Source: US Congressional Budget Office
Under current law, the Cybersecurity and Infrastructure Security Agency (CISA) shares information about cyber threats with owners and operators of critical infrastructure (such as power generation and transmission facilities). In rare instances, the agency cannot do so because it is unable to identify the owners of computers or devices that are vulnerable to malicious activity. S. 3045 would authorize CISA to issue administrative subpoenas in those instances to compel Internet service providers (ISPs) to disclose the identity of owners of such critical infrastructure. The bill also would require CISA to provide annual reports to the Congress on its use of that authority.
ISPs that do not comply with subpoenas could be subject to civil and criminal penalties; therefore, the government might collect additional fines under the legislation. Civil fines are recorded in the budget as revenues. Criminal fines are recorded as revenues, deposited in the Crime Victims Fund, and later spent without further appropriation. CBO expects that few ISPs would be fined for defying subpoenas. Thus, both revenues and direct spending would increase by insignificant amounts over the 2020-2030 period. On net, enacting the bill would reduce the deficit by an insignificant amount, CBO estimates.
On the basis of information from CISA, satisfying the bill’s reporting requirements would cost less than $500,000 over the 2020-2025 period; such spending would be subject to the availability of appropriated funds.
On February 24, 2020, CBO transmitted a cost estimate for H.R. 5680, the Cybersecurity Vulnerability Identification and Notification Act of 2020, as ordered reported by the House Committee on Homeland Security on January 29, 2020. The two pieces of legislation are similar and CBO’s estimate of their budgetary effects is the same.