Assembly BillNo. 2200

6

8305.  

The Legislature finds and declares all of the following:

7(a) The State of California’s growing dependence on technology
8has made it increasingly vulnerable to both foreign and domestic
9cyber security attacks. Thus far, there has been a fragmented
10approach to this issue with independent efforts occurring through
11federal, state, and local government, as well as in the state’s
12universities and within private industry. For the purposes of public
13safety and protection of public assets, the state has a role in
14coordinating and improving its overall security and response
15capabilities.

16(b) The market for cyber security is estimated to be more than
17seventy billion dollars ($70,000,000,000) in 2014. Of that amount,
18sixty-seven billion dollars ($67,000,000,000) is estimated to be
19spent nationally by private companies for computer and network
20security and the United States Department of Defense is planning
21to spend four billion six hundred million dollars ($4,600,000,000).
22The United States Department of Defense is planning on spending
23twenty-three billion dollars ($23,000,000,000) over the next five
24years. Overall spending is expected to increase rapidly as
25recognition of threats becomes more ubiquitous. The California
26economy stands to greatly benefit from this industry growth.

27(c) The State of California has already made investments for
28the purpose of cyber security; examples of which are research
29funding for the Lawrence Livermore National Laboratory and
30funding to augment a cyber security assessment and response team
31within the California National Guard.

32(d) The California Cyber Security Task Force was initiated in
33May 2013 for the purposes of identifying critical threats,
34assembling primary stakeholders, and highlighting the growing
35importance of the issue. Among other things, this has increased
36awareness of the state’s compliance with the new federal National
37Institute of Standards and Technology (NIST) standards and the
P3    1Office of Emergency Services establishing Emergency Function
218, created particularly for cyber security.

3(e) Over 50,000 new malicious online activities are identified
4every day, according to the United States Department of Defense.
5Incidents of sophisticated and well-coordinated attacks and data
6breaches are occurring more regularly, the average cost of which
7amounts to more than ten million dollars ($10,000,000). In 2012,
8a data breach to the state of South Carolina required more than
9twenty million dollars ($20,000,000) in response and restitution.
10The State of California is vulnerable technically, legally, and
11financially to these threats.

12

8305.1.  

(a) There is in the state government the California
13Cyber Security Commission. The commission shall consist of the
14following members:

15(1) The Director of Emergency Services and his or her designee
16with knowledge, expertise, and decisionmaking authority with
17respect to the Office of Emergency Services’s information
18technology and information security. The director may designate
19an individual to serve on his or her behalf if the individual has
20knowledge, expertise, and decisionmaking authority with respect
21to the Office of Emergency Services’s information technology and
22information security.

23(2) The Adjutant General of the Military Department and his
24or her designee with knowledge, expertise, and decision making
25authority with respect to the Military Department’s information
26technology and information security. The Adjutant General may
27designate an individual to serve on his or her behalf if the
28individual has knowledge, expertise, and decisionmaking authority
29with respect to the Military Department’s information technology
30and information security.

31(3) The Director of Technology, or his or her designee to serve
32on his or her behalf if the individual has knowledge, expertise, and
33decisionmaking authority with respect to the Department of
34Technology’s information technology and information security.

35(4) The Chief of the Office of Information Security, or his or
36her designee to serve on his or her behalf if the individual has
37knowledge, expertise, and decisionmaking authority with respect
38to the office’s information technology and information security.

39(5) The Commission President of the Public Utilities
40Commission, or his or her designee to serve on his or her behalf
P4    1if the individual has knowledge, expertise, and decisionmaking
2authority with respect to the commission’s information technology
3and information security.

4(6) The Director of Transportation, or his or her designee to
5serve on his or her behalf if the individual has knowledge,
6expertise, and decisionmaking authority with respect to the
7Department of Transportation’s information technology and
8information security.

9(7) The Insurance Commissioner, or his or her designee to serve
10on his or her behalf if the individual has knowledge, expertise, and
11decisionmaking authority with respect to the Department of
12Insurance’s information technology and information security.

13(8) The State Public Health Officer, or his or her designee to
14serve on his or her behalf if the individual has knowledge,
15expertise, and decisionmaking authority with respect to the State
16Department of Public Health’s information technology and
17information security.

18(9) Four representatives appointed by the Governor who meet
19the following requirements:

20(A) A representative of the University of California who has
21done research in the area of information technology and
22information security.

23(B) A representative of the California State University who has
24done research in the area of information technology and
25information security.

26(C) A representative from a private university in California who
27 has done research in the area of information technology and
28information security.

29(D) A representative from the Lawrence Livermore National
30Laboratory or Lawrence Berkeley National Laboratory who has
31done research in the area of information technology and
32information security.

33(10) Three representatives appointed by the Governor who meet
34the following requirements:

35(A) A representative from the Bureau of Investigations or the
36Federal Bureau of Investigation who has knowledge, expertise,
37and experience with enforcement or prosecution of cyber crimes.

38(B) A representative from the Department of the California
39Highway Patrol who has knowledge, expertise, and experience
40with enforcement or prosecution of cyber crimes.

P5    1(C) A representative from the Department of Justice who has
2knowledge, expertise, and experience with enforcement or
3prosecution of cyber crimes.

4(11) Three representatives from local government who have
5knowledge, expertise, and experience with emergency response
6to information security breaches. One representative shall be
7appointed by the Governor, one representative shall be appointed
8by the Speaker of the Assembly, and one representative shall be
9appointed by the Senate Committee on Rules.

10(12) Four representatives from the retail, finance, utilities, health
11care, or technology industries who have knowledge, expertise, and
12experience with information technology and information security.
13Two representatives shall be appointed by the Governor, one
14representative shall be appointed by the Speaker of the Assembly,
15and one representative shall be appointed by the Senate Committee
16on Rules.

17(13) Two representatives who are chairpersons from committees
18of the Assembly that address information technology and
19information security, who shall be appointed by the Speaker of
20the Assembly. These representatives shall serve as nonvoting
21members in an advisory capacity.

22(14) Two representatives who are chairpersons from committees
23of the Senate that address information technology and information
24security, who shall be appointed by the Senate Committee on
25Rules. These representatives shall serve as nonvoting members in
26an advisory capacity.

27(b) The commission may also include two representatives from
28the United States Department of Homeland Security who have
29knowledge, expertise, and experience in the area of information
30technology and information security, who serve in a voluntary
31capacity and as nonvoting members.

32(c) The Director of Emergency Services and the Director of
33Technology, or their designees to serve on their behalves if those
34individuals have knowledge, expertise, and experience with
35information technology and information security, shall serve as
36cochairs of the commission.

37(d) Twenty members shall constitute a quorum for the
38transaction of business, and all official acts of the commission
39shall require the affirmative vote of a majority of its members
40constituting a quorum.

P6    1(e) The members of the commission shall serve without
2compensation, except that each member of the commission shall
3be entitled to receive his or her actual necessary traveling expenses
4while on official business of the commission.

5

8305.2.  

The commission shall meet monthly, commencing in
6January 2015.

7

8305.3.  

(a) The commission shall focus on improving the
8state’s cyber security and cyber response capabilities by developing
9partnerships with the public and private sector as well as the
10academic and nongovernmental world to share cyber security and
11cyber threat information to enable state government to protect and
12secure important information and data, intellectual property,
13financial networks, and critical infrastructure.

14(b) The duties of the commission shall include, but not be limited
15to, the following:

16(1) Working with the United States Department of Homeland
17Security to define a system of information sharing regarding cyber
18threat monitoring and response.

19(2) Recommending minimum security standards for all state
20agencies.

21(3) Researching in conjunction with academia and others to
22expand and improve state cyber security capability.

23(4) Expanding public-private cyber security partnerships.

24(5) Establishing cyber-attack response strategies and defining
25a hierarchy of command within the state for this purpose.

26(6) Providing training for state employees and others to produce
27credentialed cyber security employees.

28(7) Developing with the Department of Insurance a strategy to
29acquire cyber insurance for state agencies and assets.

30(8) Proposing potential governmental reorganization to enhance
31the state’s cyber security and response capabilities.

32(9) Exploring fiscal options to fund the commission and its
33various activities, including the activities of some of its specific
34members, including the California National Guard’s computer
35network defense team (CND).

36(c) The commission shall issue a report on a quarterly basis to
37the Governor’s Office and the Legislature that details the cyber
38security status and progress of the state and makes
39recommendations on how to improve the cyber security of the
P7    1state. The reports shall be submitted in compliance with Section
29795.

3

8305.4.  

This chapter shall become inoperative on January 1,
42020, and shall be repealed as of that date.