Bill Overview
Title: Cyber Incident Reporting Act of 2021
Description: This bill requires reporting and other actions to address cybersecurity incidents, including ransomware attacks. Entities that own or operate critical infrastructure must report cyber incidents and ransom payments within specified time frames while other entities may voluntarily report incidents. The Cybersecurity and Infrastructure Security Agency (CISA) must establish an office to receive and analyze such reports. The bill limits the use and disclosure of reported information. The information may be shared (subject to protections) with federal agencies or to address cybersecurity threats. However, shared information may not be used as a basis for certain regulatory enforcement. Additionally, an entity may not be liable for submitting required reports. Further, reports do not constitute waivers of applicable protections against disclosure (e.g., attorney-client privilege) and are not subject to laws governing release of federal records. The bill authorizes CISA to take specified action (e.g., issuing subpoenas) if an entity fails to submit a required report. CISA may share subpoenaed information with a regulator or the Department of Justice for regulatory enforcement or criminal prosecution. A federal agency must share any information it receives about cyber attacks with CISA. The bill also establishes (1) an interagency council to standardize federal reporting of cybersecurity threats, (2) a task force on ransomware attacks, and (3) a pilot program to identify information systems vulnerable to ransomware attacks.
Sponsors: Sen. Peters, Gary C. [D-MI]
Target Audience
Population: People affiliated with entities that own or operate critical infrastructure
Estimated Size: 8,000,000
- The bill specifically targets entities that own or operate critical infrastructure, which covers a wide range of industries and sectors.
- Critical infrastructure can include sectors such as energy, healthcare, finance, transportation, and telecommunications, among others.
- The bill also affects federal agencies tasked with cybersecurity responsibilities, particularly the Cybersecurity and Infrastructure Security Agency (CISA).
- Employees within these entities may be indirectly impacted through changes in reporting practices and cybersecurity protocols.
- CISA's establishment of an office and other actions may lead to employment and operational shifts in relevant sectors.
- The general public indirectly benefits from improved cybersecurity and reduced cyber threats to critical services.
Reasoning
- The population distribution considers sectors defined as critical infrastructure such as energy, healthcare, finance, transportation, and telecommunications.
- Given the primarily institutional focus of the policy, individual citizens not working in these sectors will experience only indirect impacts, through improved safety and security.
- The budget figures point mainly to significant organizational compliance expenses and CISA's operational costs.
- We expect variable impacts across different positions, such as managers overseeing cybersecurity and IT staff enacting changes.
Simulated Interviews
Cybersecurity Manager (Phoenix, AZ)
Age: 45 | Gender: male
Wellbeing Before Policy: 6
Duration of Impact: 5.0 years
Commonness: 5/20
Statement of Opinion:
- The policy adds more reporting work, which could be stressful but necessary.
- It should help prevent large-scale incidents with better information flow.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 6 |
| Year 2 | 7 | 6 |
| Year 3 | 8 | 6 |
| Year 5 | 8 | 5 |
| Year 10 | 7 | 5 |
| Year 20 | 6 | 5 |
IT Specialist (Atlanta, GA)
Age: 34 | Gender: female
Wellbeing Before Policy: 7
Duration of Impact: 3.0 years
Commonness: 7/20
Statement of Opinion:
- The extra measures and reports will be time-consuming, but knowing we're more secure is a relief.
- Hopefully, this means fewer incidents that disrupt hospital services.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 7 |
| Year 2 | 8 | 7 |
| Year 3 | 8 | 6 |
| Year 5 | 7 | 6 |
| Year 10 | 6 | 6 |
| Year 20 | 6 | 6 |
Finance Executive (Minneapolis, MN)
Age: 52 | Gender: female
Wellbeing Before Policy: 6
Duration of Impact: 4.0 years
Commonness: 6/20
Statement of Opinion:
- I think it will increase transparency and accountability, which is positive.
- Might increase compliance costs in the initial phase.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 6 |
| Year 2 | 6 | 6 |
| Year 3 | 7 | 6 |
| Year 5 | 7 | 5 |
| Year 10 | 6 | 5 |
| Year 20 | 6 | 5 |
Network Security Analyst (Houston, TX)
Age: 29 | Gender: male
Wellbeing Before Policy: 8
Duration of Impact: 5.0 years
Commonness: 9/20
Statement of Opinion:
- More reports mean better data but also more work on top of current duties.
- Hopefully, the policy leads to faster threat mitigation.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 9 | 8 |
| Year 2 | 8 | 8 |
| Year 3 | 8 | 7 |
| Year 5 | 8 | 6 |
| Year 10 | 8 | 6 |
| Year 20 | 7 | 6 |
Consultant (San Francisco, CA)
Age: 40 | Gender: other
Wellbeing Before Policy: 9
Duration of Impact: 10.0 years
Commonness: 4/20
Statement of Opinion:
- I think this policy will create more consulting opportunities.
- Concerned about client overload leading to delays in other projects.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 9 | 9 |
| Year 2 | 9 | 8 |
| Year 3 | 9 | 8 |
| Year 5 | 8 | 7 |
| Year 10 | 9 | 7 |
| Year 20 | 8 | 6 |
Operations Officer (Miami, FL)
Age: 37 | Gender: female
Wellbeing Before Policy: 7
Duration of Impact: 3.0 years
Commonness: 8/20
Statement of Opinion:
- It's good to see proactive steps being taken in cybersecurity.
- The reporting might identify more issues needing immediate resources.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 7 |
| Year 2 | 7 | 6 |
| Year 3 | 7 | 6 |
| Year 5 | 6 | 5 |
| Year 10 | 6 | 5 |
| Year 20 | 5 | 5 |
Lawyer (Chicago, IL)
Age: 55 | Gender: male
Wellbeing Before Policy: 5
Duration of Impact: 2.0 years
Commonness: 3/20
Statement of Opinion:
- Concerns over the legal challenges posed by increased reporting requirements.
- Clients might face uncertainty regarding privileged information.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 5 | 5 |
| Year 2 | 6 | 5 |
| Year 3 | 6 | 5 |
| Year 5 | 5 | 5 |
| Year 10 | 5 | 5 |
| Year 20 | 5 | 5 |
Chief Information Officer (New York, NY)
Age: 60 | Gender: female
Wellbeing Before Policy: 8
Duration of Impact: 7.0 years
Commonness: 2/20
Statement of Opinion:
- Having clear guidelines can mean better-prepared responses, though initial rollout may be complex.
- Worry about added bureaucracy slowing down innovation.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 8 |
| Year 2 | 8 | 7 |
| Year 3 | 9 | 7 |
| Year 5 | 8 | 7 |
| Year 10 | 9 | 6 |
| Year 20 | 7 | 6 |
Federal Employee (Boston, MA)
Age: 36 | Gender: female
Wellbeing Before Policy: 6
Duration of Impact: 10.0 years
Commonness: 1/20
Statement of Opinion:
- This is an exciting yet challenging phase, as setting up the new processes is a task of high importance.
- Mentally prepared for the increased workload in the initial years.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 6 |
| Year 2 | 8 | 6 |
| Year 3 | 8 | 6 |
| Year 5 | 9 | 5 |
| Year 10 | 9 | 5 |
| Year 20 | 8 | 5 |
Policy Advisor (Washington, D.C.)
Age: 42 | Gender: male
Wellbeing Before Policy: 7
Duration of Impact: 20.0 years
Commonness: 1/20
Statement of Opinion:
- The bill is crucial for the security of our critical infrastructure.
- Complexities in implementation might delay other policy rollouts.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 7 |
| Year 2 | 8 | 7 |
| Year 3 | 9 | 6 |
| Year 5 | 9 | 6 |
| Year 10 | 9 | 6 |
| Year 20 | 8 | 5 |
Cost Estimates
Year 1: $150,000,000 (Low: $120,000,000, High: $180,000,000)
Year 2: $155,000,000 (Low: $125,000,000, High: $185,000,000)
Year 3: $160,000,000 (Low: $130,000,000, High: $190,000,000)
Year 5: $165,000,000 (Low: $135,000,000, High: $195,000,000)
Year 10: $170,000,000 (Low: $140,000,000, High: $200,000,000)
Year 100: $175,000,000 (Low: $145,000,000, High: $205,000,000)
Key Considerations
- There could be compliance costs for critical infrastructure entities reporting incidents.
- The establishment of new governance and operating procedures for the collection and analysis of cyber incidents is essential.
- Changes to the cybersecurity landscape could require further legislative adjustment.