Bill Overview
Title: CISA Cyber Exercise Act
Description: This bill establishes the National Cyber Exercise Program to evaluate the National Cyber Incident Response Plan and related plans and strategies. (The National Cyber Incident Response Plan outlines the roles and responsibilities, capabilities, and coordinating structures that support how the United States responds to and recovers from significant cyber incidents posing risks to critical infrastructure.) Based on current risk assessments, the exercise program shall be designed to (1) simulate partial or complete incapacitation of a government or critical infrastructure network resulting from a cyber incident, (2) provide for the systematic evaluation of cyber readiness and enhance operational understanding of the cyber incident response system and relevant information sharing agreements, and (3) develop after-action reports and plans that can incorporate lessons learned into future operations.
Sponsors: Sen. Rosen, Jacky [D-NV]
Target Audience
Population: Global population relying on critical infrastructure protected by cybersecurity measures
Estimated Size: 332000000
- The bill primarily targets the evaluation and improvement of cyber incident response, which is relevant to entities involved in national cyber infrastructure, including businesses and government agencies.
- Improving cyber response plans would benefit individuals whose data and services depend on the security of government and critical infrastructure networks.
- Critical infrastructure as defined in U.S. policy includes sectors such as healthcare, energy, banking, which nearly all citizens rely on and thus would be indirectly impacted.
Reasoning
- The policy is specifically designed to enhance cybersecurity measures for critical infrastructure, which affects a large portion of the population indirectly. While direct contact is mainly with businesses and governmental agencies, the security of essential services impacts the general public significantly.
- The target population is effectively the entire U.S. population because all rely on critical infrastructure, even if indirectly, through services like water, energy, communications, and banking.
- Given the nature of the policy which is technical and operational, the direct impact on individual wellbeing may be limited to those working directly in cybersecurity and related sectors.
- Projected wellbeing improvements may manifest over time through increased confidence in the security and resilience of critical services.
- Non-affected individuals might not see a change in their day-to-day life, however, their reliance on secure critical services may give them a peace of mind.
Simulated Interviews
Cybersecurity Analyst (San Francisco, CA)
Age: 34 | Gender: female
Wellbeing Before Policy: 7
Duration of Impact: 10.0 years
Commonness: 5/20
Statement of Opinion:
- The policy is crucial as it ensures that our cybersecurity preparedness can thwart potential threats.
- I'm hopeful that increased funding will mean we can run more comprehensive simulations.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 7 |
| Year 2 | 8 | 7 |
| Year 3 | 9 | 7 |
| Year 5 | 9 | 7 |
| Year 10 | 9 | 6 |
| Year 20 | 8 | 5 |
Government IT Specialist (Washington, D.C.)
Age: 28 | Gender: male
Wellbeing Before Policy: 6
Duration of Impact: 8.0 years
Commonness: 3/20
Statement of Opinion:
- This act will heavily support the infrastructure of my work, potentially making my job easier and more effective.
- I think it will also increase job security in our field.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 6 |
| Year 2 | 8 | 6 |
| Year 3 | 9 | 6 |
| Year 5 | 9 | 6 |
| Year 10 | 8 | 6 |
| Year 20 | 7 | 5 |
Small Business Owner (Houston, TX)
Age: 45 | Gender: male
Wellbeing Before Policy: 6
Duration of Impact: 5.0 years
Commonness: 8/20
Statement of Opinion:
- As a business owner, knowing that my transactions are secure is invaluable.
- I hope this policy will reduce the risk of cyberattacks on small businesses.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 6 |
| Year 2 | 8 | 6 |
| Year 3 | 8 | 6 |
| Year 5 | 8 | 5 |
| Year 10 | 7 | 5 |
| Year 20 | 7 | 4 |
Hospital Administrator (Miami, FL)
Age: 37 | Gender: female
Wellbeing Before Policy: 7
Duration of Impact: 10.0 years
Commonness: 4/20
Statement of Opinion:
- Cybersecurity is a fundamental part of healthcare management, and this act should help in enhancing data protection protocols.
- Improved security measures can reduce stress related to potential data breaches.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 7 |
| Year 2 | 7 | 7 |
| Year 3 | 8 | 7 |
| Year 5 | 8 | 7 |
| Year 10 | 8 | 6 |
| Year 20 | 8 | 5 |
Financial Advisor (Chicago, IL)
Age: 50 | Gender: female
Wellbeing Before Policy: 6
Duration of Impact: 7.0 years
Commonness: 6/20
Statement of Opinion:
- Clients need assurance that their financial data is secure, so I think this policy could instill greater confidence.
- It's critical for preventing data breaches which can have catastrophic effects.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 6 |
| Year 2 | 7 | 6 |
| Year 3 | 8 | 6 |
| Year 5 | 8 | 5 |
| Year 10 | 8 | 5 |
| Year 20 | 7 | 4 |
Data Scientist at Tech Firm (New York, NY)
Age: 29 | Gender: other
Wellbeing Before Policy: 8
Duration of Impact: 10.0 years
Commonness: 4/20
Statement of Opinion:
- This act is necessary as it bolsters the cybersecurity framework, allowing for more granular and precise threat analysis.
- It'll likely increase the demand for my expertise.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 9 | 8 |
| Year 2 | 9 | 8 |
| Year 3 | 9 | 8 |
| Year 5 | 9 | 8 |
| Year 10 | 9 | 7 |
| Year 20 | 8 | 6 |
Electric Company Manager (Denver, CO)
Age: 53 | Gender: male
Wellbeing Before Policy: 5
Duration of Impact: 5.0 years
Commonness: 5/20
Statement of Opinion:
- Enhanced cybersecurity protocols are critical in our industry to prevent outages.
- This policy could provide us with better guidelines and resources.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 5 |
| Year 2 | 7 | 5 |
| Year 3 | 7 | 5 |
| Year 5 | 8 | 5 |
| Year 10 | 7 | 4 |
| Year 20 | 7 | 4 |
University Student in Computer Science (Austin, TX)
Age: 24 | Gender: female
Wellbeing Before Policy: 7
Duration of Impact: 5.0 years
Commonness: 10/20
Statement of Opinion:
- This policy could reflect more job opportunities in my field once I graduate.
- It emphasizes the growing importance of cybersecurity in all sectors.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 7 |
| Year 2 | 8 | 7 |
| Year 3 | 8 | 7 |
| Year 5 | 9 | 8 |
| Year 10 | 9 | 8 |
| Year 20 | 8 | 7 |
Retired Teacher (Seattle, WA)
Age: 62 | Gender: female
Wellbeing Before Policy: 6
Duration of Impact: 3.0 years
Commonness: 15/20
Statement of Opinion:
- Cybersecurity is not my specialty, but I depend on the secure operation of internet banking and health services.
- Any policy that increases security and reliability of these services is good for peace of mind.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 6 |
| Year 2 | 6 | 6 |
| Year 3 | 6 | 6 |
| Year 5 | 6 | 5 |
| Year 10 | 6 | 5 |
| Year 20 | 6 | 4 |
Freelance Graphic Designer (Los Angeles, CA)
Age: 41 | Gender: male
Wellbeing Before Policy: 7
Duration of Impact: 5.0 years
Commonness: 12/20
Statement of Opinion:
- I would expect this policy to lead to more reliable and secure services, which is critical for someone who depends on digital platforms for a living.
- It's comforting to know infrastructure is protected.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 7 |
| Year 2 | 7 | 7 |
| Year 3 | 7 | 7 |
| Year 5 | 8 | 7 |
| Year 10 | 8 | 6 |
| Year 20 | 7 | 6 |
Cost Estimates
Year 1: $150000000 (Low: $125000000, High: $175000000)
Year 2: $160000000 (Low: $130000000, High: $190000000)
Year 3: $170000000 (Low: $140000000, High: $200000000)
Year 5: $190000000 (Low: $160000000, High: $220000000)
Year 10: $240000000 (Low: $200000000, High: $280000000)
Year 100: $500000000 (Low: $400000000, High: $600000000)
Key Considerations
- The scale and complexity of modern cybersecurity threats demand sophisticated and evolving defensive strategies.
- Collaboration across federal, state, and private sectors is crucial for effective response strategies.
- Long-term cost savings are achievable through enhanced preventative cybersecurity measures.