Senate, House staff in final talks on cybersecurity bill

Senate and House staffers are trying to resolve final differences over a bill that would authorize nearly $1 billion for cybersecurity research in hopes of passage this fall, congressional and industry sources said Tuesday.

"The bills are very similar and we're very close to an agreement, possibly by the end of the week," said Heidi Tringe, spokeswoman for the House Science Committee. A Senate aide concurred with the deadline, saying, "We're tying up loose ends."

Another Senate aide said that staffers are "pre-conferencing the bill," a process designed to ease formal House-Senate negotiations before sending compromise language to both chambers.

The House passed the bill, H.R. 3394, by a 400-12 margin in February. Sens. Ron Wyden, D-Ore., and George Allen, R-Va., introduced similar legislation, S. 2182, modifying the House language to reflect two related measures, S. 1900 and S. 1901, that were authored by Sen. John Edwards, D-N.C.

The legislation would authorize $978 million in funding for research and development and research fellowship programs related to computer and network security.

Since scheduling Senate floor action at this point in the year is so difficult, proponents are hoping to get unanimous consent, a Senate aide said. Senate staffers are working with the staff of House bill sponsor Sherwood Boehlert, R-N.Y., to resolve differences before the Senate vote so the ensuing House-Senate negotiation can move quickly and the bill can head back to both chambers for quick, final approval. The differences are not considered major, sources emphasized.

The discussions at this point are focused on the "mechanics" of the bill, such as how grants will work, the Senate aide said.

Senate changes to the bill clarified some language and softened a requirement for federal agencies to adopt benchmark security standards developed by the National Institute of Standards and Technology (NIST) that the tech industry saw as too prescriptive. The Wyden-Edwards compromise instead would require agencies to follow a security checklist developed by NIST.

The Senate version also added examples to a list of potential research categories. Industry officials were concerned that naming only a few types might bias research grants in those areas.

The House bill identifies the following research areas: authentication and cryptography; computer forensics and intrusion detection; the reliability of computer and network applications, operating systems, "middleware" that expands the capabilities of operating systems, and communications infrastructure; and privacy and confidentiality. The Senate bill added "firewall" technology; emerging cyber-security threats, including malicious ones such as viruses and worms; vulnerability assessments; management of operations and control systems; and management of interoperable digital certificates or digital "watermarking."

The Information Technology Association of America and the Business Software Alliance (BSA) are gearing up to press Senate leadership for action on the bill, including sending a letter. Industry believes the measure highlights an area of computer science research long neglected as a separate discipline.

"We think the bill makes an important contribution to the homeland security effort because it makes sure we will research the tools needed to confront ever-evolving cybersecurity threats," said Mario Correa, BSA's director of Internet and network security policy.