Bill Overview
Title: Building Cyber Resilience After SolarWinds Act of 2022
Description: This bill requires evaluations of the impact of the SolarWinds cyber incident and the activities of the Cyber Safety Review Board. Specifically, the bill directs the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security to evaluate and report to Congress on the impact of the SolarWinds cyber incident on information systems owned and operated by federal departments and agencies and other critical infrastructure. Additionally, the Government Accountability Office must evaluate the activities of the Cyber Safety Review Board and assess whether the board has the authorities, resources, and expertise necessary to carry out its mission of reviewing and assessing significant cyber incidents.
Sponsors: Rep. Torres, Ritchie [D-NY-15]
Target Audience
Population: Global Information System Users
Estimated Size: 331000000
- The bill focuses on cybersecurity incidents affecting federal departments and agencies, making government employees a key impacted group.
- It also affects private sector entities and contractors that manage IT and infrastructure for government agencies, as their operations and security protocols may require adjustment based on evaluations.
- The bill indirectly influences the general public whose data might be stored on or processed by these federal systems, potentially affecting privacy and security.
- Cybersecurity professionals will be impacted as the need for assessments could lead to an increased demand for their expertise.
- The resilience of critical infrastructure, which impacts nearly everyone in society, means that the broader population can be affected by improvements made in response to the bill's requirements.
Reasoning
- The Building Cyber Resilience After SolarWinds Act primarily impacts government employees, contractors, and private sector companies working with government IT systems, as well as the general public indirectly through data security impacts. Given these groups, I selected a range of individuals representing different segments of these populations.
- Government employees expect direct benefits from increased cybersecurity, which will impact their work environment and operations. This could moderately improve their wellbeing due to increased job security and reduced risk of data breaches.
- Private sector cybersecurity professionals may see increased demand for their services, potentially improving their job satisfaction and financial wellbeing.
- General public members could feel more secure regarding their personal data if the policy succeeds in enhancing cyber resilience, although the effect on wellbeing might be moderate due to the indirect nature of the impact.
- The general assumption is that the policy's budget is sufficient to address the main vulnerabilities identified in the SolarWinds incident, covering evaluations across most impacted departments initially and over a decade.
Simulated Interviews
Federal Government IT Specialist (Washington, D.C.)
Age: 30 | Gender: male
Wellbeing Before Policy: 6
Duration of Impact: 10.0 years
Commonness: 5/20
Statement of Opinion:
- I think this bill is crucial because it highlights the importance of cybersecurity in government operations.
- With the evaluations, we might receive more focused resources to prevent future incidents.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 6 |
| Year 2 | 7 | 5 |
| Year 3 | 7 | 5 |
| Year 5 | 8 | 5 |
| Year 10 | 8 | 4 |
| Year 20 | 8 | 4 |
Private IT contractor (New York, NY)
Age: 45 | Gender: female
Wellbeing Before Policy: 7
Duration of Impact: 5.0 years
Commonness: 10/20
Statement of Opinion:
- This bill could lead to more business for my company, which is positive.
- However, it adds complexity as we need to adjust protocols based on the evaluations.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 7 |
| Year 2 | 8 | 6 |
| Year 3 | 8 | 6 |
| Year 5 | 7 | 5 |
| Year 10 | 7 | 5 |
| Year 20 | 6 | 4 |
Infrastructure Security Consultant (Ohio)
Age: 50 | Gender: male
Wellbeing Before Policy: 5
Duration of Impact: 3.0 years
Commonness: 7/20
Statement of Opinion:
- Increased focus on cybersecurity is beneficial, but I'm concerned about potential regulatory burdens.
- The evaluations might make compliance more stringent, influencing workload.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 5 |
| Year 2 | 6 | 5 |
| Year 3 | 6 | 5 |
| Year 5 | 6 | 4 |
| Year 10 | 5 | 4 |
| Year 20 | 5 | 3 |
Data Privacy Advocate (California)
Age: 35 | Gender: female
Wellbeing Before Policy: 8
Duration of Impact: 5.0 years
Commonness: 8/20
Statement of Opinion:
- I'm hopeful that this bill will enhance federal data security and, by extension, public privacy.
- However, the transparency of the process will be key to its success.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 8 |
| Year 2 | 9 | 7 |
| Year 3 | 9 | 7 |
| Year 5 | 9 | 7 |
| Year 10 | 9 | 6 |
| Year 20 | 8 | 5 |
Cybersecurity Student (Texas)
Age: 25 | Gender: other
Wellbeing Before Policy: 6
Duration of Impact: 4.0 years
Commonness: 12/20
Statement of Opinion:
- It's encouraging to see legislation focusing on cybersecurity issues.
- This could lead to more internship and job opportunities for students like myself.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 6 |
| Year 2 | 8 | 6 |
| Year 3 | 8 | 6 |
| Year 5 | 8 | 5 |
| Year 10 | 7 | 5 |
| Year 20 | 7 | 4 |
Retired Government Employee (Virginia)
Age: 60 | Gender: female
Wellbeing Before Policy: 6
Duration of Impact: 3.0 years
Commonness: 15/20
Statement of Opinion:
- While I no longer work in IT, I appreciate efforts to protect government data.
- I hope this helps prevent incidents similar to SolarWinds in the future.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 6 |
| Year 2 | 6 | 6 |
| Year 3 | 7 | 6 |
| Year 5 | 7 | 5 |
| Year 10 | 7 | 5 |
| Year 20 | 6 | 5 |
Small Business Owner (Florida)
Age: 40 | Gender: male
Wellbeing Before Policy: 5
Duration of Impact: 2.0 years
Commonness: 12/20
Statement of Opinion:
- The policy seems focused on government systems, but downstream effects on security measures can help businesses like mine.
- I do worry about indirect costs resulting from new compliance standards.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 5 | 5 |
| Year 2 | 6 | 4 |
| Year 3 | 6 | 4 |
| Year 5 | 6 | 4 |
| Year 10 | 5 | 3 |
| Year 20 | 5 | 3 |
Software Developer (Colorado)
Age: 28 | Gender: female
Wellbeing Before Policy: 6
Duration of Impact: 4.0 years
Commonness: 10/20
Statement of Opinion:
- I'm optimistic that this policy could drive innovation in cybersecurity.
- It might increase the workload temporarily, but it's a good challenge.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 6 |
| Year 2 | 8 | 5 |
| Year 3 | 8 | 5 |
| Year 5 | 7 | 5 |
| Year 10 | 7 | 4 |
| Year 20 | 6 | 4 |
Public School Administrator (Illinois)
Age: 52 | Gender: male
Wellbeing Before Policy: 5
Duration of Impact: 3.0 years
Commonness: 14/20
Statement of Opinion:
- Ensuring the security of student data is a priority.
- This policy might eventually lead to updated guidelines that can benefit educational institutions.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 5 | 5 |
| Year 2 | 5 | 4 |
| Year 3 | 5 | 4 |
| Year 5 | 5 | 4 |
| Year 10 | 6 | 4 |
| Year 20 | 6 | 4 |
Healthcare IT Manager (Georgia)
Age: 33 | Gender: female
Wellbeing Before Policy: 6
Duration of Impact: 5.0 years
Commonness: 9/20
Statement of Opinion:
- This bill stresses the importance of protecting information systems and could influence healthcare IT standards.
- We're always looking for ways to enhance our security posture.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 6 |
| Year 2 | 7 | 5 |
| Year 3 | 7 | 5 |
| Year 5 | 8 | 5 |
| Year 10 | 8 | 5 |
| Year 20 | 7 | 4 |
Cost Estimates
Year 1: $500000000 (Low: $450000000, High: $600000000)
Year 2: $480000000 (Low: $420000000, High: $550000000)
Year 3: $470000000 (Low: $400000000, High: $530000000)
Year 5: $460000000 (Low: $390000000, High: $500000000)
Year 10: $500000000 (Low: $400000000, High: $600000000)
Year 100: $0 (Low: $0, High: $0)
Key Considerations
- The significant cost associated with building cybersecurity resilience is necessary to prevent more costly cyber incidents in the future.
- Coordination across multiple agencies may present logistical challenges that can affect the timing and total cost.
- Evaluations must be thorough to ensure meaningful improvements in cyber resilience.
- While upfront costs are significant, the long-term savings from preventing cyber incidents could outweigh these costs.