S 1901 IS, the Cybersecurity Research and Education Act of 2002.
Introduced by Sen. John Edwards (D-NC).
Date introduced: January 28, 2002.

S. 1901

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the ``Cybersecurity Research and Education Act of 2002''.

SEC. 2. FINDINGS.

Congress finds that--

(1) critical elements of the Nation's basic economic and physical infrastructure rely on information technology for effective functioning;

(2) increased reliance on technology has left our Nation vulnerable to the threat of cyberterrorism;

(3) long-term research on practices, methods, and technologies that will help ensure the safety of our information infrastructure remains woefully inadequate;

(4) there is a critical shortage of faculty at institutions of higher education who specialize in disciplines related to cybersecurity;

(5) a vigorous scholarly community in fields related to cybersecurity is necessary to help conduct research and disseminate knowledge about the practical application of the community's findings; and

(6) universities in the United States award the Ph.D. degree in computer sciences to approximately 1,000 individuals each year, but of those awarded this degree, less than 0.3 percent specialize in cybersecurity and still fewer become employed in faculty positions at institutions of higher education.

SEC. 3. DEFINITIONS.

In this Act:

(1) CYBERSECURITY.--The term ``cybersecurity'' means information assurance, including scientific, technical, management, or any other relevant disciplines required to ensure computer and network security, including, but not limited to, a discipline related to the following functions:

(A) Secure System and network administration and operations.

(B) Systems security engineering.

(C) Information assurance systems and product acquisition.

(D) Cryptography.

(E) Threat and vulnerability assessment, including risk management.

(F) Web security.

(G) Operations of computer emergency response teams.

(H) Cybersecurity training, education, and management.

(I) Computer forensics.

(J) Defensive information operations.

(2) CYBERSECURITY INFRASTRUCTURE.--The term ``cybersecurity infrastructure'' includes--

(A) equipment that is integral to research and education capabilities in cybersecurity, including, but not limited to--

(i) encryption devices;

(ii) network switches;

(iii) routers;

(iv) firewalls;

(v) wireless networking gear;

(vi) protocol analyzers;

(vii) file servers;

(viii) workstations;

(ix) biometric tools; and

(x) computers; and

(B) technology support staff (including graduate students) that is integral to research and education capabilities in cybersecurity.

(3) DIRECTOR.--The term ``Director'' means the Director of the National Science Foundation.

(4) INSTITUTION OF HIGHER EDUCATION.--The term ``institution of higher education'' has the meaning given the term in section 101(a) of the Higher Education Act of 1965 (20 U.S.C. 1001(a)).

(5) OTHER RELEVANT DISCIPLINE.--The term ``other relevant discipline'' includes, but is not limited to, the following fields as the fields specifically relate to securing information infrastructures:

(A) Biometrics.

(B) Software engineering.

(C) Computer science and engineering.

(D) Law.

(E) Business management or administration.

(F) Psychology.

(G) Mathematics.

(H) Sociology.

(6) QUALIFIED INSTITUTION.--The term ``qualified institution'' means an institution of higher education that, at the time of submission of an application pursuant to any of the programs authorized by this Act--

(A) has offered, for not less than 3 years prior to the date the application is submitted under this Act, a minimum of 2 graduate courses in cybersecurity (not including short-term special seminars or 1-time classes offered by visitors);

(B) has not less than 3 faculty members who teach cybersecurity courses--

(i) each of whom has published not less than 1 refereed cybersecurity research article in a journal or through a conference during the 2-year period preceding the date of enactment of this Act;

(ii) at least 1 of whom is tenured; and

(iii) each of whom has demonstrated active engagement in the cybersecurity scholarly community during the 2-year period preceding the date of enactment of this Act, such as serving as an editor of a cybersecurity journal or participating on a program committee for a cybersecurity conference or workshop;

(C) has graduated not less than 1 Ph.D. scholar in cybersecurity during the 2-year period preceding the date of enactment of this Act; and

(D) has not less than 3 graduate students enrolled who are pursuing a Ph.D. in cybersecurity.

SEC. 4. CYBERSECURITY GRADUATE FELLOWSHIP PROGRAM.

(a) PURPOSE.--The purpose of this section is--

(1) to encourage individuals to pursue academic careers in cybersecurity upon the completion of doctoral degrees; and

(2) to stimulate advanced study and research, at the doctoral level, in complex, relevant, and important issues in cybersecurity.

(b) ESTABLISHMENT.--The Director is authorized to establish a Cybersecurity Fellowship Program (referred to in this section as the ``fellowship program'') to annually award 3 to 5-year graduate fellowships to individuals for studies and research at the doctoral level in cybersecurity.

(c) CYBERSECURITY FELLOWSHIP PROGRAM ADVISORY BOARD.--

(1) ESTABLISHMENT.--There is established a Cybersecurity Fellowship Program Advisory Board (referred to in this section as the ``Board'').

(2) MEMBERSHIP.--The Director shall appoint members of the Board who shall include--

(A) not fewer than 3 full-time faculty members--

(i) each of whom teaches at an institution of higher education; and

(ii) each of whom has a specialty in cybersecurity; and

(B) not fewer than 2 research scientists employed by a Federal agency with duties that include cybersecurity activities.

(3) TERMS.--Members of the Board shall be appointed for renewable 2-year terms.

(d) APPLICATION.--Each individual desiring to receive a graduate fellowship under this section shall submit an application to the Director at such time, in such manner, and containing such information as the Director, in consultation with the Board, shall require.

(2) be in an amount that is sufficient to cover annual tuition and fees for doctoral study at a qualified institution for the duration of the graduate fellowship, and shall include, in addition, an annual living stipend of $20,000; and

(3) be for a duration of 3 to 5-years, the specific duration of each graduate fellowship to be determined by the Director in consultation with the Board on a case-by-case basis.

(f) REPAYMENT.--Each graduate fellowship shall--

(1) subject to paragraph (f)(2), be subject to full repayment upon completion of the doctoral degree according to a repayment schedule established and administered by the Director;

(2) be forgiven at the rate of 20 percent of the total amount of graduate fellowship assistance received under this section for each academic year that a recipient is employed as a full-time faculty member at an institution of higher education for a period not to exceed 5 years; and

(3) be monitored by the Director to ensure compliance with this section.

(g) ELIGIBILITY.--To be eligible to receive a graduate fellowship under this section, an individual shall--

(1) be a citizen of the United States;

(2) be matriculated or eligible to be matriculated for doctoral studies at a qualified institution; and

(3) demonstrate a commitment to a career in higher education.

(h) SELECTION.--

(1) IN GENERAL.--The Director, in consultation with the Board, shall select recipients for graduate fellowships.

(2) DUTIES.--The Director, in consultation with the Board, shall--

(A) establish criteria for a competitive selection process for recipients of graduate fellowships;

(B) establish and promulgate an application process for the fellowship program;

(C) receive applications for graduate fellowships;

(D) annually review applications and select recipients of graduate fellowships; and

(E) establish and administer a repayment schedule for recipients of graduate fellowships.

(3) CONSIDERATION.--In making selections for graduate fellowships, the Director, to the extent possible and in consultation with the Board, shall consider applicants whose interests are of an interdisciplinary nature, encompassing the social scientific as well as technical dimensions of cybersecurity.

(i) AUTHORIZATION OF APPROPRIATIONS.--There are authorized to be appropriated to carry out this section $5,000,000 for each of fiscal years 2003 through 2005, and such sums as may be necessary for each succeeding fiscal year.

SEC. 5. SABBATICAL FOR DISTINGUISHED FACULTY IN CYBERSECURITY.

(a) ESTABLISHMENT.--The Director is authorized to award grants to institutions of higher education to enable faculty members who are teaching cybersecurity subjects to spend a sabbatical from teaching working at--

(1) the National Security Agency;

(2) the Department of Defense;

(3) the National Institute of Standards and Technology;

(4) a research laboratory supported by the Department of Energy; or

(5) a qualified institution.

(b) APPLICATION.--Each institution of higher education desiring to receive a grant under this section shall submit an application to the Director at such time, in such manner, and containing such information as the Director shall require.

(c) GRANT AWARDS.--

(1) IN GENERAL.--The Director shall award a grant under this section only if the National Science Foundation and the agency or institution where the faculty member will spend the sabbatical approve the sabbatical placement.

(2) NUMBER AND DURATION.--For each fiscal year, the Director shall award grants for not more than 25 sabbatical positions that will each be for a 1-year period.

(3) AMOUNT OF AWARD.--

(A) IN GENERAL.--Each institution of higher education that is awarded a grant under this section shall receive $250,000 for each faculty member who will spend a sabbatical pursuant to the grant.

(B) USE OF AWARD.--The Director shall award a grant under this section in 2 disbursements in the following manner:

(i) FIRST DISBURSEMENT.--The first disbursement shall be made upon selection of a grant recipient and shall consist of the following:

(I) $20,000 to provide a stipend for living expenses to each faculty member awarded a sabbatical under this section.

(II) An amount sufficient for the grant recipient to hire a qualified replacement for the faculty member awarded a sabbatical under this section for the term of the sabbatical, if such a replacement is possible.

(ii) SECOND DISBURSEMENT.--The second disbursement shall be made at the conclusion of the sabbatical, only if the faculty member completes the sabbatical in its entirety, and shall be used for the grant recipient's cybersecurity infrastructure needs, including--

(I) acquiring equipment or technology;

(II) hiring graduate students; or

(III) supporting any other activity that will enhance the grant recipient's course offerings and research in cybersecurity.

(d) ELIGIBILITY.--To be eligible to receive a grant under this section, an institution of higher education shall submit an application under subsection (b) that--

(1) identifies the faculty member to whom the institution of higher education will provide a sabbatical and ensures that the faculty member is a citizen of the United States;

(2) ensures that the faculty member to whom the institution of higher education will provide a sabbatical is tenured at that institution of higher education and meets general standards of excellence in research or teaching; and

(3) explains how the faculty member to whom the institution of higher education will provide a sabbatical will--

(A) integrate into the faculty member's course offerings knowledge related to cybersecurity that is gained during the sabbatical; and

(B) in conjunction with the institution of higher education, use the second disbursement of funds available under subsection (c)(3)(B)(ii).

(e) AUTHORIZATION OF APPROPRIATIONS.--There is authorized to be appropriated to carry out this section $8,000,000 for each of fiscal years 2003 through 2005.

SEC. 6. ENHANCING CYBERSECURITY INFRASTRUCTURE.

(a) ESTABLISHMENT.--The Director is authorized to award grants to qualified institutions to fund activities that provide, enhance, and facilitate acquisition of cybersecurity infrastructure at qualified institutions.

(b) USE OF GRANT AWARD.--Each qualified institution that receives a grant under this section shall use the grant funds for needs specifically related to--

(1) cybersecurity education and research; and

(2) development efforts related to cybersecurity.

(c) MATCHING FUNDS.--Each qualified institution that receives a grant under this section shall contribute to the activities assisted under this section non-Federal matching funds equal to not less than 25 percent of the amount of the grant.

(d) AUTHORIZATION OF APPROPRIATIONS.--There is authorized to be appropriated to carry out this section $10,000,000 for each of fiscal years 2003 through 2005.

SEC. 7. CYBERSECURITY AWARENESS, TRAINING, AND EDUCATION PROGRAM.

(a) PURPOSE.--The purpose of this section is to increase the quality of education and training in cybersecurity, thereby increasing the number of qualified students entering the field of cybersecurity to adequately address the Nation's increasing dependence on information technology and to defend the Nation's increasingly vulnerable information infrastructure.

(b) ESTABLISHMENT.--The Director of the National Security Agency is authorized to award grants, on a competitive basis, to qualified institutions to establish Cybersecurity Awareness, Training, and Education Programs (referred to in this section as ``information programs'').

(c) APPLICATION.--

(1) IN GENERAL.--Each qualified institution desiring to receive a grant under this section shall submit an application to the Director of the National Security Agency at such time, in such manner, and accompanied by such information as the Director of the National Security Agency shall require.

(2) PLANS.--Each application submitted pursuant to paragraph (1) shall include a plan for establishing and maintaining an information program under this section, including a description of--

(A) the design, structure, and scope of the proposed information program, including unique qualities that may distinguish the proposed information program from possible approaches of other qualified institutions;

(B) research being conducted in the disciplines encompassed by the plan;

(C) any integration of the information program with other federally funded programs related to cybersecurity education, such as the National Science Foundation Scholarship for Service Program, the Department of Defense Multidisciplinary Research Program of the University Research Initiative, and the Department of Defense Information Assurance Scholarship Program;

(D) necessary costs for information infrastructure to support the information program;

(E) how the qualified institution will protect the integrity and security of the information infrastructure and any student testing mechanisms; and

(F) other relevant information.

(3) COLLABORATION.--A qualified institution desiring to receive a grant under this section may propose collaboration with other qualified institutions.

(d) GRANT AWARDS.--Each qualified institution that receives a grant under this section shall use the grant funds to--

(1) establish or enhance a Center for Studies in Cybersecurity Awareness, Training, and Education that shall--

(A) establish a professionally produced, web-based collection of cybersecurity programs of instruction that have been approved for general public dissemination by the authors and owners of the programs;

(B) maintain a web-based directory of cybersecurity education and training related conferences and symposia;

(C) sponsor the development of specific instructional materials in cybersecurity and other relevant disciplines, including--

(i) intrusion detection;

(ii) overview of information assurance;

(iii) ethical use of computing systems;

(iv) network security;

(v) cryptography;

(vi) risk management;

(vii) malicious logic; and

(viii) system security engineering;

(D) sponsor cybersecurity education symposia;

(E) collaborate with the National Colloquium for Information Assurance Education;

(F) create a `Virtual Academy' for sharing courseware and laboratory exercises in cybersecurity; and

(G) review and participate in integrating various cybersecurity education and training standards into unified curricula; and

(2) establish or enhance a Center for the Development of Faculty in Cybersecurity that shall--

(A) establish criteria for recognition and certification of cybersecurity trainers and educators;

(B) establish faculty training outreach to teachers in kindergarten through grade 12 and to faculty of part B institutions (as defined in section 322 of the Higher Education Act of 1965 (20 U.S.C. 1061));

(C) build, test, and evaluate laboratory exercises that represent use of model practices in cybersecurity for use in training and education programs; and

(D) establish an integrated program to include the programs described in this paragraph and paragraph (1).

(e) AUTHORIZATION OF APPROPRIATIONS.--There are authorized to be appropriated to carry out this section--

(1) $1,500,000 for fiscal year 2003;

(2) $2,000,000 for fiscal year 2004;

(3) $3,000,000 for fiscal year 2005; and

(4) $4,500,000 for fiscal year 2006.

SEC. 8. CYBERSECURITY WORKFORCE AND FACILITIES STUDY.

(a) STUDY.--The Comptroller General shall conduct a study and collect data on the following:

(1) The cybersecurity workforce, including--

(A) the size and nature of the cybersecurity workforce by occupation category (including academic faculty at institutions of higher education), level of education and training, personnel demographics, and industry characteristics; and

(B) the role of foreign workers in the cybersecurity workforce.

(2) Academic cybersecurity research facilities, including--

(A) total academic research space available or utilized for research relating to cybersecurity;

(B) academic research space relating to cybersecurity that is in need of major repair or renovation;

(C) new or ongoing projects at institutions of higher education expected to produce new or renovated research space to be used for research relating to cybersecurity; and

(D) any research space needs related to cybersecurity and based on projections of growth in educational programs and research, including costs and initiatives required to meet such needs and possible consequences of failure to meet such needs.

(3) Other information that the Comptroller General determines appropriate.

(b) REPORT.--Not later than 6 months after the date of enactment of this Act, and biennially thereafter, the Comptroller General shall prepare and submit a report on the study conducted pursuant to subsection (a) to the--

(1) Committee on Health, Education, Labor and Pensions of the Senate; and

(2) Committee on Education and the Workforce of the House of Representatives.