[Congressional Record: November 12, 2002 (House)]
[Page H8067-H8079]
From the Congressional Record Online via GPO Access [wais.access.gpo.gov]
[DOCID:cr12no02-63]

CYBER SECURITY RESEARCH AND DEVELOPMENT ACT

Mr. BOEHLERT. Mr. Speaker, I move to suspend the rules and concur in the Senate amendment to the bill (H.R. 3394) an Act to authorize funding for computer and network security research and development and research fellowship programs, and for other purposes.

The Clerk read as follows:

Senate amendment:

Strike out all after the enacting clause and insert:

SECTION 1. SHORT TITLE.

This Act may be cited as the ``Cyber Security Research and Development Act''.

SEC. 2. FINDINGS.

The Congress finds the following:
  (1) Revolutionary advancements in computing and communications technology have interconnected government, commercial, scientific, and educational infrastructures--including critical infrastructures for electric power, natural gas and petroleum production and distribution, telecommunications, transportation, water supply, banking and finance, and emergency and government services--in a vast, interdependent physical and electronic network.
  (2) Exponential increases in interconnectivity have facilitated enhanced communications, economic growth, and the delivery of services critical to the public welfare, but have also increased the consequences of temporary or prolonged failure.
  (3) A Department of Defense Joint Task Force concluded after a 1997 United States information warfare exercise that the results ``clearly demonstrated our lack of preparation for a coordinated cyber and physical attack on our critical military and civilian infrastructure''.
  (4) Computer security technology and systems implementation lack--
    (A) sufficient long term research funding;
    (B) adequate coordination across Federal and State government agencies and among government, academia, and industry; and
    (C) sufficient numbers of outstanding researchers in the field.
  (5) Accordingly, Federal investment in computer and network security research and development must be significantly increased to--
    (A) improve vulnerability assessment and technological and systems solutions;
    (B) expand and improve the pool of information security professionals, including researchers, in the United States workforce; and
    (C) better coordinate information sharing and collaboration among industry, government, and academic research projects.
  (6) While African-Americans, Hispanics, and Native Americans constitute 25 percent of the total United States workforce and 30 percent of the college-age population, members of these minorities comprise less than 7 percent of the United States computer and information science workforce.

SEC. 3. DEFINITIONS.

In this Act:
  (1) Director.--The term ``Director'' means the Director of the National Science Foundation.
  (2) Institution of higher education.--The term ``institution of higher education'' has the meaning given that term in section 101(a) of the Higher Education Act of 1965 (20 U.S.C. 1001(a)).

SEC. 4. NATIONAL SCIENCE FOUNDATION RESEARCH.

  (a) Computer and Network Security Research Grants.--
    (1) In general.--The Director shall award grants for basic research on innovative approaches to the structure of computer and network hardware and software that are aimed at enhancing computer security.
    Research areas may include--
      (A) authentication, cryptography, and other secure data communications technology;
      (B) computer forensics and intrusion detection;
      (C) reliability of computer and network applications, middleware, operating systems, control systems, and communications infrastructure;
      (D) privacy and confidentiality;
      (E) network security architecture, including tools for security administration and analysis;
      (F) emerging threats;
      (G) vulnerability assessments and techniques for quantifying risk;
      (H) remote access and wireless security; and
      (I) enhancement of law enforcement ability to detect, investigate, and prosecute cyber-crimes, including those that involve piracy of intellectual property.
    (2) Merit review; competition.--Grants shall be awarded under this section on a merit-reviewed competitive basis.
    (3) Authorization of appropriations.--There are authorized to be appropriated to the National Science Foundation to carry out this subsection--
      (A) $35,000,000 for fiscal year 2003;
      (B) $40,000,000 for fiscal year 2004;
      (C) $46,000,000 for fiscal year 2005;
      (D) $52,000,000 for fiscal year 2006; and
      (E) $60,000,000 for fiscal year 2007.
  (b) Computer and Network Security Research Centers.--
    (1) In general.--The Director shall award multiyear grants, subject to the availability of appropriations, to institutions of higher education, nonprofit research institutions, or consortia thereof to establish multidisciplinary Centers for Computer and Network Security Research. Institutions of higher education, nonprofit research institutions, or consortia thereof receiving such grants may partner with 1 or more government laboratories or for-profit institutions, or other institutions of higher education or nonprofit research institutions.
    (2) Merit review; competition.--Grants shall be awarded under this subsection on a merit-reviewed competitive basis.
    (3) Purpose.--The purpose of the Centers shall be to generate innovative approaches to computer and network security by conducting cutting-edge, multidisciplinary research in computer and network security, including the research areas described in subsection (a)(1).
    (4) Applications.--An institution of higher education, nonprofit research institution, or consortia thereof seeking funding under this subsection shall submit an application to the Director at such time, in such manner, and containing such information as the Director may require. The application shall include, at a minimum, a description of--
      (A) the research projects that will be undertaken by the Center and the contributions of each of the participating entities;
      (B) how the Center will promote active collaboration among scientists and engineers from different disciplines, such as computer scientists, engineers, mathematicians, and social science researchers;
      (C) how the Center will contribute to increasing the number and quality of computer and network security researchers and other professionals, including individuals from groups historically underrepresented in these fields; and
      (D) how the center will disseminate research results quickly and widely to improve cyber security in information technology networks, products, and services.
    (5) Criteria.--In evaluating the applications submitted under paragraph (4), the Director shall consider, at a minimum--
      (A) the ability of the applicant to generate innovative approaches to computer and network security and effectively carry out the research program;
      (B) the experience of the applicant in conducting research on computer and network security and the capacity of the applicant to foster new multidisciplinary collaborations;
      (C) the capacity of the applicant to attract and provide adequate support for a diverse group of undergraduate and graduate students and postdoctoral fellows to pursue computer and network security research; and
      (D) the extent to which the applicant will partner with government laboratories, for-profit entities, other institutions of higher education, or nonprofit research institutions, and the role the partners will play in the research undertaken by the Center.
    (6) Annual meeting.--The Director shall convene an annual meeting of the Centers in order to foster collaboration and communication between Center participants.
    (7) Authorization of appropriations.--There are authorized to be appropriated for the National Science Foundation to carry out this subsection--
      (A) $12,000,000 for fiscal year 2003;
      (B) $24,000,000 for fiscal year 2004;
      (C) $36,000,000 for fiscal year 2005;
      (D) $36,000,000 for fiscal year 2006; and
      (E) $36,000,000 for fiscal year 2007.

SEC. 5. NATIONAL SCIENCE FOUNDATION COMPUTER AND NETWORK SECURITY PROGRAMS.
  (a) Computer and Network Security Capacity Building Grants.--
    (1) In general.--The Director shall establish a program to award grants to institutions of higher education (or consortia thereof) to establish or improve undergraduate and master's degree programs in computer and network security, to increase the number of students, including the number of students from groups historically underrepresented in these fields, who pursue undergraduate or master's degrees in fields related to computer and network security, and to provide students with experience in government or industry related to their computer and network security studies.
    (2) Merit review.--Grants shall be awarded under this subsection on a merit-reviewed competitive basis.
    (3) Use of funds.--Grants awarded under this subsection shall be used for activities that enhance the ability of an institution of higher education (or consortium thereof) to provide high-quality undergraduate and master's degree programs in computer and network security and to recruit and retain increased numbers of students to such programs.
    Activities may include--
      (A) revising curriculum to better prepare undergraduate and master's degree students for careers in computer and network security;
      (B) establishing degree and certificate programs in computer and network security;
      (C) creating opportunities for undergraduate students to participate in computer and network security research projects;
      (D) acquiring equipment necessary for student instruction in computer and network security, including the installation of testbed networks for student use;
      (E) providing opportunities for faculty to work with local or Federal Government agencies, private industry, nonprofit research institutions, or other academic institutions to develop new expertise or to formulate new research directions in computer and network security;
      (F) establishing collaborations with other academic institutions or academic departments that seek to establish, expand, or enhance programs in computer and network security;
      (G) establishing student internships in computer and network security at government agencies or in private industry;
      (H) establishing collaborations with other academic institutions to establish or enhance a web-based collection of computer and network security courseware and laboratory exercises for sharing with other institutions of higher education, including community colleges;
      (I) establishing or enhancing bridge programs in computer and network security between community colleges and universities; and
      (J) any other activities the Director determines will accomplish the goals of this subsection.
    (4) Selection process.--
      (A) Application.--An institution of higher education (or a consortium thereof) seeking funding under this subsection shall submit an application to the Director at such time, in such manner, and containing such information as the Director may require.
      The application shall include, at a minimum--
        (i) a description of the applicant's computer and network security research and instructional capacity, and in the case of an application from a consortium of institutions of higher education, a description of the role that each member will play in implementing the proposal;
        (ii) a comprehensive plan by which the institution or consortium will build instructional capacity in computer and information security;
        (iii) a description of relevant collaborations with government agencies or private industry that inform the instructional program in computer and network security;
        (iv) a survey of the applicant's historic student enrollment and placement data in fields related to computer and network security and a study of potential enrollment and placement for students enrolled in the proposed computer and network security program; and
        (v) a plan to evaluate the success of the proposed computer and network security program, including post-graduation assessment of graduate school and job placement and retention rates as well as the relevance of the instructional program to graduate study and to the workplace.
      (B) Awards.--(i) The Director shall ensure, to the extent practicable, that grants are awarded under this subsection in a wide range of geographic areas and categories of institutions of higher education, including minority serving institutions.
        (ii) The Director shall award grants under this subsection for a period not to exceed 5 years.
    (5) Assessment required.--The Director shall evaluate the program established under this subsection no later than 6 years after the establishment of the program.
    At a minimum, the Director shall evaluate the extent to which the program achieved its objectives of increasing the quality and quantity of students, including students from groups historically underrepresented in computer and network security related disciplines, pursuing undergraduate or master's degrees in computer and network security.
    (6) Authorization of appropriations.--There are authorized to be appropriated to the National Science Foundation to carry out this subsection--
      (A) $15,000,000 for fiscal year 2003;
      (B) $20,000,000 for fiscal year 2004;
      (C) $20,000,000 for fiscal year 2005;
      (D) $20,000,000 for fiscal year 2006; and
      (E) $20,000,000 for fiscal year 2007.
  (b) Scientific and Advanced Technology Act of 1992.--
    (1) Grants.--The Director shall provide grants under the Scientific and Advanced Technology Act of 1992 (42 U.S.C. 1862i) for the purposes of section 3(a) and (b) of that Act, except that the activities supported pursuant to this subsection shall be limited to improving education in fields related to computer and network security.
    (2) Authorization of appropriations.--There are authorized to be appropriated to the National Science Foundation to carry out this subsection--
      (A) $1,000,000 for fiscal year 2003;
      (B) $1,250,000 for fiscal year 2004;
      (C) $1,250,000 for fiscal year 2005;
      (D) $1,250,000 for fiscal year 2006; and
      (E) $1,250,000 for fiscal year 2007.
  (c) Graduate Traineeships in Computer and Network Security Research.--
    (1) In general.--The Director shall establish a program to award grants to institutions of higher education to establish traineeship programs for graduate students who pursue computer and network security research leading to a doctorate degree by providing funding and other assistance, and by providing graduate students with research experience in government or industry related to the students' computer and network security studies.
    (2) Merit review.--Grants shall be provided under this subsection on a merit-reviewed competitive basis.
    (3) Use of funds.--An institution of higher education shall use grant funds for the purposes of--
      (A) providing traineeships to students who are citizens, nationals, or lawfully admitted permanent resident aliens of the United States and are pursuing research in computer or network security leading to a doctorate degree;
      (B) paying tuition and fees for students receiving traineeships under subparagraph (A);
      (C) establishing scientific internship programs for students receiving traineeships under subparagraph (A) in computer and network security at for-profit institutions, nonprofit research institutions, or government laboratories; and
      (D) other costs associated with the administration of the program.
    (4) Traineeship amount.--Traineeships provided under paragraph (3)(A) shall be in the amount of $25,000 per year, or the level of the National Science Foundation Graduate Research Fellowships, whichever is greater, for up to 3 years.
    (5) Selection process.--An institution of higher education seeking funding under this subsection shall submit an application to the Director at such time, in such manner, and containing such information as the Director may require. The application shall include, at a minimum, a description of--
      (A) the instructional program and research opportunities in computer and network security available to graduate students at the applicant's institution; and
      (B) the internship program to be established, including the opportunities that will be made available to students for internships at for-profit institutions, nonprofit research institutions, and government laboratories.
    (6) Review of applications.--In evaluating the applications submitted under paragraph (5), the Director shall consider--
      (A) the ability of the applicant to effectively carry out the proposed program;
      (B) the quality of the applicant's existing research and education programs;
      (C) the likelihood that the program will recruit increased numbers of students, including students from groups historically underrepresented in computer and network security related disciplines, to pursue and earn doctorate degrees in computer and network security;
      (D) the nature and quality of the internship program established through collaborations with government laboratories, nonprofit research institutions, and for-profit institutions;
      (E) the integration of internship opportunities into graduate students' research; and
      (F) the relevance of the proposed program to current and future computer and network security needs.
    (7) Authorization of appropriations.--There are authorized to be appropriated to the National Science Foundation to carry out this subsection--
      (A) $10,000,000 for fiscal year 2003;
      (B) $20,000,000 for fiscal year 2004;
      (C) $20,000,000 for fiscal year 2005;
      (D) $20,000,000 for fiscal year 2006; and
      (E) $20,000,000 for fiscal year 2007.
  (d) Graduate Research Fellowships Program Support.--Computer and network security shall be included among the fields of specialization supported by the National Science Foundation's Graduate Research Fellowships program under section 10 of the National Science Foundation Act of 1950 (42 U.S.C. 1869).
  (e) Cyber Security Faculty Development Traineeship Program.--
    (1) In general.--The Director shall establish a program to award grants to institutions of higher education to establish traineeship programs to enable graduate students to pursue academic careers in cyber security upon completion of doctoral degrees.
    (2) Merit review; competition.--Grants shall be awarded under this section on a merit-reviewed competitive basis.
    (3) Application.--Each institution of higher education desiring to receive a grant under this subsection shall submit an application to the Director at such time, in such manner, and containing such information as the Director shall require.
    (4) Use of funds.--Funds received by an institution of higher education under this paragraph shall--
      (A) be made available to individuals on a merit-reviewed competitive basis and in accordance with the requirements established in paragraph (7);
      (B) be in an amount that is sufficient to cover annual tuition and fees for doctoral study at an institution of higher education for the duration of the graduate traineeship, and shall include, in addition, an annual living stipend of $25,000; and
      (C) be provided to individuals for a duration of no more than 5 years, the specific duration of each graduate traineeship to be determined by the institution of higher education, on a case-by-case basis.
    (5) Repayment.--Each graduate traineeship shall--
      (A) subject to paragraph (5)(B), be subject to full repayment upon completion of the doctoral degree according to a repayment schedule established and administered by the institution of higher education;
      (B) be forgiven at the rate of 20 percent of the total amount of the graduate traineeship assistance received under this section for each academic year that a recipient is employed as a full-time faculty member at an institution of higher education for a period not to exceed 5 years; and
      (C) be monitored by the institution of higher education receiving a grant under this subsection to ensure compliance with this subsection.
    (6) Exceptions.--The Director may provide for the partial or total waiver or suspension of any service obligation or payment by an individual under this section whenever compliance by the individual is impossible or would involve extreme hardship to the individual, or if enforcement of such obligation with respect to the individual would be unconscionable.
    (7) Eligibility.--To be eligible to receive a graduate traineeship under this section, an individual shall--
      (A) be a citizen, national, or lawfully admitted permanent resident alien of the United States;
      (B) demonstrate a commitment to a career in higher education.
    (8) Consideration.--In making selections for graduate traineeships under this paragraph, an institution receiving a grant under this subsection shall consider, to the extent possible, a diverse pool of applicants whose interests are of an interdisciplinary nature, encompassing the social scientific as well as the technical dimensions of cyber security.
    (9) Authorization of appropriations.--There are authorized to be appropriated to the National Science Foundation to carry out this paragraph $5,000,000 for each of fiscal years 2003 through 2007.

SEC. 6. CONSULTATION.

In carrying out sections 4 and 5, the Director shall consult with other Federal agencies.

SEC. 7. FOSTERING RESEARCH AND EDUCATION IN COMPUTER AND NETWORK SECURITY.

Section 3(a) of the National Science Foundation Act of 1950 (42 U.S.C. 1862(a)) is amended--
  (1) by striking ``and'' at the end of paragraph (6);
  (2) by striking ``Congress.'' in paragraph (7) and inserting ``Congress; and''; and
  (3) by adding at the end the following:
    ``(8) to take a leading role in fostering and supporting research and education activities to improve the security of networked information systems.''.

SEC. 8. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY PROGRAMS.

  (a) Research Program.--The National Institute of Standards and Technology Act (15 U.S.C. 271 et seq.) is amended--
    (1) by moving section 22 to the end of the Act and redesignating it as section 32;
    (2) by inserting after section 21 the following new section:

``Sec. 22.
research program on security of computer systems
  ``(a) Establishment.--The Director shall establish a program of assistance to institutions of higher education that enter into partnerships with for-profit entities to support research to improve the security of computer systems. The partnerships may also include government laboratories and nonprofit research institutions. The program shall--
    ``(1) include multidisciplinary, long-term research;
    ``(2) include research directed toward addressing needs identified through the activities of the Computer System Security and Privacy Advisory Board under section 20(f); and
    ``(3) promote the development of a robust research community working at the leading edge of knowledge in subject areas relevant to the security of computer systems by providing support for graduate students, post-doctoral researchers, and senior researchers.
  ``(b) Fellowships.--
    ``(1) Post-doctoral research fellowships.--The Director is authorized to establish a program to award post-doctoral research fellowships to individuals who are citizens, nationals, or lawfully admitted permanent resident aliens of the United States and are seeking research positions at institutions, including the Institute, engaged in research activities related to the security of computer systems, including the research areas described in section 4(a)(1) of the Cyber Security Research and Development Act.
    ``(2) Senior research fellowships.--The Director is authorized to establish a program to award senior research fellowships to individuals seeking research positions at institutions, including the Institute, engaged in research activities related to the security of computer systems, including the research areas described in section 4(a)(1) of the Cyber Security Research and Development Act.
    Senior research fellowships shall be made available for established researchers at institutions of higher education who seek to change research fields and pursue studies related to the security of computer systems.
    ``(3) Eligibility.--
      ``(A) In general.--To be eligible for an award under this subsection, an individual shall submit an application to the Director at such time, in such manner, and containing such information as the Director may require.
      ``(B) Stipends.--Under this subsection, the Director is authorized to provide stipends for post-doctoral research fellowships at the level of the Institute's Post Doctoral Research Fellowship Program and senior research fellowships at levels consistent with support for a faculty member in a sabbatical position.
  ``(c) Awards; Applications.--
    ``(1) In general.--The Director is authorized to award grants or cooperative agreements to institutions of higher education to carry out the program established under subsection (a). No funds made available under this section shall be made available directly to any for-profit partners.
    ``(2) Eligibility.--To be eligible for an award under this section, an institution of higher education shall submit an application to the Director at such time, in such manner, and containing such information as the Director may require.
    The application shall include, at a minimum, a description of--
      ``(A) the number of graduate students anticipated to participate in the research project and the level of support to be provided to each;
      ``(B) the number of post-doctoral research positions included under the research project and the level of support to be provided to each;
      ``(C) the number of individuals, if any, intending to change research fields and pursue studies related to the security of computer systems to be included under the research project and the level of support to be provided to each; and
      ``(D) how the for-profit entities, nonprofit research institutions, and any other partners will participate in developing and carrying out the research and education agenda of the partnership.
  ``(d) Program Operation.--
    ``(1) Management.--The program established under subsection (a) shall be managed by individuals who shall have both expertise in research related to the security of computer systems and knowledge of the vulnerabilities of existing computer systems. The Director shall designate such individuals as program managers.
    ``(2) Managers may be employees.--Program managers designated under paragraph (1) may be new or existing employees of the Institute or individuals on assignment at the Institute under the Intergovernmental Personnel Act of 1970, except that individuals on assignment at the Institute under the Intergovernmental Personnel Act of 1970 shall not directly manage such employees.
    ``(3) Manager responsibility.--Program managers designated under paragraph (1) shall be responsible for--
      ``(A) establishing and publicizing the broad research goals for the program;
      ``(B) soliciting applications for specific research projects to address the goals developed under subparagraph (A);
      ``(C) selecting research projects for support under the program from among applications submitted to the Institute, following consideration of--
        ``(i) the novelty and scientific and technical merit of the proposed projects;
        ``(ii) the demonstrated capabilities of the individual or individuals submitting the applications to successfully carry out the proposed research;
        ``(iii) the impact the proposed projects will have on increasing the number of computer security researchers;
        ``(iv) the nature of the participation by for-profit entities and the extent to which the proposed projects address the concerns of industry; and
        ``(v) other criteria determined by the Director, based on information specified for inclusion in applications under subsection (c); and
      ``(D) monitoring the progress of research projects supported under the program.
    ``(4) Reports.--The Director shall report to the Senate Committee on Commerce, Science, and Transportation and the House of Representatives Committee on Science annually on the use and responsibility of individuals on assignment at the Institute under the Intergovernmental Personnel Act of 1970 who are performing duties under subsection (d).
  ``(e) Review of Program.--
    ``(1) Periodic review.--The Director shall periodically review the portfolio of research awards monitored by each program manager designated in accordance with subsection (d).
    In conducting those reviews, the Director shall seek the advice of the Computer System Security and Privacy Advisory Board, established under section 21, on the appropriateness of the research goals and on the quality and utility of research projects managed by program managers in accordance with subsection (d).
    ``(2) Comprehensive 5-year review.--The Director shall also contract with the National Research Council for a comprehensive review of the program established under subsection (a) during the 5th year of the program. Such review shall include an assessment of the scientific quality of the research conducted, the relevance of the research results obtained to the goals of the program established under subsection (d)(3)(A), and the progress of the program in promoting the development of a substantial academic research community working at the leading edge of knowledge in the field. The Director shall submit to Congress a report on the results of the review under this paragraph no later than 6 years after the initiation of the program.
  ``(f) Definitions.--In this section:
    ``(1) Computer system.--The term `computer system' has the meaning given that term in section 20(d)(1).
    ``(2) Institution of higher education.--The term `institution of higher education' has the meaning given that term in section 101(a) of the Higher Education Act of 1965 (20 U.S.C. 1001(a)).''.
  (b) Amendment of Computer System Definition.--Section 20(d)(1)(B)(i) of National Institute of Standards and Technology Act (15 U.S.C. 278g-3(d)(1)(B)(i)) is amended to read as follows:
    ``(i) computers and computer networks;''.
  (c) Checklists for Government Systems.--
    (1) In general.--The Director of the National Institute of Standards and Technology shall develop, and revise as necessary, a checklist setting forth settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become, widely used within the Federal government.
    (2) Priorities for development; excluded systems.--The Director of the National Institute of Standards and Technology may establish priorities for the development of checklists under this paragraph on the basis of the security risks associated with the use of the system, the number of agencies that use a particular system, the usefulness of the checklist to Federal agencies that are users or potential users of the system, or such other factors as the Director determines to be appropriate. The Director of the National Institute of Standards and Technology may exclude from the application of paragraph (1) any computer hardware or software system for which the Director of the National Institute of Standards and Technology determines that the development of a checklist is inappropriate because of the infrequency of use of the system, the obsolescence of the system, or the inutility or impracticability of developing a checklist for the system.
    (3) Dissemination of checklists.--The Director of the National Institute of Standards and Technology shall make any checklist developed under this paragraph for any computer hardware or software system available to each Federal agency that is a user or potential user of the system.
    (4) Agency use requirements.--The development of a checklist under paragraph (1) for a computer hardware or software system does not--
      (A) require any Federal agency to select the specific settings or options recommended by the checklist for the system;
      (B) establish conditions or prerequisites for Federal agency procurement or deployment of any such system;
      (C) represent an endorsement of any such system by the Director of the National Institute of Standards and Technology; nor
      (D) preclude any Federal agency from procuring or deploying other computer hardware or software systems for which no such checklist has been developed.
  (d) Federal Agency Information Security Programs.--
    (1) In general.--In developing the agencywide information security program required by section 3534(b) of title 44, United States Code, an agency that deploys a computer hardware or software system for which the Director of the National Institute of Standards and Technology has developed a checklist under subsection (c) of this section--
      (A) shall include in that program an explanation of how the agency has considered such checklist in deploying that system; and
      (B) may treat the explanation as if it were a portion of the agency's annual performance plan properly classified under criteria established by an Executive Order (within the meaning of section 1115(d) of title 31, United States Code).
    (2) Limitation.--Paragraph (1) does not apply to any computer hardware or software system for which the National Institute of Standards and Technology does not have responsibility under section 20(a)(3) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(a)(3)).

SEC. 9. COMPUTER SECURITY REVIEW, PUBLIC MEETINGS, AND INFORMATION.

Section 20 of the National Institute of Standards and Technology Act (15 U.S.C.
278g-3) is amended by adding at the end the following new subsection: ``(e) Authorization of Appropriations.--There are authorized to be appropriated to the Secretary $1,060,000 for fiscal year 2003 and $1,090,000 for fiscal year 2004 to enable the Computer System Security and Privacy Advisory Board, established by section 21, to identify emerging issues, including research needs, related to computer security, privacy, and cryptography and, as appropriate, to convene public meetings on those subjects, receive presentations, and publish reports, digests, and summaries for public distribution on those subjects.''. SEC. 10. INTRAMURAL SECURITY RESEARCH. Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3), as amended by this Act, is further amended by redesignating subsection (e) as subsection (f), and by inserting after subsection (d) the following: ``(e) Intramural Security Research.--As part of the research activities conducted in accordance with subsection (b)(4), the Institute shall-- ``(1) conduct a research program to address emerging technologies associated with assembling a networked computer system from components while ensuring it maintains desired security properties; ``(2) carry out research associated with improving the security of real-time computing and communications systems for use in process control; and ``(3) carry out multidisciplinary, long-term, high-risk research on ways to improve the security of computer systems.''. SEC. 11. AUTHORIZATION OF APPROPRIATIONS. 
There are authorized to be appropriated to the Secretary of Commerce for the National Institute of Standards and Technology-- (1) for activities under section 22 of the National Institute of Standards and Technology Act, as added by section 8 of this Act-- (A) $25,000,000 for fiscal year 2003; (B) $40,000,000 for fiscal year 2004; (C) $55,000,000 for fiscal year 2005; (D) $70,000,000 for fiscal year 2006; (E) $85,000,000 for fiscal year 2007; and (2) for activities under section 20(f) of the National Institute of Standards and Technology Act, as added by section 10 of this Act-- (A) $6,000,000 for fiscal year 2003; (B) $6,200,000 for fiscal year 2004; (C) $6,400,000 for fiscal year 2005; (D) $6,600,000 for fiscal year 2006; and (E) $6,800,000 for fiscal year 2007. SEC. 12. NATIONAL ACADEMY OF SCIENCES STUDY ON COMPUTER AND NETWORK SECURITY IN CRITICAL INFRASTRUCTURES. (a) Study.--Not later than 3 months after the date of the enactment of this Act, the Director of the National Institute of Standards and Technology shall enter into an arrangement with the National Research Council of the National Academy of Sciences to conduct a study of the vulnerabilities of the Nation's network infrastructure and make recommendations for appropriate improvements. The National Research Council shall-- (1) review existing studies and associated data on the architectural, hardware, and software vulnerabilities and interdependencies in United States critical infrastructure networks; (2) identify and assess gaps in technical capability for robust critical infrastructure network security and make recommendations for research priorities and resource requirements; and (3) review any and all other essential elements of computer and network security, including security of industrial process controls, to be determined in the conduct of the study. 
(b) Report.--The Director of the National Institute of Standards and Technology shall transmit a report containing the results of the study and recommendations required by subsection (a) to the Senate Committee on Commerce, Science, and Transportation and the House of Representatives Committee on Science not later than 21 months after the date of enactment of this Act. (c) Security.--The Director of the National Institute of Standards and Technology shall ensure that no information that is classified is included in any publicly released version of the report required by this section. (d) Authorization of Appropriations.--There are authorized to be appropriated to the Secretary of Commerce for the National Institute of Standards and Technology for the purposes of carrying out this section, $700,000. SEC. 13. COORDINATION OF FEDERAL CYBER SECURITY RESEARCH AND DEVELOPMENT The Director of the National Science Foundation and the Director of the National Institute of Standards and Technology shall coordinate the research programs authorized by this Act or pursuant to amendments made by this Act. The Director of the Office of Science and Technology Policy shall work with the Director of the National Science Foundation and the Director of the National Institute of Standards and Technology to ensure that programs authorized by this Act or pursuant to amendments made by this Act are taken into account in any government-wide cyber security research effort. SEC. 14. OFFICE OF SPACE COMMERCIALIZATION. Section 8(a) of the Technology Administration Act of 1998 (15 U.S.C. 1511e(a)) is amended by inserting ``the Technology Administration of'' after ``within''. SEC. 15. TECHNICAL CORRECTION OF NATIONAL CONSTRUCTION SAFETY TEAM ACT. Section 2(c)(1)(d) of the National Construction Safety Team Act is amended by striking ``section 8;'' and inserting ``section 7;''. SEC. 16. GRANT ELIGIBILITY REQUIREMENTS AND COMPLIANCE WITH IMMIGRATION LAWS. 
(a) Immigration Status.--No grant or fellowship may be awarded under this Act, directly or indirectly, to any individual who is in violation of the terms of his or her status as a nonimmigrant under section 101(a)(15)(F), (M), or (J) of the Immigration and Nationality Act (8 U.S.C. 1101(a)(15)(F), (M), or (J)). (b) Aliens from Certain Countries.--No grant or fellowship may be awarded under this Act, directly or indirectly, to any alien from a country that is a state sponsor of international terrorism, as defined under section 306(b) of the Enhanced Border Security and VISA Entry Reform Act (8 U.S.C. 1735(b)), unless the Secretary of State determines, in consultation with the Attorney General and the heads of other appropriate agencies, that such alien does not pose a threat to the safety or national security of the United States. (c) Non-complying Institutions.--No grant or fellowship may be awarded under this Act, directly or indirectly, to any institution of higher education or non-profit institution (or consortia thereof) that has-- (1) materially failed to comply with the recordkeeping and reporting requirements to receive nonimmigrant students or exchange visitor program participants under section 101(a)(15)(F), (M), or (J) of the Immigration and Nationality Act (8 U.S.C. 1101(a)(15)(F), (M), or (J)), or section 641 of the Illegal Immigration Reform and Responsibility Act of 1996 (8 U.S.C. 1372), as required by section 502 of the Enhanced Border Security and VISA Entry Reform Act (8 U.S.C. 1762); or (2) been suspended or terminated pursuant to section 502(c) of the Enhanced Border Security and VISA Entry Reform Act (8 U.S.C 1762(c)). SEC. 17. REPORT ON GRANT AND FELLOWSHIP PROGRAMS. 
Within 24 months after the date of enactment of this Act, the Director, in consultation with the Assistant to the President for National Security Affairs, shall submit to Congress a report reviewing this Act to ensure that the programs and fellowships are being awarded under this Act to individuals and institutions of higher education who are in compliance with the Immigration and Nationality Act (8 U.S.C. 1101 et seq.) in order to protect our national security. The SPEAKER pro tempore. Pursuant to the rule, the gentleman from [[Page H8071]] New York (Mr. Boehlert) and the gentleman from Washington (Mr. Baird) each will control 20 minutes. The Chair recognizes the gentleman from New York (Mr. Boehlert). General Leave Mr. BOEHLERT. Mr. Speaker, I ask unanimous consent that all Members may have 5 legislative days within which to revise and extend their remarks and to include extraneous material on H.R. 3394. The SPEAKER pro tempore. Is there objection to the request of the gentleman from New York? There was no objection. Mr. BOEHLERT. Mr. Speaker, I yield myself such time as I may consume. Mr. Speaker, I am pleased to bring H.R. 3394, the Cyber Security Research and Development Act, before the House again, this time for final passage. Back in February, the House passed the bill 400 to 12, a sign of the widely recognized need for this legislation. The Senate, by unanimous consent, has now returned the bill to us entirely intact, with a few negotiated noncontroversial additions. These additions include an additional fellowship program, greater efforts to improve the security of Federal computers, language to ensure that existing rules concerning foreign students are being enforced, and a technical correction to the bill we passed in response to the collapse of the World Trade Center. With this background, no one should be surprised that I expect this bill to be signed shortly by the President. That is as it should be. H.R.
3394 will provide a targeted solution to a serious but largely overlooked problem: cyber security. Cyber security is a problem that is even worse than it first appears. That is because not only are our Nation's computers and networks vulnerable to attack, and not only could a cyber attack disrupt our economy and threaten public health and safety, but we simply do not know enough about how to design computers and networks to make them less vulnerable. For too long, cyber security has just not been a research priority. The private sector was much more focused on making computers cheaper, faster, and easier to use. The market did not put a premium on security. Government similarly turned its attention elsewhere. As a result, computers have become omnipresent. We are more and more at their mercy, without becoming any more secure. In an age of terrorism, such willful ignorance about cyber security has got to come to an end. {time} 1430 We received yet another reminder of that monumental fact last month when the servers that run the Internet in the United States were subject to a concerted attack from overseas. H.R. 3394 is designed quite simply, to usher in a new era in cyber security research. Cyber security research will no longer be a backwater, but rather will become a priority at two of our premier research agencies, the National Science Foundation and the National Institute of Standards and Technology, and through them, a priority in academia and industry. And the programs created by H.R. 3394 are designed not only to spur new thinking about how to safeguard computers and networks in both the short and long run, but to make sure that we have a cadre of experts who will devote their careers to improving cyber security. The bill includes incentives for researchers to turn their attention to cyber security, and incentives to attract students to the field at the undergraduate, graduate and post-doctoral levels. 
In short, this bill is a targeted but comprehensive attempt to ensure that the Nation's best minds are focused on improving cyber security. That is what it will take to stave off a cyber attack. I want to thank the many people inside and outside Congress who helped us bring this bill to fruition. Bill Wulf, the president of the National Academy of Engineering, is really the godfather of this bill, bringing the problem and potential solutions to our attention, and he has always been available to bounce ideas off of. Industry groups have been enormously helpful and supportive, including the Information Technology Association of America and the National Association of Manufacturers. This bill has been a bipartisan effort from its inception. I want to thank the gentleman from Texas (Mr. Hall), the ranking member, and the other Members of the minority, including the gentleman from Washington (Mr. Baird), who have helped shape this bill. We have had similar partnership in the other body led by Senators Wyden and Allen. In short, H.R. 3394 is a bipartisan approach to a very real but very solvable problem. I urge its final passage, not just because it is needed, but because it will reflect the fine efforts of so many dedicated people on the staff of both the Republican and Democrat side. This bill has been bicameral, and has the private sector working in partnership with government. That is the way it should be. We are addressing a very serious problem, and trying to get ahold of it before it gets out of hand, and I am optimistic we are moving in the right direction. Mr. Speaker, I urge final passage of this bill. Mr. Speaker, I reserve the balance of my time. Mr. BAIRD. Mr. Speaker, I yield myself such time as I may consume. Mr. Speaker, I rise in strong support of H.R. 3394, the Cyber Security Research and Development Act. I thank the gentleman from New York (Chairman Boehlert) for his outstanding leadership on this bill, and commend the gentleman from Texas (Mr. 
Hall) for his leadership as well. I am tremendously honored that H.R. 3316, a computer security bill that I authored along with the gentleman from New York (Mr. Boehlert), is included in today's bill. Essentially, H.R. 3394 is the same as the version that was passed by the House back in February. This legislation will address the long-term needs to secure the Nation's information infrastructure, as well as strengthening the security of the nonclassified computer systems of our Federal agencies. Since September 11, attention has been focused in an unprecedented way on increasing our security against terrorism. Today, security has to mean more than locking doors and installing metal detectors. In addition to physical security, virtual information systems that are vital to our Nation's security and economy must be protected. Telecommunications and computer technologies are vulnerable to attack from far away by enemies who can remain anonymous, hidden in the vast maze of the Internet. Examples of systems that rely on computer networks include our electric power grid, rail networks and financial transaction networks. The gentleman from New York (Mr. Boehlert) and the gentlewoman from Maryland (Mrs. Morella), the former chairman of the subcommittee, have had the foresight to begin hearings on this matter, even well before September 11. It is that kind of forward thinking that we need to protect our Nation's security and to secure our information infrastructure from cyber attacks. Our vulnerability to Internet-based computer viruses, denial of service attacks, and defaced websites is well known to the general public. Such widely reported and indeed widely experienced events have increased in frequency over time. These attacks disrupt business and government activities, sometimes resulting in significant recovery costs.
While we have yet to face a catastrophic cyber attack thus far, Richard Clarke, the chair of the President's Critical Infrastructure Protection Board, has said that the government must make cyber security a priority or we face the possibility of what he termed a digital Pearl Harbor. Potentially vulnerable computer systems are largely owned and operated by the private sector, but the government has an important role in supporting the research and development activities that provide the tools for protecting information systems. An essential component for ensuring improved information security is a vigorous and creative basic research effort focused on the security of networked information systems. Witnesses at our Committee on Science hearings last year noted the anemic level of funding for research on computer and network security. Such lack of funding has resulted in the lack of a critical mass of researchers in the field and has severely limited the focus [[Page H8072]] of research. The witnesses at the hearings advocated increased and sustained research funding from the Federal Government to support both expanded training and research on a long-term basis. H.R. 3394 meets those needs. It authorizes $903 million over 5 years to create new cyber security programs within the National Science Foundation and the National Institute of Standards and Technology. Under the bill, the NSF will create new cyber security research centers, undergraduate grants, community college grants, and fellowships. The legislation also includes language I authored pertaining to NIST. The bill requires NIST to create new program grants for partnerships between academia and industry, new post-doctoral students, and a new program to encourage senior researchers in other fields to work on computer security. I believe the legislation before us today will provide the resources necessary to ensure the security of business networks and the safety of America's computer infrastructure. 
I thank the staff of the Committee on Science for their tireless work on H.R. 3394, and I urge all members to support this important measure. Mr. Speaker, I invite the chairman of the Committee on Science to enter into a brief colloquy to ask for two brief points of clarification. Section 16(c) forbids the NSF from awarding grants or fellowships to institutions of higher education or nonprofit institutions that materially fail to comply with record-keeping requirements under certain sections of the Immigration and Nationality Act and the Illegal Immigration Reform and Responsibility Act. This section does not have an effective date at present. Many of these record-keeping requirements have yet to be written or promulgated. Therefore, the effective date for this subsection cannot be the date of enactment. In bringing the bill forward for consideration by the House, what is the gentleman's intent concerning the effective date for this provision? Mr. BOEHLERT. Mr. Speaker, will the gentleman yield? Mr. BAIRD. I yield to the gentleman from New York. Mr. BOEHLERT. Mr. Speaker, the gentleman from Washington makes a very important point. Neither the Immigration and Naturalization Service nor the Department of State have provided final guidance to enable universities to participate in the new Student Exchange Visitor Information System, which provides tracking, monitoring, and access to accurate and current information on nonimmigration students and exchange visas. It is not possible to be materially out of compliance with these requirements until the final guidance and an appropriate time for implementation have been provided to the university research community. Mr. BAIRD. Mr. 
Speaker, my second question deals with Section 17 that requires the Director, 24 months after the date of enactment of this act, to submit a report to Congress reviewing this act to ensure that awards under the act are made to individuals and institutions that are in compliance with the Immigration and Nationality Act. I assume this is a simple reporting requirement similar to other reports to Congress by the NSF and that it is not meant to require the Director to enforce our Nation's immigration laws? Mr. BOEHLERT. Mr. Speaker, if the gentleman would continue to yield, the gentleman is correct. Enforcement of the immigration laws is the responsibility of the INS and the State Department. Section 17 requires that NSF report to Congress on information it obtains from institutions of higher education, State and INS. This section does not require the NSF Director to commission a duplicative study to secure information that should be readily obtainable from the State Department and INS. Mr. BAIRD. Mr. Speaker, I thank the gentleman for that clarification, and thank the gentleman for his leadership on this legislation. Mr. Speaker, I reserve the balance of my time. Mr. BOEHLERT. Mr. Speaker, I ask unanimous consent to yield the balance of my time to the gentleman from Michigan (Mr. Ehlers) for purposes of control. The SPEAKER pro tempore (Mr. Culberson). Is there objection to the request of the gentleman from New York? There was no objection. Mr. BAIRD. Mr. Speaker, I yield 5 minutes to the gentleman from Oregon (Mr. Wu). Mr. WU. Mr. Speaker, I rise in strong support of H.R. 3394, the Cyber Security Research and Development Act. We have become increasingly reliant on the Internet and computer technology. And unfortunately, with this reliance comes increased vulnerability to cyber attacks on our network systems and infrastructure. 
America's network infrastructure is increasingly exposed to both benign and destructive disruptions, including defacement of web sites, denial of service, virus infections throughout the computer networks, and unauthorized intrusions and sabotage of systems and networks. Past attacks show the types of danger and potential disruption cyber attacks can have on our Nation's infrastructure. The cyber threats to this country are significant and getting more sophisticated as time goes by. A recent survey found that 85 percent of respondents experienced computer intrusions. Moreover, Carnegie Mellon University's CERT Coordination Center, which serves as a reporting center for Internet security problems, received almost six times the number of vulnerability reports in 2001 as it did just 2 years earlier. Similarly, the number of specific incidents reported to CERT exploded from 9,589 in 1999 to 52,658 in 2001. Even more alarming is CERT's estimates that these statistics may only represent 20 percent of the incidents that actually occurred. The Cyber Security Research and Development Act will play a major role in fostering greater research in methods to prevent future cyber attacks and design more secure networks. This legislation will harness and link the intellectual power of the National Science Foundation, the National Institute of Science and Technology, universities, and private industry to develop new computer cryptography, authentication, firewalls, forensics, intrusion detection, wireless security and systems management. In addition, this bill is designed to draw more college undergraduate and graduate students into the field of cyber security. It establishes programs to use internships, research opportunities and better equipment to engage students in this field. America is a leader in computer hardware and software development.
In order to preserve America's technologic edge and our security, we must have a continuous pipeline of new students in computer science and research. I strongly support this legislation and I am proud to support this important bill as it moved through the Committee on Science and again as it passed the House earlier this February. I commend the leadership of the gentleman from Washington (Mr. Baird), Senator Wyden from Oregon, and the chairman of the Committee on Science, the gentleman from New York (Mr. Boehlert), for their leadership in moving this bill. I am confident that the Federal investment for long-term projects outlined in this legislation will enhance the security of our cyber homeland. Mr. EHLERS. Mr. Speaker, I yield 4 minutes to the gentleman from Michigan (Mr. Smith). Mr. SMITH of Michigan. Mr. Speaker, I thank all Members who worked on this, but certainly commend the gentleman from Texas (Mr. Hall), the ranking member, and the gentleman from New York (Chairman Boehlert) for having the foresight and commitment to initiate and advance this legislation that I would suggest is very important. As chairman of the Subcommittee on Research, I am proud to have worked on this bill and to be a prime sponsor. This act establishes programs at both the National Science Foundation and NIST, the National Institute for Standards and Technology, to advance research and, perhaps most importantly, develop a talented workforce of cyber security researchers and professionals. While the focus in information technology has largely been to build it faster, build it smaller, and build it less expensive, perhaps now more than ever we need to know how to build it safer and more secure. [[Page H8073]] The programs authorized by this act provide much needed support for the research that will help us understand just how to do that. 
By supporting undergraduate and graduate post-doctoral students, as well as senior researchers who wish to focus some of their research efforts on cyber security, we will train the experts who make sure the appropriate safeguards are in place to protect us from malicious cyber attacks. {time} 1445 It is a huge challenge. It is not going to come cheaply and it is not going to come easily. There are some unique features of this bill that will make it particularly effective in fostering innovative research and education in cyber security. For example, this act will establish a program at the National Science Foundation to help institutions of higher education purchase the equipment that they need so that students can learn how to prevent cyber attacks without risking the integrity of the college's own computer network. Another program established by this act at the National Institute of Standards and Technology will support the kind of high-risk, high-payoff research that is necessary to make great advances in cyber security but that is unlikely to get funded under the traditional peer-review process that tends to favor more conservative approaches to research questions. In addition, in recognition of the fact that effective cyber security will rely largely on the expertise of computer technicians, this bill amends the Scientific and Advanced Technology Act of 1992 to provide the National Science Foundation funding to 2-year colleges to make sure that graduates of technical programs are properly trained in cyber security. Just a few weeks ago, an electronic attack crippled 13 computer servers that manage Internet traffic. While this hour-long attack went nearly unnoticed by routine computer users, a longer attack could cripple communication, infrastructure operations and even national security efforts. 
This country more than any other country in the world has come to depend on our software and our computer technology, from how we run our financial services to how we move our railroads to certainly our airlines and transportation down to how we transfer electrical power throughout the United States, not to mention our national security and our military efforts. We cannot allow these kinds of attacks to happen. In conclusion, as we move forward in our war against terrorism, it is going to be as important for us to secure cyber space as it will be for us to secure homeland security against malicious attack. I look forward to working with the National Science Foundation as they implement the programs authorized by this act. Mr. EHLERS. Mr. Speaker, I am pleased to yield 3 minutes to the gentleman from Texas (Mr. Smith). Mr. SMITH of Texas. I thank the gentleman from Michigan for yielding me this time. Mr. Speaker, I support the Senate amendment to H.R. 3394, the Cyber Security Research and Development Act. Earlier this year, a federally funded research center operated by Carnegie Mellon University reported that breaches in security of computer systems more than doubled from 2000 to 2001. More than 52,000 incidents were reported in 2001, up from 22,000 in 2000. Last spring the Committee on the Judiciary's Subcommittee on Crime, Terrorism and Homeland Security that I chair held a series of hearings on cyber crime. We heard testimony from local, State and Federal officials and also from the private sector. A common observation emerged: The demand for highly trained and skilled personnel to investigate computer crimes is tremendous. This problem is compounded by the rapid advances in technology which make continued training an absolute necessity. We must have training both for a new generation of cyber warriors whose most important weapon is not a gun but a laptop and for private sector companies that must protect their Internet presence. 
This bill seeks to expand what many States and cities are already doing, investing in cyber security training activities. In my hometown, the University of Texas at San Antonio has established the Center for Information Assurance and Security, known as CIAS. The CIAS will be the hub of a city initiative to research, develop and address computer protection mechanisms to prevent and detect intrusions on computer networks. With funding provided in this bill, UTSA and dozens of other universities will be able to train the next generation of cyber warriors, cyber defenders and ``white hat netizens.'' This legislation supports the work at UTSA and other universities for students who want to pursue computer security studies. While the benefits of the digital age are obvious, the Internet also has fostered an environment where hackers retrieve private data for amusement, individuals distribute software illegally, and viruses circulate with the sole purpose of debilitating computers. A well- trained and highly skilled force of cyber protectors is urgently needed in America today. Mr. Speaker, I urge my colleagues to support this legislation. Mr. EHLERS. Mr. Speaker, I yield myself such time as I may consume. It is my pleasure to see this bill reach the floor for final passage and on its way to the President. I certainly agree with all the comments that have been made and I will not repeat them, but I did want to point out that in passing this legislation, both the House and the Senate have recognized the important role that the National Institute of Standards and Technology plays in cyber security. This is very important to note, because in the original proposal for the homeland security bill that particular activity would have been transferred out of the National Institute of Standards and Technology and placed in the Department of Homeland Security. 
I think that would have been very disruptive to the activity, but the important thing to recognize is that this group at the National Institute of Standards and Technology is the leading group in doing the basic research necessary to solve our cyber security problems. Members of the House and of the Senate working on the homeland security legislation should embrace this role as well. While there have been proposals to transfer NIST's cyber security division into the new department, this legislation clearly identifies the role that NIST should play in cyber security. As such, the proposals to move this responsibility elsewhere do not meet the test. Any conference agreement should recognize this as well by keeping NIST's cyber security division within NIST.

Let me also add that to most individuals in this land, cyber security means not having someone steal their credit card number. That is a very important function. But there is much more at stake here, as we have heard. That is the Nation's security. Two years ago, I wrote a report for the NATO parliamentary assembly, which is the legislative body relating to NATO, that discussed and studied information warfare. Much of what I said in that report is pertinent to this discussion today. Mr. Speaker, I include that report at this point in the proceedings.

Information Warfare and International Security

I. INTRODUCTION

1. The importance of Information Technology (IT) to the functioning of our societies is evident in virtually every human activity. Computers are involved in and often control everything from government operations to transportation, from energy to finance, from telecommunications to water management. Every day an enormous amount of information is exchanged or stored by electronic means and trillions of dollars travel throughout the world electronically. Information technology has become even more pervasive with the widespread dispersion of personal computers. According to projections of the US Computer Industry Almanac, by the year 2000 there will be more than 550 million PCs in the world, 230 million of which will be connected to the Internet (92 million in the United States alone).

2. The pace of technological change and our increasing reliance on technology are even more impressive. Five years ago, a computer chip could carry the equivalent of 1.1 million transistors. Now the number has increased to 120 million and engineers believe they can reach 400 million and even 1 billion. Capable of 256 billion multiplications per second, the latest desktop computers have acquired the speed of yesterday's supercomputers. This has accelerated the dispersion and use of the Internet. To achieve mass-user status, it took radio 35 years, television 13 years and the Internet only 4 years. Microsoft experts assert that Internet traffic doubles every 100 days and, according to other estimates, one billion people (one-sixth of humanity) will be on-line by 2005.

[[Page H8074]]

3. The reliance of our societies on computers and the fact that many critical infrastructures are electronically interconnected pose evident security problems. Although computer experts have been working on these problems for years, only in the mid-1990s did Western defence analysts begin to pay serious attention to them. In a variety of studies and reports, a strategic catch phrase emerged to define a new concept: Information Warfare. In a 1997 Report, the NAA Science and Technology Committee provided a first assessment of Information Warfare, analysing most of the available sources on the subject. The threat of possible attacks on information systems and the potential risks for our military and civilian infrastructures were outlined in that Report. (1)

4. In the last two years technological advances as well as governmental and international actions have changed the world of information security. As a consequence, the subject of information warfare has been extensively discussed and analysed, both within and outside the information technology and defence communities. This report analyses these new developments, starting with some new definitions of information warfare, assesses the actual strategic threats, and reports on the US and other governments' initiatives to counter them. It is also our intention to consider the concerns expressed by the science and technology community about the possible overstatement of such threats, especially with reference to some cases of media hyperbole.

II. WHAT IS INFORMATION WARFARE?

A. Definitions

5. The cited 1997 STC Report emphasised the distinction between the use of information in warfare and the newer concept of information warfare, the first being recognised since ancient times and referring basically to tactical and strategic deception, war propaganda, and destruction of command and control systems. In the current conceptualisation, information warfare ``extends far beyond the traditional battlefield, and its possible perpetrators and victims are by no means confined to the military''. A few definitions were reported then, to which your Rapporteur would like to add some new ones. The first is proposed by the Institute for the Advanced Study of Information Warfare: ``Information warfare is the offensive and defensive use of information and information systems to exploit, corrupt, or destroy an adversary's information and information systems, while protecting one's own. Such actions are designed to achieve advantages over military or business adversaries.'' (2)

6. The International Centre for Security Analysis of King's College, London suggests that information warfare ``is about struggles for control over information activities'' and distinguishes three levels or categories: ideational struggle for the mind of an opponent, struggle for information dominance, and attacks on, and defence of, information flows and activities. The first, highest level ``encompasses the whole range of psychological, media, diplomatic and military techniques for influencing the mind of an opponent, whether that opponent is a military commander or a whole population''. The second level can be equated with the Revolution in Military Affairs (RMA), whose theorists and advocates see, as the future evolution of armed forces, the goal of dominating the ``information spectrum''. The ultimate objective of this level of information warfare would be to render physical conflict ``either unnecessary or at worst short, sharp and successful''. At the third level the focus is on any kind of electronic attack upon military or civilian information infrastructures, including criminal hacking (or cracking), data disruption, illegal systems penetration, and also physical destruction, deception and psychological operations. (3)

7. The Washington-based Center for Strategic and International Studies (CSIS) recently published a comprehensive study on these issues and admitted that so many different activities have been classified under the label ``information warfare'' that it is now difficult to understand exactly what it is. Nonetheless, this study classifies information warfare activities according to the source, the form, and the tactical objectives of the attack. Thus, information warfare can be viewed as a combination of these three dimensions.

8. First, an attack could originate either from outside or from within the targeted organisation or system.
Second, four categories of attack can be identified:

  Data attacks are conducted by inserting data into a system to make it malfunction.

  Software attacks, similar to data attacks, are conducted by penetrating systems with software that causes failure or makes them perform functions different from those intended.

  Hacking or cracking is seizing or attempting to seize control of an information system (or a vital part of it) to disrupt, deny use, steal resources or data, or cause any other kind of harm.

  Physical attacks are the traditional form of attack (bombing, assaulting, and destroying) directed against information systems. An electromagnetic pulse (EMP) produced by a nuclear explosion can also be included in this kind of attack.

9. All these different forms of information warfare attack can be categorised by their goals or tactical objectives: they could be aimed at exploitation, deception, disruption or destruction of information systems. (4)

10. The French Ministry of Defence has also offered an interesting definition of information warfare. It has singled out three types:

  War for information (guerre pour l'information): to obtain information about the enemy's means, capabilities and strategies in order to defend ourselves;

  War against information (guerre contre l'information): at the same time to protect our information systems and to disrupt or destroy the enemy's;

  War through information (guerre par l'information): to conduct misinformation or deception operations against the enemy in order to achieve ``information dominance''. (5)

11. All the above are accurate and acceptable definitions, but for the sake of clarity we can try to summarise them into a simpler and more limited formula. Information warfare could then be defined as defensive and offensive operations, conducted by individuals or structured organisations with specific political and strategic goals, for the exploitation, disruption or destruction of data contained in computers or transmitted over the Internet and other networked information systems. (6)

B. Assessing the Threat

12. In general terms, a threat can be defined as the combination of a capability and a hostile intent. According to many analysts, the reason for concern about attacks upon information systems, or information warfare, is that the means of offence are widely available, inexpensive and easy to use. In a world where even governments and the military tend to rely on computer hardware and software available commercially off-the-shelf (COTS), virtually anybody with a computer and the technical skills could become a cracker or a cyberterrorist. Moreover, progress in information technology makes the electronic tools available to conduct such attacks more sophisticated every day and, through the Internet and the interlinked computer world, easier to acquire. But the most potentially dangerous feature of information warfare is that it can be conducted from anywhere in the world, and discovering the attack's origin, or even its presence, is extremely difficult.

13. Who can conduct such attacks? A recent analysis has listed the potential ``enemies'' according to the levels of threat. At the lower level are the crackers, or ``hackers with malicious intentions'', sometimes highly knowledgeable in technical matters and very determined, but often isolated and without a clear political agenda. Then we have some pressure groups, organisations that fight for specific political causes and might decide to acquire the technology in order to attack the information systems of other organisations or even of states.
Terrorists come next in the scale: some groups are becoming increasingly sophisticated in the use of technology and can conduct strategic offensive information warfare. At the highest level are the states, many of which now have access to extremely sophisticated technology and can acquire the necessary organisational infrastructure to conduct both offensive and defensive information warfare. In fact, some experts doubt the effectiveness, capability, or even willingness of the non-state actors to conduct attacks that can seriously threaten other nations' security. (7)

14. In the last fifteen years, both the private and public sectors' information systems have been subjected to attacks that have substantially increased with the growth of the Internet. Computer viruses have been a primary concern of information security experts. These are generally very small programmes, often with destructive capabilities, designed to invade computer systems or individual PCs by attaching themselves to other bits of executable programme code. Created by hackers, computer science students or disgruntled programmers, these viruses have been extremely destructive to many computers and networks, but have not proved to be particularly effective as weapons to date. Because of their non-professional origins, the viruses often contain errors and, moreover, their authors are often incapable of envisioning the complexity and variety of the systems they are attacking.

15. Of course, it is still possible that a state or a terrorist group can assemble a team of experts capable of creating malicious viruses and using them to conduct information warfare attacks. But computer viruses are extremely unpredictable and far from precise in their behaviour, and they might eventually damage the attacker as much as the victim. In addition, the international anti-virus industry is mature and is well positioned to create the necessary antidotes to almost any new virus.

16. Other, more dangerous attacks on information systems have been conducted by criminal hacking intruders. Private corporations, particularly in the financial sector, are regularly penetrated by cybercriminals: the FBI estimates that these electronic intrusions cause yearly losses of about $10 billion in the United States alone. This is probably only the tip of the iceberg. In fact, concerns about protecting shareholder value and customer confidence may keep many firms from reporting all the attacks to law enforcement agencies.

[[Page H8075]]

17. Electronic intrusions into the military information infrastructure cause deep concern in the United States. According to the CSIS, probe attacks against the Pentagon number in the tens of thousands every year. John J. Hamre, Deputy Secretary of Defense, recently stated that from January to mid-November 1998, the National Security Agency (NSA) recorded more than 3,800 incidents of intrusion attempts against the Defense Department's unclassified computer systems and networks. Over 100 of these attacks reached root-level access and many were even able to bring down some kinds of service. This reflects only what has been reported to NSA, but ``the actual number of intrusions probably is considerably higher''. (8)

18. The literature and the chronicles are full of examples of successful network intrusions at the US Department of Defense (DoD) and other Western defence institutions. One of the most interesting is the break-in at the Air Force's Rome Laboratory, in Rome, New York, when two British boys hacked into the system with the help of what is called a ``sniffer'' programme, able to capture passwords and user log-ins to the network. The case served as a learning experience for the Air Force Information Warfare Center, which then developed the advanced technical skills to counter these intrusions. Similar hacker intrusions are regularly experienced by all other US military services and government agencies.

19. While most of the attacks in the last few years were generally conducted by individuals or by small groups of intruders, with little or no political purpose, recently some cases have suggested the possibility of state-sponsored hacking or cracking. Additionally, some anti-state, politically motivated activity has occurred. In October 1998, China launched a new website to publicise its efforts in human rights. A few days later, hackers replaced the home page of that site with a message condemning Beijing for its poor record in human rights. (9)

20. Another, more revealing case occurred in Ireland, where refugees from East Timor had set up a website to protest against the occupation of their country by Indonesia. The Irish Internet provider even created a new domain name ``.tp'', as if East Timor were an independent country. In January 1999, a concerted attack against the East Timorese server started, originating from 18 different places as far apart as Australia, the United States, Japan, the Netherlands and Canada. The attackers managed to render the web server useless and forced the Irish provider to disconnect its entire system. Clearly, this was not an ordinary cracker intrusion, though many doubt that the Indonesian government had the capability to conduct such a concerted information warfare action. The most probable culprit is a group of politicised hackers sympathetic to the Indonesian position. (10)

21. The NATO information system was also indirectly threatened in October 1998, when a Serbian group of hackers known as Black Hand penetrated a Kosovo Albanian web server and threatened to sabotage the Alliance's information system. The organisation temporarily closed all foreign access to its web server and its web site was down for two days. Realising that the electronic defences of the NATO web server were extremely weak, experts took some countermeasures, which proved to be insufficient in the light of subsequent events. (11)

22. During the Kosovo crisis, hackers attacked the NATO web site, saturating the server's line by using a ``bombardment strategy''. The organisation had to defend itself from macro viruses from the Federal Republic of Yugoslavia (FRY) trying to corrupt its e-mail system, which was also being saturated by one individual sending 2,000 messages a day. These attacks were effective because NATO was running its e-mail system and its web pages on the same server. When these tasks are done by separate servers, as is now the case at NATO, the threat is reduced. Allied governments' web sites were also targeted during the war, and according to US Air Force sources the attacks came not only from FRY, but also from Russia and China. It is unclear, however, whether these attacks were state-sponsored or the work of groups of hackers. Conversely, FRY's information systems were severely damaged by NATO bombings and electronic operations--although Belgrade itself dismantled communication systems to deprive its people of outside information. In addition, thousands of Western civilian hackers conducted online attacks against the FRY government's web servers. (12)

23. Such cases might not prove the existence of state-sponsored information warfare or cyberterrorism, but they offer good examples of what could happen if the capability is coupled with a hostile intent. The subsequent question is: could a group of state-sponsored terrorists or individual crackers damage the information infrastructure of another nation so as to cause a major strategic disruption? The US Department of Defense seems to think so.

24. In the summer of 1997, a simulation exercise called ``Eligible Receiver'' was conducted at the Pentagon, ordered by the Joint Chiefs of Staff, to test the ability of the nation's military and civilian infrastructure to resist a concerted information warfare attack.
A team of simulated attackers, the Red Team, was allowed to use only COTS materiel and information available on the Web and had to act within US law. So far, the results of this exercise remain strictly ``top secret''. Nonetheless, many officials have referred to it in public declarations and some have partially revealed the outcome. James Adams, a journalist based in Washington DC, claimed in a book to have interviewed senior officials about ``Eligible Receiver'': ``The [simulated] attacks focused on three main areas: the national information infrastructure, the military leadership and the political leadership. In each of these three areas, the hackers found it exceptionally easy to penetrate apparently well-defended systems. Air traffic control systems were taken down, power grids made to fail, oil refineries stopped pumping--all initially apparent incidents. At the same time, in response to a hypothetical international crisis, the Defense department was moving to deploy forces overseas and the logistics network was swinging into action. It proved remarkably easy to disrupt that network by changing orders and interrupt[ing] the logistics flow. The hackers began to feed false news reports into the decision-making process so that the politicians faced a lack of public will about prosecuting a potential conflict and lacked detailed and accurate information.'' (13)

25. In conclusion, according to Adams' sources, a team of skilled hackers, using standard equipment and publicly available information and playing by the rules, was able to cause a ``serious degradation of the Pentagon's ability to deploy and to fight''. In other words, they demonstrated that an ``electronic Pearl Harbor'' was possible.

26. Many things have changed in the last two years due to the fast pace of progress in information technology. Moreover, the policies and actions taken by the US government may have reduced the vulnerability of the nation's infrastructure. Nonetheless, if technology is helping Western governments establish better defences, it also helps potential enemies improve their capabilities to attack. A recently announced new breed of hacker software that can learn and adapt to the network environment it attacks may represent a new threat. According to information technology experts, the new programmes can change their mode of operation, or their targets, based on external stimuli. Pre-programmed to search for specific types of files common to most networks, such software, once in the system, can target data or files of interest to the intruders, even those marked secure or for internal use only. (14)

27. In addition, many nations are trying to acquire the capabilities needed to conduct information warfare operations, and new terrorist groups like Osama bin Laden's are known to use computers and satellite telecommunications. China has recently intensified its information warfare programmes, both to protect its own military infrastructures and to enable the People's Liberation Army to conduct electronic attacks. According to James Mulvenon, a defence specialist at Rand Corporation, Beijing ``is seeking the ability both to interfere with Taiwan's command system, and ultimately to `hack' into US military networks which control deployment in the Asian region.'' (15)

28. A serious physical threat to information systems can be posed by the effects of the electro-magnetic pulse (EMP) produced by nuclear explosions. The immediate energy release from a detonated nuclear device produces intense, rapidly varying electric and magnetic fields that can extend for considerable distances and severely affect all electronic equipment and electrical or radar transmissions, even to the point of destroying equipment circuits, microprocessors, and other components. Therefore, a single, very high-altitude nuclear blast above Europe or the United States, which may cause no physical damage to structures or people, could disable or disrupt all non-hardened information systems. While few nations currently have both nuclear weapons and the missiles capable of delivering them in space, the increasing number of ``rogue'' nations with nuclear weapons that are also developing or acquiring long-range missiles may present an extremely serious EMP threat in the near future.

29. EMP effects from nuclear explosions and non-nuclear weapons, such as HERF (High-Energy Radio Frequency) guns or EMP/T (Electro-Magnetic Pulse Transformer) bombs, may be much more dangerous for civilian information systems than for military ones, most of which are now EMP hardened. Shielding of iron or other materials such as copper mesh or non-magnetic metals is generally available only for the protection of sensitive military technology.

III. RESPONSES TO THE THREAT

30. Efforts to respond to the threat of attacks on information systems, or information warfare, have been made by many nations. Generally, the military and defence ``think tanks'' have been the first to address the issue, but now most Western governments have taken steps towards more co-ordinated and structured responses.

31. In the United States, different panels, commissions and study groups have been examining these issues since the early 1990s and the government has taken several important measures. Congressional Committees have held hearings to investigate the nature of the information warfare threat. The National Defense University has worked extensively on the issue since the early 1990s.
However, the most comprehensive appraisal of the nation's vulnerabilities in the field of information technology has been provided by the President's Commission on Critical Infrastructure Protection, created in 1996, involving officials from the energy, defence, commerce and law enforcement areas, as well as representatives of the private sector. After 15 months of study, the Commission published an extensive report highlighting the vulnerabilities of the US infrastructure and the weakness of the information systems, which proved to be a potentially easy target for any concerted attack. The report also indicated that government and industry do not efficiently share information that might give warning of an electronic attack and that the federal R&D budget does not include the analysis of the threats to the information systems in the infrastructure. (16)

[[Page H8076]]

32. The work of the President's Commission resulted in the issuing in May 1998 of two Presidential Decision Directives, 62 and 63, on Critical Infrastructure Protection. The provisions of these Directives included:

  Interagency co-ordination for critical infrastructure protection;

  Definition of the roles and responsibilities of US agencies in fighting terrorism;

  Improvements in capabilities for protecting the national information infrastructure, the most important of which is the creation of a National Infrastructure Protection Center (NIPC) in the FBI;

  Promotion of partnerships with industry and other private players to enhance computer security;

  Study of plans for minimising damage and recovering rapidly from attacks on its vital infrastructures.

33. Some experts criticised the US administration's decisions, claiming that the above provisions underestimated the realities of the information warfare threat. Nonetheless this is the most comprehensive and complete initiative taken so far by any Western government to respond to the risks of attacks on information systems.

34. Moreover, the DoD, actively participating in the government initiatives, has recently created a Joint Task Force for Computer Network Defense (JTF-CND) to co-ordinate all the activities in this field and direct the Pentagon's response to computer network attacks. The JTF-CND will plan defensive measures, leverage existing capabilities and develop procedures for the military commanders-in-chief, services and agencies, as well as provide strategic focus at all levels. Fully operational in the summer of 1999, the JTF-CND will also develop relationships with intelligence and law enforcement agencies, the NIPC and the private sector. (17)

35. Among European nations, France appears to have developed a coherent strategy to deal with attacks on information systems. In the absence of a general programme for infrastructure protection, such as that in the United States, the Délégation générale pour l'armement (DGA) of the Ministry of Defence has concentrated technical activities in the field of information warfare at the Centre d'électronique de l'armement (CELAR). This centre employs some 900 experts in many scientific and technological areas, and has resources and capabilities with probably no equal on the continent. All CELAR activities are related to information warfare (guerre de l'information), defensive and offensive, and are divided into five tasks: weapon systems for electronic warfare, information security, information systems, telecommunications, and electronic components. CELAR analyses the threats, establishes the needs, and tests the proficiency and the limits of the systems and equipment. In particular, within the information security field of CELAR, the Centre de l'armement pour la sécurité des systèmes d'information (CASSI) is responsible for the development of all security programmes and strategies in the Ministry of Defence and acts as a consultant for other ministries and governmental agencies. (18)

36. In Germany, the efforts of the Government and the Bundestag to address the problem of security in information technology led to the creation, in 1991, of a Federal Agency for Security in Information Technology (Bundesamt für Sicherheit in der Informationstechnik, or BSI). The BSI is responsible for assessing the risks and developing the criteria, tools and procedures to assure the security of vital information systems. However, according to German officials, the BSI has concentrated its work on the non-military aspects of information warfare. In other words, it has considered the possibility of attacks on information systems only in the civilian field. At the same time, the German military has conducted some studies on information warfare and has recently initiated a new one, called ``2020'', which will consider the future evolution of the topic. Recently, a working group has been created at the federal level to draft a policy paper on ``Information Warfare and IT Security'', aimed at reaching better co-ordination between the civilian and military fields.

37. The UK Ministry of Defence has addressed, in various areas, the problems related to information warfare, recognising that ``the potential vulnerabilities and risks arising from `information warfare' go much wider than the Armed Forces and the defence infrastructure'' (19). The MoD is therefore known to be working with other areas of Government, allies and suppliers of key services to co-ordinate security policies and find technical solutions to protect the nation's infrastructure.

38. Other countries, such as Finland, Norway, Sweden and Switzerland, have taken initiatives similar to those of the United States. Australia, Canada and Israel are investing in studies of defensive measures and approaches (20). NATO has recently analysed the threats of information warfare attacks and given indications to member states. For the moment, the most relevant studies conducted by the Alliance on the subject are classified.

IV. INFORMATION WARFARE OR SIMPLY INFORMATION SECURITY?

39. As is often the case with extensively debated issues, some defence analysts and information security experts doubt the actual size of the information warfare threat as it is presented by the media and even by some official reports. They contend that newspapers and magazines report stories about dangerous viruses, violated military websites and crackers penetrating corporate information systems in distorted and exaggerated ways. Some also list errors and overstatements included in official documents and defence studies. Fairness demands that we also consider these points of view, and below we summarise the most salient issues.

40. In 1997, for instance, a US government commission, which included former directors of the CIA and the National Reconnaissance Office, warned against a virus contained in an e-mail message entitled ``Penpal Greetings''. According to the commission's report, the virus ``could infect the hard-drive and destroy all data present''. Moreover, the virus was reportedly ``self-replicating'' and ``would automatically forward itself to any e-mail address stored in the recipient's in-box.'' According to many computer security analysts, the report was wrong and the Penpal virus was in fact a hoax. However, more recently several viruses spreading by e-mail have nonetheless performed extremely destructive actions. (21)

41. In March 1999, a type of macro virus propagating by e-mail called Melissa damaged, according to many journalistic sources, more than 100,000 computers. Hidden within a document file of a popular word processor, Melissa weakened its macro security settings, rendering personal computers vulnerable to further attacks.
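The kind of mail-gateway check that the Melissa episode pushed organisations toward, written here as an added example and not taken from the report: it parses an e-mail message and, for each attachment, tests whether the decoded body is an OLE2 compound document (the container behind the Word 97-2003 .doc format), whether it carries the UTF-16LE stream names a VBA macro project leaves inside that container, and whether the declared file extension is one that should never carry such a container at all. The message, the attachment bytes and the marker list are all constructed for the example; the substring search is a heuristic assumed for illustration, and a production filter would parse the OLE2 directory properly instead.

```python
"""Gateway-style inspection of e-mail attachments for macro-bearing
Office documents.

Added example, not code from the report. The checks are byte-level
heuristics: an OLE2 magic number at the start of the attachment, and the
UTF-16LE-encoded names of the directory entries a VBA project leaves in
an OLE2 container. A production filter would parse the OLE2 directory
properly instead of searching for substrings.
"""
import email
from email.message import EmailMessage
from email.policy import default

# Signature of an OLE2 compound file, the container behind Word 97-2003
# .doc files (and .xls / .ppt of the same era).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Directory-entry names that a VBA macro project leaves in the container.
# OLE2 stores entry names as UTF-16LE, so we search for the encoded form.
VBA_MARKERS = [name.encode("utf-16-le") for name in ("_VBA_PROJECT", "Macros")]

# Extensions that should never carry an OLE2 container at all.
NON_OLE_EXTENSIONS = (".txt", ".csv", ".htm", ".html", ".rtf")


def inspect_attachment(filename, data):
    """Return the list of findings for one decoded attachment body.

    Findings, in order: "ole2-container" when the bytes are an OLE2 file,
    "vba-project" when a macro project marker is present, and
    "extension-mismatch" when the name claims a non-OLE format.
    """
    findings = []
    if not data.startswith(OLE2_MAGIC):
        return findings
    findings.append("ole2-container")
    if any(marker in data for marker in VBA_MARKERS):
        findings.append("vba-project")
    if (filename or "").lower().endswith(NON_OLE_EXTENSIONS):
        findings.append("extension-mismatch")
    return findings


def scan_message(raw_message):
    """Parse a raw RFC 5322 message and return {filename: findings} for
    every attachment that produced at least one finding."""
    msg = email.message_from_bytes(raw_message, policy=default)
    results = {}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename:
            continue  # inline body text, not an attachment
        payload = part.get_payload(decode=True) or b""
        findings = inspect_attachment(filename, payload)
        if findings:
            results[filename] = findings
    return results


def build_sample_message():
    """Constructed sample message with four attachments. None of the
    binary bodies is a real Office file: each is just the OLE2 magic
    number padded with zeros, plus (for list.doc) the UTF-16LE name of a
    VBA project stream, which is all the heuristic looks at."""
    macro_doc = OLE2_MAGIC + b"\x00" * 24 + "_VBA_PROJECT".encode("utf-16-le")
    plain_doc = OLE2_MAGIC + b"\x00" * 24 + "WordDocument".encode("utf-16-le")
    disguised = OLE2_MAGIC + b"\x00" * 24
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Document you asked for"
    msg.set_content("Attached as discussed.")
    msg.add_attachment(macro_doc, maintype="application", subtype="msword", filename="list.doc")
    msg.add_attachment(plain_doc, maintype="application", subtype="msword", filename="minutes.doc")
    msg.add_attachment(disguised, maintype="application", subtype="octet-stream", filename="readme.txt")
    msg.add_attachment("Plain notes, nothing to see.\n", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in scan_message(build_sample_message()).items():
        print(f"{name}: {', '.join(findings)}")
```

Run stand-alone, the script reports list.doc as an OLE2 container with a VBA project, minutes.doc as a plain OLE2 container, readme.txt as an OLE2 container whose extension does not match, and nothing for notes.txt. The point the report's sceptics make still holds: a check like this stops the delivery vector, but only a user who does not open unexpected attachments, and a word processor whose macro security has not been weakened, stops the payload.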
While some defence leaders, experts on terrorism, law enforcement officials and software executives hailed it as ``another warning siren of the vulnerability of our networks'' or even ``a demonstration of what an electronic Pearl Harbor might look like'', most computer security people described Melissa as ``just another dangerous virus'', no more sophisticated than prior ones using the identical modus operandi. Moreover, they contended, Melissa (although very costly to many businesses) had no noticeable effect on Internet use or stock markets or electronic commerce. They also noted that most persons using the web on a regular basis would not open an unknown file attachment received by e-mail, especially if it reportedly contained a list of pornographic websites. (22)

42. But computer scientists and IT security experts are not only highlighting general misinformation and myths about viruses. They also contest the alarming figures suggesting that the Pentagon and other US vital infrastructures are under almost permanent attack by crackers or cyberterrorists. They admit that malefactors can break into military and civilian web servers, and maybe even cause serious damage, but argue that this is far from representing an ``electronic Pearl Harbor'' for the United States. As Kevin Ziese, the computer scientist who led the Rome Laboratory investigation, and other experts put it, these break-ins can be defined as the virtual equivalent of a ``kid walking into the Pentagon cafeteria.'' (23)

43. Equating computer viruses and hacker software with weapons of mass destruction, many analysts insist, is overreaching. And classifying them as such would be like considering teen hackers or virus creators equivalent to terrorists or ``rogue'' states. The recent attacks on the Alliance's information system during the Kosovo crisis, according to these sources, might have proved just that. In fact, they report that computer security experts in the US Department of Defense were ``completely unimpressed by whatever it was Serbian hackers did during the Yugoslavian war. The worst it did is make the NATO administrator of the site work a little harder. It didn't have any impact on the Yugoslavian war at all.'' (24)

44. With regard to the supposedly frightening results of the ``Eligible Receiver'' exercise, which are still considered ``sensitive information'' by the Pentagon, many argue that they should be opened up to an independent audit. Until then, computer scientists declare that they will remain extremely sceptical. Moreover, they say the Pentagon's position is in stark contrast to the wide-open discussions of computer security vulnerabilities that reign on the Internet.

45. According to William M. Arkin, an army veteran, defence analyst and editor of US Military Online, the excessive secrecy in the Pentagon's attitude towards information security reflects a basic misjudgement of the power of the Internet and the ability of the military to control it. A directive issued on 24 September 1998 by Deputy Defense Secretary John Hamre instructed all military services and agencies to ``ensure national security is not compromised or personnel placed at risk'' by information available on military websites. In fact, the Pentagon has for years had policies that required just that, and therefore only unclassified information has ever been made available on the Internet. John Pike of the Federation of American Scientists agrees with Arkin that the DoD issued this new policy out of ``a desire to show vigilance, coupled with a profound lack of understanding of information and computer security'', rather than because of any new threats coming from the Internet. (25)

[[Page H8077]]

46. Many experts and scientists are critical of the approach taken by some of the Pentagon leaders not because they believe there are no threats coming from cyberspace, but because they feel those threats might have been overstated or obscured through what they call ``info-warrior rhetoric''. Computer security analysts, who have been working on these problems for years, have the impression that ``information warfare'' might just be old wine in new bottles. In fact, many of the activities now classified under this definition could be traditional intelligence work, intelligence analysis through the Internet, or psychological operations and deception. For instance, the US Air Force Information Warfare Center (AFIWC, part of the Air Intelligence Agency) in San Antonio and other similar organisations are the equivalent of computer emergency response teams, and the military and civilians employed in them are all computer security specialists.

47. In spite of these reservations, it is clear that there are many serious threats. In sum, according to George Smith, editor of The Crypt Newsletter, an Internet publication dealing with computer security for computer analysts: ``It is far from proven that the country [i.e., the United States] is at the mercy of possible devastating computerized attacks. On the other hand, even the small number of examples of malicious behaviour demonstrate that computer security issues in our increasingly technological world will be of primary concern well into the foreseeable future.''

V. CONCLUSION

48. It is clear, even from the words of the most sceptical analysts, that the security of information systems must be a high priority for any nation. With the increasing dependence on information technologies, all our vital infrastructures are potentially vulnerable to some sort of external attack. Even if experts disagree on the extent and the nature of the threat, we nonetheless need to adopt measures to strengthen the protection of our information systems.

49. The first priority should be to seek objectivity in the assessment of the real threats. An independent group should be set up to provide such an assessment, possibly at the international level. An example is provided by the G-8 High Tech Crime Group, a multilateral forum seeking to enhance transnational co-operation in investigating and prosecuting criminal misuse and exploitation of information systems. Parliaments and governments, as well as industry, the scientific community and computer security experts, should work within a similar group focused on information warfare threats in order to share their knowledge and competence and analyse the subject from different perspectives. A serious evaluation of the claims of computer security software and hardware producers could be the first task of such a group.

50. Programmes to raise public awareness and encourage education in the field of computer security and infrastructure protection would be extremely useful, and they should cover all possible audiences. They should include conferences, university studies, presentations at industry associations and professional societies, and sponsorship of graduate studies and programmes. In addition, research efforts are needed both to substantially improve the existing technology and to deploy it more widely. In particular, new capabilities for intrusion detection and identification, and improved simulation and modelling capability to understand the effects upon interconnected and interdependent infrastructures, would be beneficial.

51. The law has to keep pace with the development of new technologies. Parliaments can play an important role in reconsidering and readapting the laws regulating infrastructure protection and information systems assurance.
The United States can provide some good examples in terms of both statutes and case law and the Justice Department has a section devoted to this area. However, due to the open and global nature of the Internet, this effort should involve computer security experts and legislators internationally. In fact, creating a specific international set of rules or conventions is an essential prerequisite for establishing a credible and efficient Internet economy. 52. Intelligence can also contribute to a clearer understanding of the new threats of the information age in terms of actors, motives, and capabilities. Of course, the traditional intelligence work and organisation, developed during the Cold War, must be adapted to the new environment. Intelligence officials in all nations must reconsider their methods for information acquisition and rely on new sources. National agencies must also start recruiting special talents familiar with the new threats, such as skilled computer analysts with a direct experience of hacking methods. 53. Since most experts agree that commercial information systems are now more vulnerable to external attacks, it is essential to foster public-private co-operation. Much of the information that private companies need to protect their information systems may be available from the defence, intelligence and law enforcement communities. Often the private sector can better identify, understand and evaluate the threats. In many countries, co-operation between industries and their governments could be extremely helpful to share ``information and techniques related to risk management assessment, including incident reports, identification of weak spots, plans and technology to prevent attacks and disruptions, and plans for how to recover from them.'' Of course, public-private collaboration also has its limits, such as classified and secret materials or proprietary and competitively sensitive information. 54. 
Finally, in most Western countries, but particularly in the United States, the military should address many questions concerning the effective role of the information warfare programmes in their general policy. Programmes like those going under the definition of ``Revolution in Military Affairs'' (RMA) have already tried to assess the future impact that the use of information technology could have on weapon systems and on military organisation and strategy. However, the US military still needs to clarify its policy about the options for deterring an attack on vital information systems and the possible use of offensive information warfare. The link between information warfare and other military strategies should be better articulated: for instance, would it be possible to respond to an information warfare attack with conventional forces? Moreover, the possibility that the United States (or any other Western country) would develop and deploy offensive information warfare techniques has not been adequately discussed in public forums. This can be essential in order to build a national and possibly international consensus about the role of offensive information warfare and to clearly define its policies of use. Notes and References 1. Lord Lyell, Lothar Ibrugger, Information Warfare and the Millennium Bomb, General Report, NAA Science and Technology Committee [AP 237 STC (97) 7] 2. Definition found on the website of the Institute for the Advanced Study of Information Warfare, self-defined ``a virtual non-governmental organisation'', http:// www.psycom.net/iwar.1.html 3. Dr. Andrew Rathmell, ``Information Warfare: Implications for Arms Control'', Bulletin of Arms Control, No. 29, April 1998, on the web page of King's College London, http:// www.kcl.ac.uk/orgs/icsa/cds.html. With regard to the Revolution of Military Affairs, see the STC 1998 General Report on the subject [AR 299 STC (98) 6] 4. 
Cybercrime-Cyberterrorism-Cyberwarfare, Averting an Electronic Waterloo, CSIS Task Force Report, Center for Strategic and International Studies, Washington DC, 1998, pp. 9-11. 5. Col Jean-Luc Moliner, ``La guerre de l'information vue par un operationnel francais'', L'Armement, No. 60, Dec. 1997-Jan. 1998, p. 11 6. Information warfare should be limited to ``specific political and strategic goals'' to avoid confusion with cybercrime or industrial espionage. Attacks to private corporations (see para.16) might be included only if conducted as part of political or strategic offensive. The limit to ``Internet and other networked information systems'' helps avoid confusion with espionage cases involving the use (or misuse) of restricted or secret information systems and/ or data bases (such as recent alleged espionage at DOE weapons laboratories). Lorenzo Valeri, ``Information requirements for Information Warfare: the need for a multidisciplinary approach'', presentation prepared for the 1999 InfoWar Conference, 27 May 1999, London; and George Ballantyne, ``www.terrorism.now'', RUSI Newsbrief, April 1999, p.31. From letter by John J. Hamre published in Issues in Science and Technology, Winter 1998-99, pp.10-11 7. Alden M. Hayashi, ``The Net Effect'', Scientific American, January 1999, p. 13 8. Niall McKay, ``Indonesia, Ireland in Info War?'' Wired News, 27 January 1999, at the website http://www.wired.com/ news/; Michelle Knott, ``Virtual Warfare'', New Scientist, 27 February 1999, p.51 9. Chris Nuttall, ``Kosovo info warfare spreads'', BBC Online, 1 April 1999, http://news.bbc.co.uk/ and interview with Mr. Chris Scheurweghs of the NATO Integrated Data Service 10. 
``Computer hackers in Belgrade'', Aviation Week & Space Technology, 5 April 1999, p.23; Patrick Riley, ``E-Strikes and Cyber-Sabotage: Civilian Hackers Go Online to Fight'', Fox News, 15 April 1999, http://www.foxnews.com/; Bob Brewin, ``General: Cyberattacks against NATO traced to China'', Federal Computer Week, 1 September 1999, http://www.fcw.com/ 11. James Adams, The Next World War, Hutchinson, London, 1998, pp.187-8 12. George I. Seffers, ``Stealthy New Software Enhances Hacker Arsenal'', Defense News, 15 March 1999, p. 3 13. Tony Walker and Stephen Fidler, ``China studies computer warfare'', Financial Times, 16 March 1999, p. 4 14. Information on the Commission, as well as the text of the report are available on the Web at http://www.pccip.gov 15. George I. Seffers, interview with Maj. Gen. John Campbell, Defense News, 29 March 1999, p.30 16. Jean-Pierre Meunier, ``Le CELAR, centre technique de la guerre de l'information'', L'Armement, N. 60, Dec. 1997-Jan. 1998, pp.84-88 17. Strategic Defence Review, Chapter 5: The Future Shape of Our Forces, available on the Web at http://www.mod.uk/ policy/sdr/ 18. Andrew Rathmell, ``Information Warfare and sub-state actors'', Information, Communication & Society, Winter 1998, p. 490 19. Quoted in George Smith, ``Truth is the first casualty of cyberwar'', The Wall Street Journal, 8 September 1998 [[Page H8078]] 20. Kurt Kleiner, Matt Walker, ``Melissa's mayhem'', New Scientist, 10 April 1999, p.4; ``The Melissa media hangover'', The Crypt Newsletter, available on the Web at http://sun.soci.niu.edu/ Share this page | Bookmark this page The leading immigration law publisher - over 50000 pages of free information!