05/20/02; Vol. 21 No. 11

Senate committee set to act on cybersecurity bills

By William Jackson
Government Computer News

Two bills to strengthen the nation’s (United States of America) cyberdefense will come up this month before the Senate Commerce, Science and Transportation Committee.

Sen. Ron Wyden (D-Ore.), a sponsor of the Science and Technology Emergency Mobilization Act, said his bill would establish volunteer rapid response teams to help restore critical infrastructures in the wake of disasters. The teams, which would be known as the Net Guard, would function like an IT equivalent of the National Guard.

Another bill, the Cyber Security R&D Act that the House passed in February, would make more than $1 billion available over the next five years for security research and education programs. The bill would fund $743 million through the National Science Foundation and $302 million through the National Institute of Standards and Technology.

The administration has not taken a position on the R&D bill, said George Strawn, NSF’s acting assistant director for computer and information science and engineering.

Research money is badly needed to bolster security of the nation’s information infrastructure, Strawn said at a hearing last month before the Senate Commerce, Science and Transportation Subcommittee on Science, Technology and Space.

NSF now spends about $20 million a year on such research and has requested an additional $19 million for fiscal 2003. It allocated $5 million to its Trusted Computing Program announced in September and by December had received 120 research proposals requesting more than $80 million. Nearly half were worthy of funding, Strawn said, and 10 percent were highly competitive.

A major problem is that the number of faculty members doing cybersecurity research has been quite small, he said.

Lance J. Hoffman, professor of computer science at George Washington University in Washington, told the subcommittee that information security research has been a poor stepchild. It cannot compete with established disciplines because students and faculty have been driven by available funding to work on problems that are better known, he said.

An R&D act could help, he said, but he warned that what Congress encourages with one hand it is restricting with the other.

Laws like the Digital Millennium Copyright Act inhibit individuals’ ability to engage in critical research in computer security and related fields, he said.

Research restrictions

Opponents of the R&D act have said it places such stringent restrictions on study, reverse engineering and discussion of copyrighted software that legitimate researchers could face legal liability. Research is limited to narrow areas, and permission from copyright holders is required in many cases. That means vendors could effectively shut off searches for security flaws, Hoffman said.

You can’t measure what doesn’t happen, he said. But from talking to my peers, the standards laid out in the [copyright] act are so hard to meet that there really is a chill. This has more severe implications now that it has been recognized as a national security issue.

Wyden said it is unlikely the current legislation would take up copyright restrictions.

Hoffman also said that background checks should be required for Net Guard volunteers under the Science and Technology Emergency Mobilization Act. The national Net Guard database would need to be adequately secured to ensure privacy and restrict improper access, he said.

The national guard envisioned by the act might be too ambitious, he added, whereas local and regional programs would be more workable.