House Panel OKs $150 Million for Infosec R&D
Seeking Innovative Ways to Protect Government IT
The bill, H.R. 4842, would appropriate to the Department of Homeland Security's Science and Technology Directorate $75 million in each of the next two fiscal years to fund R&D projects aimed at improving the nation's ability to prevent, protect, detect, respond to and recover from cyber attacks, focusing on large-scale, high-impact attacks.
The measure, the Homeland Security Science and Technology Authorization Act of 2010, is the first bill to appropriate money to the directorate since the creation of DHS in 2002 and is a product of nine months of bipartisan cooperation, Committee Chairman Bennie Thompson, D.-Miss., said in a statement.
Cybersecurity R&D spending would represent only a fraction of the $2.27 billion in appropriations in the bill. The measure also would require the directorate to develop a strategic plan, reform management processes and streamline procedures to drive research activities in a way that's responsive to its stakeholders: the Transportation Security Agency, Customs and Border Protection, Coast Guard and other DHS agencies as well as the nation's first responders, Thompson said.
In addition, the bill would authorize DHS's Office of Public-Private Partnerships to increase outreach and to ensure technological innovations get quick review, and would create a new rapid review division to assess unsolicited proposals. The legislation would require the Homeland Security secretary to review existing federal venture capital programs and develop a model for DHS to assure access to capital, which Thompson characterizes as the single biggest obstacle to homeland security technology innovation.
"This bill seeks to enhance accessibility, transparency, and responsiveness to ensure innovative firms - especially small businesses - can do business with S&T," Thompson said.
Among the cybersecurity R&D work the bill would fund:
- More secure versions of fundamental Internet protocols and architectures, including domain name systems and routing protocols.
- Technologies to detect attacks or intrusions.
- Mitigation and recovery methodologies, including techniques to contain attacks and develop resilient networks and systems that degrade gracefully.
- Infrastructure and tools to support cybersecurity R&D efforts, including modeling, testbeds and data sets for assessment of new cybersecurity technologies.
- Technologies to reduce vulnerabilities in process control systems.
- Test, evaluate and facilitate the transfer of technologies associated with the engineering of less vulnerable software and securing the software development lifecycle.
The bill also would set aside $500,000 to be allotted next fiscal year to study:
- Liability that subjects software and system vendors and system operators to potential damages for system breaches.
- Required reporting of security breaches that could threaten critical societal functions.
- Regulation that imposes, under threat of civil penalty, best practices on system operators of critical infrastructure.
- Certification from standards bodies about conformance to relevant cybersecurity standards that can be used as a marketplace differentiation.
- Accounting practices that require companies to report their cybersecurity practices and postures and the results of independently conducted red team simulated attacks or exercises.
- Cybersecurity risk insurance.
A third research project in the bill would have DHS working with national security and intelligence agencies to determine if the government-owned communications and information systems essential to the nation's electric grid have been compromised. Research would explore the extent of any compromise; identity of any attacker; method of penetration; ramifications of such compromise on the operation of the electric grid, society and national security, including war-fighting capabilities; and recommended mitigation action.
No dollar amount was specified, meaning DHS can appropriate necessary money from the overall amount appropriated in the bill.