119-HR-2659 Data-Driven Journalist Impact Analysis
119 · HR 2659 Strengthening Cyber Resilience Against State-Sponsored Threats Act
Summary
What the bill does and why it matters
H.R. 2659 would establish and task a CISA‑chaired interagency task force to coordinate Sector Risk Management Agencies (SRMAs) against PRC state‑sponsored cyber actors (including Volt Typhoon), require an initial classified report with an unclassified executive summary, and produce annual updates. The House passed the bill on November 17, 2025 (402–8); the Senate has not yet acted. [3][2]
Authoritative advisories document persistent compromise and pre‑positioning by PRC actors across U.S. communications, energy, transportation systems, and water sectors—implicating both economic continuity and public safety. The bill’s coordination and reporting focus targets these cross‑sector risks without new mandates on private owners/operators. [1]
- Fiscal exposure is modest: CBO estimates roughly $5 million (FY2025–2030) to operate the task force and under $0.5 million for reports, subject to appropriation. [5]
- Execution risks include duplication with existing efforts and long‑standing gaps in federal cyber threat information sharing performance measures. [6][4]
- Transparency trade‑offs arise because the bill exempts the task force from FACA and the Paperwork Reduction Act (PRA), which ordinarily add public‑input and burden‑review guardrails. [3][7][8]
Economic Effects
Budgetary costs, private‑sector burden, and market‑level consequences
CBO projects approximately $5 million over five years to stand up and run the task force, with reporting costs under $0.5 million—small relative to DHS/CISA toplines. [5]
- Direct private‑sector burden appears limited: the bill organizes federal coordination and requires reports/briefings; it does not impose new security controls on owners/operators. [3]
- Potential economic benefits derive from avoided disruption in critical functions (e.g., power, comms, water/transport). Federal advisories identify PRC pre‑positioning in these sectors, implying significant downside risk if coordination fails. [1]
- Water sector exposure is a salient example: EPA reports rising attacks, widespread noncompliance with basic risk/response planning, and numerous critical/high vulnerabilities—suggesting high expected value for federal coordination and outreach. [9][10][11]
- Process trade‑off: PRA exemption may speed government information collection for the task force but bypasses OMB/OIRA burden review that typically vets cost and utility of collections. [3][8]
- Execution risk: GAO flags that federal cyber information sharing lacks clear performance measures and optimal method mix (centralized vs. federated). Poor execution would dilute the bill’s expected economic benefits. [4]
Social Effects
Implications for communities and vulnerable populations
- Continuity of essential services: PRC actors’ activity in communications, energy, transportation, and water sectors raises the prospect of outages affecting hospitals, emergency response, and daily life; enhanced federal coordination could reduce outage likelihood/duration. [1]
- Public health: EPA warns cyberattacks on water systems can manipulate treatment processes and chemical dosing, posing acute health risks—issues that disproportionately affect smaller and under‑resourced communities. [10]
- National defense mobility: the bill mandates a classified assessment of adversary ability to hinder U.S. force movements via rail, aviation, and ports—recognizing downstream community impacts if transport networks are disrupted. [3]
Environmental Effects
Sustainability and ecological risk pathways
- Direct environmental mandates: none. The bill does not change environmental standards or require physical infrastructure upgrades. [3]
- Risk mitigation externality: EPA notes adversaries could alter operational technology to damage pumps/valves and change chemical levels to hazardous amounts; improved detection/response coordination could reduce spill/contamination risk. [10]
Temporal Analysis
Short‑term versus long‑term effects and statutory timing
| Milestone | Statutory deadline | Impact |
|---|---|---|
| Task force established | Within 120 days of enactment | Near‑term setup and interagency alignment. [3] |
| Initial report to Congress (classified + unclassified summary) | Within 540 days after establishment | First cross‑sector threat/impact assessment to shape resourcing. [3] |
| Annual reports (5 years) + briefings | Annually after initial report | Sustained oversight; potential to course‑correct. [3] |
| Unclassified executive summaries | Each report | Public‑facing synthesis for owners/operators. [3] |
| Termination | 60 days after final briefing | Sunset limits standing bureaucracy. [3] |

- Short term (Year 1): organizational costs and planning; early wins depend on rapid sharing of indicators/mitigations against “living‑off‑the‑land” techniques highlighted in advisories. [1]
- Medium term (Years 1–3): potential reduction in incident dwell time and improved sector‑specific playbooks if agencies close GAO‑identified gaps in sharing methods and performance measures. [4]
- Long term (Years 3–6): institutionalized coordination aligned with NSM‑22’s critical infrastructure framework; benefits scale with adherence to risk‑management plans and SRMA roles. [12]
Unintended Consequences and Risks
Secondary effects and governance trade‑offs to monitor
- Duplication/overlap: GAO annually flags opportunities to reduce fragmentation and better coordinate cyber information sharing across CISA, FBI, and SRMAs; new structures risk adding layers unless clearly integrated. [6]
- Information‑sharing efficacy: GAO finds agencies lack outcome measures and an assessment of whether the current mix of centralized vs. federated sharing is optimal—critical for this task force’s success. [4]
- Operational technology (OT) focus: GAO highlights challenges in delivering CISA’s OT services; without addressing these, benefits to cyber‑physical safety (e.g., water treatment, grid operations) may be muted. [13]
Assessment
Overall analytical stance
Net effect: neutral. The bill targets a documented, high‑consequence threat with modest federal cost and minimal direct private‑sector burden. Realizing benefits depends on execution—specifically, measurable improvements in cyber information sharing, practical OT support to sectors, and meaningful unclassified outputs that owners/operators can act on. [1][5][4][13]
Sourcing and Method Notes
- Authorities and status: bill text and Congress.gov action history. [3][2]
- Threat landscape: CISA’s joint advisory on PRC state‑sponsored actors (Volt Typhoon). [1]
- Budgetary impact: CBO estimate embedded in House Report 119‑230 (govinfo). [5]
- Sector exposure (water): EPA press alert, enforcement alert, and OIG assessment. [9][10][11]
- Governance context: GAO reports on SRMA responsibilities, cyber info sharing metrics/methods, and OT support challenges. [14][4][13]
- Policy backdrop: NSM‑22 on critical infrastructure security and resilience. [12]
- Process trade‑offs: FACA and PRA overviews (GSA, EPA). [7][8]
- [1] PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure (AA24-038A) CISA
- [2] H.R. 2659 – Congress.gov overview and latest actions (Passed House 11/17/2025; Roll no. 287) Congress.gov
- [3] H.R. 2659 – Bill Text (Reported in House) Congress.gov
- [4] GAO-23-105468 – National Cybersecurity Strategy: Information Sharing Measures and Methods U.S. GAO
- [5] House Report 119-230 with CBO Cost Estimate for H.R. 2659 govinfo (GPO)
- [6] Web search · turn 2 #4
- [7] GSA – Federal Advisory Committee Act (FACA) Management Overview U.S. General Services Administration
- [8] EPA – Summary of the Paperwork Reduction Act (44 U.S.C. §3501 et seq.) U.S. EPA
- [9] EPA News Release – Enforcement Measures to Prevent Cybersecurity Attacks on Drinking Water U.S. EPA
- [10] EPA Enforcement Alert – Drinking Water Systems to Address Cybersecurity Vulnerabilities U.S. EPA
- [11] EPA OIG – Cybersecurity Concerns Related to Drinking Water Systems (Report No. 25-N-0004) U.S. EPA OIG
- [12] Biden signs new memo to boost security of U.S. critical infrastructure (NSM-22) Reuters
- [13] GAO-24-106576 – Cybersecurity: Addressing Risks to Operational Technology U.S. GAO
- [14] GAO-23-106720 – Critical Infrastructure Protection: CISA Efforts and SRMA Responsibilities U.S. GAO