Amended in Senate June 12, 2014

Amended in Assembly May 23, 2014

California Legislature—2013–14 Regular Session

Assembly Bill No. 2200


Introduced by Assembly Member John A. Pérez

February 20, 2014


An act to add and repeal Chapter 5.8 (commencing with Section 11549.50) of Part 1 of Division 3 of Title 2 of the Government Code, relating to cyber security.

LEGISLATIVE COUNSEL’S DIGEST

AB 2200, as amended, John A. Pérez. California Cyber Security Commission.

Existing law establishes various advisory boards and commissions in state government with specified duties and responsibilities. Existing law, until January 1, 2015, establishes in state government the Department of Technology within the Government Operations Agency, supervised by the Director of Technology.

This bill would create the California Cyber Security Commission in the Department of Technology consisting of 12 members comprised of representatives from state government, appointed representatives from the private sectors in the technology or cybersecurity industry and utility, energy, or telecommunications industry, and an appointed representative of California’s critical infrastructure interests. The bill would also authorize the commission to appoint representatives from state, local, federal, and private entities to form an advisory board in order to receive input or advice concerning the implementation of the duties of the commission. The duties of the commission would include establishing cyber-attack response strategies and begin delete defining a hierarchy of command within the state for this purpose end delete begin insert performing risk assessments on state information technology systems end insert. The bill would require the commission to meet on a quarterly basis, or as specified, and would require the commission to issue a report on begin delete a quarterly end delete begin insert at least an annual end insert basis to the Governor’s Office and the Legislature that details begin delete the cyber security status and progress of the state and makes recommendations on how to improve the cyber security of the state end delete begin insert the activities of the commission and makes recommendations to improve California’s cybersecurity preparedness end insert.

The bill would abolish the commission, and repeal these provisions, on January 1, 2019.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1. Chapter 5.8 (commencing with Section 11549.50) is added to Part 1 of Division 3 of Title 2 of the Government Code, to read:

Chapter 5.8. California Cyber Security Commission

11549.50. The Legislature finds and declares all of the following:

(a) The State of California’s growing dependence on technology has made it increasingly vulnerable to both foreign and domestic cyber security attacks. Thus far, there has been a fragmented approach to this issue with independent efforts occurring through federal, state, and local government, as well as in the state’s universities and within private industry. For the purposes of public safety and protection of public assets, the state has a role in coordinating and improving its overall security and response capabilities.

(b) The market for cyber security is estimated to be more than seventy billion dollars ($70,000,000,000) in 2014. Of that amount, sixty-seven billion dollars ($67,000,000,000) is estimated to be spent nationally by private companies for computer and network security and the United States Department of Defense is planning to spend four billion six hundred million dollars ($4,600,000,000). The United States Department of Defense is planning on spending twenty-three billion dollars ($23,000,000,000) over the next five years. Overall spending is expected to increase rapidly as recognition of threats becomes more ubiquitous. The California economy stands to greatly benefit from this industry growth.

(c) The State of California has already made investments for the purpose of cyber security; examples of which are research funding for the Lawrence Livermore National Laboratory and funding to augment a cyber security assessment and response team within the California National Guard.

(d) The California Cyber Security Task Force was initiated in May 2013 for the purposes of identifying critical threats, assembling primary stakeholders, and highlighting the growing importance of the issue. Among other things, this has increased awareness of the state’s compliance with the new federal National Institute of Standards and Technology (NIST) standards and the Office of Emergency Services establishing Emergency Function 18, created particularly for cyber security.

(e) Over 50,000 new malicious online activities are identified every day, according to the United States Department of Defense. Incidents of sophisticated and well-coordinated attacks and data breaches are occurring more regularly, the average cost of which amounts to more than ten million dollars ($10,000,000). In 2012, a data breach to the state of South Carolina required more than twenty million dollars ($20,000,000) in response and restitution. The State of California is vulnerable technically, legally, and financially to these threats.

11549.51. (a) There is in the Department of Technology the California Cyber Security Commission. The commission shall consist of the following members:

(1) The Director of the Department of Technology, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the director’s information technology and information security duties set forth in Chapter 5.6 (commencing with Section 11545).

(2) The Chief of the Office of Information Security, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the chief’s information technology and information security duties set forth in Chapter 5.7 (commencing with Section 11549).

(3) The Director of Emergency Services, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Office of Emergency Services’s information technology and information security.

(4) The Attorney General, or his or her designee with knowledge, begin delete expertises, end delete begin insert expertise, end insert and decisionmaking authority with respect to the Department of Justice’s information technology and information security.

(5) The Adjutant General of the Military Department, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Military Department’s information technology and information security.

(6) The Insurance Commissioner, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Department of Insurance’s information technology and information security.

(7) The Secretary of Health and Human Services, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the California Health and Human Services Agency’s information technology and information security.

(8) The Director of Transportation, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Department of Transportation’s information technology and information security.

(9) The Controller, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the office of the Controller’s information technology and information security.

(10) A representative from the private sector in the technology or cybersecurity industry, who shall be appointed by the Governor.

(11) A representative from the private sector in the utility, energy, or telecommunications industry, who shall be appointed by the Speaker of the Assembly.

(12) A representative of California’s critical infrastructure interests, such as air traffic control, ports, and water systems, who shall be appointed by the Senate Committee on Rules.

(b) (1) Each representative appointed by the Governor, Speaker of the Assembly, or Senate Committee on Rules shall be appointed to serve a two-year term.

(2) Any representative may serve consecutive terms.

(c) Any designee shall serve at the pleasure of the official who designated them.

(d) Nine members shall constitute a quorum for the transaction of business, and all official acts of the commission shall require the affirmative vote of a majority of its members constituting a quorum.

(e) The members of the commission shall serve without compensation, except that each member of the commission shall be entitled to receive his or her actual necessary traveling expenses while on official business of the commission.

11549.52. (a) The commission may appoint representatives to form an advisory board in order to receive input or advice concerning the implementation of the duties of the commission.

(b) The advisory board may be comprised of one or more representatives from the following:

(1) The United States Department of Homeland Security.

(2) The National Institute for Standards and Technology.

(3) State government.

(4) Local government.

(5) California’s utility grid, both private and public.

(6) Technology firms, cybersecurity firms, critical infrastructure operators, utility providers, financial firms, health care providers, and other private industries.

(7) California’s cybersecurity law enforcement apparatus, which includes:

(A) The Attorney General’s eCrimes Unit.

(B) The five regional task forces of the High Technology Theft Apprehension and Prosecution Program.

(C) The Department of the California Highway Patrol.

(8) Entities operating with the commission to perform its duties, including:

(A) The State Threat Assessment Center and fusion centers, for the purpose of sharing information that informs preventive actions.

(B) The California National Guard’s Computer Network Defense Team, for the purpose of coordinating comprehensive risk assessments.

(C) California’s public and private universities and laboratories for the purpose of directing research and best utilizing its results.

(c) The commission shall appoint each representative by a majority vote of its members constituting a quorum. Each representative shall serve at the pleasure of the commission.

11549.53. The commission shall meet quarterly, or more often as determined by a majority vote of its members constituting a quorum, or in the event of an emergency.

begin delete

11549.54. (a) The commission shall focus on improving the state’s cyber security and cyber response capabilities by developing partnerships with the public and private sector as well as the academic and nongovernmental world to share cyber security and cyber threat information to enable state government to protect and secure important information and data, intellectual property, financial networks, and critical infrastructure.

(b) The duties of the commission shall include, but not be limited to, the following:

(1) Working with the United States Department of Homeland Security to define a system of information sharing regarding cyber threat monitoring and response.

(2) Recommending minimum security standards for all state agencies.

(3) Researching in conjunction with academia and others to expand and improve state cyber security capability.

(4) Expanding public-private cyber security partnerships.

(5) Establishing cyber-attack response strategies and defining a hierarchy of command within the state for this purpose.

(6) Providing training for state employees and others to produce credentialed cyber security employees.

(7) Developing with the Department of Insurance a strategy to acquire cyber insurance for state agencies and assets.

(8) Proposing potential governmental reorganization to enhance the state’s cyber security and response capabilities.

(9) Exploring fiscal options to fund the commission and its various activities, including the activities of some of its specific members, including the California National Guard’s computer network defense team (CND).

(c) The commission shall issue a report on a quarterly basis to the Governor’s Office and the Legislature that details the cyber security status and progress of the state and makes recommendations on how to improve the cyber security of the state. The reports shall be submitted in compliance with Section 9795.

end delete
begin insert

11549.54. The duties of the commission shall include the following:

(a) Developing within state government cyber prevention, defense, and response strategies and defining a hierarchy of command within the state for this purpose. This duty includes, but is not limited to, the following activities:

(1) Performing comprehensive risk assessments on state information technology systems. The Chief Information Security Officer shall coordinate the process of performing risk assessments and the assessments shall be performed by such entities as the California National Guard’s Computer Defense Network Team and the State Threat Assessment Center, in addition to other public and private sector entities.

(2) Creating a risk profile of public assets, critical infrastructure, public networks, and private operations susceptible to cyber attacks.

(3) Coordinating efforts to reduce state information technology risks and gaps in existing service.

(b) Partnering with the United States Department of Homeland Security to develop an appropriate information sharing system that allows for a controlled and secure process to effectively disseminate cyber threat and response information and data to relevant private and public sector entities. This information sharing system shall reflect state priorities and target identified threat and capability gaps.

(c) Providing recommendations for information technology security standards for all state agencies using, among other things, protocols established by the National Institute for Standards and Technology and reflective of appropriate state priorities.

(d) Compiling and integrating, as appropriate, the research conducted by academic institutions, federal laboratories, and other cybersecurity experts into state operations and functions.

(e) Expanding the state’s public-private cybersecurity partnership network both domestically and internationally to assist in the state’s efforts to prevent and respond to cyber threats and cyber-attacks as well as enhance overall cyber detection capability.

(f) Developing and providing a training program to produce a credentialed and qualified state cybersecurity workforce. This program should include training based in whole or in part on the requirements and protocols outlined in Department of Defense Directive 8570. The commission shall work with state workforce and labor entities as well as the state’s higher education systems, federal agencies, and others to provide training and develop curriculum.

(g) Developing, in conjunction with the Department of Insurance, a strategy to acquire and incorporate cyber insurance into the procurement and administrative processes of state agencies to protect state assets and information.

(h) Expanding collaboration with the state’s law enforcement apparatus assigned jurisdiction to prevent, deter, investigate, and prosecute cyber-attacks and information technology crime, including collaboration with entities like the High-Tech Theft Apprehension Program, and its five regional task forces, the Department of the California Highway Patrol, and the Attorney General’s eCrimes unit. Collaboration will include information sharing that will enhance their capabilities including assistance to better align their activities with federal and local resources, provide additional resources, and extend their efforts into regions of the state not currently represented.

(i) Proposing, where appropriate, potential governmental reorganization options to enhance the state’s cybersecurity assessment and response capabilities.

(j) Coordinating the pursuit of fiscal resources including federal grants and other funding opportunities to enhance the state’s cybersecurity, information technology, data privacy, cyber research, and technology-based emergency response capabilities.

end insert
begin insert

11549.55. The commission shall take all necessary steps to protect personal information, public and private sector data, as well as ensure consumer privacy, when implementing its duties.

end insert
begin insert

11549.56. (a) The commission shall issue an annual report to the Governor’s office and the Legislature, or more often if needed due to an emergency situation or time sensitive nature of a cyber event, that contains the following information:

(1) Details on the activities of the commission, including, but not limited to, progress on the commission’s various tasks and actions taken and recommended in response to an incident, as appropriate.

(2) Policy, organizational, and investment recommendations to improve the cybersecurity preparedness of the state.

(b) The reports shall be submitted in compliance with Section 9795.

end insert
11549.57. This chapter shall become inoperative on January 1, 2019, and shall be repealed as of that date.