Cybersecurity research boosted

Bill would produce new crop of experts

As a House bill that aims to spend $878 million training graduate and doctoral-level cybersecu.rity researchers heads to the Senate, computer industry officials say some of the money ought to be used to train lower-level workers, too.

The Cyber Security Research and Development Act passed on a 400-12 vote Feb. 7 and is expected to be introduced in the Senate in a few weeks.

As written, the House bill would train cybersecurity researchers — "the admirals and generals" of the computer defense corps — but it largely ignores "the foot soldiers" — the computer system administrators and others who oversee networks — according to Thomas Santaniello, public policy manager for the Computer Technology Industry Association (CompTIA).

Jolted by the Sept. 11 terrorist attacks, House Science Committee members said the United States needs much stronger computer security research programs to protect the nation's computer systems from attack.

"Experts tell us that the nation is profoundly at risk from cyber.terrorism," said Rep. Sherwood Boeh.lert (R-N.Y.), sponsor of the act. His bill intends to create "the next generation of cybersecurity researchers" and introduce innovative approaches to computer system security. He concedes that the effort is likely to take years.

"Everyone wants instant results," Boehlert said, "but this committee has to look at the longer range."

More immediate results could be obtained by also providing security training for computer system administrators and others, Santaniello said.

Computer system operators "need a basic, fundamental understanding of security practices. Traditionally, security has not been the highest priority," he said. CompTIA, which represents 9,000 companies and 10,000 technology workers, will ask the Senate to add provisions for security training for "the people who make networks run."

The House version of the bill calls for spending $878 million over five years to support computer and network security research, mainly by doctoral and post.doctoral students studying cyber.security. The money would be split between the National Science Foundation and the National Institute of Standards and Technology (NIST).

Boehlert, who is chairman of the Science Committee, compared the investment to the space research and development boom in the 1950s, sparked in part by the Soviet Union's surprise launch of Sputnik, the first satellite.

U.S. vulnerability to a cyberattack is grave, he said. An attack on computer systems "could knock out electricity, drinking water and sewage systems, financial institutions, assembly lines and communications — just to name a few."

And the danger is growing rapidly, warned Rep. Lamar Smith (R-Texas). The number of computer viruses, attacks by hackers and computer system break-ins doubled in the past year, Smith said. "The demand for expertise in network security, disaster recovery and other cyberdefense skills has never been higher, but the supply of qualified IT professionals falls short," Smith said.

In addition to producing a new crop of computer security experts, the new funding is intended to advance the science of security. At present, "we have few, if any standards as to what constitutes a secure network," said Rep. Connie Morella (R-Md.), "nor do we have generally accepted procedures to evaluate our current systems to upgrade them with the most current security protocols."

NIST, which is located in Morella's district, could create such standards.

The cybersecurity bill sped through the House. It was introduced Dec. 4, 2001, shortly before Congress took a month-long break, and passed less than two weeks after lawmakers reconvened.

That sense of urgency may be lacking in the Senate. "We need to get after the Senate and let them know that we need some action over there," said Rep. Ralph Hall (D-Texas), a cosponsor of the bill.

NEXT STORY: Security board makes progress