Amended in Senate August 22, 2014

Amended in Senate August 4, 2014

Amended in Senate June 12, 2014

Amended in Assembly May 23, 2014

California Legislature—2013–14 Regular Session

Assembly Bill No. 2200


Introduced by Assembly Member John A. Pérez

February 20, 2014


An act to add and repeal Article 3.9 (commencing with Section 8574.50) of Chapter 7 of Division 1 of Title 2 of the Government Code, relating to cyber security.

LEGISLATIVE COUNSEL’S DIGEST

AB 2200, as amended, John A. Pérez. California Cyber begin delete Security Commission. end delete begin insert Security. end insert

Existing law establishes various advisory boards and commissions in state government with specified duties and responsibilities. Existing law establishes in state government the Governor’s office of Emergency Services begin insert and the Department of Technology end insert.

begin delete

This bill would create the California Cyber Security Commission in the Governor’s Office of Emergency Services, consisting of 15 members comprised of representatives from state government, appointed representatives from the technology or cybersecurity industry and the utility or energy industry, and an appointed representative of California’s critical infrastructure interests. The bill would also authorize the commission to appoint representatives from state, local, federal, and private entities to form an advisory board in order to receive input or advice concerning the implementation of the duties of the commission. The duties of the commission would include establishing cyber-attack response strategies and performing risk assessments on state information technology systems. The bill would require the commission to meet on a quarterly basis, or as specified, and would allow the commission to issue a report to the Governor’s Office and the Legislature that details the activities of the commission and makes recommendations to improve California’s cybersecurity preparedness.

end delete
begin insert

This bill would continue in existence the California Cyber Security Task Force, previously created by the Governor’s Office of Emergency Services and the Department of Technology, in the Governor’s Office of Emergency Services. This bill would require the office and the department to convene stakeholders to act in an advisory capacity and compile policy recommendations on cyber security for the state. The bill would require the task force to meet quarterly, or more often as necessitated by emergency circumstances. This bill would require the task force to complete and issue a report of policy recommendations to the Governor’s office and the Legislature by January 1, 2015.

end insert
begin insert

This bill would create the California Cyber Security Steering Committee in the Governor’s Office of Emergency Services, consisting of 13 members comprised of representatives from state government, and appointed representatives with specific expertise or from the technology or cybersecurity industry and the utility or energy industry. This bill would require the steering committee to seek to implement the policy recommendations of the task force based on specified priorities. This bill would require the office and the department to collaborate with the steering committee.

end insert
begin insert

This bill would authorize the Governor’s Office of Emergency Services and the Department of Technology to conduct the strategic direction of risk assessments performed by the Military Department’s Computer Network Defense Team.

end insert

The bill would abolish the begin delete commission end delete begin insert California Cyber Security Task Force and the California Cyber Security Steering Committee end insert, and repeal these provisions, on January 1, begin delete 2019 end delete begin insert 2020 end insert.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1.  Article 3.9 (commencing with Section 8574.50) is added to Chapter 7 of Division 1 of Title 2 of the Government Code, to read:

Article 3.9.  California Cyber Security begin delete Commission end delete

8574.50.  The Legislature finds and declares all of the following:

(a) The State of California’s growing dependence on technology has made it increasingly vulnerable to both foreign and domestic cyber security attacks. Thus far, there has been a fragmented approach to this issue with independent efforts occurring through federal, state, and local government, as well as in the state’s universities and within private industry. For the purposes of public safety and protection of public assets, the state has a role in coordinating and improving its overall security and response capabilities.

(b) The market for cyber security is estimated to be more than seventy billion dollars ($70,000,000,000) in 2014. Of that amount, sixty-seven billion dollars ($67,000,000,000) is estimated to be spent nationally by private companies for computer and network security and the United States Department of Defense is planning to spend four billion six hundred million dollars ($4,600,000,000). The United States Department of Defense is planning on spending twenty-three billion dollars ($23,000,000,000) over the next five years. Overall spending is expected to increase rapidly as recognition of threats becomes more ubiquitous. The California economy stands to greatly benefit from this industry growth.

(c) The State of California has already made investments for the purpose of cyber security; examples of which are research funding for the Lawrence Livermore National Laboratory and funding to augment a cyber security assessment and response team within the California National Guard.

(d) The California Cyber Security Task Force was initiated in May 2013 for the purposes of identifying critical threats, assembling primary stakeholders, and highlighting the growing importance of the issue. Among other things, this has increased awareness of the state’s compliance with the new federal National Institute of Standards and Technology (NIST) standards and the Office of Emergency Services establishing Emergency Function 18, created particularly for cyber security.

(e) Over 50,000 new malicious online activities are identified every day, according to the United States Department of Defense. Incidents of sophisticated and well-coordinated attacks and data breaches are occurring more regularly, the average cost of which amounts to more than ten million dollars ($10,000,000). In 2012, a data breach to the state of South Carolina required more than twenty million dollars ($20,000,000) in response and restitution. The State of California is vulnerable technically, legally, and financially to these threats.

begin insert

(f) The State of California recognizes that cyber security is both a current and future state security issue that requires a whole-of-government policy solution, not just a technology one. The State of California intends to demonstrate leadership on the issue in conjunction with federal and local governments.

end insert
begin insert

(g) The State of California intends to balance cyber security interests of its citizens and public assets with transparency and protection of privacy rights.

end insert
begin insert

begin insert 8574.51. end insert  (a) There is hereby continued in existence the California Cyber Security Task Force, created in 2013 by the Governor’s Office of Emergency Services and the Department of Technology, in the Governor’s Office of Emergency Services.

(b) The Governor’s Office of Emergency Services and the Department of Technology shall convene stakeholders, both public and private, to act in an advisory capacity and compile policy recommendations on cyber security for the State of California. The California Cyber Security Task Force shall complete and issue a report of policy recommendations to the Governor’s office and the Legislature. The report shall be completed in compliance with Section 9795.

(c) The California Cyber Security Task Force shall meet quarterly, or more often as necessitated by emergency circumstances, within existing resources to ensure that the policy recommendations from the report are implemented and any necessary modifications which may arise are addressed in a timely manner.

(d) The Governor’s Office of Emergency Services and the Department of Technology shall collaborate with the Cyber Security Steering Committee created pursuant to Section 8574.52 to use their combined expertise to streamline the implementation of policy recommendations set forth in the California Cyber Security Task Force’s report. This collaboration shall be guided by the priorities set forth in Section 8574.54 and shall timely realize the state’s cyber security goals.

(e) The Governor’s Office of Emergency Services and the Department of Technology shall be authorized to conduct the strategic direction of risk assessments performed by the Military Department’s Computer Network Defense Team as budgeted in Item 8940-001-0001 of the Budget Act of 2014.

end insert

begin delete 8574.51. end delete begin insert 8574.52. end insert  (a) There is in the Governor’s Office of Emergency Services the begin delete California end delete Cyber Security begin delete Commission. The commission end delete begin insert Steering Committee, which end insert shall consist of the following members:

(1) The Director of Emergency Services, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Office of Emergency Services’ information technology and information security duties.

begin delete

(2) The Chief of the Office of Information Security, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the chief’s information technology and information security duties set forth in Chapter 5.7 (commencing with Section 11549) of Part 1 of Division 3.

end delete
begin insert

(2) The Director of the Department of Technology, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the director’s information technology and information security duties set forth in Chapter 5.6 (commencing with Section 11545).

end insert

(3) The Attorney General, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Department of Justice’s information technology and information security.

(4) The Adjutant General of the Military Department, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Military Department’s information technology and information security.

begin delete

(5) The Insurance Commissioner, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Department of Insurance’s information technology and information security.

(6)

end delete

begin insert (5) end insert The Secretary of Health and Human Services, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the California Health and Human Services Agency’s information technology and information security.

begin delete

(7)

end delete

begin insert (6) end insert The Secretary of the California Transportation Agency, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the agency’s information technology and information security.

begin delete

(8) The Controller, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the office of the Controller’s information technology and information security.

end delete
begin delete

(9)

end delete

begin insert (7) end insert The Commissioner of the California Highway Patrol, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the California Highway Patrol’s information technology and information security.

begin delete

(10)

end delete

begin insert (8) end insert The Commander of the State Threat Assessment Center, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the State Threat Assessment Center’s information technology and information security.

begin delete

(11)

end delete

begin insert (9) end insert A representative begin delete from the private sector in the technology or cybersecurity industry end delete begin insert with cybersecurity expertise end insert, who shall be appointed by the Governor.

begin delete

(12)

end delete

begin insert (10) end insert A representative of the state’s higher education system with knowledge, expertise, and decisionmaking authority with respect to information technology and information security, who shall be appointed by the Governor.

begin delete

(13)

end delete

begin insert (11) end insert A representative of the Public Utilities Commission begin insert or end insert, California Energy begin delete Commission, or California Independent System Operator end delete begin insert Commission end insert with knowledge, expertise, and decisionmaking authority with respect to information technology and information security, who shall be appointed by the Governor.

begin delete

(14)

end delete

begin insert (12) end insert A representative from the begin delete utility or energy industry end delete begin insert private sector in the technology or cybersecurity industry end insert, who shall be appointed by the Speaker of the Assembly.

begin delete

(15)

end delete

begin insert (13) end insert A representative begin delete of California’s critical infrastructure interests, such as air traffic control, ports, and water systems end delete begin insert from the utility or energy industry end insert, who shall be appointed by the Senate Committee on Rules.

(b) (1) Each representative appointed by the Governor, Speaker of the Assembly, or Senate Committee on Rules shall be appointed to serve a two-year term.

(2) Any representative may serve consecutive terms.

(c) Any designee shall serve at the pleasure of the official who designated them.

(d) Eight members shall constitute a quorum for the transaction of business, and all official acts of the begin delete commission end delete begin insert steering committee end insert shall require the affirmative vote of a majority of its members constituting a quorum.

(e) The members of the begin delete commission end delete begin insert steering committee end insert shall serve without compensation, except that each member of the begin delete commission end delete begin insert steering committee end insert shall be entitled to receive his or her actual necessary traveling expenses while on official business of the begin delete commission end delete begin insert steering committee end insert.

begin delete

8574.52.  (a) The commission may appoint representatives to form an advisory board in order to receive input or advice concerning the implementation of the duties of the commission. The commission may expand, as needed, the advisory board to accommodate the representation necessary to inform and advance the duties of the commission.

(b) The advisory board may be comprised of one or more representatives from the following:

(1) The United States Department of Homeland Security.

(2) The National Institute for Standards and Technology.

(3) State government.

(4) Local government.

(5) California’s utility grid, both private and public.

(6) Technology firms, cybersecurity firms, critical infrastructure operators, utility providers, financial firms, health care providers, and other private industries.

(7) California’s cybersecurity law enforcement apparatus, which includes:

(A) The Attorney General’s eCrimes Unit.

(B) The five regional task forces of the High Technology Theft Apprehension and Prosecution Program.

(C) The Department of the California Highway Patrol.

(8) Entities operating with the commission to perform its duties, including:

(A) The State Threat Assessment Center and fusion centers, for the purpose of sharing information that informs preventive actions.

(B) The California National Guard’s Computer Network Defense Team, for the purpose of coordinating comprehensive risk assessments.

(C) California’s public and private universities and laboratories for the purpose of directing research and best utilizing its results.

(c) The commission shall appoint each representative by a majority vote of its members constituting a quorum. Each representative shall serve at the pleasure of the commission.

8574.53.  The commission shall meet quarterly, or more often as determined by a majority vote of its members constituting a quorum, or in the event of an emergency.

end delete

8574.54.  The begin delete duties of the commission shall include the following: end delete begin insert Cyber Security Steering Committee end insert begin insert shall seek to implement the policy recommendations of the California Cyber Security Task Force based on the following priorities: end insert

(a) Developing within state government cyber prevention, defense, and response strategies and defining a hierarchy of command within the state for this purpose. This duty includes, but is not limited to, the following activities:

(1) Performing comprehensive risk assessments on state information technology systems. The begin delete Chief Information Security Officer shall coordinate the process of performing risk assessments and the end delete assessments shall be performed by such entities as the California National Guard’s Computer Defense Network Team and the State Threat Assessment Center, begin delete in addition to end delete begin insert with guidance and assistance from end insert other public and private sector entities.

(2) begin delete Creating end delete begin insert Using assessment results and other state-level data to create end insert a risk profile of public assets, critical infrastructure, public networks, and private operations susceptible to cyber attacks. begin insert The risk profile shall include the development of statewide contingency plans including, but not limited to, Emergency Function 18 of the State Emergency Plan. end insert

begin delete

(3) Coordinating efforts to reduce state information technology risks and gaps in existing service.

end delete

(b) Partnering with the United States Department of Homeland Security to develop an appropriate information sharing system that allows for a controlled and secure process to effectively disseminate cyber threat and response information and data to relevant private and public sector entities. This information sharing system shall reflect state priorities and target identified threat and capability gaps.

(c) Providing recommendations for information technology security standards for all state agencies using, among other things, protocols established by the National Institute for Standards and Technology and reflective of appropriate state priorities.

(d) Compiling and integrating, as appropriate, the research conducted by academic institutions, federal laboratories, and other cybersecurity experts into state operations and functions.

(e) Expanding the state’s public-private cybersecurity partnership network both domestically and internationally to assist in the state’s efforts to prevent and respond to cyber threats and cyber attacks as well as enhance overall cyber detection capability.

(f) Developing and providing begin delete a end delete training begin delete program end delete begin insert programs with the state’s higher education and labor entities end insert to produce a credentialed and qualified state cybersecurity workforce. This program should include training based on the requirements and protocols outlined in models such as Department of Defense Directive 8570. begin delete The commission shall work with state workforce and labor entities as well as the state’s higher education systems, federal agencies, and others to provide training and develop curriculum. end delete

begin delete

(g) Analyzing, in conjunction with the Department of Insurance, the development of a strategy to acquire and incorporate cyber insurance into the procurement and administrative processes of state agencies to protect state assets and information.

end delete
begin delete

(h)

end delete

begin insert (g) end insert Expanding collaboration with the state’s law enforcement apparatus assigned jurisdiction to prevent, deter, investigate, and prosecute cyber attacks and information technology crime, including collaboration with entities like the High-Tech Theft Apprehension Program, and its five regional task forces, the Department of the California Highway Patrol, and the Attorney General’s eCrimes unit. Collaboration will include information sharing that will enhance their capabilities including assistance to better align their activities with federal and local resources, provide additional resources, and extend their efforts into regions of the state not currently represented.

begin delete

(i)

end delete

begin insert (h) end insert Proposing, where appropriate, potential operational or functional enhancement to the state’s cybersecurity assessment and response capabilities, as well as investment or spending recommendation and guidance for the state’s information technology budget and procurement.

begin delete

(j)

end delete

begin insert (i) end insert Coordinating the pursuit of fiscal resources including federal grants and other funding opportunities to enhance the state’s cybersecurity, information technology, data privacy, cyber research, and technology-based emergency response capabilities.


8574.55.  The begin delete commission end delete begin insert California Cyber Security Task Force end insert shall take all necessary steps to protect personal information, public and private sector data, as well as ensure consumer privacy, when implementing its duties.

8574.56.  (a) The begin delete commission end delete begin insert California Cyber Security Task Force end insert may issue begin delete a report end delete begin insert reports, in addition to the report described in subdivision (b) of Section 8574.51, end insert to the Governor’s office and the Legislature detailing the activities of the begin delete commission end delete begin insert task force end insert, including, but not limited to, progress on the begin delete commission’s end delete begin insert California Cyber Security Task Force’s end insert various tasks and actions taken and recommended in response to an incident, as appropriate.

(b) The reports shall be submitted in compliance with Section 9795.

8574.57.  The begin delete commission end delete begin insert California Cyber Security Task Force end insert may engage or accept the services of agency or department personnel, accept the services of stakeholder organizations, and accept federal, private, or other nonstate funding, to operate, manage, or conduct the business of the begin delete commission end delete begin insert California Cyber Security Task Force end insert.

8574.58.  The begin delete commission end delete begin insert California Cyber Security Task Force end insert shall operate within the current information technology budget of each department and agency they serve. Each department and agency shall cooperate with the commission and furnish it with information and assistance that is necessary or useful to further the purposes of this article.

8574.59.  This article shall become inoperative on January 1, begin delete 2019, end delete begin insert 2020, end insert and shall be repealed as of that date.


