Volume 147, No. 161 covering the 1st Session of the 107th Congress (2001 - 2002) was published by the Congressional Record.
The Congressional Record is a unique source of public documentation. It started in 1873, documenting nearly all the major and minor policies being discussed and debated.
“COMPUTER SECURITY ENHANCEMENT ACT OF 2001” mentioning the Environmental Protection Agency was published in the House of Representatives section on pages H8351-H8356 on Nov. 27, 2001.
The publication is reproduced in full below:
COMPUTER SECURITY ENHANCEMENT ACT OF 2001
Mrs. MORELLA. Madam Speaker, I move to suspend the rules and pass the bill (H.R. 1259) to amend the National Institute of Standards and Technology Act to enhance the ability of the National Institute of Standards and Technology to improve computer security, and for other purposes, as amended.
The Clerk read as follows:
H.R. 1259
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Computer Security Enhancement Act of 2001''.
SEC. 2. FINDINGS AND PURPOSES.
(a) Findings.--The Congress finds the following:
(1) The National Institute of Standards and Technology has responsibility for developing standards and guidelines needed to ensure the cost-effective security and privacy of sensitive information in Federal computer systems.
(2) The Federal Government has an important role in ensuring the protection of sensitive, but unclassified, information controlled by Federal agencies.
(3) Technology that is based on the application of cryptography exists and can be readily provided by private sector companies to ensure the confidentiality, authenticity, and integrity of information associated with public and private activities.
(4) The development and use of encryption technologies by industry should be driven by market forces rather than by Government imposed requirements.
(b) Purposes.--The purposes of this Act are to--
(1) reinforce the role of the National Institute of Standards and Technology in ensuring the security of unclassified information in Federal computer systems; and
(2) promote technology solutions based on private sector offerings to protect the security of Federal computer systems.
SEC. 3. SECURITY OF FEDERAL COMPUTERS AND NETWORKS.
Section 20(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3(b)) is amended--
(1) by redesignating paragraphs (4) and (5) as paragraphs
(7) and (8), respectively; and
(2) by inserting after paragraph (3) the following new paragraphs:
``(4) except for national security systems, as defined in section 5142 of Public Law 104-106 (40 U.S.C. 1452), to provide guidance and assistance to Federal agencies for protecting the security and privacy of sensitive information in interconnected Federal computer systems, including identification of significant risks thereto;
``(5) to promote compliance by Federal agencies with existing Federal computer information security and privacy guidelines;
``(6) in consultation with appropriate Federal agencies, assist Federal response efforts related to unauthorized access to Federal computer systems;''.
SEC. 4. COMPUTER SECURITY IMPLEMENTATION.
Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3) is further amended--
(1) by redesignating subsections (c) and (d) as subsections
(e) and (f), respectively; and
(2) by inserting after subsection (b) the following new subsection:
``(c)(1) In carrying out subsection (a)(2) and (3), the Institute shall--
``(A) emphasize the development of technology-neutral policy guidelines for computer security and electronic authentication practices by the Federal agencies;
``(B) promote the use of commercially available products, which appear on the list required by paragraph (2), to provide for the security and privacy of sensitive information in Federal computer systems;
``(C) develop qualitative and quantitative measures appropriate for assessing the quality and effectiveness of information security and privacy programs at Federal agencies;
``(D) upon the request of a Federal agency, perform evaluations to assess its existing information security and privacy programs;
``(E) promote development of accreditation procedures for Federal agencies based on the measures developed under subparagraph (C);
``(F) if requested, consult with and provide assistance to Federal agencies regarding the selection by agencies of security technologies and products and the implementation of security practices; and
``(G)(i) develop uniform testing procedures suitable for determining the conformance of commercially available security products to the guidelines and standards developed under subsection (a)(2) and (3);
``(ii) establish procedures for certification of private sector laboratories to perform the tests and evaluations of commercially available security products developed in accordance with clause (i); and
``(iii) promote the testing of commercially available security products for their conformance with guidelines and standards developed under subsection (a)(2) and (3).
``(2) The Institute shall maintain and make available to Federal agencies and to the public a list of commercially available security products that have been tested by private sector laboratories certified in accordance with procedures established under paragraph (1)(G)(ii), and that have been found to be in conformance with the guidelines and standards developed under subsection (a)(2) and (3).
``(3) The Institute shall annually transmit to the Congress, in an unclassified format, a report containing--
``(A) the findings of the evaluations and tests of Federal computer systems conducted under this section during the 12 months preceding the date of the report, including the frequency of the use of commercially available security products included on the list required by paragraph (2);
``(B) the planned evaluations and tests under this section for the 12 months following the date of the report; and
``(C) any recommendations by the Institute to Federal agencies resulting from the findings described in subparagraph (A), and the response by the agencies to those recommendations.''.
SEC. 5. COMPUTER SECURITY REVIEW, PUBLIC MEETINGS, AND
INFORMATION.
Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3), as amended by this Act, is further amended by inserting after subsection (c), as added by section 4 of this Act, the following new subsection:
``(d)(1) The Institute shall solicit the recommendations of the Computer System Security and Privacy Advisory Board, established by section 21, regarding standards and guidelines that are being considered for submittal to the Secretary in accordance with subsection (a)(4). The recommendations of the Board shall accompany standards and guidelines submitted to the Secretary.
``(2) There are authorized to be appropriated to the Secretary $1,030,000 for fiscal year 2002 and $1,060,000 for fiscal year 2003 to enable the Computer System Security and Privacy Advisory Board, established by section 21, to identify emerging issues related to computer security, privacy, and cryptography and to convene public meetings on those subjects, receive presentations, and publish reports, digests, and summaries for public distribution on those subjects.''.
SEC. 6. LIMITATION ON PARTICIPATION IN REQUIRING ENCRYPTION
AND ELECTRONIC AUTHENTICATION STANDARDS.
Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3), as amended by this Act, is further amended by adding at the end the following new subsection:
``(g) The Institute shall not promulgate, enforce, or otherwise adopt standards or policies for the Federal establishment of encryption and electronic authentication standards required for use in computer systems other than Federal Government computer systems.''.
SEC. 7. MISCELLANEOUS AMENDMENTS.
Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-3), as amended by this Act, is further amended--
(1) in subsection (b)(8), as so redesignated by section 3(1) of this Act, by inserting ``to the extent that such coordination will improve computer security and to the extent necessary for improving such security for Federal computer systems'' after ``Management and Budget)'';
(2) in subsection (e), as so redesignated by section 4(1) of this Act, by striking ``shall draw upon'' and inserting in lieu thereof ``may draw upon'';
(3) in subsection (e)(2), as so redesignated by section 4(1) of this Act, by striking ``(b)(5)'' and inserting in lieu thereof ``(b)(7)''; and
(4) in subsection (f)(1)(B)(i), as so redesignated by section 4(1) of this Act, by inserting ``and computer networks'' after ``computers''.
SEC. 8. FEDERAL COMPUTER SYSTEM SECURITY TRAINING.
Section 5(b) of the Computer Security Act of 1987 (40 U.S.C. 759 note) is amended--
(1) by striking ``and'' at the end of paragraph (1);
(2) by striking the period at the end of paragraph (2) and inserting in lieu thereof ``; and''; and
(3) by adding at the end the following new paragraph:
``(3) to include emphasis on protecting information in Federal databases and Federal computer sites that are accessible through public networks.''.
SEC. 9. COMPUTER SECURITY FELLOWSHIP PROGRAM.
There are authorized to be appropriated to the Secretary of Commerce $5,000,000 for fiscal year 2002 and $5,000,000 for fiscal year 2003 for the Director of the National Institute of Standards and Technology for fellowships, subject to the provisions of section 18 of the National Institute of Standards and Technology Act (15 U.S.C. 278g-1), to support students at institutions of higher learning in computer security. Amounts authorized by this section shall not be subject to the percentage limitation stated in such section 18.
SEC. 10. STUDY OF ELECTRONIC AUTHENTICATION TECHNOLOGIES BY
THE NATIONAL RESEARCH COUNCIL.
(a) Review by National Research Council.--Not later than 90 days after the date of the enactment of this Act, the Secretary of Commerce shall enter into a contract with the National Research Council of the National Academy of Sciences to conduct a study of electronic authentication technologies for use by individuals, businesses, and government.
(b) Contents.--The study referred to in subsection (a) shall--
(1) assess technology needed to support electronic authentication technologies;
(2) assess current public and private plans for the deployment of electronic authentication technologies;
(3) assess interoperability, scalability, and integrity of private and public entities that are elements of electronic authentication technologies; and
(4) address such other matters as the National Research Council considers relevant to the issues of electronic authentication technologies.
(c) Interagency Cooperation With Study.--All agencies of the Federal Government shall cooperate fully with the National Research Council in its activities in carrying out the study under this section, including access by properly cleared individuals to classified information if necessary.
(d) Report.--Not later than 18 months after the date of the enactment of this Act, the Secretary of Commerce shall transmit to the Committee on Science of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate a report setting forth the findings, conclusions, and recommendations of the National Research Council for public policy related to electronic authentication technologies for use by individuals, businesses, and government. The National Research Council shall not recommend the implementation or application of a specific electronic authentication technology or electronic authentication technical specification for use by the Federal Government. Such report shall be submitted in unclassified form.
(e) Authorization of Appropriations.--There are authorized to be appropriated to the Secretary of Commerce $450,000 for fiscal year 2002, to remain available until expended, for carrying out this section. SEC. 11. PROMOTION OF NATIONAL INFORMATION SECURITY.
The Under Secretary of Commerce for Technology shall--
(1) promote an increased use of security techniques, such as risk assessment, and security tools, such as cryptography, to enhance the protection of the Nation's information infrastructure;
(2) establish a central repository of information for dissemination to the public to promote awareness of information security vulnerabilities and risks; and
(3) in a manner consistent with section 12(d) of the National Technology Transfer and Advancement Act of 1995 (15 U.S.C. 272 nt), promote the development of national standards-based infrastructures needed to support government, commercial, and private uses of encryption technologies for confidentiality and authentication.
SEC. 12. ELECTRONIC AUTHENTICATION INFRASTRUCTURES.
(a) Electronic Authentication Infrastructures.--
(1) Technology-neutral guidelines and standards.--Not later than 18 months after the date of the enactment of this Act, the Director, in consultation with industry and appropriate Federal agencies, shall develop technology-neutral guidelines and standards, or adopt existing technology-neutral industry guidelines and standards, for electronic authentication infrastructures to be made available to Federal agencies so that such agencies may effectively select and utilize electronic authentication technologies in a manner that is--
(A) adequately secure to meet the needs of those agencies and their transaction partners; and
(B) interoperable, to the maximum extent possible.
(2) Elements.--The guidelines and standards developed under paragraph (1) shall include--
(A) protection profiles for cryptographic and noncryptographic methods of authenticating identity for electronic authentication products and services;
(B) a core set of interoperability specifications for the use of electronic authentication products and services in electronic transactions between Federal agencies and their transaction partners; and
(C) validation criteria to enable Federal agencies to select cryptographic electronic authentication products and services appropriate to their needs.
(3) Revisions.--The Director shall periodically review the guidelines and standards developed under paragraph (1) and revise them as appropriate.
(b) Listing of Products.--Not later than 30 months after the date of the enactment of this Act, and thereafter, the Director shall maintain and make available to Federal agencies a nonmandatory list of commercially available electronic authentication products, and other such products used by Federal agencies, evaluated as conforming with the guidelines and standards developed under subsection (a).
(c) Specifications for Electronic Certification and Management Technologies.--
(1) Specifications.--The Director shall, as appropriate, establish core specifications for particular electronic certification and management technologies, or their components, for use by Federal agencies.
(2) Evaluation.--The Director shall advise Federal agencies on how to evaluate the conformance with the specifications established under paragraph (1) of electronic certification and management technologies, developed for use by Federal agencies or available for such use.
(3) Maintenance of list.--The Director shall maintain and make available to Federal agencies a list of electronic certification and management technologies evaluated as conforming to the specifications established under paragraph
(1).
(d) Reports.--Not later than 18 months after the date of the enactment of this Act, and annually thereafter, the Director shall transmit to the Congress a report that includes--
(1) a description and analysis of the utilization by Federal agencies of electronic authentication technologies; and
(2) a description and analysis regarding the problems Federal agencies are having, and the progress such agencies are making, in implementing electronic authentication infrastructures.
(e) Definitions.--For purposes of this section--
(1) the term ``electronic authentication'' means cryptographic or noncryptographic methods of authenticating identity in an electronic communication;
(2) the term ``electronic authentication infrastructure'' means the software, hardware, and personnel resources, and the procedures, required to effectively utilize electronic authentication technologies;
(3) the term ``electronic certification and management technologies'' means computer systems, including associated personnel and procedures, that enable individuals to apply electronic authentication to electronic information; and
(4) the term ``protection profile'' means a list of security functions and associated assurance levels used to describe a product.
SEC. 13. SOURCE OF AUTHORIZATIONS.
There are authorized to be appropriated to the Secretary of Commerce $7,000,000 for fiscal year 2002 and $8,000,000 for fiscal year 2003, for the National Institute of Standards and Technology to carry out activities authorized by this Act for which funds are not otherwise specifically authorized to be appropriated by this Act.
The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from Maryland (Mrs. Morella) and the gentleman from Texas (Mr. Hall) each will control 20 minutes.
The Chair recognizes the gentlewoman from Maryland (Mrs. Morella).
General Leave
Mrs. MORELLA. Madam Speaker, I ask unanimous consent that all Members may have 5 legislative days within which to revise and extend their remarks on H.R. 1259.
The SPEAKER pro tempore. Is there objection to the request of the gentlewoman from Maryland?
There was no objection.
Mrs. MORELLA. Madam Speaker, I yield myself such time as I may consume.
Madam Speaker, it is with great pleasure that I rise to offer H.R. 1259, the Computer Security Enhancement Act of 2001. This legislation represents many years of bipartisan work of the Committee on Science. Over the years, the committee has held numerous hearings on various aspects of the bill's provisions and has incorporated many constructive suggestions made by both industry and governmental agencies. This bill provides important updates to current law to ensure the Federal Government's virtual security.
Fourteen years ago, this body passed the Computer Security Act of 1987, which gave authority over computer and communication security standards for Federal civilian agencies to the National Institute for Standards and Technology. Much has changed since then. In the mid-
eighties, we were dealing with issues surrounding the migration from mainframes to personal computers and how to provide secure access to extremely limited, site-specific internal networks. Today, with the worldwide web, every PC on the planet represents a potential source of attack, and we need to develop new tools to protect the integrity of our Nation's computers.
While no single piece of legislation can fully protect our Federal computer systems, this act is a vital step to strengthen and update the authority given the National Institute of Standards and Technology to provide guidance to our security efforts.
This bill is an important first step in the right direction. The legislation would allow NIST to: promote the use of commercially available, off-the-shelf security products by Federal agencies; increase privacy protection by giving an independent advisory board more responsibility and resources to review NIST's computer security efforts and make recommendations; support the development of a well-
trained workforce by creating a fellowship program in the field of computer security; study the efforts of the Federal Government to develop a secure, interoperable electronic infrastructure; to advise agencies on the deployment of electronic authentication technologies; and, finally, establish an expert review team to assist agencies in identifying and fixing existing information security vulnerabilities.
In today's environment, the intense need for this legislation is obvious. For the last few months, we have been frantically trying to recover from the awful attacks of September 11 and plug the many holes in our society's lax security practices. We have gone to great effort to quickly react to vulnerabilities on many fronts. We passed legislation to secure much of our important infrastructure, and the administration has moved forward with many counterterrorism proposals. But, along with the real world, we need to protect ourselves in cyberspace.
Fortunately, we have not suffered a major cyberattack, but that is hardly a reason not to act. A major cyberoffensive could be every bit as devastating as an actual physical assault. A full third of our recent economic development has been credited to e-commerce and needs to be secure. Never before has so much of our daily lives been documented and placed on Federal computers. Americans have the right to expect that this information does not fall into the wrong hands.
Unfortunately, the government is not very adept at protecting this information. Over the last decade, the General Accounting Office has issued nearly 40 reports describing serious information security weaknesses at major Federal agencies. Our own House Committee on Government Reform has recently issued its computer security report card and given the government an ``F.''
Quite frankly, this is unacceptable. Now is the time to expand NIST's authority so we can begin to address these issues.
Located in my home district of Montgomery County, NIST already plays a critical control role in our Nation's computer security. They are our Nation's premier developer of standards and guidelines and have worked tirelessly in the information technology area. They work closely with industry, Federal agencies, testing organizations, academicians and other private sector users with the broad mission of improving our competitiveness in IT and computer-related industries.
Specifically, they work to improve awareness of computer security issues, conduct research on new cutting-edge technologies, develop and manage security testing programs, and produce security guidance and planning.
Madam Speaker, I am very proud of their work in this area. They have a well-deserved reputation for excellence and deserve the additional resources to expand their efforts in computer security. They are the recognized leader in this field and the logical choice to coordinate and critique the government's efforts.
Madam Speaker, a wide array of technology organizations have recognized the need for H.R. 1259 to protect our Nation's computer systems and secure our virtual presence. I thank them for their support. I urge my colleagues to stand with these organizations and take the important step towards securing our computer data and resources by passing H.R. 1259.
Madam Speaker, I reserve the balance of my time.
Mr. HALL of Texas. Madam Speaker, I yield myself such time as I may consume.
Madam Speaker, I rise today in support of H.R. 1259; and, in her usual good practice, the gentlewoman from Maryland (Mrs. Morella) has very well outlined the provisions of the legislation. I would just like to make a few observations concerning the need for the legislation before us today.
The Committee on Science developed the Computer Security Act 13 years ago with the goal in mind of improving the security of nonclassified information in the Federal agencies' computer systems. When Congress passed the Computer Security Act back in 1987, most of us realized that this new method of communication needed to be secure in order to realize the full potential that those that brought it forth had hoped for. At that time we had no idea of the growth of the Internet, electronic commerce, or even the growth of e-mail communication from our constituents. In the past few years, the spread of computer viruses, attacks by computer hijackers and electronic identification theft have all been on the rise. Regardless of our reliance on the Internet and computer networks, computer security is still generally regarded as an afterthought.
On September 11, we realized how very vulnerable our Nation could be. We no longer can afford to be complacent about our physical and electronic security. Hearings by the Committee on Science and assessments by the General Accounting Office have revealed that computer security at Federal levels is still, in many people's opinion, sub par.
The National Institute of Standards and Technology has an important role to play here. It is responsible for developing security standards and developing the very best security practices. It should assist agencies in training their computer security personnel and help assess their security weaknesses.
Unfortunately, NIST has never really requested nor received the resources it needs to effectively carry out their statutory role in these areas. The Committee on Science has developed this bipartisan legislation to correct this problem. The goal of this legislation is to strengthen the computer security of Federal agencies, including, of course, the use of electronic authentication technologies.
H.R. 1259 is not merely in response to the events of September 11. Actually, H.R. 1259 is and has been a result of continued and careful study and deliberation by the Committee on Science. We began work on this legislation at the beginning of the last Congress, and it has been the subject of hearings, and we have asked for comments by industry and Federal agencies. It is a thoughtful and straightforward approach for making Federal agencies a model of good security practices.
I congratulate the gentlewoman from Maryland (Mrs. Morella), the gentleman from Tennessee (Mr. Gordon), and the gentleman from Michigan
(Mr. Barcia) for their hard work on this legislation. Also, we would not be here without the assistance and support of the gentleman from New York (Chairman Boehlert) and his efforts to bring this bill to the floor. This a timely piece of legislation, Madam Speaker, and I would urge my colleagues to support the bill.
Madam Speaker, I reserve the balance of my time.
Mrs. MORELLA. Madam Speaker, I yield myself such time as I may consume.
Madam Speaker, I commend the ranking member, the gentleman from Texas
(Mr. Hall), for his leadership. Together we are a team. The Committee on Science is a very bipartisan, almost nonpartisan committee, and it is my pleasure to thank the gentleman from Texas and the gentleman from New York (Chairman Boehlert).
Madam Speaker, I yield such time as he may consume to the gentleman from New York (Mr. Boehlert), the chairman of the Committee on Science, and commend him for his leadership.
Mr. BOEHLERT. Madam Speaker, I thank the gentlewoman for yielding me this time.
Madam Speaker, I rise to support H.R. 1259, the Computer Security Enhancement Act of 2001, and to congratulate the gentlewoman from Maryland (Mrs. Morella) and the gentleman from Texas (Mr. Hall) and the gentleman from Tennessee (Mr. Gordon) for their bipartisan work on this legislation and for the leadership of the past chairman, the gentleman from Wisconsin (Mr. Sensenbrenner), who shepherded this bill through the House in the last Congress.
Since the tragedy of September 11, our Nation has awakened to a new world of potential threats. Some of them before now were thought not possible. Some were thought not likely. And, unfortunately, some were simply ignored. But in the last 2 months, the world has changed and we have resolved to fortify our Nation's critical assets, to protect our airports and strengthen our infrastructure.
One compelling need is to improve the security of our Nation's computer systems and the uncountable government services on which they depend. In the last 9 years, the General Accounting Office has issued some three dozen reports detailing the serious information security weaknesses at major Federal agencies. We in the House, and particularly on the Committee on Science, have heeded these warnings. Others must, also.
{time} 1500
Federal systems are not the only ones central to our Nation's smooth functioning. Earlier this year, the Committee on Science held several hearings on cybersecurity. In one of those, Governor Gilmore testified that his commission, which was charged with evaluating our Nation's vulnerabilities to weapons of mass destruction, could not ignore the potential additional havoc that computer attacks could wreak on our country, especially if computer attacks were launched at the same time as some other attack. Computer breaches must not be allowed to hamstring State and local governments as they attempt to respond to other kinds of threats.
This bill, the first of several dealing with cybersecurity that the Committee on Science plans to bring to the floor, begins to make the kinds of improvements necessary to address the concerns these reports have raised. H.R. 1259 will encourage the computer security teams at the National Institute of Standards and Technology to assist other government agencies to improve the security of their computer networks. It will spur the private sector to develop improved computer security products to benefit the public and private sectors alike. And it will help recruit and train future experts in the profession of computer security.
I would also like to point out that this very same bill passed this body a little over a year ago. Unfortunately, the other body did not have time to pass it and send it on to the President. This time, however, I hope we can work with our colleagues in the Senate to pass this bill to strengthen our Nation's computer security and to help protect the American people.
This bill is a good bill that will help our Nation deal with a serious threat that for too long has been inadequately addressed. I urge my colleagues to support this bill and help put our Nation on the road to better computer security.
In closing, let me once again commend the leadership of the gentlewoman from Maryland and the bipartisan team that she has assembled and led as we have moved this through the committee and now to the House floor. I hope others are paying attention, because they need to follow through.
Mr. HALL of Texas. Madam Speaker, I yield such time as he may consume to the gentleman from Tennessee (Mr. Gordon), who was ranking member on the Subcommittee on Environment, Technology, and Standards back when this legislation first began and wrote the electronic authentication provisions in it. He is now ranking member on the Subcommittee on Space and Aeronautics.
Mr. GORDON. Madam Speaker, I thank the gentleman from Texas (Mr. Hall) for yielding time, and more importantly I thank him for the leadership he brings to the Committee on Science.
Madam Speaker, I want to thank the gentlewoman from Maryland (Mrs. Morella) and the gentleman from New York (Mr. Boehlert) for their diligent work to bring this bill to the floor today. When the gentlewoman from Maryland and I began to work to improve Federal agencies' nonclassified computer security more than 4 years ago, I became aware that an important element of any computer security regime is electronic authentication.
Consistent with the goals of the Government Paperwork Elimination Act, I wanted to ensure that Federal agencies deployed electronic authentication technologies in a consistent and uniform manner and that there was a reasonable level of interoperability between electronic authentication systems deployed by Federal agencies.
Federal agencies have made some progress on improved computer security since the Committee on Science began working on this issue. However, significant vulnerabilities remain and much work needs to be done. Earlier this year, the GAO documented continued computer security failings of Federal agencies. And just a few weeks ago, a Committee on Government Reform assessment of Federal agencies' computer security was uniformly dismal.
The events of September 11 made it evident that we cannot remain so complacent and lax about the security of electronic documents and transactions. The disruption of traditional document carriers like our mail and airline systems highlighted that we need to be able to transfer documents over an open and secure electronic communications system. Such a system must include robust and widely deployed electronic authentication technologies. Unfortunately, electronic authentication technologies have yet to be widely used. One of the goals of this bill is to ensure the effective deployment of electronic authentication technologies by Federal agencies.
The Computer Security Enhancement Act is the result of discussions with industry, the National Institute of Standards and Technology, and the Department of Commerce. Under the bill, NIST, working with industry, is to develop minimum technical standards and guidelines to assist Federal agencies in deploying electronic authentication technologies. It is my intent that Federal agencies serve as models of how such technologies could be effectively implemented.
I want to clarify that NIST is not developing standards but only guidelines and best practices. When I drafted these provisions relating to electronic authentication, I tried to ensure that the private sector would have a strong voice in the development of any guidelines. NIST has a strong record of working cooperatively with industry. I believe the result will be greater security and lower cost for everyone as we move toward an electronic transaction-based economy.
Finally, Madam Speaker, I want to thank all the staff that have spent so many hours on this bill, particularly Mike Quear that assisted me on the bill. As they did in the 106th Congress, I would urge my colleagues to again support this legislation.
Mr. HALL of Texas. Madam Speaker, I have no further requests for time, and I yield back the balance of my time.
Mrs. MORELLA. Madam Speaker, I yield myself such time as I may consume.
It appears as though everyone recognizes the need for this bill and is in support of it. In addition to the numerous technology organizations that have indicated their strong support and have worked on the bill through the years, the President's Advisory Panel to Assess Domestic Response Capabilities for Terrorism Involving Weapons of Mass Destruction chaired by Governor Gilmore has called for an expanded role for NIST. That is what this bill does.
I urge my colleagues to stand with these organizations and take an important step toward securing our computer data and resources by passing H.R. 1259. I also want to add my thanks to the gentleman from Tennessee (Mr. Gordon). He was my ranking member on the Subcommittee on Environment, Technology, and Standards when this bill was crafted. I thank him for his important contributions. Again I reiterate my thanks to ranking member Hall, to Chairman Boehlert, to the gentleman from Michigan (Mr. Barcia), who also served on that subcommittee, and certainly the staff on both sides of the aisle. I want to commend Barry Beringer and certainly thank Ben Wu, who was my staffer who is no longer with us but is now the Deputy Under Secretary of Science and Technology at the Department of Commerce, Carl Piccanatto from the National Academy of Science, Jason Cervenak and the various staff that we have again on both sides of the aisle. I urge everyone to support H.R. 1259.
Ms. JACKSON-LEE of Texas. Madam Speaker, I rise in support of this legislation H.R. 1259, the Computer Security Enhancement Act of 2001.
In the world of technology today, interactive computer applications are a standard worldwide and virtually anyone in the world can gain access to government information. A lack of security in the computer systems of key government agencies is a vulnerability that has persisted for too long and will still be around if it is not dealt with at once. The number of attacks have soared in recent years and it is not just hackers and terrorists that we have to be worried about, but foreign governments and other nation states as well. Less than 3 years ago, the Federal Computer Incident Response Center calculated 376 occurrences upsetting 2,732 Federal systems and 86 military systems. Last year, the number of incidents reported was 586, which involved 575,568 Federal systems and 148 military systems.
A few months ago, Chinese hackers invaded government and business Web sites, including those run by the Navy and the Departments of Labor and Health and Human Services. Last year, a program called, ``ILOVEYOU'' penetrated systems at the Defense Department, the CIA and at least a dozen other agencies, attacking their infrastructure and networks.
There is a clear risk that exists, as computer strikes become more sophisticated. Terrorists or hostile foreign states could unleash attacks through computers, severely damaging or disrupting systems that support critical infrastructure. This can lead to disorder in our Nation's defense and public operations or stolen data of sensitive material. The disturbing element is that the vast majority of these kinds of incidents are never reported, in part, because some agencies cannot detect when a hacker has even gained access to their files.
H.R. 1259, Computer Security Enhancement Act of 2001 will amend the National Institute of Standards and Technology Act by requiring the Institute to provide assistance to Federal agencies. The assistance will include developing cost-effective and uniform standards for the security and privacy of sensitive information in certain Federal systems, providing a list of certified commercial Federal computer system security products, and reporting annually on Federal computer system evaluations. Their aid will be used to protect computer networks, promote Federal compliance with computer information security and privacy guidelines, as well as assist Federal response efforts when there is unauthorized access to Federal systems.
H.R. 1259 will focus the energy of the Institute as well as agencies' such as the National Research Council of he National Academy of Sciences and the Undersecretary of Commerce for Technology on security and encryption issues. Studies, training, and adoption of standards and products will be developed.
This bill will also authorize appropriations for fellowships to students in computer security. There is a need for specialists in the United States and this bill will hopefully be part of a solution to the growing shortage of security professionals within government and this industry.
According to government reports, 24 Federal agencies, have not adopted effective security to protect their computers and networks from attacks. Many agencies still do not use passwords properly and cannot detect intruders. Federal agencies who support this bill: the Defense Department, the Departments of Labor and Health and Human Services, the CIA, the Department of Transportation, Departments of Justice, State and the Treasury, Nuclear Regulatory Commission, U.S. Army Corps of Engineers, the Environmental Protection Agency, the Commerce Department as well as the Federal Aviation Administration.
On a particular occasion last year, a computer virus breached the Defense Department's security system, damaging some computers and infecting several classified systems. Computer attacks could disable sensitive operations such as the FAA flight control system or Pentagon war efforts. This disruption could have chaotic consequences.
This bill is a step forward in combating our current vulnerability of a lack of proper protection on Federal computer systems. With the passing of this bill will come Federal standards that will implement much needed assistance and programs. It is an imperative part of a solution to better respond to current attacks as well as potential ones.
Mr. SMITH of Michigan. Madam Speaker, I rise in strong support of this legislation, offered by the gentlewoman from Maryland, to strengthen the security of sensitive Federal computer systems.
Information security has taken on new significance. Today, the economy and our national security rely on computers as never before. Protecting these systems by reducing their vulnerability to cyber-
attack must therefore be a high priority. The same techniques that agencies are employing to cut costs and improve public services--
interconnected systems, readily accessible information, and paperless processing--are also factors that increase the vulnerability of these systems to hackers.
Key strengths of this bill are its emphasis on cost-effective solutions and government adoption of commercially available products. Equally important are provisions to address privacy issues and ensure public participation in the development of guidelines. I would emphasize the bill does not mandate Federal guidelines or standards for the private sector.
In a series of hearings held by the Science Committee, we learned a great deal about the existing and emerging threats to computer systems. Despite these threats, there is relatively little university-based research.
The computer security fellowship program in this bill is a start. I plan to move an information technology research bill that will increase cyber-security research even further.
As a senior member of the Science Committee, the gentlewoman from Maryland has produced an important piece of legislation that is very much needed. I urge my colleagues to support it.
Mrs. MORELLA. Madam Speaker, I yield back the balance of my time.
The SPEAKER pro tempore (Mrs. Biggert). The question is on the motion offered by the gentlewoman from Maryland (Mrs. Morella) that the House suspend the rules and pass the bill, H.R. 1259, as amended.
The question was taken.
The SPEAKER pro tempore. In the opinion of the Chair, two-thirds of those present have voted in the affirmative.
Mrs. MORELLA. Madam Speaker, on that I demand the yeas and nays.
The yeas and nays were ordered.
The SPEAKER pro tempore. Pursuant to clause 8 of rule XX and the Chair's prior announcement, further proceedings on this motion will be postponed.
____________________