AB 2200, as amended, John A. Pérez. California Cyber Security Commission.
Existing law establishes various advisory boards and commissions in state government with specified duties and responsibilities. begin insert Existing law until January 1, 2015, establishes in state government the Department of Technology within the Government Operations supervised by the Director of Technology. end insert
This bill would create the California Cyber Security Commission begin insert in the Department of Technology end insert consisting of begin insert 12 end insert members comprised of representatives from state begin delete, local, and federal government, the Legislature, and private industries, as specified. end delete begin insert government, appointed representatives from the private sectors in the technology or cybersecurity industry and utility, energy, or telecommunications industry, and an appointed representative of California’s critical infrastructure interests. end insert begin insert The bill would also authorize the commission to appoint representatives from state, local, federal, and private entities to form an advisory board in order to receive input or advice concerning the implementation of the duties of the commission. end insert The duties of the commission would include establishing cyber-attack response strategies and defining a hierarchy of command within the state for this purpose. The bill would require the commission to meet on a begin delete monthly end delete begin insert quarterly end insert basis, begin insert or as specified, end insert and would require the commission to issue a report on a quarterly basis to the Governor’s Office and the Legislature that details the cyber security status and progress of the state and makes recommendations on how to improve the cyber security of the state.
This end delete begin insert The end insert bill would abolish the commission, and repeal these provisions, on January 1, begin delete 2020 end delete begin insert 2019 end insert.
Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.
The people of the State of California do enact as follows:
Chapter begin delete 4.5 end delete begin insert 5.8 end insert (commencing with Section begin delete 8305) end delete begin insert 11549.50) end insert is added to begin delete Division end delete begin insert Part end insert 1 of begin delete Title 2 end delete begin insert Division 3 end insert of begin insert Title 2 of end insert the Government Code, to read:
The Legislature finds and declares all of the following:
(a) The State of California’s growing dependence on technology has made it increasingly vulnerable to both foreign and domestic cyber security attacks. Thus far, there has been a fragmented approach to this issue with independent efforts occurring through federal, state, and local government, as well as in the state’s universities and within private industry. For the purposes of public safety and protection of public assets, the state has a role in coordinating and improving its overall security and response capabilities.
(b) The market for cyber security is estimated to be more than seventy billion dollars ($70,000,000,000) in 2014. Of that amount, sixty-seven billion dollars ($67,000,000,000) is estimated to be spent nationally by private companies for computer and network security and the United States Department of Defense is planning to spend four billion six hundred million dollars ($4,600,000,000). The United States Department of Defense is planning on spending twenty-three billion dollars ($23,000,000,000) over the next five years. Overall spending is expected to increase rapidly as recognition of threats becomes more ubiquitous. The California economy stands to greatly benefit from this industry growth.
(c) The State of California has already made investments for the purpose of cyber security; examples of which are research funding for the Lawrence Livermore National Laboratory and funding to augment a cyber security assessment and response team within the California National Guard.
(d) The California Cyber Security Task Force was initiated in May 2013 for the purposes of identifying critical threats, assembling primary stakeholders, and highlighting the growing importance of the issue. Among other things, this has increased awareness of the state’s compliance with the new federal National Institute of Standards and Technology (NIST) standards and the Office of Emergency Services establishing Emergency Function 18, created particularly for cyber security.
(e) Over 50,000 new malicious online activities are identified every day, according to the United States Department of Defense. Incidents of sophisticated and well-coordinated attacks and data breaches are occurring more regularly, the average cost of which amounts to more than ten million dollars ($10,000,000). In 2012, a data breach to the state of South Carolina required more than twenty million dollars ($20,000,000) in response and restitution. The State of California is vulnerable technically, legally, and financially to these threats.
(a) There is in the begin delete state government end delete begin insert Department of Technology end insert the California Cyber Security Commission. The commission shall consist of the following members:
(1) The Director of the Department of Technology, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the director’s information technology and information security duties set forth in Chapter 5.6 (commencing with Section 11545).
(2) The Chief of the Office of Information Security, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the chief’s information technology and information security duties set forth in Chapter 5.7 (commencing with Section 11549).
(1) end delete begin insert (3) end insert The Director of Emergency begin delete Services and end delete begin insert Services, or end insert his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Office of Emergency Services’s information technology and information security. begin delete The director may designate an individual to serve on his or her behalf if the individual has knowledge, expertise, and decisionmaking authority with respect to the Office of Emergency Services’s information technology and information security. end delete
(4) The Attorney General, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Department of Justice’s information technology and information security.
(2) end delete begin insert (5) end insert The Adjutant General of the Military Department begin delete and end delete begin insert, or end insert his or her designee with knowledge, expertise, and begin delete decision making end delete begin insert decisionmaking end insert authority with respect to the Military Department’s information technology and information security. begin delete The Adjutant General may designate an individual to serve on his or her behalf if the individual has knowledge, expertise, and decisionmaking authority with respect to the Military Department’s information technology and information security. end delete
(3) The Director of Technology, or his or her designee to serve on his or her behalf if the individual has knowledge, expertise, and decisionmaking authority with respect to the Department of Technology’s information technology and information security.
(4) The Chief of the Office of Information Security, or his or her designee to serve on his or her behalf if the individual has knowledge, expertise, and decisionmaking authority with respect to the office’s information technology and information security.
(5) The Commission President of the Public Utilities Commission, or his or her designee to serve on his or her behalf if the individual has knowledge, expertise, and decisionmaking authority with respect to the commission’s information technology and information security.
(6) The Director of Transportation, or his or her designee to serve on his or her behalf if the individual has knowledge, expertise, and decisionmaking authority with respect to the Department of Transportation’s information technology and information security.
(7) end delete begin insert (6) end insert The Insurance Commissioner, or his or her designee begin delete to serve on his or her behalf if the individual has end delete begin insert with end insert knowledge, expertise, and decisionmaking authority with respect to the Department of Insurance’s information technology and information security.
(8) The State Public Health Officer, or his or her designee to serve on his or her behalf if the individual has knowledge, expertise, and decisionmaking authority with respect to the State Department of Public Health’s information technology and information security.
(9) Four representatives appointed by the Governor who meet the following requirements:
(A) A representative of the University of California who has done research in the area of information technology and information security.
(B) A representative of the California State University who has done research in the area of information technology and information security.
(C) A representative from a private university in California who has done research in the area of information technology and information security.
(D) A representative from the Lawrence Livermore National Laboratory or Lawrence Berkeley National Laboratory who has done research in the area of information technology and information security.
(10) Three representatives appointed by the Governor who meet the following requirements:
(A) A representative from the Bureau of Investigations or the Federal Bureau of Investigation who has knowledge, expertise, and experience with enforcement or prosecution of cyber crimes.
(B) A representative from the Department of the California Highway Patrol who has knowledge, expertise, and experience with enforcement or prosecution of cyber crimes.
(C) A representative from the Department of Justice who has knowledge, expertise, and experience with enforcement or prosecution of cyber crimes.
(11) Three representatives from local government who have knowledge, expertise, and experience with emergency response to information security breaches. One representative shall be appointed by the Governor, one representative shall be appointed by the Speaker of the Assembly, and one representative shall be appointed by the Senate Committee on Rules.
(12) Four representatives from the retail, finance, utilities, health care, or technology industries who have knowledge, expertise, and experience with information technology and information security. Two representatives shall be appointed by the Governor, one representative shall be appointed by the Speaker of the Assembly, and one representative shall be appointed by the Senate Committee on Rules.
(13) Two representatives who are chairpersons from committees of the Assembly that address information technology and information security, who shall be appointed by the Speaker of the Assembly. These representatives shall serve as nonvoting members in an advisory capacity.
(14) Two representatives who are chairpersons from committees of the Senate that address information technology and information security, who shall be appointed by the Senate Committee on Rules. These representatives shall serve as nonvoting members in an advisory capacity.
(b) The commission may also include two representatives from the United States Department of Homeland Security who have knowledge, expertise, and experience in the area of information technology and information security, who serve in a voluntary capacity and as nonvoting members.
(c) The Director of Emergency Services and the Director of Technology, or their designees to serve on their behalves if those individuals have knowledge, expertise, and experience with information technology and information security, shall serve as cochairs of the commission.
(7) The Secretary of Health and Human Services, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the California Health and Human Services Agency’s information technology and information security.
(8) The Director of Transportation, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Department of Transportation’s information technology and information security.
(9) The Controller, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the office of the Controller’s information technology and information security.
(10) A representative from the private sector in the technology or cybersecurity industry, who shall be appointed by the Governor.
(11) A representative from the private sector in the utility, energy, or telecommunications industry, who shall be appointed by the Speaker of the Assembly.
(12) A representative of California’s critical infrastructure interests, such as air traffic control, ports, and water systems, who shall be appointed by the Senate Committee on Rules.
(b) (1) Each representative appointed by the Governor, Speaker of the Assembly, or Senate Committee on Rules shall be appointed to serve a two-year term.
(2) Any representative may serve consecutive terms.
end insert begin insert
(c) Any designee shall serve at the pleasure of the official who designated them.
(d) begin delete Twenty end delete begin insert Nine end insert members shall constitute a quorum for the transaction of business, and all official acts of the commission shall require the affirmative vote of a majority of its members constituting a quorum.
(e) The members of the commission shall serve without compensation, except that each member of the commission shall be entitled to receive his or her actual necessary traveling expenses while on official business of the commission.
(a) The commission may appoint representatives to form an advisory board in order to receive input or advice concerning the implementation of the duties of the commission.
(b) The advisory board may be comprised of one or more representatives from the following:
(1) The United States Department of Homeland Security.
(2) The National Institute for Standards and Technology.
(3) State government.
(4) Local government.
(5) California’s utility grid, both private and public.
(6) Technology firms, cybersecurity firms, critical infrastructure operators, utility providers, financial firms, health care providers, and other private industries.
(7) California’s cybersecurity law enforcement apparatus, which includes:
(A) The Attorney General’s eCrimes Unit.
(B) The five regional task forces of the High Technology Theft Apprehension and Prosecution Program.
(C) The Department of the California Highway Patrol.
(8) Entities operating with the commission to perform its duties, including:
(A) The State Threat Assessment Center and fusion centers, for the purpose of sharing information that informs preventive actions.
(B) The California National Guard’s Computer Network Defense Team, for the purpose of coordinating comprehensive risk assessments.
(C) California’s public and private universities and laboratories for the purpose of directing research and best utilizing its results.
(c) The commission shall appoint each representative by a majority vote of its members constituting a quorum. Each representative shall serve at the pleasure of the commission.
The commission shall meet begin delete monthly, commencing in January 2015. end delete begin insert quarterly, or more often as determined by a majority vote of its members constituting a quorum, or in the event of an emergency. end insert
(a) The commission shall focus on improving the state’s cyber security and cyber response capabilities by developing partnerships with the public and private sector as well as the academic and nongovernmental world to share cyber security and cyber threat information to enable state government to protect and secure important information and data, intellectual property, financial networks, and critical infrastructure.
(b) The duties of the commission shall include, but not be limited to, the following:
(1) Working with the United States Department of Homeland Security to define a system of information sharing regarding cyber threat monitoring and response.
(2) Recommending minimum security standards for all state agencies.
(3) Researching in conjunction with academia and others to expand and improve state cyber security capability.
(4) Expanding public-private cyber security partnerships.
(5) Establishing cyber-attack response strategies and defining a hierarchy of command within the state for this purpose.
(6) Providing training for state employees and others to produce credentialed cyber security employees.
(7) Developing with the Department of Insurance a strategy to acquire cyber insurance for state agencies and assets.
(8) Proposing potential governmental reorganization to enhance the state’s cyber security and response capabilities.
(9) Exploring fiscal options to fund the commission and its various activities, including the activities of some of its specific members, including the California National Guard’s computer network defense team (CND).
(c) The commission shall issue a report on a quarterly basis to the Governor’s Office and the Legislature that details the cyber security status and progress of the state and makes recommendations on how to improve the cyber security of the state. The reports shall be submitted in compliance with Section 9795.
This chapter shall become inoperative on January 1, begin delete 2020, end delete begin insert 2019, end insert and shall be repealed as of that date.