Bill Overview
Title: Proactive Cyber Initiatives Act of 2022
Description: This bill addresses proactive cybersecurity initiatives. Specifically, each department or agency must (1) conduct regular penetration testing on the information systems of such department or agency; and (2) provide to the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget a report on the results of such testing, including identifying any risks discovered and describing how cybersecurity may be improved. CISA must issue guidance to facilitate the implementation of such requirements. Further, CISA must report to Congress, including an analysis of whether increased engagement is needed from national laboratories and the private sector to assist with the protection of the information systems of agencies through the use of active defense techniques, deception technologies, and penetration testing; the feasibility and benefits of consolidating within CISA proactive cybersecurity initiatives; and whether CISA requires additional authorities or resources to carry out proactive cybersecurity initiatives for agencies. The bill directs the Office of the National Cyber Director to deconflict overlapping cybersecurity jurisdiction between agencies. The Government Accountability Office must report to Congress on penetration testing and active defense techniques, and study innovative uses of proactive cybersecurity initiatives.
Sponsors: Rep. Swalwell, Eric [D-CA-15]
Target Audience
Population: Individuals whose data is managed by US federal agencies
Estimated Size: 300000000
- The bill focuses on federal departments and agencies, which employ a significant number of individuals in the United States.
- Cybersecurity improvements in federal institutions can prevent breaches that may affect government services used by millions of citizens.
- Enhancing cybersecurity across government agencies increases the personal data safety of all citizens whose data is stored or processed by these agencies.
- Federal cybersecurity initiatives may set standards for private sector cybersecurity, indirectly affecting employees and companies globally.
Reasoning
- Considering the wide-ranging impact of cybersecurity policies on both direct employees of federal agencies and the larger population who utilize federal services, there's a need to include both groups in the simulation.
- The budget limitation implies that the policy could mostly affect immediate cybersecurity improvements within federal institutions before expanding reach due to costs of technology and manpower.
- The target population of about 300 million suggests the policy has a broad impact, thus varied personal experiences and views are important to simulate.
Simulated Interviews
Cybersecurity Analyst (San Jose, CA)
Age: 45 | Gender: male
Wellbeing Before Policy: 7
Duration of Impact: 10.0 years
Commonness: 12/20
Statement of Opinion:
- The policy is a positive step towards securing sensitive government data.
- Widespread implementation will improve standards across agencies.
- I'm concerned about the adequacy of the budget for such a large-scale operation.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 6 |
| Year 2 | 8 | 6 |
| Year 3 | 9 | 5 |
| Year 5 | 9 | 4 |
| Year 10 | 10 | 3 |
| Year 20 | 9 | 2 |
Government Contractor (Washington, D.C.)
Age: 30 | Gender: female
Wellbeing Before Policy: 6
Duration of Impact: 10.0 years
Commonness: 8/20
Statement of Opinion:
- The centralized approach by CISA is necessary to prevent breaches.
- I believe it will also reduce redundancies across different agencies.
- The long-term benefits are clear, but the immediate effect may be limited by budget constraints.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 5 |
| Year 2 | 7 | 5 |
| Year 3 | 8 | 4 |
| Year 5 | 8 | 3 |
| Year 10 | 9 | 2 |
| Year 20 | 8 | 1 |
Private Sector Data Consultant (Chicago, IL)
Age: 50 | Gender: female
Wellbeing Before Policy: 8
Duration of Impact: 5.0 years
Commonness: 9/20
Statement of Opinion:
- Federal policy can set the tone for private sector improvements.
- I see this move as potentially fostering greater collaboration between government and private companies.
- However, without proper funding, these initiatives might not fully extend benefits to the private sector.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 7 |
| Year 2 | 8 | 7 |
| Year 3 | 8 | 7 |
| Year 5 | 9 | 6 |
| Year 10 | 9 | 5 |
| Year 20 | 9 | 4 |
Software Engineer (Austin, TX)
Age: 28 | Gender: male
Wellbeing Before Policy: 6
Duration of Impact: 5.0 years
Commonness: 10/20
Statement of Opinion:
- Our company could benefit from increased demand for cybersecurity services.
- I'm optimistic about increased protection for federal employee data.
- Still, I'm skeptical of the implementation efficiency across all agencies.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 6 |
| Year 2 | 8 | 5 |
| Year 3 | 8 | 5 |
| Year 5 | 9 | 5 |
| Year 10 | 9 | 4 |
| Year 20 | 8 | 3 |
Federal Employee (New York, NY)
Age: 55 | Gender: other
Wellbeing Before Policy: 5
Duration of Impact: 10.0 years
Commonness: 6/20
Statement of Opinion:
- While I appreciate the efforts to secure our systems, I'm concerned whether it will complicate the processes I rely on.
- The budget sounds high, but cybersecurity is costly and hard to measure success.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 4 |
| Year 2 | 7 | 3 |
| Year 3 | 7 | 3 |
| Year 5 | 8 | 2 |
| Year 10 | 8 | 1 |
| Year 20 | 7 | 1 |
Small Business Owner (Los Angeles, CA)
Age: 42 | Gender: female
Wellbeing Before Policy: 7
Duration of Impact: 3.0 years
Commonness: 5/20
Statement of Opinion:
- I support anything that protects small businesses like mine from indirect impacts of cyber threats.
- Effective implementation might mean reduced downtime and better federal service availability.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 6 |
| Year 2 | 8 | 7 |
| Year 3 | 8 | 7 |
| Year 5 | 8 | 6 |
| Year 10 | 8 | 5 |
| Year 20 | 7 | 5 |
Retired (Phoenix, AZ)
Age: 65 | Gender: male
Wellbeing Before Policy: 4
Duration of Impact: 2.0 years
Commonness: 15/20
Statement of Opinion:
- I worry about my personal information; it's reassuring to know they're working to secure it.
- I don't understand all the technicalities, but I appreciate the effort.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 5 | 3 |
| Year 2 | 5 | 3 |
| Year 3 | 6 | 3 |
| Year 5 | 6 | 2 |
| Year 10 | 6 | 1 |
| Year 20 | 5 | 1 |
Federal Agency IT Manager (Miami, FL)
Age: 38 | Gender: female
Wellbeing Before Policy: 6
Duration of Impact: 10.0 years
Commonness: 7/20
Statement of Opinion:
- The policy is crucial but poses a big challenge given our current resources.
- Coordination among agencies can make or break this initiative.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 5 |
| Year 2 | 8 | 4 |
| Year 3 | 9 | 3 |
| Year 5 | 9 | 3 |
| Year 10 | 10 | 2 |
| Year 20 | 9 | 1 |
University Researcher (Houston, TX)
Age: 26 | Gender: male
Wellbeing Before Policy: 5
Duration of Impact: 5.0 years
Commonness: 9/20
Statement of Opinion:
- The proactive approach to cybersecurity could become a global model.
- I'm excited to study its ripple effects if executed well.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 5 |
| Year 2 | 7 | 5 |
| Year 3 | 7 | 4 |
| Year 5 | 7 | 4 |
| Year 10 | 8 | 3 |
| Year 20 | 8 | 3 |
Healthcare Worker (Boston, MA)
Age: 60 | Gender: female
Wellbeing Before Policy: 6
Duration of Impact: 7.0 years
Commonness: 11/20
Statement of Opinion:
- My job involves lots of sensitive data, so stronger cybersecurity is essential.
- I hope for reduced chances of data breaches affecting patient records.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 5 |
| Year 2 | 8 | 5 |
| Year 3 | 8 | 5 |
| Year 5 | 9 | 4 |
| Year 10 | 9 | 3 |
| Year 20 | 9 | 3 |
Cost Estimates
Year 1: $350000000 (Low: $300000000, High: $400000000)
Year 2: $360000000 (Low: $310000000, High: $410000000)
Year 3: $370000000 (Low: $320000000, High: $420000000)
Year 5: $385000000 (Low: $340000000, High: $430000000)
Year 10: $400000000 (Low: $350000000, High: $450000000)
Year 100: $0 (Low: $0, High: $0)
Key Considerations
- Coordination among federal agencies will be crucial to avoid duplication of efforts.
- Long-term savings from preventing cyber incidents could potentially outweigh initial implementation costs.
- Investments in cybersecurity are part of a broader strategy to protect national interests from cyber threats.