AB 2200, as amended, John A. Pérez. California Cyber Security Commission.
Existing law establishes various advisory boards and commissions in state government with specified duties and responsibilities. Existing law [begin delete] until January 1, 2015, [end delete] establishes in state government the [begin delete] Department of Technology within the Government Operations supervised by the Director of Technology. [end delete] [begin insert] Governor’s Office of Emergency Services. [end insert]
This bill would create the California Cyber Security Commission in the [begin delete] Department of Technology [end delete] [begin insert] Governor’s Office of Emergency Services, [end insert] consisting of [begin delete] 12 [end delete] [begin insert] 15 [end insert] members comprised of representatives from state government, appointed representatives from [begin delete] the private sectors in [end delete] the technology or cybersecurity industry and [begin delete] utility, energy, or telecommunications [end delete] [begin insert] the utility or energy [end insert] industry, and an appointed representative of California’s critical infrastructure interests. The bill would also authorize the commission to appoint representatives from state, local, federal, and private entities to form an advisory board in order to receive input or advice concerning the implementation of the duties of the commission. The duties of the commission would include establishing cyber-attack response strategies and performing risk assessments on state information technology systems. The bill would require the commission to meet on a quarterly basis, or as specified, and would [begin delete] require [end delete] [begin insert] allow [end insert] the commission to issue a report [begin delete] on at least an annual basis [end delete] to the Governor’s Office and the Legislature that details the activities of the commission and makes recommendations to improve California’s cybersecurity preparedness.
The bill would abolish the commission, and repeal these provisions, on January 1, 2019.
Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.
The people of the State of California do enact as follows:
[begin delete] Chapter 5.8 [end delete] [begin insert] Article 3.9 [end insert] (commencing with Section [begin delete] 11549.50) [end delete] [begin insert] 8574.50) [end insert] is added to [begin delete] Part 1 [end delete] [begin insert] Chapter 7 [end insert] of Division [begin delete] 3 [end delete] [begin insert] 1 [end insert] of Title 2 of the Government Code, to read:
[begin insert]
The Legislature finds and declares all of the following:
(a) The State of California’s growing dependence on technology has made it increasingly vulnerable to both foreign and domestic cyber security attacks. Thus far, there has been a fragmented approach to this issue with independent efforts occurring through federal, state, and local government, as well as in the state’s universities and within private industry. For the purposes of public safety and protection of public assets, the state has a role in coordinating and improving its overall security and response capabilities.
(b) The market for cyber security is estimated to be more than seventy billion dollars ($70,000,000,000) in 2014. Of that amount, sixty-seven billion dollars ($67,000,000,000) is estimated to be spent nationally by private companies for computer and network security and the United States Department of Defense is planning to spend four billion six hundred million dollars ($4,600,000,000). The United States Department of Defense is planning on spending twenty-three billion dollars ($23,000,000,000) over the next five years. Overall spending is expected to increase rapidly as recognition of threats becomes more ubiquitous. The California economy stands to greatly benefit from this industry growth.
(c) The State of California has already made investments for the purpose of cyber security; examples of which are research funding for the Lawrence Livermore National Laboratory and funding to augment a cyber security assessment and response team within the California National Guard.
(d) The California Cyber Security Task Force was initiated in May 2013 for the purposes of identifying critical threats, assembling primary stakeholders, and highlighting the growing importance of the issue. Among other things, this has increased awareness of the state’s compliance with the new federal National Institute of Standards and Technology (NIST) standards and the Office of Emergency Services establishing Emergency Function 18, created particularly for cyber security.
(e) Over 50,000 new malicious online activities are identified every day, according to the United States Department of Defense. Incidents of sophisticated and well-coordinated attacks and data breaches are occurring more regularly, the average cost of which amounts to more than ten million dollars ($10,000,000). In 2012, a data breach to the state of South Carolina required more than twenty million dollars ($20,000,000) in response and restitution. The State of California is vulnerable technically, legally, and financially to these threats.
(a) There is in the [begin delete] Department of Technology [end delete] [begin insert] Governor’s Office of Emergency Services [end insert] the California Cyber Security Commission. The commission shall consist of the following members:
(1) The Director of [begin delete] the Department of Technology, [end delete] [begin insert] Emergency Services, [end insert] or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the [begin delete] director’s [end delete] [begin insert] Office of Emergency Services’s [end insert] information technology and information security duties [begin delete] set forth in Chapter 5.6 (commencing with Section 11545) [end delete].
(2) The Chief of the Office of Information Security, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the chief’s information technology and information security duties set forth in Chapter 5.7 (commencing with Section 11549) [begin insert] of Part 1 of Division 3 [end insert].
[begin delete] (3) The Director of Emergency Services, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Office of Emergency Services’s information technology and information security.
(4) [end delete] [begin insert] (3) [end insert] The Attorney General, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Department of Justice’s information technology and information security.
[begin delete] (5) [end delete] [begin insert] (4) [end insert] The Adjutant General of the Military Department, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Military Department’s information technology and information security.
[begin delete] (6) [end delete] [begin insert] (5) [end insert] The Insurance Commissioner, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Department of Insurance’s information technology and information security.
[begin delete] (7) [end delete] [begin insert] (6) [end insert] The Secretary of Health and Human Services, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the California Health and Human Services Agency’s information technology and information security.
[begin delete] (8) [end delete] [begin insert] (7) [end insert] The [begin delete] Director of Transportation, [end delete] [begin insert] Secretary of the California Transportation Agency, [end insert] or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the [begin delete] Department of Transportation’s [end delete] [begin insert] agency’s [end insert] information technology and information security.
[begin delete] (9) [end delete] [begin insert] (8) [end insert] The Controller, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the office of the Controller’s information technology and information security.
(9) The Commissioner of the California Highway Patrol, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the California Highway Patrol’s information technology and information security.
(10) The Commander of the State Threat Assessment Center, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the State Threat Assessment Center’s information technology and information security.
[begin delete] (10) [end delete] [begin insert] (11) [end insert] A representative from the private sector in the technology or cybersecurity industry, who shall be appointed by the Governor.
(12) A representative of the state’s higher education system with knowledge, expertise, and decisionmaking authority with respect to information technology and information security, who shall be appointed by the Governor.
(13) A representative of the Public Utilities Commission, California Energy Commission, or California Independent System Operator with knowledge, expertise, and decisionmaking authority with respect to information technology and information security, who shall be appointed by the Governor.
[begin delete] (11) [end delete] [begin insert] (14) [end insert] A representative from the [begin delete] private sector in the utility, energy, or telecommunications [end delete] [begin insert] utility or energy [end insert] industry, who shall be appointed by the Speaker of the Assembly.
[begin delete] (12) [end delete] [begin insert] (15) [end insert] A representative of California’s critical infrastructure interests, such as air traffic control, ports, and water systems, who shall be appointed by the Senate Committee on Rules.
(b) (1) Each representative appointed by the Governor, Speaker of the Assembly, or Senate Committee on Rules shall be appointed to serve a two-year term.
(2) Any representative may serve consecutive terms.
(c) Any designee shall serve at the pleasure of the official who designated them.
(d) [begin delete] Nine [end delete] [begin insert] Eight [end insert] members shall constitute a quorum for the transaction of business, and all official acts of the commission shall require the affirmative vote of a majority of its members constituting a quorum.
(e) The members of the commission shall serve without compensation, except that each member of the commission shall be entitled to receive his or her actual necessary traveling expenses while on official business of the commission.
(a) The commission may appoint representatives to form an advisory board in order to receive input or advice concerning the implementation of the duties of the commission. [begin insert] The commission may expand, as needed, the advisory board to accommodate the representation necessary to inform and advance the duties of the commission. [end insert]
(b) The advisory board may be comprised of one or more representatives from the following:
(1) The United States Department of Homeland Security.
(2) The National Institute for Standards and Technology.
(3) State government.
(4) Local government.
(5) California’s utility grid, both private and public.
(6) Technology firms, cybersecurity firms, critical infrastructure operators, utility providers, financial firms, health care providers, and other private industries.
(7) California’s cybersecurity law enforcement apparatus, which includes:
(A) The Attorney General’s eCrimes Unit.
(B) The five regional task forces of the High Technology Theft Apprehension and Prosecution Program.
(C) The Department of the California Highway Patrol.
(8) Entities operating with the commission to perform its duties, including:
(A) The State Threat Assessment Center and fusion centers, for the purpose of sharing information that informs preventive actions.
(B) The California National Guard’s Computer Network Defense Team, for the purpose of coordinating comprehensive risk assessments.
(C) California’s public and private universities and laboratories for the purpose of directing research and best utilizing its results.
(c) The commission shall appoint each representative by a majority vote of its members constituting a quorum. Each representative shall serve at the pleasure of the commission.
The commission shall meet quarterly, or more often as determined by a majority vote of its members constituting a quorum, or in the event of an emergency.
The duties of the commission shall include the following:
(a) Developing within state government cyber prevention, defense, and response strategies and defining a hierarchy of command within the state for this purpose. This duty includes, but is not limited to, the following activities:
(1) Performing comprehensive risk assessments on state information technology systems. The Chief Information Security Officer shall coordinate the process of performing risk assessments and the assessments shall be performed by such entities as the California National Guard’s Computer Defense Network Team and the State Threat Assessment Center, in addition to other public and private sector entities.
(2) Creating a risk profile of public assets, critical infrastructure, public networks, and private operations susceptible to cyber attacks.
(3) Coordinating efforts to reduce state information technology risks and gaps in existing service.
(b) Partnering with the United States Department of Homeland Security to develop an appropriate information sharing system that allows for a controlled and secure process to effectively disseminate cyber threat and response information and data to relevant private and public sector entities. This information sharing system shall reflect state priorities and target identified threat and capability gaps.
(c) Providing recommendations for information technology security standards for all state agencies using, among other things, protocols established by the National Institute for Standards and Technology and reflective of appropriate state priorities.
(d) Compiling and integrating, as appropriate, the research conducted by academic institutions, federal laboratories, and other cybersecurity experts into state operations and functions.
(e) Expanding the state’s public-private cybersecurity partnership network both domestically and internationally to assist in the state’s efforts to prevent and respond to cyber threats and cyber attacks as well as enhance overall cyber detection capability.
(f) Developing and providing a training program to produce a credentialed and qualified state cybersecurity workforce. This program should include training based [begin delete] in whole or in part [end delete] on the requirements and protocols outlined in [begin insert] models such as [end insert] Department of Defense Directive 8570. The commission shall work with state workforce and labor entities as well as the state’s higher education systems, federal agencies, and others to provide training and develop curriculum.
(g) [begin delete] Developing, [end delete] [begin insert] Analyzing, [end insert] in conjunction with the Department of Insurance, [begin insert] the development of [end insert] a strategy to acquire and incorporate cyber insurance into the procurement and administrative processes of state agencies to protect state assets and information.
(h) Expanding collaboration with the state’s law enforcement apparatus assigned jurisdiction to prevent, deter, investigate, and prosecute cyber attacks and information technology crime, including collaboration with entities like the High-Tech Theft Apprehension Program, and its five regional task forces, the Department of the California Highway Patrol, and the Attorney General’s eCrimes unit. Collaboration will include information sharing that will enhance their capabilities including assistance to better align their activities with federal and local resources, provide additional resources, and extend their efforts into regions of the state not currently represented.
(i) Proposing, where appropriate, potential [begin delete] governmental reorganization options to enhance [end delete] [begin insert] operational or functional enhancement to [end insert] the state’s cybersecurity assessment and response capabilities [begin insert] , as well as investment or spending recommendation and guidance for the state’s information technology budget and procurement [end insert].
(j) Coordinating the pursuit of fiscal resources including federal grants and other funding opportunities to enhance the state’s cybersecurity, information technology, data privacy, cyber research, and technology-based emergency response capabilities.
The commission shall take all necessary steps to protect personal information, public and private sector data, as well as ensure consumer privacy, when implementing its duties.
(a) The commission [begin delete] shall [end delete] [begin insert] may [end insert] issue [begin delete] an annual [end delete] [begin insert] a [end insert] report to the Governor’s office and the [begin delete] Legislature, or more often if needed due to an emergency situation or time sensitive nature of a cyber event, that contains the following information: [end delete] [begin insert] Legislature detailing the activities of the commission, including, but not limited to, progress on the commission’s various tasks and actions taken and recommended in response to an incident, as appropriate. [end insert]
(1) Details on the activities of the commission, including, but not limited to, progress on the commission’s various tasks and actions taken and recommended in response to an incident, as appropriate.
(2) Policy, organizational, and investment recommendations to improve the cybersecurity preparedness of the state.
(b) The reports shall be submitted in compliance with Section 9795.
The commission may engage or accept the services of agency or department personnel, accept the services of stakeholder organizations, and accept federal, private, or other nonstate funding, to operate, manage, or conduct the business of the commission.
The commission shall operate within the current information technology budget of each department and agency they serve. Each department and agency shall cooperate with the commission and furnish it with information and assistance that is necessary or useful to further the purposes of this article.
This [begin delete] chapter [end delete] [begin insert] article [end insert] shall become inoperative on January 1, 2019, and shall be repealed as of that date.