Measure to regularize funding for five-university consortium including Norwich works way through Congress
A bill the U.S. Senate passed late last month could put Norwich University and the rest of a national cybersecurity consortium closer to receiving consistent annual federal contracts for developing a national cybersecurity training program for governments and private industry.
On Nov. 22, the Senate, by unanimous consent, passed Senate Bill 333, the National Cybersecurity Preparedness Consortium Act of 2019. U.S. Sens. Patrick Leahy, D-Vt., and John Cornyn and Ted Cruz, R-Texas, introduced the bill Feb. 5. (Cornyn had introduced a version of the bill in 2017 that died in committee).
SB 333 was referred Dec. 4 to the House Committee on Homeland Security for further review. The bill would have to pass in the House of Representatives and get President Donald Trump’s signature to become law.
“Norwich University has methodically built expertise and national recognition as a national center in the crucial field of cybersecurity training to counter these growing threats.”U.S. Sen Patrick Leahy, D-Vt.
SB 333 would let the consortium, a cooperative of five universities with strong cybersecurity focuses — Norwich, Texas A&M Engineering Extension Service, the University of Arkansas, the University of Memphis, and the University of Texas, San Antonio — work with the Homeland Security Department to develop multiyear plans to improve cyberreadiness. The five universities formed the consortium in 2004.
In a Nov. 22 statement, Leahy’s office said the bill authorizes the consortium to:
- Train state and local first responders and officials.
- Conduct cybersecurity training and simulations for state and local governments and private industry.
- Help states and communities develop cybersecurity information sharing programs.
- Help incorporate cybersecurity risk and incident prevention and response into existing state and local emergency plans.
The senator also emphasized Norwich University’s role in training and educating not just students but also state governments and first responders in cybersecurity.
“Norwich University has methodically built expertise and national recognition as a national center in the crucial field of cybersecurity training to counter these growing threats,” Leahy said in his Nov. 22 statement. “Passage of our bill is a bipartisan victory in advancing these efforts to the next levels.
“I support the National Cybersecurity Preparedness Consortium because we know that cyberthreats become more manageable when state and local responders have quality training,” Leahy added. “Norwich will continue to take a leading role in making that happen.”
In a brief describing Senate Bill 333, the Congressional Budget Office said the Homeland Security Department has granted $13 million to consortium members since 2014 to deliver cybersecurity training and technical assistance to state and local governments. Forecasting no change in the average annual funding allocation, the office estimated implementing the law would yield $18 million in annual contracts through 2024.
If the House passes the bill, Trump could sign it into law. If he doesn’t sign it and Congress is in session, it would become law after 10 days; if he doesn’t sign and Congress is on recess, it’s considered a “pocket veto” and the bill would die. Trump could also veto the bill outright, which would also kill it.
Phil Susmann ’81, who leads the Norwich University Applied Research Institutes, said if SB 333 doesn’t become law by Dec. 31, 2020, the end of the congressional biennium, it will die, as similarly named measures introduced in 2018, 2017 and 2016 died.
In a late-November interview, Susmann said he was encouraged that SB 333 passed and said it offered hope that the measure could succeed at last. Because SB 333 is a slight technical tweak from a version of the bill, HR 4743 passed the House in 2016, Susmann said there’s a chance SB 333 might pass the House quickly, perhaps by simple voice vote.
But getting the bill on the House floor will require work, Susmann said, adding that he is talking continually with U.S. Rep. Peter Welch, D-Vt., to get the measure to the House floor.
Training for cyberpreparedness
On its website, the consortium said that since its 2004 formation, members have partnered with Homeland Security and the Federal Emergency Management Agency to develop online and in-person cybersecurity and cyberterrorism preparedness training for local jurisdictions, states, counties and national agencies.
The website said consortium members had trained 82,730 people in cybersecurity through September 2018. Norwich has received cybersecurity training grants since 2013 and issued the grant request on the consortium’s behalf in 2014 and 2017.
With funding year to year, Susmann said, the consortium has focused on addressing the pressing cybersecurity issue of the moment. This year, for example, Norwich and Texas A&M are creating an internet of things (IoT) cybersecurity training program that would address security for devices like relatively cheap and increasingly popular internet-enabled home camera networks and doorbell cameras. Left unsecured, these camera networks can be prime cyberhacker targets, Susmann said.
A hacker who compromised enough devices at once could use the collectively hijacked bandwidth to disrupt or deny key civic services, Susmann suggested. On March 5, as Wired magazine online reported, hackers used firewall vulnerabilities to cause periodic “blind spots” for Western United States electrical grid operators for about 10 hours.
Having SB 333 signed into law would have the Federal Emergency Management Agency allocate continuing grant money to the consortium that Susmann said could go toward creating an orderly national cybersecurity training program.
“Whether you’re in a big town or a small town, there’s just a lack of resources to become trained and respond and that’s holistically what we’ve been working on for 15 years,” Susmann said. “What signing this bill into law would do would change the conversation.”
Senator's continued support
Susmann said Leahy continued his longstanding support for Norwich’s cybersecurity programs by sponsoring SB 333.
“The most important part about the whole thing is the announcement from (Sen.) Leahy and the kind words that he gave us,” Susmann said.
Leahy’s office, in its statement, noted the senator has long championed Norwich’s position as a cybersecurity training leader. After the Sept. 11, 2001, terror attacks on New York and Washington, D.C., for example, Leahy, then the Senate Judiciary Committee chairman, introduced and secured passage of legislation to designate Norwich as a National Center for Counterterrorism and Cybercrime. The designation came with continued federal support and funding.
In 2002, Leahy sponsored legislation to federally charter the Norwich University Applied Research Institutes, which are partly funded by the Defense and Homeland Security departments. The institutes have a national center to address cyberincident management through research, training programs and technology development.
For more than a decade, the research institutes have been a global leader in developing cyberwar gaming, distributed learning technology, distributed simulation technology, critical infrastructure exercises, and cybersecurity curriculum.
Leahy earlier this year helped land three contracts totaling $7.3 million to support cybersecurity education and research at Norwich.
The contracts include:
- Army Energy Resilience contract, $499,000: Norwich University Applied Research Institutes and Center for Global Resilience and Security will work with U.S. Army Engineer Research and Development Center and Cold Regions Research and Engineering Laboratory to develop an energy-resilience research track to address cybersecurity issues.
- Reserve Forces Scholarship Program, $905,000: To fund education of National Guard and Reserve Forces through Norwich’s College of Continuing and Graduate Studies (CGCS) online programs in response and recovery of cybersecurity issues.
- DECIDE Energy Contract, $5.9 million: Funded by Homeland Security Department Science and Technology and supported by the U.S. Air Force. The grant will expand development of this simulation-based cyberexercise tool originally developed by Norwich University Applied Research Institutes to strengthen decision-making and communications that build a resilient energy sector prepared to respond to cybersecurity threats.
- Norwich University Regimental Band to perform at Carnegie Hall
- The road to ribbons
- Many happy returns (on investment)