House considers bill to fund cybersecurity training, research and development

Measure would require NIST to develop standards to help agencies address potential risks to their computer networks, but the possibility of full funding is uncertain.

Security expert Alan Paller says the bill may still face lack of funding if passed. Bill Clark

The House could vote on a bill Thursday that would provide $395 million for cybersecurity research and development programs and establish standards to reduce the security risks in federal networks.

The 2009 Cybersecurity Enhancement Act (H.R. 4061), introduced by Reps. Michael McCaul, R-Texas, and Daniel Lipinski, D-Ill., would attempt to bolster federal systems that many experts in the security field believe are wide open to attack and have already lost valuable and sensitive information.

The bill provides about $395 million in grants for computer and network security research and development programs at the National Science Foundation between 2010 and 2014. It also funds nearly $100 million in scholarships to recruit and train cybersecurity professionals, and would provide $120 million for construction of research facilities and development of training programs at colleges and universities. The bill requires a task force, made up of representatives from federal government, industry and academia, to consider how to encourage collaborative research and development for cybersecurity.

The bill calls for the National Institute of Standards and Technology to develop standards to improve cybersecurity, identity management and interoperability among federal networks, and to create checklists, configuration profiles and deployment recommendations that minimize the security risks associated with computer hardware and software systems. It also funds additional cybersecurity research activities and awareness programs at NIST.

"The objectives and the elements of this bill are vital to making significant progress in defending and fighting in cyberspace, and should be passed," said Alan Paller, director of research at the SANS Institute. "However, none of its large impact elements will have an effect if the appropriations committee does not fund them."

Congress might not fully fund key provisions in the bill because there are too few high-quality cybersecurity training programs at colleges and universities and NIST has failed to work with agencies to reduce security risks, he said.

"This bill could do a lot of good only if the weaker [universities] upgrade their programs so they produce technically skilled people and if NIST stops using its money to produce paperwork exercises that make money for contractors but put the nation at risk," Paller said.

Although a number of other bills in Congress would enhance federal cybersecurity efforts, no companion bill to the Cybersecurity Enhancement Act exists in the Senate. The bill was endorsed by a number of industry associations, security vendors and academic organizations.

"The bill focuses on cybersecurity areas that are strategic in nature and long term, focusing on education, training, and research and development," said Liesyl Franz, vice president of information security and global public policy at TechAmerica. "But this is only one piece of the greater cyber puzzle," which also must address public-private partnerships, international engagement and reform of the existing Federal Information Security Management Act, she added.