X

U.S. House passes cybersecurity research bill

The measure, passed by a vote of 422 to 5, would boost research and public education efforts to bolster flagging cybersecurity efforts.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
3 min read

The U.S. House of Representatives overwhelmingly approved a cybersecurity bill that calls for beefing up training, research, and coordination so the government can be better prepared to deal with cyberattacks.

The Cyber Security Research and Development Act of 2009, which passed by a vote of 422 to 5, authorizes the National Institute of Standards and Technology (NIST) to develop a cybersecurity education program that can help consumers, businesses, and government workers keep their computers secure.

It also creates cybersecurity scholarship programs for college students and research centers, and asks NIST to boost development of identity management systems used to control access to buildings, computer networks, and data.

Federal agencies spend $6 billion a year on cybersecurity to protect the government's IT infrastructure and $356 million on research, according to the Office of Management and Budget. Despite that funding, a government review of its cybersecurity efforts last year concluded that they are not adequate to prepare the country against cyberattacks.

Under the measure, if it becomes law, NIST would have one year to deliver a plan to Congress detailing its plans to participate in international cybersecurity technical standards development and 90 days to deliver a plan describing a cybersecurity awareness and education program.

Alan Paller, director of research at the SANS Institute computer security training organization, said the bill is vital to improving the country's cybersecurity defenses, but said the Appropriations Committee needs to provide for the necessary funding for it to have impact. Funding could be affected if schools don't upgrade their security programs and graduate students with key technical skills, and if NIST doesn't prove it can be a good partner with the agencies that have the necessary skills.

"NIST has 'grasped defeat from the jaws of victory' once too often (because of their lack of operational knowledge) to give that agency sole responsibility for something as important as the first line of defense (configuration standards, et al)," Paller wrote in an e-mail.

"This bill will help improve the security of cyberspace by ensuring federal investments in cybersecurity are better focused, more effective, and that research into innovative, transformative security technologies is fully supported," said Symantec CTO Mark Bregman. "HR 4061 represents a major step forward towards defining a clear research agenda that is necessary to stimulate investment in both the private and academic worlds, resulting in the creation of jobs in a badly understaffed industry."

The vote comes two days after Dennis Blair, White House director of national intelligence, warned the Senate that the U.S. is under severe threat from cyberattacks, and a week after nearly 50 House and Senate Web sites were defaced.

There has been a heightened level of interest in cybersecurity since Google announced last month that its network had been attacked and intellectual property stolen. More than 20 (now more than 30) other companies were also targeted and the attacks appeared to come from China, Google said. Separately, Gmail users who are human rights activists were targeted. As a result of the attacks, Google said it would stop censoring its Web search results in China as it has been doing and may even stop doing business in the country.

Updated 3:54 p.m. PST with SANS Institute comment.