Subject: SSSCA - Analysis (Q&D)
From: "Karsten M. Self" <kmself@ix.netcom.com>
Date: Mon, 10 Sep 2001 11:41:42 -0700
Mon, 10 Sep 2001 11:41:42 -0700
...and not altogether unbiased.

I'd be interested to hear other's reads of this, I think I'm on
relatively firm ground for most of the analysis here, but it's pretty
breathtaking.

------------------------------------------------------------------------

Looks like this might be what our CPRM friends have been up to, among
others.

A (very quick and dirty) analysis of SSCA.


| ========================================================================
| 
| [19 pages]
| [header] S:\SP5HR\LEGCNSL\XYWRITE\COMMS\COPYRITE.5A
| [footer] August 6, 2001 (10:37 a.m.)
| 
| 
| 			[STAFF WORKING DRAFT]
| 			    AUGUST 6, 2001
| 
|     107TH CONGRESS
|     1ST SESSION 	
|     
| 			S.            
| 
| 
|     To provide for private sector development of workable security
|     systems standards and a certification protocol that could be
|     implemented and enforced by Federal regulation, and for other
|     purposes.
| 
| 		----------------------------------------
| 
| IN THE SENATE OF THE UNITED STATES
| SEPTEMBER   , 2001
| 
| Mr. HOLLINGS (for himself and Mr. STEVENS) introduced the following bill
| which was read twice and referred to the Committee on                  .
| 
| 		----------------------------------------
| 
| 
| 			    A BILL
| 
| 
|     To provide for private sector development of workable security
|     system standards and a certification protocol that could be
|     implemented and enforced by Federal regulations, and for other
|     purposes.

E.g.:  the US Government is going into the business of specifying and
enforcing security standards.

|     Be it enacted by the Senate and House of Representatives of the
|     United States of America in Congress assembled,
| 
| 
| 
| SECTION 1.  SHORT TITLE:  TABLE OF SECTIONS.
| 
|     (a) SHORT TITLE. -- This Act may be cited as the "Security Systems
|     Standards and Certification Act".
| 
|     (b)  TABLE OF SECTIONS. -- The table of sections for this Act is as
|     follows:
| 
| 	Sec 1.  Short title, table of sections.
| 	Sec 2.  Findings.
| 
| 		    TITLE 1 -- SECURITY SYSTEM STANDARDS AND CERTIFICATION
| 
| 	Sec 101.  Prohibition of certain devices.
| 	Sec 102.  Preservation of the integrity of security.
| 	Sec 103.  Prohibited acts.
| 	Sec 104.  Adoption of security system standards.
| 	Sec 105.  Certification of technologies.
| 	Sec 106.  Federal Advisory Committee Committee Act Exemption.
| 	Sec 107.  Antitrust Exemption.
| 	Sec 108.  Enforcement.
| 	Sec 109.  Definitions.
| 	Sec 110.  Effective date.
| 
| 		    TITLE II -- INTERNET SECURITY INITIATIVES
| 
| 	Sec 201.  Findings.
| 	Sec 202.  Computer Security Partnership Counsel.
| 	Sec 203.  Research and development.
| 	Sec 204.  Computer security training programs.
| 	Sec 205.  Government Information Security Standards.
| 	Sec 206.  Recognition of quality in computer security practices.
| 	Sec 207.  Development of automated privacy controls.
| 
| 
| 
| Sec 2.  Findings.
| 
| 			(TO BE SUPPLIED)

Note that the justifications for this act have yet to be enumerated.
"It's good for you, we'll die without it, it will bring forth a Grand
New Age of Prosperity For All".

Why am I not convinced?

Watch this space.


| 		    TITLE 1 -- SECURITY SYSTEM 
| 			    STANDARDS 
| 
| Sec. 101.  PROHIBITION OF CERTAIN DEVICES.
| 
|     (a) IN GENERAL -- It is unlawful to manufacture, import, offer to
|     the public, provide or otherwise traffic in any interactive digital
|     device that does not include and utilize certified security
|     technologies that adhere to the security system standards adopted
|     under section 104.

As this is written and terms defined, it effectively outlaws free
software.  It violates the terms of the GNU GPL, and the definitions of
FSF Free Software and OSI Open Source.

"Offer to the public" and "provider or otherwise traffic in" would apply
to common modes of distribution of free software.  As defined in 109,
"interactive digital device" includes "software".

GNU GPL v2, Section 7 (emphasis added):

    7. If, as a consequence of a court judgment or allegation of patent
    infringement OR FOR ANY OTHER REASON (not limited to patent issues),
    conditions are imposed on you (whether by court order, agreement or
    otherwise) that contradict the conditions of this License, they do
    not excuse you from the conditions of this License.  If you cannot
    distribute so as to satisfy simultaneously your obligations under 
    this License and any other pertinent obligations, then as a
    consequence you may not distribute the Program at all.

OSI Open Source Definition 6:  No Discrimination Against Fields of
Endeavor:

    http://www.opensource.org/docs/definition.html

    The license must not restrict anyone from making use of the program
    in a specific field of endeavor.  For example, it may not restrict
    the program from being used in a business, or from being used for
    genetic research.                         

Note that the safty/security aspects of this measure can be accomplished
by legislating effects (liability for security compromise) rather than
means (software/hardware).  At far less impact on civil liberties, I
might add, but the Estimable Senators of SC and AK clearly don't care.

|     (b) EXCEPTION -- Subsection (a) does not apply to the offer for sale
|     or provision of, or other trafficking in, any previously-owned
|     interactive digital device, if such device was legally manufactured
|     or imported, and sold, prior to the effective date of regulations
|     adopted under section 104 and not subsequently modified in violation
|     of subsection (a) or 103(a)

This effectively prohibits free modification of free software.

| 
| 
| Sec. 102.  PRESERVATION OF THE INTEGRITY OF SECURITY.
| 
|     An interactive computer service shall store and transmit with
|     integrity and security measures associated with certified security
|     technologies that is used in connection with copyrighted material or
|     other protected content such service transmits or stores.

This effectively mandates security levels, practices, and procedures to
be used by any binary device.  See definitions section 109 below.

| 
| Sec. 103.  PROHIBITED ACTS.
| 
|     (a) REMOVAL OR ALTERATIONS OF SECURITY. -- No person may--
| 
| 	(1) remove or alter any certified security technology in an
| 	interactive digital device; or
| 
| 	(2) transmit or make available to the public any copyrighted
| 	material or other protected content where the security measure
| 	associated with a certified technology has been removed or
| 	altered.

I'd be repeating myself.  Outlaws/restricts free software, modification
of, and/or distribution of.

|     (b)  PERSONAL TIME-SHIFTING COPIES CANNOT BE BLOCKED. -- No person
|     may apply a security measure that uses a certified security
|     technology to prevent a lawful recipient from making a personal copy
|     for time-shifting purposes of programming at the time it is
|     lawfully performed on an over-the-air broadcast, non-premium cable
|     channel, or non-premium satellite channel, by a television broadcast
|     station (as defined in section 122(j)(5)(A) of title 17, United
|     States Code), a cable system (as defined in section 111(f) of such
|     title), or a satellite carrier (as defined in section 119(d)(6) of
|     such title).

Interesting.

We're going to shit on the IT sector and free software.  But we're not
going to disturb the masses who want to tape the football game, last
night's WWF (too drunk to watch), or the afternoon's episode of As the
World Churns (economy's in the tank, Mom's got to work).

| 
| 
| Sec. 104.  ADOPTION OF SECURITY SYSTEM STANDARDS.
| 
|     (a) CRITERIA. -- In achieving the goals of setting standards that
|     will provide effective security for content and certifying as many
|     conforming technologies as possible to develop a competitive and
|     innovative marketplace, the following criteria shall be applied to
|     the development of security system standards and certified security
|     technologies:
| 
| 	(1) Reliability.
| 	(2) Renewability.
| 	(3) Resistance to attack.
| 	(4) Base of implementation.
| 	(5) Modularity.
| 	(6) Applicability to multiple technology platforms.

Estimable goals, but why not allow these to emerge otherwise?

|     (b) PRIVATE SECTOR EFFORTS. --
| 
| 	(1) IN GENERAL. -- The Secretary shall make a determination,
| 	not more than 12 months after the date of enactment of this Act,
| 	as to whether --
| 
| 	    (A) representatives of interactive digital device
| 	    manufacturers and representatives of copyright owners have
| 	    reached agreement on security system standards for use in
| 	    interactive digital devices; and
| 
| 	    (B) the standards meet the criteria in subsection (a).

Security standards are to be established by executive fiat.

| 	(2) EXTENSION OF 12-MONTH PERIOD. -- The Secretary may, for good
| 	cause shown, extend the 12-month period in paragraph (1) for a
| 	period of not more than 6 months if the Secretary determines
| 	that --
| 
| 	    (A) substantial progress has been made by those
| 	    representatives toward development of security system
| 	    standards that will meet those criteria;
| 
| 	    (B) those representatives are continuing to negotiate in
| 	    good faith; and
| 
| 	    (C) there is a reasonable expectation that final agreement
| 	    will be reached by those representatives before the
| 	    expiration of the extended period of time.

We'll allow corporate collusion for a reasonable amount of time, and
then some.

|     (c)  AFFIRMATIVE DETERMINATION. -- If the Secretary makes a
|     determination under subsection(b)(1) that an agreement on security
|     system standards that meet the criteria in subsection (a) has been
|     reached by these representatives, then the Secretary shall --
| 
| 	(1) initiate a rulemaking within 30 days after the date on which
| 	the determination is made to adopt these standards; and
| 
| 	(2) publish a final rule pursuant to that rulemaking not later
| 	than 90 days after initiating the rulemaking that will take
| 	effect 1 year after its publication.
| 
|     (d) NEGATIVE DETERMINATION. -- If the Secretary makes a determination
|     under subsection (b)(1) that an agreement on security system
|     standards that meet the criteria in subsection (a) has not been
|     reached by those representatives, then the Secretary --
| 
| 	(1) in consultation with the representatives described in
| 	subsection (b)(1)(A), the National Institute of Standards and
| 	Technology and the Register of Copyrights, shall initiate a
| 	rulemaking within 30 days after the date on which the
| 	determination is made to adopt security system standards that
| 	meet those criteria to provide effective security for
| 	copyrighted material and other protected content; and
| 
| 	(2) publish a final rule pursuant to that rulemaking not later
| 	than 1 year after initiating the rulemaking that will take
| 	effect 1 year after its publication.

If corporate collusion doesn't work, government mandate shall establish
the standard.

|     (e)  MEANS OF IMPLEMENTING STANDARDS. -- The security system
|     standards adopted under subsection (c) or (d) shall provide for
|     secure technical means of implementing directions of copyright
|     owners, for copyrighted material, and rights holders, for other
|     protected content with regard to the reproduction, performances,
|     display, storage, and transmission of such material or content.

For all this bill refers to security, it's really the Copyright Robber
Barron's Evisceration of the Public Rights Act of 2001.  There's no
concern for the typical issues of system security, and no effective
protection given in any event.  System security cannot be legislated, it
has to be designed into the system, and afforded by competent
administration.

Bruce Schneier:  Security is not a product.  Security is not a state.
Security is a process.

Let's disabuse ourselves of the shibboleth of "security" in this act.
It is *not* about computer security.  It's about security to eviscerate
the public of its rights, by Disney, et al (see Holling's campaign
contributions list, posted by McCullaugh).

|     (f)  SUBSEQUENT MODIFICATION; NEW STANDARDS. -- The Secretary may
|     conduct subsequent rulemakings to modify any standards established
|     under subsection (c) or (d) or adopt new security system standards
|     that meet the criteria in subsection (a).  In conducting any such
|     subsequent rulemaking, the Secretary shall consult with
|     representatives of interactive digital device manufacturers,
|     representatives of copyright owners, the National Institute of
|     Standards and Technology, and the Register of Copyrights.  Any final
|     rule published in subs a subsequent rulemaking shall --

If we didn't bend you over hard enough the first time, we'll come around
and do it again.

| 	(1) apply prospectively only; and

But not retrospectively.  Thank us for this profusely, please.  Your
gratitude will be rewarded in future Robber Barron Power Extension Acts.

| 	(2) take into consideration the effect of adoption of the
| 	modified or new security system standards on consumers' ability
| 	to utilize interactive digital devices manufactured before the
| 	modified or new standards take effect.  

We wouldn't want the hoi polloi complaining to Congress, now would we?
That might make our (Hollings, Stephens) live hard.

| 
| 
| Sec. 105.  CERTIFICATION OF TECHNOLOGIES.
| 
|     The Secretary shall certify technologies that adhere to the security
|     system standards adopted under section 104.  The Secretary shall
|     certify only those conforming technologies that are available for
|     licensing on reasonable and nondiscriminatory terms.

Note on "reasonable and nondiscriminatory".

This is a standard term used in establishing standards.  It means that
the terms used to license any patents shall be equivalent, and
sufficiently non-avaricious that a typical commercial participant won't
be precluded from using the technology.

The problem is that it's a non-starter for free software.  RF (royalty
free) terms for standards must be specified for standards to be
utilizeable by free software.  In a world in which free software is a
significant player, non-RF standards won't be readily adopted.  This Act
largely precludes FS being a significant player.

| 
| 
| Sec. 106.  FEDERAL ADVISORY COMMITTEE COMMITTEE ACT EXEMPTION.
| 
|     The Federal Advisory Committee Act (5 U.S.C. Ap.) does not apply to
|     any committee, board, commission, council, conference, panel, task
|     force, or other similar group of representatives of interactive
|     digital devices and representatives of copyright owners convened
|     for the purpose of developing the security system standards
|     described in section 104.

No sunshine.

5 USC Appendix dictates that all meetings, hearings, etc., that concern
the making of public policy be open to public participation and/or
viewing.

Specifically, 5 USC 522b holds:

    http://www4.law.cornell.edu/uscode/5/552b.text.html

    (a)(1) the term ''agency'' means any agency, as defined in section
    552(e) [1] of this title, headed by a collegial body composed of two
    or more individual members, a majority of whom are appointed to such
    position by the President with the advice and consent of the Senate,
    and any subdivision thereof authorized to act on behalf of the
    agency;

    <...>
    

    (b) Members shall not jointly conduct or dispose of agency business
    other than in accordance with this section. Except as provided in
    subsection (c), every portion of every meeting of an agency shall be
    open to public observation.


    (f)
	(1) For every meeting closed pursuant to paragraphs
	(1) through (10) of subsection (c), the General Counsel or chief
	legal officer of the agency shall publicly certify that, in his or
	her opinion, the meeting may be closed to the public and shall
	state each relevant exemptive provision. <...>

	(2) The agency shall make promptly available to the public, in a
	place easily accessible to the public, the transcript,
	electronic recording, or minutes (as required by paragraph (1))
	of the discussion of any item on the agenda, or of any item of
	the testimony of any witness received at the meeting, except for
	such item or items of such discussion or testimony as the agency
	determines to contain information which may be withheld under
	subsection (c). Copies of such transcript, or minutes, or a
	transcription of such recording disclosing the identity of each
	speaker, shall be furnished to any person at the actual cost of
	duplication or transcription. The agency shall maintain a
	complete verbatim copy of the transcript, a complete copy of the
	minutes, or a complete electronic recording of each meeting, or
	portion of a meeting, closed to the public, for a period of at
	least two years after such meeting, or until one year after the
	conclusion of any agency proceeding with respect to which the
	meeting or portion was held, whichever occurs later.

All waived.

| 
| Sec. 107.  ANTITRUST EXEMPTION.
| 
|     (a)  IN GENERAL. -- Any person described in section 104(b)(1)(A) may
|     file with the Secretary of Commerce a request for authority for a
|     group of 2 or more such persons to meet and enter into discussions,
|     if the sole purpose of the discussions is to discuss the development
|     of security system standards under section 104.  The Secretary shall
|     grant or deny the request within 10 days after it is received.

Permission for industrial collusion is granted on request.

|     (b)  PROCEDURE. -- The Secretary shall establish procedures within
|     30 days after the date of enactment of this Act for filing requests
|     for an authorization under subsection (a).
| 
|     (c)  EXEMPTION AUTHORIZED. -- When the Secretary fiends that it is
|     required by the public interest, the Secretary shall exempt a person
|     participating in a meeting or discussion described in subsection (a)
|     from the antitrust laws to the extent necessary to allow the person
|     to proceed with the activities approved in the order.

Antitrust provisions are waived.

The above gives full rein to groups such as the CPRM to operate in
secrecy, without accountability, and with no public oversite, despite
the impacts their actions will have on hundreds of millions of
Americans, and by extension, the billions of inhabitants of this planet.

|     (d)  ANTITRUST LAWS DEFINED. -- In this section, the term "antitrust
|     laws" has the meaning given that term in the first section of the
|     Clayton Act (15 U.S.C. 12).
| 
| 
| 
| Sec. 108.  ENFORCEMENT.
| 
|     The provisions of section 1203 and 1204 of title 17, United States
|     Code, shall apply to any violation of this title as if --
| 
| 	(1) a violation of section 101 or 103(a)(1) of this Act were a
| 	violation of section 1201 of title 17, United States Code; and
| 
| 	(2) a violation of section 102 or section 103(a)(2) of this Act
| 	were a violation of section 1202 of that title.

You remember that outrageous shit we slipped by you in the DMCA?
Bend over, here it comes again.

| 
| 
| Sec. 109.  DEFINITIONS.
| 
|     In this title:
| 
| 	(1) CERTIFIED SECURITY TECHNOLOGY. -- The term "certified
| 	security technology" means a security technology certified by the
| 	Secretary of Commerce under section 105.

We say what's safe.  You'll believe us.  You have no choice.

| 	(2) INTERACTIVE COMPUTER SERVICE. -- The term "interactive
| 	computer service" has the meaning given that term in section
| 	230(f) of the Communications Act of 1984 (47 U.S.C 230(f)).

Viz:

    http://www4.law.cornell.edu/uscode/47/230.text.html 

    The term ''interactive computer service'' means any information
    service, system, or access software provider that provides or
    enables computer access by multiple users to a computer server,
    including specifically a service or system that provides access to
    the Internet and such systems operated or services offered by
    libraries or educational institutions.


| 
| 	(3)  INTERACTIVE DIGITAL DEVICE. --  The term "interactive
| 	digital device" means any machine, device, product, software, or
| 	technology, whether or not included with or as a part of some
| 	other machine, device, product, software, or technology, that is
| 	designed, marketed or used for the primary purpose of, and that
| 	is capable of, storing, retrieving, processing, performing,
| 	transmitting, receiving, or copying information in digital form.

Eg, anything that slings bits.  Including your PC, laptop, handheld,
cell phone, and, incidentally, Linux and all other free software.

| 	(4) SECRETARY. -- The term "Secretary" means the Secretary of
| 	Commerce.

Seig Heil!

| 
| 
| Sec. 110.  EFFECTIVE DATE.
| 
|     This title shall take effect on the date of enactment of this Act,
|     except that sections 101, 102, and 103 shall take effect on the day
|     on which the final rule published under section 104(c) or (d) takes
|     effect.
| 
| 
| 	    TITLE II -- INTERNET SECURITY INITIATIVES
| 
| 
| 
| Sec. 201.  FINDINGS.
| 
|     The Congress finds the following:
| 
| 	(1) Good computer security practices are an underpinning of any
| 	privacy protection.  The operator of a computer system should
| 	protect the system from unauthorized use and secure any sensitive
| 	information.

...and Mom and apple pie...

| 	(2) The Federal Government should be a role model in securing
| 	its computer systems and should ensure the protection of
| 	sensitive information controlled by Federal agencies.

...and, press notwithstanding, the Governement tends to do a relatively
decent job.  I didn't say perfect, or even admirable.  I said relatively
decent.  This is in large part due to the fact that it's easier to
publicize problems involving Government sites than those effecting
commercial ones.  Sunshine is good.

| 	(3) The National Institute of Standards and Technology has the
| 	responsibility for developing standards and guidelines needed to
| 	ensure the cost-effective security and privacy of sensitive
| 	information in Federal computer systems.

...but there are many other means of establishing standards, including,
as an example, the IETF.

| 	(4) This Nation faces a shortage of trained, qualified
| 	information technology workers, including computer security
| 	professionals.  As the demand for information technology workers
| 	grows, the Federal government will have an increasingly
| 	difficult time attracting such workers into the Federal
| 	workforce.

It does?  [Hollings:  Memo to Self:  must rewrite draft to reflect
current economic conditions.  Naw, everyone's eyes will be sufficiently
glazed over at this point they'll never notice].

But the finding does point to the fact that you've got to pay people
commensurate with the responsibilities of their work.  H1-B or no H1-B.

| 	(5) Some commercial off-the-shelf hardware and off-the-shelf
| 	software components to protect computer systems are widely
| 	available.  There is still a need for long-term computer
| 	security research, particularly in the area of infrastructure
| 	protection.

...many of which are, in fact, free...and will be adversely effected by
the proposed legislation.

| 	(6) The Nation's information infrastructures are owned, for the
| 	most part, by the private sector, and partnerships and
| 	cooperation will be needed for the security of these
| 	infrastructures.
| 
| 	(7) There is little financial incentive for private companies to
| 	enhance the security of the Internet and other infrastructures
| 	as a whole.  The Federal government will need to make
| 	investments in this area to address issues and concerns not
| 	addressed by the private sector.
| 
| 
| 
| Sec. 202.  COMPUTER SECURITY PARTNERSHIP COUNSEL.

In which The Cabal is formed.

One wonders if they too will have black cats?

|     (a) ESTABLISHMENT. -- The Secretary of Commerce, in consultation
|     with the Presidents Information Technology Advisory Committee
|     established by Executive Order No. 13035 of February 11, 1997 (62
|     F.R. 7281), shall establish a 25-member Computer Security
|     Partnership Council the membership of which shall be drawn from
|     Federal, State, and local governments, universities, and businesses.
| 
|     (b) PURPOSE. -- The purpose of the Council is to collect and share
|     information about, and to increase public awareness of, information
|     security practices and programs, threats to information security,
|     and responses to those threats.
| 
|     (c) STUDY. -- Within 12 months after the date of enactment of this
|     Act, the Council shall publish a report which evaluates and
|     describes areas of computer security research and development that
|     are not adequately developed or funded.
| 
| 
| 
| Sec. 203.  RESEARCH AND DEVELOPMENT.
| 
|     Section 20 of The National Institute of Standards and Technology Act
|     (15 U.S.C. 278g-3) is amended --
| 
| 	    (1) by redesignating subsections (c) and (d) as subsections
| 	    (d) and (e), respectively; and
| 
| 	    (2) by inserting after subsection (b) the following:
| 
| 		"(c) RESEARCH AND DEVELOPMENT OF PROTECTION
| 		TECHNOLOGIES. --
| 
| 		    "(1) IN GENERAL. -- The Institute shall establish a
| 		    program at The National Institute of Standards and
| 		    Technology to conduct, or to fund the conduct of,
| 		    research and development of technology and
| 		    techniques to provide security for advanced
| 		    communications and computing systems and networks
| 		    including the Next Generation Internet, the
| 		    underlying structure of the Internet, and networked
| 		    computers.
| 
| 		    "(2) PURPOSE. -- A purpose of the program
| 		    established under paragraph(1) is to address issues
| 		    or problems that are not addressed by market-driven,
| 		    private sector information security research.  This
| 		    may include research --
| 
| 			"(A) to identify internet security problems
| 			which are not adequately addressed by current
| 			security technologies;
| 
| 			"(B) to develop interactive tools to analyze
| 			security risks in an easy-to-understand manner;
| 
| 			"(C) to enhance the security and reliability of
| 			the underlying Internet infrastructure while
| 			minimizing other operational impacts such as
| 			speed; and
| 
| 			"(D) to allow networks to become self-healing
| 			and provide for better analysis of the state of
| 			Internet and infrastructure operations and
| 			security.
| 
| 		    "(3) MATCHING GRANTS. -- A grant awarded by the
| 		    Institute under the program established under
| 		    paragraph (1) to a commercial enterprise may not
| 		    exceed 50 percent of the cost of the project to be
| 		    funded by the grant.
| 
| 		    "(4) AUTHORIZATION OF APPROPRIATIONS. -- There are
| 		    authorized to be appropriated to the Institute to
| 		    carry out this subsection --
| 
| 			"(A) $50,000,000 for fiscal year 2001;
| 			"(B) $60,000,000 for fiscal year 2002;
| 			"(C) $70,000,000 for fiscal year 2003;
| 			"(D) $80,000,000 for fiscal year 2004;
| 			"(E) $90,000,000 for fiscal year 2005; and
| 			"(F) $100,000,000 for fiscal year 2006;"
| 
| 
| 
| 
| Sec. 204.  COMPUTER SECURITY TRAINING PROGRAMS.
| 
|     (a)  IN GENERAL. -- The Secretary of Commerce, in consultation with
|     appropriate Federal agencies, shall establish a program to support
|     the training of individuals in computer security, Internet security,
|     and related fields at institutions of higher education located in
|     the United States.
| 
|     (b)  SUPPORT AUTHORIZED. -- Under the program established under
|     subsection (a), the Secretary may provide scholarships, loans, and
|     other forms of financial aid to students at institutions of higher
|     education.  The Secretary shall require a recipient of a scholarship
|     under this program to provide a reasonable period of service as an
|     employee of the United States government after graduation as a
|     condition of the scholarship, and may authorize full or partial
|     forgiveness of indebtedness for loans made under this program in
|     exchange for periods of employment by the United Sates government.
| 
|     (c)  AUTHORIZATION OF APPROPRIATENESS. -- There are authorized to be
|     appropriated to the Secretary such sums as may be necessary to carry
|     out this section --
| 
| 	(A) $15,000,000 for fiscal year 2001;
| 	(A) $17,000,000 for fiscal year 2002;
| 	(A) $20,000,000 for fiscal year 2003;
| 	(A) $25,000,000 for fiscal year 2004;
| 	(A) $30,000,000 for fiscal year 2005; and
| 	(A) $35,000,000 for fiscal year 2006;
| 
| 
| 
| Sec. 205.  GOVERNMENT INFORMATION SECURITY STANDARDS.
| 
|     (a)  IN GENERAL. -- Section 20(b) of The National Institute of
|     Standards and Technology Act (15 U.S.C. 278g-3(b)) is amended --
| 
| 	(1) by striking "and" after the semicolon in paragraph (4);
| 
| 	(2) by redesignating paragraph (5) as paragraph (6); and
| 
| 	(3) by inserting after paragraph (4) the following;
| 
| 	    "(5) to provide guidance and assistance to Federal agencies
| 	    in the protection of interconnected computer systems and to
| 	    coordinate Federal response efforts related to unauthorized
| 	    access to Federal computer systems; and".
| 
|     (b)  FEDERAL COMPUTER SYSTEM SECURITY TRAINING. -- Section 5(b) of
|     the Computer Security Act of 1987 (49 U.S.C. 759 note) is amended --
| 
| 	(1) by striking "and" at the end of paragraph (1);
| 
| 	(2) by striking the period at the end of paragraph (2) and
| 	inserting in lieu thereof "; and"; and
| 
| 	(3) by adding at the end of the following new paragraph;
| 
| 	    "(3) to include emphasis on protecting the availability of
| 	    Federal electronic citizen services and protecting sensitive
| 	    information in Federal databases and Federal computer sites
| 	    that are accessible through public networks.".
| 
| 
| 
| Sec. 206.  RECOGNITION OF QUALITY IN COMPUTER SECURITY PRACTICES.
| 
|     Section 20 of The National Institute of Standards and Technology Act
|     (15 U.S.C. 279g-3), as amended by section 203, is further amended --
| 
| 	(1) by redesignating subsections (d) and (e) as subsections (e)
| 	and (f), respectively; and
| 
| 	(2) by inserting after subsection (c), the following;
| 
| 	    "(d) AWARD PROGRAM. -- The Institute may establish a program
| 	    for the recognition of excellence in Federal computer system
| 	    security practices, including the development of a goal,
| 	    symbol, mark, or logo that could be displayed on the website
| 	    maintained by the operator of such a system recognized under
| 	    the program.  In order to be recognized under the program,
| 	    the operator --
| 
| 		"(1) shall have implemented exemplary processes for the
| 		protection of its systems and the information stored on
| 		that system;
| 
| 		"(2) shall have met any standard established under
| 		subsection (a);
| 
| 		"(3) shall have a process in place for updating the
| 		system security procedures; and
| 
| 		"(4) shall meet such other criteria as the Institute ma
| 		require.".
| 
| 
| 
| Sec. 207.  DEVELOPMENT OF AUTOMATED PRIVACY CONTROLS.
| 
| 
|     Section 20 of The National Institute of Standards and Technology Act
|     (15 U.S.C. 278g-3), as amended by section 206, is further amended --
| 
| 	(1) by redesignating subsection (f) as subsection (g); and
| 
| 	(2) by inserting after subsection (e) the following:
| 
| 	    "(f) DEVELOPMENT OF INTERNET PRIVACY PROGRAM. -- The
| 	    Institute shall encourage and support the development of one
| 	    or more computer programs, protocols, or other software,
| 	    such as the World Wide Web Consortium's P3P program, capable
| 	    of being installed on computers, or computer networks, with
| 	    Internet access that would reflect the user's preferences
| 	    for protecting personally-identifiable or other sensitive,
| 	    privacy-related information, and automatically executes the
| 	    program, once activated, without requiring user
| 	    intervention.".

-- 
Karsten M. Self <kmself@ix.netcom.com>          http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?             There is no K5 cabal
  http://gestalt-system.sourceforge.net/               http://www.kuro5hin.org
   Free Dmitry! Boycott Adobe! Repeal the DMCA!    http://www.freesklyarov.org
Geek for Hire                        http://kmself.home.netcom.com/resume.html



["application/pgp-signature" not shown]