be made available to students for
internships at for-profit institutions, nonprofit research
institutions, and government laboratories.
(6) Review of applications.--In evaluating the applications
submitted under paragraph (5), the Director shall consider--
(A) the ability of the applicant to effectively carry out
the proposed program;
(B) the quality of the applicant's existing research and
education programs;
(C) the likelihood that the program will recruit increased
numbers of students, including students from groups
historically underrepresented in computer and network
security related disciplines, to pursue and earn doctorate
degrees in computer and network security;
(D) the nature and quality of the internship program
established through collaborations with government
laboratories, nonprofit research institutions, and for-profit
institutions;
(E) the integration of internship opportunities into
graduate students' research; and
(F) the relevance of the proposed program to current and
future computer and network security needs.
(7) Authorization of appropriations.--There are authorized
to be appropriated to the National Science Foundation to
carry out this subsection--
(A) $10,000,000 for fiscal year 2003;
(B) $20,000,000 for fiscal year 2004;
(C) $20,000,000 for fiscal year 2005;
(D) $20,000,000 for fiscal year 2006; and
(E) $20,000,000 for fiscal year 2007.
(d) Graduate Research Fellowships Program Support.--
Computer and network security shall be included among the
fields of specialization supported by the National Science
Foundation's Graduate Research Fellowships program under
section 10 of the National Science Foundation Act of 1950 (42
U.S.C. 1869).
(e) Cyber Security Faculty Development Traineeship
Program.--
(1) In general.--The Director shall establish a program to
award grants to institutions of higher education to establish
traineeship programs to enable graduate students to pursue
academic careers in cyber security upon completion of
doctoral degrees.
(2) Merit review; competition.--Grants shall be awarded
under this section on a merit-reviewed competitive basis.
(3) Application.--Each institution of higher education
desiring to receive a grant under this subsection shall
submit an application to the Director at such time, in such
manner, and containing such information as the Director shall
require.
(4) Use of funds.--Funds received by an institution of
higher education under this paragraph shall--
(A) be made available to individuals on a merit-reviewed
competitive basis and in accordance with the requirements
established in paragraph (7);
(B) be in an amount that is sufficient to cover annual
tuition and fees for doctoral study at an institution of
higher education for the duration of the graduate
traineeship, and shall include, in addition, an annual living
stipend of $25,000; and
(C) be provided to individuals for a duration of no more
than 5 years, the specific duration of each graduate
traineeship to be determined by the institution of higher
education, on a case-by-case basis.
(5) Repayment.--Each graduate traineeship shall--
(A) subject to paragraph (5)(B), be subject to full
repayment upon completion of the doctoral
[[Page H8069]]
degree according to a repayment schedule established and
administered by the institution of higher education;
(B) be forgiven at the rate of 20 percent of the total
amount of the graduate traineeship assistance received under
this section for each academic year that a recipient is
employed as a full-time faculty member at an institution of
higher education for a period not to exceed 5 years; and
(C) be monitored by the institution of higher education
receiving a grant under this subsection to ensure compliance
with this subsection.
(6) Exceptions.--The Director may provide for the partial
or total waiver or suspension of any service obligation or
payment by an individual under this section whenever
compliance by the individual is impossible or would involve
extreme hardship to the individual, or if enforcement of such
obligation with respect to the individual would be
unconscionable.
(7) Eligibility.--To be eligible to receive a graduate
traineeship under this section, an individual shall--
(A) be a citizen, national, or lawfully admitted permanent
resident alien of the United States;
(B) demonstrate a commitment to a career in higher
education.
(8) Consideration.--In making selections for graduate
traineeships under this paragraph, an institution receiving a
grant under this subsection shall consider, to the extent
possible, a diverse pool of applicants whose interests are of
an interdisciplinary nature, encompassing the social
scientific as well as the technical dimensions of cyber
security.
(9) Authorization of appropriations.--There are authorized
to be appropriated to the National Science Foundation to
carry out this paragraph $5,000,000 for each of fiscal years
2003 through 2007.
SEC. 6. CONSULTATION.
In carrying out sections 4 and 5, the Director shall
consult with other Federal agencies.
SEC. 7. FOSTERING RESEARCH AND EDUCATION IN COMPUTER AND
NETWORK SECURITY.
Section 3(a) of the National Science Foundation Act of 1950
(42 U.S.C. 1862(a)) is amended--
(1) by striking ``and'' at the end of paragraph (6);
(2) by striking ``Congress.'' in paragraph (7) and
inserting ``Congress; and''; and
(3) by adding at the end the following:
``(8) to take a leading role in fostering and supporting
research and education activities to improve the security of
networked information systems.''.
SEC. 8. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
PROGRAMS.
(a) Research Program.--The National Institute of Standards
and Technology Act (15 U.S.C. 271 et seq.) is amended--
(1) by moving section 22 to the end of the Act and
redesignating it as section 32;
(2) by inserting after section 21 the following new
section:
``SEC. 22. RESEARCH PROGRAM ON SECURITY OF COMPUTER SYSTEMS.
``(a) Establishment.--The Director shall establish a
program of assistance to institutions of higher education
that enter into partnerships with for-profit entities to
support research to improve the security of computer systems.
The partnerships may also include government laboratories and
nonprofit research institutions. The program shall--
``(1) include multidisciplinary, long-term research;
``(2) include research directed toward addressing needs
identified through the activities of the Computer System
Security and Privacy Advisory Board under section 20(f); and
``(3) promote the development of a robust research
community working at the leading edge of knowledge in subject
areas relevant to the security of computer systems by
providing support for graduate students, post-doctoral
researchers, and senior researchers.
``(b) Fellowships.--
``(1) Post-doctoral research fellowships.--The Director is
authorized to establish a program to award post-doctoral
research fellowships to individuals who are citizens,
nationals, or lawfully admitted permanent resident aliens of
the United States and are seeking research positions at
institutions, including the Institute, engaged in research
activities related to the security of computer systems,
including the research areas described in section 4(a)(1) of
the Cyber Security Research and Development Act.
``(2) Senior research fellowships.--The Director is
authorized to establish a program to award senior research
fellowships to individuals seeking research positions at
institutions, including the Institute, engaged in research
activities related to the security of computer systems,
including the research areas described in section 4(a)(1) of
the Cyber Security Research and Development Act. Senior
research fellowships shall be made available for established
researchers at institutions of higher education who seek to
change research fields and pursue studies related to the
security of computer systems.
``(3) Eligibility.--
``(A) In general.--To be eligible for an award under this
subsection, an individual shall submit an application to the
Director at such time, in such manner, and containing such
information as the Director may require.
``(B) Stipends.--Under this subsection, the Director is
authorized to provide stipends for post-doctoral research
fellowships at the level of the Institute's Post Doctoral
Research Fellowship Program and senior research fellowships
at levels consistent with support for a faculty member in a
sabbatical position.
``(c) Awards; Applications.--
``(1) In general.--The Director is authorized to award
grants or cooperative agreements to institutions of higher
education to carry out the program established under
subsection (a). No funds made available under this section
shall be made available directly to any for-profit partners.
``(2) Eligibility.--To be eligible for an award under this
section, an institution of higher education shall submit an
application to the Director at such time, in such manner, and
containing such information as the Director may require. The
application shall include, at a minimum, a description of--
``(A) the number of graduate students anticipated to
participate in the research project and the level of support
to be provided to each;
``(B) the number of post-doctoral research positions
included under the research project and the level of support
to be provided to each;
``(C) the number of individuals, if any, intending to
change research fields and pursue studies related to the
security of computer systems to be included under the
research project and the level of support to be provided to
each; and
``(D) how the for-profit entities, nonprofit research
institutions, and any other partners will participate in
developing and carrying out the research and education agenda
of the partnership.
``(d) Program Operation.--
``(1) Management.--The program established under subsection
(a) shall be managed by individuals who shall have both
expertise in research related to the security of computer
systems and knowledge of the vulnerabilities of existing
computer systems. The Director shall designate such
individuals as program managers.
``(2) Managers may be employees.--Program managers
designated under paragraph (1) may be new or existing
employees of the Institute or individuals on assignment at
the Institute under the Intergovernmental Personnel Act of
1970, except that individuals on assignment at the Institute
under the Intergovernmental Personnel Act of 1970 shall not
directly manage such employees.
``(3) Manager responsibility.--Program managers designated
under paragraph (1) shall be responsible for--
``(A) establishing and publicizing the broad research goals
for the program;
``(B) soliciting applications for specific research
projects to address the goals developed under subparagraph
(A);
``(C) selecting research projects for support under the
program from among applications submitted to the Institute,
following consideration of--
``(i) the novelty and scientific and technical merit of the
proposed projects;
``(ii) the demonstrated capabilities of the individual or
individuals submitting the applications to successfully carry
out the proposed research;
``(iii) the impact the proposed projects will have on
increasing the number of computer security researchers;
``(iv) the nature of the participation by for-profit
entities and the extent to which the proposed projects
address the concerns of industry; and
``(v) other criteria determined by the Director, based on
information specified for inclusion in applications under
subsection (c); and
``(D) monitoring the progress of research projects
supported under the program.
``(4) Reports.--The Director shall report to the Senate
Committee on Commerce, Science, and Transportation and the
House of Representatives Committee on Science annually on the
use and responsibility of individuals on assignment at the
Institute under the Intergovernmental Personnel Act of 1970
who are performing duties under subsection (d).
``(e) Review of Program.--
``(1) Periodic review.--The Director shall periodically
review the portfolio of research awards monitored by each
program manager designated in accordance with subsection (d).
In conducting those reviews, the Director shall seek the
advice of the Computer System Security and Privacy Advisory
Board, established under section 21, on the appropriateness
of the research goals and on the quality and utility of
research projects managed by program managers in accordance
with subsection (d).
``(2) Comprehensive 5-year review.--The Director shall also
contract with the National Research Council for a
comprehensive review of the program established under
subsection (a) during the 5th year of the program. Such
review shall include an assessment of the scientific quality
of the research conducted, the relevance of the research
results obtained to the goals of the program established
under subsection (d)(3)(A), and the progress of the program
in promoting the development of a substantial academic
research community working at the leading edge of knowledge
in the field. The Director shall submit to Congress a report
on the results of the review under this paragraph no later
than 6 years after the initiation of the program.
``(f) Definitions.--In this section:
``(1) Computer system.--The term `computer system' has the
meaning given that term in section 20(d)(1).
``(2) Institution of higher education.--The term
`institution of higher education' has the meaning given that
term in section 101(a) of the Higher Education Act of 1965
(20 U.S.C. 1001(a)).''.
(b) Amendment of Computer System Definition.--Section
20(d)(1)(B)(i) of National Institute of Standards and
Technology Act (15 U.S.C. 278g-3(d)(1)(B)(i)) is amended to
read as follows:
``(i) computers and computer networks;''.
(c) Checklists for Government Systems.--
(1) In general.--The Director of the National Institute of
Standards and Technology shall develop, and revise as
necessary, a checklist setting forth settings and option
selections that
[[Page H8070]]
minimize the security risks associated with each computer
hardware or software system that is, or is likely to become,
widely used within the Federal government.
(2) Priorities for development; excluded systems.--The
Director of the National Institute of Standards and
Technology may establish priorities for the development of
checklists under this paragraph on the basis of the security
risks associated with the use of the system, the number of
agencies that use a particular system, the usefulness of the
checklist to Federal agencies that are users or potential
users of the system, or such other factors as the Director
determines to be appropriate. The Director of the National
Institute of Standards and Technology may exclude from the
application of paragraph (1) any computer hardware or
software system for which the Director of the National
Institute of Standards and Technology determines that the
development of a checklist is inappropriate because of the
infrequency of use of the system, the obsolescence of the
system, or the inutility or impracticability of developing a
checklist for the system.
(3) Dissemination of checklists.--The Director of the
National Institute of Standards and Technology shall make any
checklist developed under this paragraph for any computer
hardware or software system available to each Federal agency
that is a user or potential user of the system.
(4) Agency use requirements.--The development of a
checklist under paragraph (1) for a computer hardware or
software system does not--
(A) require any Federal agency to select the specific
settings or options recommended by the checklist for the
system;
(B) establish conditions or prerequisites for Federal
agency procurement or deployment of any such system;
(C) represent an endorsement of any such system by the
Director of the National Institute of Standards and
Technology; nor
(D) preclude any Federal agency from procuring or deploying
other computer hardware or software systems for which no such
checklist has been developed.
(d) Federal Agency Information Security Programs.--
(1) In general.--In developing the agencywide information
security program required by section 3534(b) of title 44,
United States Code, an agency that deploys a computer
hardware or software system for which the Director of the
National Institute of Standards and Technology has developed
a checklist under subsection (c) of this section--
(A) shall include in that program an explanation of how the
agency has considered such checklist in deploying that
system; and
(B) may treat the explanation as if it were a portion of
the agency's annual performance plan properly classified
under criteria established by an Executive Order (within the
meaning of section 1115(d) of title 31, United States Code).
(2) Limitation.--Paragraph (1) does not apply to any
computer hardware or software system for which the National
Institute of Standards and Technology does not have
responsibility under section 20(a)(3) of the National
Institute of Standards and Technology Act (15 U.S.C. 278g-3(a)(3)).
SEC. 9. COMPUTER SECURITY REVIEW, PUBLIC MEETINGS, AND
INFORMATION.
Section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-3) is amended by adding at the
end the following new subsection:
``(e) Authorization of Appropriations.--There are
authorized to be appropriated to the Secretary $1,060,000 for
fiscal year 2003 and $1,090,000 for fiscal year 2004 to
enable the Computer System Security and Privacy Advisory
Board, established by section 21, to identify emerging
issues, including research needs, related to computer
security, privacy, and cryptography and, as appropriate, to
convene public meetings on those subjects, receive
presentations, and publish reports, digests, and summaries
for public distribution on those subjects.''.
SEC. 10. INTRAMURAL SECURITY RESEARCH.
Section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-3), as amended by this Act, is
further amended by redesignating subsection (e) as subsection
(f), and by inserting after subsection (d) the following:
``(e) Intramural Security Research.--As part of the
research activities conducted in accordance with subsection
(b)(4), the Institute shall--
``(1) conduct a research program to address emerging
technologies associated with assembling a networked computer
system from components while ensuring it maintains desired
security properties;
``(2) carry out research associated with improving the
security of real-time computing and communications systems
for use in process control; and
``(3) carry out multidisciplinary, long-term, high-risk
research on ways to improve the security of computer
systems.''.
SEC. 11. AUTHORIZATION OF APPROPRIATIONS.
There are authorized to be appropriated to the Secretary of
Commerce for the National Institute of Standards and
Technology--
(1) for activities under section 22 of the National
Institute of Standards and Technology Act, as added by
section 8 of this Act--
(A) $25,000,000 for fiscal year 2003;
(B) $40,000,000 for fiscal year 2004;
(C) $55,000,000 for fiscal year 2005;
(D) $70,000,000 for fiscal year 2006;
(E) $85,000,000 for fiscal year 2007; and
(2) for activities under section 20(f) of the National
Institute of Standards and Technology Act, as added by
section 10 of this Act--
(A) $6,000,000 for fiscal year 2003;
(B) $6,200,000 for fiscal year 2004;
(C) $6,400,000 for fiscal year 2005;
(D) $6,600,000 for fiscal year 2006; and
(E) $6,800,000 for fiscal year 2007.
SEC. 12. NATIONAL ACADEMY OF SCIENCES STUDY ON COMPUTER AND
NETWORK SECURITY IN CRITICAL INFRASTRUCTURES.
(a) Study.--Not later than 3 months after the date of the
enactment of this Act, the Director of the National Institute
of Standards and Technology shall enter into an arrangement
with the National Research Council of the National Academy of
Sciences to conduct a study of the vulnerabilities of the
Nation's network infrastructure and make recommendations for
appropriate improvements. The National Research Council
shall--
(1) review existing studies and associated data on the
architectural, hardware, and software vulnerabilities and
interdependencies in United States critical infrastructure
networks;
(2) identify and assess gaps in technical capability for
robust critical infrastructure network security and make
recommendations for research priorities and resource
requirements; and
(3) review any and all other essential elements of computer
and network security, including security of industrial
process controls, to be determined in the conduct of the
study.
(b) Report.--The Director of the National Institute of
Standards and Technology shall transmit a report containing
the results of the study and recommendations required by
subsection (a) to the Senate Committee on Commerce, Science,
and Transportation and the House of Representatives Committee
on Science not later than 21 months after the date of
enactment of this Act.
(c) Security.--The Director of the National Institute of
Standards and Technology shall ensure that no information
that is classified is included in any publicly released
version of the report required by this section.
(d) Authorization of Appropriations.--There are authorized
to be appropriated to the Secretary of Commerce for the
National Institute of Standards and Technology for the
purposes of carrying out this section, $700,000.
SEC. 13. COORDINATION OF FEDERAL CYBER SECURITY RESEARCH AND
DEVELOPMENT.
The Director of the National Science Foundation and the
Director of the National Institute of Standards and
Technology shall coordinate the research programs authorized
by this Act or pursuant to amendments made by this Act. The
Director of the Office of Science and Technology Policy shall
work with the Director of the National Science Foundation and
the Director of the National Institute of Standards and
Technology to ensure that programs authorized by this Act or
pursuant to amendments made by this Act are taken into
account in any government-wide cyber security research
effort.
SEC. 14. OFFICE OF SPACE COMMERCIALIZATION.
Section 8(a) of the Technology Administration Act of 1998
(15 U.S.C. 1511e(a)) is amended by inserting ``the Technology
Administration of'' after ``within''.
SEC. 15. TECHNICAL CORRECTION OF NATIONAL CONSTRUCTION SAFETY
TEAM ACT.
Section 2(c)(1)(d) of the National Construction Safety Team
Act is amended by striking ``section 8;'' and inserting
``section 7;''.
SEC. 16. GRANT ELIGIBILITY REQUIREMENTS AND COMPLIANCE WITH
IMMIGRATION LAWS.
(a) Immigration Status.--No grant or fellowship may be
awarded under this Act, directly or indirectly, to any
individual who is in violation of the terms of his or her
status as a nonimmigrant under section 101(a)(15)(F), (M), or
(J) of the Immigration and Nationality Act (8 U.S.C.
1101(a)(15)(F), (M), or (J)).
(b) Aliens from Certain Countries.--No grant or fellowship
may be awarded under this Act, directly or indirectly, to any
alien from a country that is a state sponsor of international
terrorism, as defined under section 306(b) of the Enhanced
Border Security and VISA Entry Reform Act (8 U.S.C. 1735(b)),
unless the Secretary of State determines, in consultation
with the Attorney General and the heads of other appropriate
agencies, that such alien does not pose a threat to the
safety or national security of the United States.
(c) Non-complying Institutions.--No grant or fellowship may
be awarded under this Act, directly or indirectly, to any
institution of higher education or non-profit institution (or
consortia thereof) that has--
(1) materially failed to comply with the recordkeeping and
reporting requirements to receive nonimmigrant students or
exchange visitor program participants under section
101(a)(15)(F), (M), or (J) of the Immigration and Nationality
Act (8 U.S.C. 1101(a)(15)(F), (M), or (J)), or section 641 of
the Illegal Immigration Reform and Responsibility Act of 1996
(8 U.S.C. 1372), as required by section 502 of the Enhanced
Border Security and VISA Entry Reform Act (8 U.S.C. 1762); or
(2) been suspended or terminated pursuant to section 502(c)
of the Enhanced Border Security and VISA Entry Reform Act (8
U.S.C. 1762(c)).
SEC. 17. REPORT ON GRANT AND FELLOWSHIP PROGRAMS.
Within 24 months after the date of enactment of this Act,
the Director, in consultation with the Assistant to the
President for National Security Affairs, shall submit to
Congress a report reviewing this Act to ensure that the
programs and fellowships are being awarded under this Act to
individuals and institutions of higher education who are in
compliance with the Immigration and Nationality Act (8 U.S.C.
1101 et seq.) in order to protect our national security.
The SPEAKER pro tempore. Pursuant to the rule, the gentleman from
[[Page H8071]]
New York (Mr. Boehlert) and the gentleman from Washington (Mr. Baird)
each will control 20 minutes.
The Chair recognizes the gentleman from New York (Mr. Boehlert).
General Leave
Mr. BOEHLERT. Mr. Speaker, I ask unanimous consent that all Members
may have 5 legislative days within which to revise and extend their
remarks and to include extraneous material on H.R. 3394.
The SPEAKER pro tempore. Is there objection to the request of the
gentleman from New York?
There was no objection.
Mr. BOEHLERT. Mr. Speaker, I yield myself such time as I may consume.
Mr. Speaker, I am pleased to bring H.R. 3394, the Cyber Security
Research and Development Act, before the House again, this time for
final passage.
Back in February, the House passed the bill 400 to 12, a sign of the
widely recognized need for this legislation. The Senate, by unanimous
consent, has now returned the bill to us entirely intact, with a few
negotiated noncontroversial additions. These additions include an
additional fellowship program, greater efforts to improve the security
of Federal computers, language to ensure that existing rules concerning
foreign students are being enforced, and a technical correction to the
bill we passed in response to the collapse of the World Trade Center.
With this background, no one should be surprised that I expect this
bill to be signed shortly by the President. That is as it should be.
H.R. 3394 will provide a targeted solution to a serious but largely
overlooked problem: cyber security.
Cyber security is a problem that is even worse than it first appears.
That is because not only are our Nation's computers and networks
vulnerable to attack, and not only could a cyber attack disrupt our
economy and threaten public health and safety, but we simply do not
know enough about how to design computers and networks to make them
less vulnerable.
For too long, cyber security has just not been a research priority.
The private sector was much more focused on making computers cheaper,
faster, and easier to use. The market did not put a premium on
security. Government similarly turned its attention elsewhere.
As a result, computers have become omnipresent. We are more and more
at their mercy, without becoming any more secure. In an age of
terrorism, such willful ignorance about cyber security has got to come
to an end.
{time} 1430
We received yet another reminder of that monumental fact last month
when the servers that run the Internet in the United States were
subject to a concerted attack from overseas.
H.R. 3394 is designed quite simply, to usher in a new era in cyber
security research. Cyber security research will no longer be a
backwater, but rather will become a priority at two of our premier
research agencies, the National Science Foundation and the National
Institute of Standards and Technology, and through them, a priority in
academia and industry.
And the programs created by H.R. 3394 are designed not only to spur
new thinking about how to safeguard computers and networks in both the
short and long run, but to make sure that we have a cadre of experts
who will devote their careers to improving cyber security. The bill
includes incentives for researchers to turn their attention to cyber
security, and incentives to attract students to the field at the
undergraduate, graduate and post-doctoral levels.
In short, this bill is a targeted but comprehensive attempt to ensure
that the Nation's best minds are focused on improving cyber security.
That is what it will take to stave off a cyber attack.
I want to thank the many people inside and outside Congress who
helped us bring this bill to fruition. Bill Wulf, the president of the
National Academy of Engineering, is really the godfather of this bill,
bringing the problem and potential solutions to our attention, and he
has always been available to bounce ideas off of. Industry groups have
been enormously helpful and supportive, including the Information
Technology Association of America and the National Association of
Manufacturers.
This bill has been a bipartisan effort from its inception. I want to
thank the gentleman from Texas (Mr. Hall), the ranking member, and the
other Members of the minority, including the gentleman from Washington
(Mr. Baird), who have helped shape this bill. We have had similar
partnership in the other body led by Senators Wyden and Allen.
In short, H.R. 3394 is a bipartisan approach to a very real but very
solvable problem. I urge its final passage, not just because it is
needed, but because it will reflect the fine efforts of so many
dedicated people on the staff of both the Republican and Democrat side.
This bill has been bicameral, and has the private sector working in
partnership with government. That is the way it should be. We are
addressing a very serious problem, and trying to get ahold of it before
it gets out of hand, and I am optimistic we are moving in the right
direction.
Mr. Speaker, I urge final passage of this bill.
Mr. Speaker, I reserve the balance of my time.
Mr. BAIRD. Mr. Speaker, I yield myself such time as I may consume.
Mr. Speaker, I rise in strong support of H.R. 3394, the Cyber
Security Research and Development Act. I thank the gentleman from New
York (Chairman Boehlert) for his outstanding leadership on this bill,
and commend the gentleman from Texas (Mr. Hall) for his leadership as
well.
I am tremendously honored that H.R. 3316, a computer security bill
that I authored along with the gentleman from New York (Mr. Boehlert),
is included in today's bill.
Essentially, H.R. 3394 is the same as the version that was passed by
the House back in February. This legislation will address the long-term
needs to secure the Nation's information infrastructure, as well as
strengthening the security of the nonclassified computer systems of our
Federal agencies.
Since September 11, attention has been focused in an unprecedented
way on increasing our security against terrorism. Today, security has
to mean more than locking doors and installing metal detectors. In
addition to physical security, virtual information systems that are
vital to our Nation's security and economy must be protected.
Telecommunications and computer technologies are vulnerable to attack
from far away by enemies who can remain anonymous, hidden in the vast
maze of the Internet.
Examples of systems that rely on computer networks include our
electric power grid, rail networks and financial transaction networks.
The gentleman from New York (Mr. Boehlert) and the gentlewoman from
Maryland (Mrs. Morella), the former chairman of the subcommittee, have
had the foresight to begin hearings on this matter, even well before
September 11. It is that kind of forward thinking that we need to
protect our Nation's security and to secure our information
infrastructure from cyber attacks.
Our vulnerability to Internet-based computer viruses, denial of
service attacks, and defaced websites is well known to the general
public. Such widely reported and indeed widely experienced events have
increased in frequency over time. These attacks disrupt business and
government activities, sometimes resulting in significant recovery
costs.
While we have yet to face a catastrophic cyber attack thus far,
Richard Clarke, the chair of the President's Critical Infrastructure
Protection Board, has said that the government must make cyber security
a priority or we face the possibility of what he termed a digital Pearl
Harbor.
Potentially vulnerable computer systems are largely owned and
operated by the private sector, but the government has an important
role in supporting the research and development activities that provide
the tools for protecting information systems. An essential component
for ensuring improved information security is a vigorous and creative
basic research effort focused on the security of networked information
systems.
Witnesses at our Committee on Science hearings last year noted the
anemic level of funding for research on computer and network security.
Such lack of funding has resulted in the lack of a critical mass of
researchers in the field and has severely limited the focus
[[Page H8072]]
of research. The witnesses at the hearings advocated increased and
sustained research funding from the Federal Government to support both
expanded training and research on a long-term basis.
H.R. 3394 meets those needs. It authorizes $903 million over 5 years
to create new cyber security programs within the National Science
Foundation and the National Institute of Standards and Technology.
Under the bill, the NSF will create new cyber security research
centers, undergraduate grants, community college grants, and
fellowships.
The legislation also includes language I authored pertaining to NIST.
The bill requires NIST to create new program grants for partnerships
between academia and industry, new post-doctoral students, and a new
program to encourage senior researchers in other fields to work on
computer security.
I believe the legislation before us today will provide the resources
necessary to ensure the security of business networks and the safety of
America's computer infrastructure. I thank the staff of the Committee
on Science for their tireless work on H.R. 3394, and I urge all members
to support this important measure.
Mr. Speaker, I invite the chairman of the Committee on Science to
enter into a brief colloquy to ask for two brief points of
clarification.
Section 16(c) forbids the NSF from awarding grants or fellowships to
institutions of higher education or nonprofit institutions that
materially fail to comply with record-keeping requirements under
certain sections of the Immigration and Nationality Act and the Illegal
Immigration Reform and Responsibility Act. This section does not have
an effective date at present. Many of these record-keeping requirements
have yet to be written or promulgated. Therefore, the effective date
for this subsection cannot be the date of enactment. In bringing the
bill forward for consideration by the House, what is the gentleman's
intent concerning the effective date for this provision?
Mr. BOEHLERT. Mr. Speaker, will the gentleman yield?
Mr. BAIRD. I yield to the gentleman from New York.
Mr. BOEHLERT. Mr. Speaker, the gentleman from Washington makes a very
important point. Neither the Immigration and Naturalization Service nor
the Department of State have provided final guidance to enable
universities to participate in the new Student Exchange Visitor
Information System, which provides tracking, monitoring, and access to
accurate and current information on nonimmigration students and
exchange visas.
It is not possible to be materially out of compliance with these
requirements until the final guidance and an appropriate time for
implementation have been provided to the university research community.
Mr. BAIRD. Mr. Speaker, my second question deals with Section 17 that
requires the Director, 24 months after the date of enactment of this
act, to submit a report to Congress reviewing this act to ensure that
awards under the act are made to individuals and institutions that are
in compliance with the Immigration and Nationality Act. I assume this
is a simple reporting requirement similar to other reports to Congress
by the NSF and that it is not meant to require the Director to enforce
our Nation's immigration laws?
Mr. BOEHLERT. Mr. Speaker, if the gentleman would continue to yield,
the gentleman is correct. Enforcement of the immigration laws is the
responsibility of the INS and the State Department. Section 17 requires
that NSF report to Congress on information it obtains from institutions
of higher education, State and INS. This section does not require the
NSF Director to commission a duplicative study to secure information
that should be readily obtainable from the State Department and INS.
Mr. BAIRD. Mr. Speaker, I thank the gentleman for that clarification,
and thank the gentleman for his leadership on this legislation.
Mr. Speaker, I reserve the balance of my time.
Mr. BOEHLERT. Mr. Speaker, I ask unanimous consent to yield the
balance of my time to the gentleman from Michigan (Mr. Ehlers) for
purposes of control.
The SPEAKER pro tempore (Mr. Culberson). Is there objection to the
request of the gentleman from New York?
There was no objection.
Mr. BAIRD. Mr. Speaker, I yield 5 minutes to the gentleman from
Oregon (Mr. Wu).
Mr. WU. Mr. Speaker, I rise in strong support of H.R. 3394, the Cyber
Security Research and Development Act. We have become increasingly
reliant on the Internet and computer technology. And unfortunately,
with this reliance comes increased vulnerability to cyber attacks on
our network systems and infrastructure. America's network
infrastructure is increasingly exposed to both benign and destructive
disruptions, including defacement of web sites, denial of service,
virus infections throughout the computer networks, and unauthorized
intrusions and sabotage of systems and networks.
Past attacks show the types of danger and potential disruption cyber
attacks can have on our Nation's infrastructure. The cyber threats to
this country are significant and getting more sophisticated as time
goes by.
A recent survey found that 85 percent of respondents experienced
computer intrusions. Moreover, Carnegie Mellon University's CERT
Coordination Center, which serves as a reporting center for Internet
security problems, received almost six times the number of
vulnerability reports in 2001 as it did just 2 years earlier.
Similarly, the number of specific incidents reported to CERT exploded
from 9,589 in 1999 to 52,658 in 2001. Even more alarming is CERT's
estimates that these statistics may only represent 20 percent of the
incidents that actually occurred.
The Cyber Security Research and Development Act will play a major
role in fostering greater research in methods to prevent future cyber
attacks and design more secure networks. This legislation will harness
and link the intellectual power of the National Science Foundation, the
National Institute of Science and Technology, universities, and private
industry to develop new computer cryptography authentication,
firewalls, forensics, intrusion detection, wireless security and
systems management.
In addition, this bill is designed to draw more college undergraduate
and graduate students into the field of cyber security. It establishes
programs to use internships, research opportunities and better
equipment to engage students in this field.
America is a leader in computer hardware and software development. In
order to preserve America's technologic edge and our security, we must
have a continuous pipeline of new students in computer science and
research.
I strongly support this legislation and I am proud to support this
important bill as it moved through the Committee on Science and again
as it passed the House earlier this February. I commend the leadership
of the gentleman from Washington (Mr. Baird), Senator Wyden from
Oregon, and the chairman of the Committee on Science, the gentleman
from New York (Mr. Boehlert), for their leadership in moving this bill.
I am confident that the Federal investment for long-term projects
outlined in this legislation will enhance the security of our cyber
homeland.
Mr. EHLERS. Mr. Speaker, I yield 4 minutes to the gentleman from
Michigan (Mr. Smith).
Mr. SMITH of Michigan. Mr. Speaker, I thank all Members who worked on
this, but certainly commend the gentleman from Texas (Mr. Hall), the
ranking member, and the gentleman from New York (Chairman Boehlert) for
having the foresight and commitment to initiate and advance this
legislation that I would suggest is very important.
As chairman of the Subcommittee on Research, I am proud to have
worked on this bill and to be a prime sponsor. This act establishes
programs at both the National Science Foundation and NIST, the National
Institute for Standards and Technology, to advance research and,
perhaps most importantly, develop a talented workforce of cyber
security researchers and professionals.
While the focus in information technology has largely been to build
it faster, build it smaller, and build it less expensive, perhaps now
more than ever we need to know how to build it safer and more secure.
[[Page H8073]]
The programs authorized by this act provide much needed support for
the research that will help us understand just how to do that. By
supporting undergraduate and graduate post-doctoral students, as well
as senior researchers who wish to focus some of their research efforts
on cyber security, we will train the experts who make sure the
appropriate safeguards are in place to protect us from malicious cyber
attacks.
{time} 1445
It is a huge challenge. It is not going to come cheaply and it is not
going to come easily.
There are some unique features of this bill that will make it
particularly effective in fostering innovative research and education
in cyber security. For example, this act will establish a program at
the National Science Foundation to help institutions of higher
education purchase the equipment that they need so that students can
learn how to prevent cyber attacks without risking the integrity of the
college's own computer network. Another program established by this act
at the National Institute of Standards and Technology will support the
kind of high-risk, high-payoff research that is necessary to make great
advances in cyber security but that is unlikely to get funded under the
traditional peer-review process that tends to favor more conservative
approaches to research questions. In addition, in recognition of the
fact that effective cyber security will rely largely on the expertise
of computer technicians, this bill amends the Scientific and Advanced
Technology Act of 1992 to provide the National Science Foundation
funding to 2-year colleges to make sure that graduates of technical
programs are properly trained in cyber security.
Just a few weeks ago, an electronic attack crippled 13 computer
servers that manage Internet traffic. While this hour-long attack went
nearly unnoticed by routine computer users, a longer attack could
cripple communication, infrastructure operations and even national
security efforts. This country more than any other country in the world
has come to depend on our software and our computer technology, from
how we run our financial services to how we move our railroads to
certainly our airlines and transportation down to how we transfer
electrical power throughout the United States, not to mention our
national security and our military efforts. We cannot allow these kinds
of attacks to happen.
In conclusion, as we move forward in our war against terrorism, it is
going to be as important for us to secure cyber space as it will be for
us to secure homeland security against malicious attack. I look forward
to working with the National Science Foundation as they implement the
programs authorized by this act.
Mr. EHLERS. Mr. Speaker, I am pleased to yield 3 minutes to the
gentleman from Texas (Mr. Smith).
Mr. SMITH of Texas. I thank the gentleman from Michigan for yielding
me this time.
Mr. Speaker, I support the Senate amendment to H.R. 3394, the Cyber
Security Research and Development Act. Earlier this year, a federally
funded research center operated by Carnegie Mellon University reported
that breaches in security of computer systems more than doubled from
2000 to 2001. More than 52,000 incidents were reported in 2001, up from
22,000 in 2000.
Last spring the Committee on the Judiciary's Subcommittee on Crime,
Terrorism and Homeland Security that I chair held a series of hearings
on cyber crime. We heard testimony from local, State and Federal
officials and also from the private sector. A common observation
emerged: The demand for highly trained and skilled personnel to
investigate computer crimes is tremendous. This problem is compounded
by the rapid advances in technology which make continued training an
absolute necessity. We must have training both for a new generation of
cyber warriors whose most important weapon is not a gun but a laptop
and for private sector companies that must protect their Internet
presence.
This bill seeks to expand what many States and cities are already
doing, investing in cyber security training activities. In my hometown,
the University of Texas at San Antonio has established the Center for
Information Assurance and Security, known as CIAS. The CIAS will be the
hub of a city initiative to research, develop and address computer
protection mechanisms to prevent and detect intrusions on computer
networks. With funding provided in this bill, UTSA and dozens of other
universities will be able to train the next generation of cyber
warriors, cyber defenders and ``white hat netizens.'' This legislation
supports the work at UTSA and other universities for students who want
to pursue computer security studies.
While the benefits of the digital age are obvious, the Internet also
has fostered an environment where hackers retrieve private data for
amusement, individuals distribute software illegally, and viruses
circulate with the sole purpose of debilitating computers. A well-
trained and highly skilled force of cyber protectors is urgently needed
in America today.
Mr. Speaker, I urge my colleagues to support this legislation.
Mr. EHLERS. Mr. Speaker, I yield myself such time as I may consume.
It is my pleasure to see this bill reach the floor for final passage
and on its way to the President. I certainly agree with all the
comments that have been made and I will not repeat them, but I did want
to point out that in passing this legislation, both the House and the
Senate have recognized the important role that the National Institute
of Standards and Technology plays in cyber security. This is very
important to note, because in the original proposal for the homeland
security bill that particular activity would have been transferred out
of the National Institute of Standards and Technology and placed in the
Department of Homeland Security. I think that would have been very
disruptive to the activity, but the important thing to recognize is
that this group at the National Institute of Standards and Technology
is the leading group in doing the basic research necessary to solve our
cyber security problems. Members of the House and of the Senate working
on the homeland security legislation should embrace this role as well.
While there have been proposals to transfer NIST's cyber security
division into the new department, this legislation clearly identifies
the role that NIST should play in cyber security. As such, the
proposals to move this responsibility elsewhere do not meet the test.
Any conference agreement should recognize this as well by keeping
NIST's cyber security division within NIST.
Let me also add that to most individuals in this land, cyber security
means not having someone steal their credit card number. That is a very
important function. But there is much more at stake here, as we have
heard. That is the Nation's security. Two years ago, I wrote a report
for the NATO parliamentary assembly, which is the legislative body
relating to NATO, that discussed and studied information warfare. Much
of what I said in that report is pertinent to this discussion today.
Mr. Speaker, I include that report at this point in the proceedings.
Information Warfare and International Security
I. INTRODUCTION
1. The importance of Information Technology (IT) to the
functioning of our societies is evident in virtually every
human activity. Computers are involved in and often control
everything from government operations to transportation, from
energy to finance, from telecommunications to water
management. Every day an enormous amount of information is
exchanged or stored by electronic means and trillions of
dollars travel throughout the world electronically.
Information technology has become even more pervasive with
the widespread dispersion of personal computers. According to
projections of the US Computer Industry Almanac, by the year
2000 there will be more than 550 million PCs in the world,
230 million of which will be connected to the Internet (92
million in the United States alone).
2. The pace of technological change and our increasing
reliance on technology are even more impressive. Five years
ago, a computer chip could carry the equivalent of 1.1
million transistors. Now the number has increased to 120
million and engineers believe they can reach 400 million and
even 1 billion. Capable of 256 billion multiplications per
second, the latest desktop computers have acquired the speed
of yesterday's supercomputers. This has accelerated the
dispersion and use of the Internet. To achieve mass-user
status, it took radio 35 years, television 13 years and the
Internet only 4 years. Microsoft experts assert that Internet
traffic doubles every 100 days and, according to other
estimates, one billion people (one-sixth of humanity) will be
on-line by 2005.
3. The reliance of our societies on computers and the fact
that many critical infrastructures are electronically
interconnected poses evident security problems. Although
computer experts have been working on these problems for
years, only in the mid-1990s did Western defence analysts
begin to pay serious attention to them. In a variety of
studies and reports, a strategic catch phrase emerged to
define a new concept: Information Warfare. In a 1997 Report,
the NAA Science and Technology Committee provided a first
assessment of Information Warfare, analysing most of the
available sources on the subject. The threat of possible
attacks on information systems and the potential risks for
our military and civilian infrastructures were outlined in
that Report. (1)
4. In the last two years technological advances as well as
governmental and international actions have changed the world
of information security. As a consequence, the subject of
information warfare has been extensively discussed and
analysed, both within and outside the information technology
and defence communities. This report analyses these new
developments, starting with some new definitions of
information warfare, assesses the effective strategic
threats, and reports about the US and other governments'
initiatives to counter them. It is also our intention to
consider the concerns expressed by the science and technology
community about the possible overstatement of such threats,
especially with reference to some cases of media hyperbole.
II. WHAT IS INFORMATION WARFARE?
A. Definitions
5. The cited 1997 STC Report emphasised the distinction
between the use of information in warfare and the newer
concept of information warfare, the first being recognised
since ancient times and referring basically to tactical and
strategic deception, war propaganda, and destruction of
command and control systems. In the current
conceptualisation, information warfare ``extends far beyond
the traditional battlefield, and its possible perpetrators
and victims are by no means confined to the military''. A few
definitions were reported then, to which your Rapporteur
would like to add some new ones. The first is proposed by the
Institute for the Advanced Study of Information Warfare:
``Information warfare is the offensive and defensive use of
information and information systems to exploit, corrupt, or
destroy an adversary's information and information systems,
while protecting one's own. Such actions are designed to
achieve advantages over military or business adversaries.''
(2)
6. The International Centre for Security Analysis of King's
College, London suggests that information warfare ``is about
struggles for control over information activities'' and
distinguishes three levels or categories: ideational struggle
for the mind of an opponent, struggle for information
dominance, and attacks on, and defence of, information flows
and activities. The first, highest level ``encompasses the
whole range of psychological, media, diplomatic and military
techniques for influencing the mind of an opponent, whether
that opponent is a military commander or a whole
population''. The second level could be assimilated with the
Revolution in Military Affairs (RMA), whose theorists and
advocates see, as the future evolution of armed forces, the
goal of dominating the ``information spectrum''. The ultimate
objective of this level of information warfare would be to
render physical conflict ``either unnecessary or at worst
short, sharp and successful''. At the third level the focus
is on any kind of electronic attack upon military or civilian
information infrastructures, including criminal hacking (or
cracking), data disruption, illegal systems penetration, and
also physical destruction, deception and psychological
operations. (3)
7. The Washington based Center for Strategic and
International Studies (CSIS) recently published a
comprehensive study on these issues and admitted that so many
different activities have been classified under the label
``information warfare'' that it is now difficult to
understand exactly what it is. Nonetheless, this study
classifies information warfare activities according to the
source, the form, and the tactical objectives of the
attack. Thus, information warfare can be viewed as a
combination of these three dimensions.
8. First, an attack could originate either from outside or
from within the targeted organisation or system. Second, four
categories of attack can be identified:
Data attacks are conducted by inserting data into a system
to make it malfunction.
Software attacks, similar to data attacks, are conducted by
penetrating systems with software causing failure or making
them perform functions different from those intended.
Hacking or cracking is seizing or attempting to seize
control of an information system (or a vital part of it) to
disrupt, deny use, steal resources or data, or cause any
other kind of harm.
Physical attacks are the traditional form of attack
(bombing, assaulting, and destroying) directed against
information systems. An electromagnetic pulse (EMP) produced
by nuclear explosions can also be included in this kind of
attack.
9. All these different forms of information warfare attack
can be categorised by their goals or tactical objectives:
they could be aimed at exploitation, deception, disruption or
destruction of information systems. (4)
10. The French Ministry of Defence has also offered an
interesting definition of information warfare. It has singled
out three types:
War for information (guerre pour l'information): to obtain
information about the enemy's means, capabilities and
strategies in order to defend ourselves;
War against information (guerre contre l'information): at
the same time to protect our information systems and to
disrupt or destroy the enemy's.
War through information (guerre par l'information): to
conduct misinformation or deception operations against the
enemy in order to achieve ``information dominance''. (5)
11. All the above are accurate and acceptable definitions,
but for the sake of clarity we can try to summarise them into
a simpler and more limited formula. Information warfare could
be then defined as defensive and offensive operations,
conducted by individuals or structured organisations with
specific political and strategic goals, for the exploitation,
disruption or destruction of data contained in computers or
transmitted over the Internet and other networked information
systems. (6)
B. Assessing the Threat
12. In general terms, a threat can be defined as the
combination of a capability and a hostile intent. According
to many analysts, the reason for concern about attacks upon
information systems, or information warfare, is that the
means of offence are widely available, inexpensive and easy
to use. In a world where even governments and the military
tend to rely on computer hardware and software available
commercially off-the-shelf (COTS), virtually anybody with a
computer and the technical skills could become a cracker or a
cyberterrorist. Moreover, the progress in information
technology makes the electronic tools available to conduct
such attacks more sophisticated every day and, through the
Internet and the interlinked computer world, easier to
acquire. But the most potentially dangerous feature of
information warfare is that it can be conducted from anywhere
in the world and the possibilities of discovering the
attack's origin, or even its presence, are extremely
difficult.
13. Who can conduct such attacks? A recent analysis has
listed the potential ``enemies'' according to the levels of
threat. At the lower level are the crackers, or ``hackers
with malicious intentions'', sometimes highly knowledgeable
in technical matters and very determined, but often isolated
and without a clear political agenda. Then we have some
pressure groups, organisations that fight for specific
political causes and might decide to acquire the technology
in order to attack the information systems of other
organisations or even of states. Terrorists come next in the
scale: some groups are becoming increasingly sophisticated in
the use of technology and can conduct strategic offensive
information warfare. At the highest level are the states,
many of which now have access to extremely sophisticated
technology and can acquire the necessary organisational
infrastructure to conduct both offensive and defensive
information warfare. In fact, some experts doubt the
effectiveness, capability, or even willingness of the non-
state actors to conduct attacks that can seriously threaten
other nations' security. (7)
14. In the last fifteen years, both the private and public
sectors' information systems have been subjected to attacks
that have substantially increased with the growth of the
Internet. Computer viruses have been a primary concern of
information security experts. These are generally very small
programmes, often with destructive capabilities, designed to
invade computer systems or individual PCs by attaching
themselves to other bits of executable programme codes.
Created by hackers, computer science students or disgruntled
programmers, these viruses have been extremely destructive to
many computers and networks, but have not proved to be
particularly effective as weapons to date. Because of their
non-professional origins, the viruses often contain errors
and, moreover, their authors are often incapable of
envisioning the complexity and variety of the systems they
are attacking.
15. Of course, it is still possible that a state or a
terrorist group can assemble a team of experts capable of
creating malicious viruses and using them to conduct
information warfare attacks. But computer viruses are
extremely unpredictable and far from precise in their
behaviour, and they might eventually damage the attacker
as much as the victim. In addition, the international
anti-virus industry is mature and is well positioned to
create necessary antidotes to almost any new virus.
16. Other, more dangerous attacks on information systems
have been conducted by criminal hacking intruders. Private
corporations, particularly in the financial sector, are
regularly penetrated by cybercriminals: the FBI estimates
that these electronic intrusions cause yearly losses of about
$10 billion in the United States alone. This is probably only
the tip of the iceberg. In fact, concerns about protecting
shareholder value and customer confidence may keep many firms
from reporting all the attacks to law enforcement agencies.
17. Electronic intrusions into the military information
infrastructure cause deep concern in the United States.
According to the
CSIS, probe attacks against the Pentagon number in the tens
of thousands every year. John J. Hamre, Deputy Secretary of
Defense, recently stated that from January to mid-November
1998, the National Security Agency (NSA) recorded more than
3,800 incidents of intrusion attempts against the Defense
Department's unclassified computer systems and networks. Over
100 of these attacks reached root-level access and many were
even able to break down some kinds of service. This reflects
only what has been reported to NSA, but ``the actual number
of intrusions probably is considerably higher''. (8)
18. The literature and the chronicles are full of examples
of successful network intrusions at the US Department of
Defense (DoD) and other Western defence institutions. One of
the most interesting is the break-in at the Air Force's
Laboratories in the town of Rome, in New York State, when two
British boys hacked into the system with the help of what is
called a ``sniffer'' programme, able to capture passwords and
user log-ins to the network. The case served as a learning
experience for the Air Force Information Warfare Center,
which then developed the advanced technical skills to counter
these intrusions. Similar hacker intrusions are regularly
experienced by all other US military services and government
agencies.
19. While most of the attacks in the last few years were
generally conducted by individuals or by small groups of
intruders, with little or no political purpose, recently some
cases suggested the possibility of state-sponsored hacking or
cracking. Additionally, some anti-state, politically
motivated activity has occurred. In October 1998, China
launched a new website to publicise its efforts in human
rights. A few days later, hackers replaced the home page of
that site with a message condemning Beijing for its poor
record in human rights. (9)
20. Another, more revealing case occurred in Ireland, where
refugees from East Timor had set up a website to protest
against the occupation of their country by Indonesia. The
Irish Internet provider even created a new domain name
``.tp'', as if East Timor were an independent country. In
January 1999, a concerted attack against the East Timorese
server started, originating from 18 different places as far
apart as Australia, the United States, Japan, the Netherlands
and Canada. The attackers managed to render the web server
useless and forced the Irish provider to disconnect its
entire system. Clearly, this was not an ordinary cracker
intrusion, though many doubt that the Indonesian government
had the capability to conduct such a concerted information
warfare action. The most probable culprit is a group of
politicised hackers sympathetic with the Indonesian position.
(10)
21. The NATO information system was also indirectly
threatened in October 1998, when a Serbian group of hackers
known as Black Hand penetrated a Kosovo Albanian web server
and threatened to sabotage the Alliance's information system.
The organisation temporarily closed all foreign access to its
web server and its web site was down for two days. Realising
that the electronic defences of the NATO web server were
extremely weak, experts took some countermeasures, which
proved to be insufficient in the light of subsequent events.
(11)
22. During the Kosovo crisis, hackers attacked the NATO web
site, causing a line saturation of the server by using a
``bombardment strategy''. The organisation had to defend
itself from macro viruses from FRY trying to corrupt its e-
mail system, which was also being saturated by one individual
sending 2,000 messages a day. These attacks were possible
because NATO was using the same server for the e-mail system
and its web-pages. When these tasks are done by separate
servers, as is now the case at NATO, the threat is reduced.
Allied governments' web sites have also been targeted during
the war, and according to US Air Force sources the attacks
came not only from FRY, but also from Russia and China. It is
unclear, however, whether these attacks were state-sponsored
or the work of groups of hackers. Conversely, FRY's
information systems were severely damaged by NATO bombings
and electronic operations--although Belgrade itself
dismantled communication systems to deprive its people of
outside information. In addition, thousands of Western
civilian hackers conducted online attacks against the FRY
government's web servers. (12)
23. Such cases might not prove the existence of state-
sponsored information warfare or cyberterrorism, but they
offer good examples of what could happen if the capability is
coupled with a hostile intent. The subsequent question is:
could a group of state-sponsored terrorists or individual
crackers damage the information infrastructure of another
nation so as to cause a major strategic disruption? The US
Department of Defense seems to think so.
24. In the summer of 1997, a simulation exercise called
``Eligible Receiver'' was conducted at the Pentagon, ordered
by the Joint Chiefs of Staff, to test the ability of the
nation's military and civilian infrastructure to resist
a concerted information warfare attack. A team of
fictional hackers, the Red Team, was allowed to use only
COTS materiel and information available on the Web and had
to act within the US law. So far, the results of this
exercise remain strictly ``top secret''. Nonetheless, many
officials have referred to it in public declarations and
some have partially revealed the outcome. James Adams, a
journalist based in Washington DC, claimed in a book to
have interviewed senior officials about ``Eligible
Receiver'': ``The [simulated] attacks focused on three
main areas: the national information infrastructure, the
military leadership and the political leadership. In each
of these three areas, the hackers found it exceptionally
easy to penetrate apparently well-defended systems. Air
traffic control systems were taken down, power grids made
to fail, oil refineries stopped pumping--all initially
apparent incidents. At the same time, in response to a
hypothetical international crisis, the Defense department
was moving to deploy forces overseas and the logistics
network was swinging into action. It proved remarkably
easy to disrupt that network by changing orders and
interrupt[ing] the logistics flow. The hackers began to
feed false news reports into the decision-making process
so that the politicians faced a lack of public will about
prosecuting a potential conflict and lacked detailed and
accurate information.'' (13)
25. In conclusion, according to Adams' sources, a team of
skilled hackers, using standard equipment and publicly
available information and playing by the rules, was able to
cause a ``serious degradation of the Pentagon's ability to
deploy and to fight''. In other words, they demonstrated that
an ``electronic Pearl Harbor'' was possible.
26. Many things have changed in the last two years due to
the fast pace of progress in information technology.
Moreover, the policies and actions taken by the US government
may have reduced the vulnerability of the nation's
infrastructure. Nonetheless, if technology is helping Western
governments establish better defences, it also helps
potential enemies improve their capabilities to attack. A
recently announced new breed of hacker software, that can
learn and adapt to the network environment it attacks, may
represent a new threat. According to information technology
experts, the new programmes can change their mode of
operation, or their targets, based on external stimulants.
Pre-programmed to search for specific types of files common
to most networks, such software, once in the system, can
target data or files of interest to the intruders, even those
marked secure or for internal use only. (14)
27. In addition, many nations are trying to acquire the
capabilities needed to conduct information warfare operations
and new terrorist groups like Osama bin Laden's are known to
use computers and satellite telecommunications. China has
recently intensified its information warfare programmes, both
to protect its own military infrastructures and to enable the
People's Liberation Army to conduct electronic attacks.
According to James Mulvenon, a defence specialist at Rand
Corporation, Beijing ``is seeking the ability both to
interfere with Taiwan's command system, and ultimately to
`hack' into US military networks which control deployment in
the Asian region.'' (15)
28. A serious physical threat to information systems can be
posed by the effects of the electro-magnetic pulse (EMP)
produced by nuclear explosions. The immediate energy release
from a detonated nuclear device produces intense, rapidly
varying electric and magnetic fields that can extend for
considerable distances and severely affect all electronic
equipment and electrical or radar transmissions even to the
point of destroying equipment circuits, microprocessors, and
other components. Therefore, a single, very high-altitude
nuclear blast above Europe or the United States, which may
cause no physical damage to structures or people, could
disable or disrupt all non-hardened information systems.
While few nations currently have both nuclear weapons and the
missiles capable of delivering them in space, the increasing
number of ``rogue'' nations with nuclear weapons that are
also developing or acquiring long-range missiles may present
an extremely serious EMP threat in the near future.
29. EMP effects from nuclear explosions and non-nuclear
weapons, such as HERP (High-Energy Radio Frequency) guns or
EMP/T (Electro-Magnetic Pulses Transformer) bombs, may be
much more dangerous for civilian information systems than for
military ones, most of which are now EMP hardened. Shielding
of iron or other materials such as copper mesh or non-
magnetic metals is generally available only for the
protection of sensitive military technology.
III. RESPONSES TO THE THREAT
30. Efforts to respond to the threat of attacks to
information systems, or information warfare, have been made
by many nations. Generally, the military and defence ``think
tanks'' have been the first to address the issue, but now
most Western governments have taken steps towards more co-
ordinated and structured responses.
31. In the United States, different panels, commissions and
study groups have been examining these issues since the early
1990s and the government has taken several important
measures. Congressional Committees have held hearings to
investigate the nature of the information warfare threat. The
National Defense University has extensively worked on the
issue since the early 1990s. However, the most comprehensive
appraisal of the nation's vulnerabilities in the field of
information technology has been provided by the Presidential
Commission on Critical Infrastructure Protection, created in
1996, involving officials from the energy, defence, commerce
and law enforcement areas, as well as representatives of
the private sector. After 15 months of study, the
Commission published an extensive report highlighting the
vulnerabilities of the US infrastructure and the weakness
of the information systems, which proved to be a
potentially easy target for any concerted attack. The
report also indicated that government and industry do not
efficiently share information that might give warning of
an electronic attack and that the federal R&D budget does
not include the analysis of the threats to the information
systems in the infrastructure. (16)
32. The work of the Presidential Commission resulted in the
issuing in May 1998 of two Presidential Decision Directives,
62 and 63, on Critical Infrastructure Protection. The
provisions of these Directives included:
Interagency co-ordination for critical infrastructure
protection;
Definition of the roles and responsibilities of US agencies
in fighting terrorism;
Improvements in capabilities for protecting the national
information structure, the most important of which is the
creation of a National Infrastructure Protection Center
(NIPC) in the FBI;
Promotion of partnerships with industry and other private
players to enhance computer security;
Study of plans for minimising damage and recovering rapidly
from attacks to its vital infrastructures.
33. Some experts criticised the US administration
decisions, claiming that the above provisions underestimated
the realities of the information warfare threat. Nonetheless
this is the most comprehensive and complete initiative taken
so far by any Western government to respond to the risks of
attacks on information systems.
34. Moreover, the DoD, actively participating in the
government initiatives, has recently created a Joint Task
Force for Computer Network Defense (JTF-CND) to co-ordinate
all the activities in this field and direct the Pentagon's
response to computer network attacks. The JTF-CND will plan
defensive measures, leverage existing capabilities and
develop procedures for the military commanders-in-chief,
services and agencies, as well as provide strategic focus at
all levels. Fully operational in the summer of 1999, the JTF-
CND will also develop relationships with intelligence and law
enforcement agencies, the NIPC and the private sector. (17)
35. Among European nations, France appears to have
developed a coherent strategy to deal with attacks on
information systems. In the absence of a general programme
for infrastructure protection, such as that in the United
States, the Délégation générale pour l'armement (DGA) of the
Ministry of Defence has concentrated technical activities in
the field of information warfare at the Centre d'électronique
de l'armement (CELAR). This centre employs some 900 experts
in many scientific and technological areas, and has resources
and capabilities with probably no equal on the continent. All
CELAR activities are related to information warfare (guerre
de l'information), defensive and offensive, and are divided
into five tasks: weapon systems for electronic warfare,
information security, information systems,
telecommunications, and electronic components. CELAR analyses
the threats, establishes the needs, and tests the proficiency
and the limits of the systems and equipment. In particular,
within the information security field of CELAR, the Centre de
l'armement pour la sécurité des systèmes d'information
(CASSI), is responsible for the development of all security
programmes and strategies in the Ministry of Defence and acts
as a consultant for other ministries and governmental
agencies. (18)
36. In Germany, the efforts of the Government and the
Bundestag to address the problem of security in information
technology led to the creation, in 1991, of a Federal Agency
for Security in Information Technology (Bundesamt für
Sicherheit in der Informationstechnik, or BSI). The BSI is
responsible for assessing the risks and developing the
criteria, tools and procedures to assure the security of
vital information systems. However, according to German
officials, the BSI has concentrated its work on the non-
military aspects of information warfare. In other words, it
has considered the possibility of attacks to information
systems only in the civilian field. At the same time, the
German military has conducted some studies on information
warfare and has recently initiated a new one, called
``2020'', which will consider the future evolution of the
topic. Recently, a working group has been created at a
federal level to draft a policy paper on ``Information
Warfare and IT Security'', aimed at reaching a better co-
ordination within the civilian and military fields.
37. The UK Ministry of Defence has addressed, in various
areas, the problems related to information warfare,
recognising that ``the potential vulnerabilities and risks
arising from `information warfare' go much wider than the
Armed Forces and the defence infrastructure'' (19). The MoD
is therefore known to be working with other areas of
Government, allies and suppliers of key services to co-
ordinate security policies and find technical solutions to
protect the nation's infrastructure.
38. Other countries, such as Finland, Norway, Sweden and
Switzerland have taken initiatives similar to those of the
United States. Australia, Canada and Israel are investing in
studies of defensive measures and approaches (20). NATO has
recently analysed the threats of information warfare attacks
and given indications to member states. For the moment, the
most relevant studies conducted by the Alliance on the
subject are classified.
IV. INFORMATION WARFARE OR SIMPLY INFORMATION SECURITY?
39. As is often the case with extensively debated
issues, some defence analysts and information security
experts are doubting the actual size of the information
warfare threat as it is presented by the media and even by
some official reports. They contend that newspapers and
magazines report stories about dangerous viruses, violated
military websites and crackers penetrating corporate
information systems in distorted and exaggerated ways.
Some also list errors and overstatements included in
official documents and defence studies. Fairness demands
that we also consider these points of view, and below we
summarise the most salient issues.
40. In 1997, for instance, a US government commission, that
included former directors of the CIA and the National
Reconnaissance Office, warned against a virus contained in an
e-mail message entitled ``Penpal Greetings''. According to
the commission's report, the virus ``could infect the hard-
drive and destroy all data present''. Moreover, the virus was
reportedly ``self-replicating'' and ``would automatically
forward itself to any e-mail address stored in the
recipient's in-box.'' According to many computer security
analysts, the report was wrong and the Penpal virus was in
fact a hoax. However, more recently several viruses spreading
by e-mail could nonetheless perform extremely destructive
actions. (21)
41. In March 1999, a type of macro virus propagating by e-
mail called Melissa damaged, according to many journalistic
sources, more than 100,000 computers. Hidden within a file of
a popular word processing software, Melissa affected its
security settings, rendering personal computers vulnerable to
further attacks. While some defence leaders, experts on
terrorism, lawmen and software executives hailed ``another
warning siren of the vulnerability of our networks'' or even
``a demonstration of what an electronic Pearl Harbor might
look like'', most computer security people defined Melissa as
``just another dangerous virus'', no more sophisticated than
prior ones using the identical modus operandi. Moreover, they
contended, Melissa (although very costly to many businesses)
had no noticeable effect on Internet use or stock markets or
electronic commerce. They also noted that most persons using
the web on a regular basis would not open an unknown file
attachment received by e-mail, especially if reportedly it
contained a list of pornographic websites. (22)
42. But computer scientists and IT security experts are not
only highlighting general misinformation and myths about
viruses. They also contest the alarming figures suggesting
that the Pentagon and other vital US infrastructures are
under almost permanent attack by crackers or cyberterrorists.
They admit that malefactors can break into military and
civilian web servers, and perhaps even cause serious damage,
but argue that this is far from representing an ``electronic
Pearl Harbor'' for the United States. As Kevin Ziese, the
computer scientist who led the Rome Laboratories
investigation, and other experts put it, these break-ins can
be defined as the virtual equivalent of a ``kid walking into
the Pentagon cafeteria.'' (23)
43. Equating computer viruses and hacker software with
weapons of mass destruction, many analysts insist, is
overreaching. And classifying them as such would be like
considering teen hackers or virus creators equivalent to
terrorists or ``rogue'' states. The recent attacks on the
Alliance's information system during the Kosovo crisis,
according to these sources, might have proved just that. In
fact, they report that computer security experts in the US
Department of Defense were ``completely unimpressed by
whatever it was Serbian hackers did during the Yugoslavian
war. The worst it did is make the NATO administrator of the
site work a little harder. It didn't have any impact on the
Yugoslavian war at all.'' (24)
44. With regard to the supposedly frightening results of
the ``Eligible Receiver'' exercise, which are still
considered ``sensitive information'' by the Pentagon, many
argue that they should be opened up to an independent audit.
Until then, computer scientists declare that they will remain
extremely sceptical. Moreover, they say the Pentagon's
position is in stark contrast to the wide-open discussions of
computer security vulnerabilities that reign on the Internet.
45. According to William M. Arkin, an army veteran, defence
analyst and editor of US Military Online, the excessive
secrecy in the Pentagon's attitude towards information
security reflects a basic misjudgement of the power of the
Internet and the ability of the military to control it. A
directive issued on 24 September 1998 by Deputy Defense
Secretary John Hamre instructed all military services and
agencies to ``ensure national security is not compromised or
personnel placed at risk'' by information available on
military websites. In fact, the Pentagon has for years had
policies that required just that, and therefore only
unclassified information has ever been made available on the
Internet. John Pike of the Federation of American Scientists
agrees with Arkin that the DoD issued this new policy out of
``a desire to show vigilance, coupled with a profound lack of
understanding of information and computer security'', rather
than because of
any new threats coming from the Internet. (25)
46. Many experts and scientists are critical of the
approach taken by some of the Pentagon leaders not because
they believe there are no threats coming from cyberspace, but
because they feel those threats might have been overstated or
mystified through what they call ``info-warrior rhetoric''.
Computer security analysts, who have been working on these
problems for years, have the impression that ``information
warfare'' might just be old wine in new bottles. In fact,
many of the activities now classified under this definition
could be traditional intelligence work, intelligence analyses
through the Internet or psychological operations and
deception. For instance, the US Air Force Information Warfare
Center (AFIWC, part of the Air Intelligence Agency) in San
Antonio and other similar organisations are the equivalent of
computer emergency response teams, and the military and
civilians employed in them are all computer security
specialists.
47. In spite of these reservations, it is clear that there
are many serious threats. In sum, according to George Smith,
editor of The Crypt Newsletter, an Internet publication
dealing with computer security for computer analysts: ``It is
far from proven that the country [i.e., the United States]
is at the mercy of possible devastating computerized
attacks. On the other hand, even the small number of
examples of malicious behaviour demonstrate that computer
security issues in our increasingly technological world
will be of primary concern well into the foreseeable
future.''
V. CONCLUSION
48. It is clear, even from the words of the most sceptical
analysts, that the security of information systems must be a
high priority for any nation. With the increasing dependence
on information technologies, all our vital infrastructures
are potentially vulnerable to some sort of external attack.
Even if experts disagree on the extent and the nature of the
threat, we need nonetheless to adopt measures to strengthen
the protection of our information systems.
49. The first priority should be to seek objectivity in the
assessment of the real threats. An independent group should
be set up to provide such assessment, maybe at the
international level. An example is provided by the G-8 High
Tech Crime Group, a multilateral forum seeking to enhance
transnational co-operation in investigating and prosecuting
criminal misuse and exploitation of information systems.
Parliaments and governments, as well as the industry, the
scientific community and computer security experts should
work within a similar group focused on information warfare
threats in order to share their knowledge and competence and
analyse the subject from different perspectives. A serious
evaluation of the claims of computer security software and
hardware producers could be the first task of such a group.
50. Programmes to raise public awareness and encourage
education in the field of computer security and
infrastructure protection would be extremely useful, and they
should cover all possible audiences. They should include
conferences, university studies, presentations at industry
associations and professional societies, and sponsorship of
graduate studies and programmes. In addition, research
efforts are needed both to substantially improve the existing
technology and to deploy it more widely. In particular, new
capabilities for the detection and identification of
intrusions, and improved simulation and modelling capability
to understand the effects upon interconnected and
interdependent infrastructures, would be beneficial.
51. The law has to keep pace with the development of new
technologies. Parliaments can play an important role in
reconsidering and readapting the laws regulating
infrastructure protection and information systems assurance.
The United States can provide some good examples in terms of
both statutes and case law and the Justice Department has a
section devoted to this area. However, due to the open and
global nature of the Internet, this effort should involve
computer security experts and legislators internationally. In
fact, creating a specific international set of rules or
conventions is an essential prerequisite for establishing a
credible and efficient Internet economy.
52. Intelligence can also contribute to a clearer
understanding of the new threats of the information age in
terms of actors, motives, and capabilities. Of course, the
traditional intelligence work and organisation, developed
during the Cold War, must be adapted to the new environment.
Intelligence officials in all nations must reconsider their
methods for information acquisition and rely on new sources.
National agencies must also start recruiting special talents
familiar with the new threats, such as skilled computer
analysts with a direct experience of hacking methods.
53. Since most experts agree that commercial information
systems are now more vulnerable to external attacks, it is
essential to foster public-private co-operation. Much of the
information that private companies need to protect their
information systems may be available from the defence,
intelligence and law enforcement communities. Often the
private sector can better identify, understand and evaluate
the threats. In many countries, co-operation between
industries and their governments could be extremely helpful
to share ``information and techniques related to risk
management assessment, including incident reports,
identification of weak spots, plans and technology to prevent
attacks and disruptions, and plans for how to recover from
them.'' Of course, public-private collaboration also has its
limits, such as classified and secret materials or
proprietary and competitively sensitive information.
54. Finally, in most Western countries, but particularly in
the United States, the military should address many questions
concerning the effective role of the information warfare
programmes in their general policy. Programmes like those
going under the definition of ``Revolution in Military
Affairs'' (RMA) have already tried to assess the future
impact that the use of information technology could have on
weapon systems and on military organisation and strategy.
However, the US military still needs to clarify its policy
about the options for deterring an attack on vital
information systems and the possible use of offensive
information warfare. The link between information warfare and
other military strategies should be better articulated: for
instance, would it be possible to respond to an information
warfare attack with conventional forces? Moreover, the
possibility that the United States (or any other Western
country) would develop and deploy offensive information
warfare techniques has not been adequately discussed in
public forums. This can be essential in order to build a
national and possibly international consensus about the role
of offensive information warfare and to clearly define its
policies of use.
Notes and References
1. Lord Lyell, Lothar Ibrugger, Information Warfare and the
Millennium Bomb, General Report, NAA Science and Technology
Committee [AP 237 STC (97) 7]
2. Definition found on the website of the Institute for the
Advanced Study of Information Warfare, self-defined ``a
virtual non-governmental organisation'',
http://www.psycom.net/iwar.1.html
3. Dr. Andrew Rathmell, ``Information Warfare: Implications
for Arms Control'', Bulletin of Arms Control, No. 29, April
1998, on the web page of King's College London,
http://www.kcl.ac.uk/orgs/icsa/cds.html. With regard to the
Revolution of Military Affairs, see the STC 1998 General
Report on the subject [AR 299 STC (98) 6]
4. Cybercrime-Cyberterrorism-Cyberwarfare, Averting an
Electronic Waterloo, CSIS Task Force Report, Center for
Strategic and International Studies, Washington DC, 1998, pp.
9-11.
5. Col Jean-Luc Moliner, ``La guerre de l'information vue
par un operationnel francais'', L'Armement, No. 60, Dec.
1997-Jan. 1998, p. 11
6. Information warfare should be limited to ``specific
political and strategic goals'' to avoid confusion with
cybercrime or industrial espionage. Attacks to private
corporations (see para.16) might be included only if
conducted as part of political or strategic offensive. The
limit to ``Internet and other networked information systems''
helps avoid confusion with espionage cases involving the use
(or misuse) of restricted or secret information systems
and/or databases (such as recent alleged espionage at DOE
weapons laboratories). Lorenzo Valeri, ``Information
requirements for Information Warfare: the need for a
multidisciplinary approach'', presentation prepared for the
1999 InfoWar Conference, 27 May 1999, London; and George
Ballantyne, ``www.terrorism.now'', RUSI Newsbrief, April
1999, p.31. From letter by John J. Hamre published in Issues
in Science and Technology, Winter 1998-99, pp.10-11
7. Alden M. Hayashi, ``The Net Effect'', Scientific
American, January 1999, p. 13
8. Niall McKay, ``Indonesia, Ireland in Info War?'' Wired
News, 27 January 1999, at the website
http://www.wired.com/news/; Michelle Knott, ``Virtual
Warfare'', New Scientist, 27
February 1999, p.51
9. Chris Nuttall, ``Kosovo info warfare spreads'', BBC
Online, 1 April 1999, http://news.bbc.co.uk/ and interview
with Mr. Chris Scheurweghs of the NATO Integrated Data
Service
10. ``Computer hackers in Belgrade'', Aviation Week & Space
Technology, 5 April 1999, p.23; Patrick Riley, ``E-Strikes
and Cyber-Sabotage: Civilian Hackers Go Online to Fight'',
Fox News, 15 April 1999, http://www.foxnews.com/; Bob Brewin,
``General: Cyberattacks against NATO traced to China'',
Federal Computer Week, 1 September 1999, http://www.fcw.com/
11. James Adams, The Next World War, Hutchinson, London,
1998, pp.187-8
12. George I. Seffers, ``Stealthy New Software Enhances
Hacker Arsenal'', Defense News, 15 March 1999, p. 3
13. Tony Walker and Stephen Fidler, ``China studies
computer warfare'', Financial Times, 16 March 1999, p. 4
14. Information on the Commission, as well as the text of
the report are available on the Web at http://www.pccip.gov
15. George I. Seffers, interview with Maj. Gen. John
Campbell, Defense News, 29 March 1999, p.30
16. Jean-Pierre Meunier, ``Le CELAR, centre technique de la
guerre de l'information'', L'Armement, N. 60, Dec. 1997-Jan.
1998, pp.84-88
17. Strategic Defence Review, Chapter 5: The Future Shape
of Our Forces, available on the Web at
http://www.mod.uk/policy/sdr/
18. Andrew Rathmell, ``Information Warfare and sub-state
actors'', Information, Communication & Society, Winter 1998,
p. 490
19. Quoted in George Smith, ``Truth is the first casualty
of cyberwar'', The Wall Street Journal, 8 September 1998
20. Kurt Kleiner, Matt Walker, ``Melissa's mayhem'', New
Scientist, 10 April 1999, p.4; ``The Melissa media
hangover'', The Crypt Newsletter, available on the Web at
http://sun.soci.niu.edu/