While the Senate bogs down in negotiations over drafting major cybersecurity reform legislation, a House panel Wednesday passed a nuts-and-bolts IT security bill that would require the president to assess the government's cybersecurity workforce, including an agency-by-agency skills assessment, and provide scholarships to students who agree to work as cybersecurity specialists for the government after graduation.
The House Science and Technology Committee unanimously approved by voice vote the Cybersecurity Enhancement Act, or HR 4061, which combined the Cybersecurity Coordination and Awareness Act and the Cybersecurity Research and Development Amendments Act, both of which passed panel subcommittees earlier this fall.
"There are some very technically sophisticated ways in enhancing cybersecurity, but there are some simple ways, also," said Rep. David Wu, D-Ore., one of the bill's sponsors, who added that many of the measure's provisions won't bankrupt the Treasury. "Some aspects of computer security are rocket science and others are fairly simple precautionary steps which most people can take."
Among the bill's key provisions:
- Increase the role of the National Institute of Standards and Technology in developing international cybersecurity technical standards. The measure also charges NIST with creating IT security awareness and education campaigns for the public, improving the interoperability of identity management systems to encourage more widespread use, and developing an IT security checklist for agencies to use before acquiring IT wares. The panel adopted an amendment from Rep. Michael McCaul, R-Texas, to clarify that use of the checklist is voluntary. "There was some concern that the language of the bill would prevent NIST from including software developed outside of NIST on the checklist distributed to federal agencies," McCaul said. "This amendment clarifies that NIST can include software developed by an outside source or by the private sector. There is no reason that a federal agency should not be allowed to use software developed by the private sector if that software is superior and can do the job."
- Order agencies to develop, update and implement a strategic plan for cybersecurity research and development based on an assessment of cybersecurity risk. The plan must specify and prioritize near-term, mid-term and long-term research objectives, and describe how the near-term objectives complement R&D occurring in the private sector. "The common thread through all of the recommendations of the review was the importance of partnerships between the federal government and the private sector in achieving a more secure cyberspace," said Rep. Bart Gordon, the Tennessee Democrat who chairs the Science and Technology Committee. "HR 4061 is based on the concept that, in order to improve the security of our networked systems, the federal government must work in concert with the private sector."
- Establish a scholarship fund, administered by the National Science Foundation, in which student recipients promise to work as IT security professionals in government for a number of years equal to the number of years they received the grant. The NSF program also would fund faculty professional development and cybersecurity curriculum development programs at U.S. colleges and universities. The funding would be spread equally around the country and would encourage minority students to pursue careers in cybersecurity.
- Direct the National Science Foundation to support research on the social and behavioral aspects of cybersecurity as part of its total cybersecurity research portfolio. "People are the weakest link in many of our IT systems," the bill's primary sponsor, Rep. Daniel Lipinski, D-Ill., said in an interview with GovInfoSecurity.com last month. "We really need a cultural change in the way Americans practice computer hygiene. The idea of computer hygiene is something most people don't understand."
- Direct NSF to establish a postdoctoral fellowship program in cybersecurity. The measure also would reauthorize the NSF cybersecurity research program and includes identity management as one of the research areas supported. Another provision would reauthorize NSF programs that provide funding for capacity-building grants, graduate student fellowships, graduate student traineeships and research centers in cybersecurity.