July 21, 2011

Committee Approves Bipartisan Cybersecurity Legislation

(Washington, DC) – Today, the House Committee on Science, Space, and Technology held a markup of H.R. 2096, the Cybersecurity Enhancement Act of 2011.  H.R. 2096 would, among other things, require federal agencies to create a strategic plan guiding the overall direction of federal cybersecurity research and development (R&D); reauthorize cybersecurity research at the National Science Foundation (NSF); authorize scholarships for students in the cybersecurity field in exchange for federal government service; require the National Institute for Standards and Technology (NIST) to produce a cybersecurity awareness and education program; and require the creation of a university-industry task force to increase collaboration between the public and private sectors on cybersecurity R&D.  The legislation is very similar to H.R. 4061, the Cybersecurity Enhancement Act of 2010, introduced by Congressman Dan Lipinski (D-IL) in the 111th Congress.  H.R. 4061 passed the House by a vote of 422-5, but never made it through the Senate.

“Computers, cell phones, and the Internet have greatly increased our productivity and connectivity.  Unfortunately, this connectivity and the dependence of our infrastructure, our commerce, and a great deal of our day-to-day lives on information technologies have also increased our vulnerability to cyber attacks,” said Ranking Member Eddie Bernice Johnson (D-TX).  “H.R. 2096 would authorize research, education, and standards activities that are essential to our government’s efforts to strengthen the security of our current information technology systems and to build future systems that are more secure from the outset.”

Rep. Dan Lipinski, Ranking Member of the Subcommittee on Research and Science Education, and lead Democratic sponsor of the bill, said, “Every passing day brings fresh evidence of the serious threat that cybercrime poses to individuals, families, businesses, government, and our national security. From breaches at financial, consumer, and computer security companies to the most damaging cyber attack on our military to date, this year has brought story after story that underlines the urgency of combating cybercrime. The Cybersecurity Enhancement Act will help ensure we have the highly skilled people and the cutting-edge research and technologies we need to protect not only our critical infrastructure and federal and military computer networks, but also the general public, which increasingly relies on the internet. It has been more than a year since the House passed this bill by an overwhelming margin, and in that time cybercrime has only gotten worse. I am hopeful that Congress will recognize that reality and pass this bill as soon as possible.”

Although Committee Democrats expressed support for H.R. 2096, they expressed concern that the bill was not considered through regular order. There has only been one hearing held on cybersecurity in the 112th Congress and H.R. 2096 was not marked up in either of the relevant Subcommittees prior to coming before the Full Committee.

Ms. Johnson said, “[T]he truth is that the field of cybersecurity is rapidly evolving and two years in this field is equivalent to a lifetime in many other fields…The fact that we are rushing this bill through the Committee is preventing us from adequately and effectively doing our due diligence to ensure that it is as current as it can and should be.”

Under the proposed fiscal year 2012 Commerce, Justice, and Science (CJS) Appropriations bill in the House, the research budgets at NSF and NIST would be flat-funded.  NIST has indicated it would be unable to support its expanded role in cybersecurity and NSF has indicated that it would be forced to reduce the total number of research grants it can award by about 2,500, should the proposed funding level be enacted.

“The federal government is already suffering from a lack of adequately trained cybersecurity professionals and flat-funding these key agencies will further erode the human capital we need to build up our cybersecurity capabilities,” said Ms. Johnson.  “It will also slow down much needed advances in research and development on game-changing technologies…It doesn’t seem right to be touting NIST’s role in cybersecurity while also proposing a funding level for the agency that prevents it from carrying out critical cybersecurity related activities.”

Democratic Amendments Offered

McNerney (D-CA)– adds National Laboratories to the list of institutions and organizations that the Director of NIST will collaborate with in coordinating a cybersecurity awareness and education program.  (passed by voice vote)

Johnson (D-TX)– updates the cybersecurity awareness and education section to more accurately reflect the current state of activities in this area by adding language that reflects the four tracks currently being pursued under the National Initiative for Cybersecurity Education (NICE). (withdrawn at the request of the Chair)

Clarke (D-MI)– clarifies and updates Section 204 on identity management to more accurately reflect the current state of activities in this area, by moving language requiring NIST to facilitate the development of a unified and standardized identity management framework from paragraph 1 of Section 110 into Section 204, and requiring NIST to coordinate and oversee the development of an implementation plan for the identity management framework.  (failed by voice vote)

Wu (D-OR)– adds a new section to the bill which authorizes the Director of NIST to convene representatives of the private sector and other relevant stakeholders, including consumer groups, to collaborate on the development of voluntary consensus standards, guidelines, best practices, and voluntary codes of conduct related to information technology security for use by private sector entities in the Internet and information sector.  (withdrawn at the request of the Chair)

Wu (D-OR)– adds a new section (Section 204) which requires the Director of NIST, as part of the education and awareness program authorized under Section 203, to carry out an assessment of community colleges and cybersecurity education.  (withdrawn at the request of the Chair)

Tonko (D-NY)– states that the activities mandated in Section 108 (cybersecurity university-industry taskforce) are not required to be carried out for any fiscal year unless the amount appropriated to the Office of Science and Technology Policy (OSTP) is equal to or greater than the amount appropriated to the OSTP in the FY 2011 Continuing Resolution. Also states that the activities mandated in Paragraph 1 of Section 110 (identity management framework), Section 202 (international technical standards), and Section 203 (cybersecurity awareness and education program) are not required to be carried out for any fiscal year unless the amount appropriated to the National Institute of Standards and Technology (NIST) is equal to or greater than the amount appropriated to the NIST in the FY 2011 Continuing Resolution. (failed on party-line recorded vote)

Democratic Amendments adopted under unanimous consent en bloc

Luján (D-NM)– adds enhanced consumer privacy as an intended outcome of technology development under the cybersecurity strategic R&D plan required under Section 103.

Luján (D-NM)– clarifies that the plan for technology transfer should focus on the “rapid” transfer of R&D into “timely” applications for the benefit of society and the national interest under the strategic R&D plan in Section 103(b).

Luján (D-NM)– adds National Laboratories to the list of stakeholders that will provide recommendations and input regarding the cybersecurity strategic R&D plan required by Section 103.

Fudge (D-OH)– adds language to ensure that the workforce assessment in Section 107 includes an evaluation of how current higher education and research programs produce cybersecurity professionals from states and regions in which the unemployment rate exceeds the national average.

Lipinski (D-IL)– calls on NIST to continue to develop and implement a comprehensive strategy for the use and adoption of cloud computing services by the federal government. Requires the Director of NIST to give consideration to activities that accelerate the development of standards, support conformance testing, and address security and privacy requirements, including the physical security of cloud computing data centers as part of the strategy.

H.R. 2096 passed by voice vote and was reported favorably out of Committee.