The U.S. Congress, federal regulators and the White House routinely consider and implement policies that impact our nation’s cybersecurity through legislation, regulation and executive orders. International and state governing entities also take actions that impact others outside of the immediate area, such as companies that operate in multiple jurisdictions. The action may be direct, such as legislation on a cyber issue, or indirect, such as non-cyber-specific legislation containing provisions that might impact cybersecurity. In either case, unforeseen ramifications require careful, technically informed analysis to fully assess any first- and second-order consequences of their enactment.

The R Street Institute’s Cybersecurity and Emerging Threats team launched the Cybersecurity Score Project to analyze legislation and regulation on an ongoing basis to evaluate their potential cybersecurity impact. We will apply a uniform set of criteria to ensure our audiences understand the range of cybersecurity impacts of government actions, and we will present our findings in a streamlined format that is easy for non-experts to understand. Analyses will delve into access provisions, applicability, business impact, accounting for different entities, data privacy and security, update mechanisms, exemptions and exceptions, and enforcement mechanisms to determine if the action is cyber positive, cyber neutral or cyber concerning. Recommendations will be provided as appropriate.

Cybersecurity should not be a partisan issue. Our analyses offer a nonpartisan perspective on the cybersecurity aspects of a given action without taking a stance on the underlying policy issue in cases where it is not cyber-focused. The intended audiences for these analyses are members of Congress, federal policymakers and their staff. We drew inspiration for this evaluation project from the Congressional Budget Office’s Cost Estimates.

The team will proactively select legislation and regulation for analysis and welcomes policymakers and staff to email requests to Policy Director Brandon Pugh. International and state products will occasionally be developed when they have the potential for significant impact, either directly or through emulation. Analyses will appear on this page in an ongoing repository.