The Congressional Budget Office (CBO) found that the Cybersecurity Vulnerability Identification and Notification Act of 2020 (H.R. 5680) could slightly lower the deficit, but not by a significant amount.
The bill, introduced by Rep. Jim Langevin, D-R.I. on Jan. 27, would authorize the Cybersecurity and Infrastructure Security Agency (CISA) to issue administrative subpoenas in rare instances in which an agency cannot share information about cyber threats with owners and operators of critical infrastructure. The subpoenas would compel internet service providers (ISPs) to disclose the identity of the owners and operators of the critical infrastructure. The Director would also have to make “reasonable efforts” to identify at-risk entities before issuing a subpoena.
“CBO expects that few ISPs would be fined for defying subpoenas,” the CBO wrote. “Thus, both revenues and direct spending would increase by insignificant amounts over the 2020-2030 period.”
Furthermore, CBO estimated that “enacting the bill would reduce the deficit by an insignificant amount” and satisfying the bill’s reporting requirements would cost less than $500,000 over a five-year period from 2020-2025, based on information provided by CISA.
H.R. 5680 is cosponsored by Reps. John Katko, R-N.Y., Cedric Richmond, D-La., Bennie Thompson, D-Miss., Sheila Jackson Lee, D-Texas, and John Ratcliffe, R-Texas.