Amended in Senate August 30, 2014

Amended in Senate August 22, 2014

Amended in Senate August 4, 2014

Amended in Senate June 12, 2014

Amended in Assembly May 23, 2014

California Legislature—2013–14 Regular Session

Assembly Bill No. 2200


Introduced by Assembly Member John A. Pérez

February 20, 2014


An act to add and repeal Article 3.9 (commencing with Section 8574.50) of Chapter 7 of Division 1 of Title 2 of the Government Code, relating to cyber security.

LEGISLATIVE COUNSEL’S DIGEST

AB 2200, as amended, John A. Pérez. California Cyber Security.

Existing law establishes various advisory boards and commissions in state government with specified duties and responsibilities. Existing law establishes in state government the Governor’s Office of Emergency Services and the Department of Technology.

This bill would continue in existence the California Cyber Security Task Force, previously created by the Governor’s Office of Emergency Services and the Department of Technology, in the Governor’s Office of Emergency Services. This bill would require the office and the department to convene stakeholders to act in an advisory capacity and compile policy recommendations on cyber security for the state. The bill would require the task force to meet quarterly, or more often as necessitated by emergency circumstances. This bill would require the task force to complete and issue a report of policy recommendations to the Governor’s office and the Legislature [deleted: by January 1, 2015].

This bill would create the California Cyber Security Steering Committee in the Governor’s Office of Emergency Services, consisting of 13 members comprised of representatives from state government, and appointed representatives with specific expertise or from the technology or cybersecurity industry and the utility or energy industry. This bill would require the steering committee to seek to implement the policy recommendations of the task force based on specified priorities. This bill would require the office and the department to collaborate with the steering committee.

This bill would authorize the Governor’s Office of Emergency Services and the Department of Technology to conduct the strategic direction of risk assessments performed by the Military Department’s Computer Network Defense Team.

The bill would abolish the California Cyber Security Task Force and the California Cyber Security Steering Committee, and repeal these provisions, on January 1, 2020.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1.  Article 3.9 (commencing with Section 8574.50) is added to Chapter 7 of Division 1 of Title 2 of the Government Code, to read:

Article 3.9.  California Cyber Security

8574.50.  The Legislature finds and declares all of the following:

(a) The State of California’s growing dependence on technology has made it increasingly vulnerable to both foreign and domestic cyber security attacks. Thus far, there has been a fragmented approach to this issue with independent efforts occurring through federal, state, and local government, as well as in the state’s universities and within private industry. For the purposes of public safety and protection of public assets, the state has a role in coordinating and improving its overall security and response capabilities.

(b) The market for cyber security is estimated to be more than seventy billion dollars ($70,000,000,000) in 2014. Of that amount, sixty-seven billion dollars ($67,000,000,000) is estimated to be spent nationally by private companies for computer and network security and the United States Department of Defense is planning to spend four billion six hundred million dollars ($4,600,000,000). The United States Department of Defense is planning on spending twenty-three billion dollars ($23,000,000,000) over the next five years. Overall spending is expected to increase rapidly as recognition of threats becomes more ubiquitous. The California economy stands to greatly benefit from this industry growth.

(c) The State of California has already made investments for the purpose of cyber security; examples of which are research funding for the Lawrence Livermore National Laboratory and funding to augment a cyber security assessment and response team within the California National Guard.

(d) The California Cyber Security Task Force was initiated in May 2013 for the purposes of identifying critical threats, assembling primary stakeholders, and highlighting the growing importance of the issue. Among other things, this has increased awareness of the state’s compliance with the new federal National Institute of Standards and Technology (NIST) standards and the Office of Emergency Services establishing Emergency Function 18, created particularly for cyber security.

(e) Over 50,000 new malicious online activities are identified every day, according to the United States Department of Defense. Incidents of sophisticated and well-coordinated attacks and data breaches are occurring more regularly, the average cost of which amounts to more than ten million dollars ($10,000,000). In 2012, a data breach to the state of South Carolina required more than twenty million dollars ($20,000,000) in response and restitution. The State of California is vulnerable technically, legally, and financially to these threats.

(f) The State of California recognizes that cyber security is both a current and future state security issue that requires a whole-of-government policy solution, not just a technology one. The State of California intends to demonstrate leadership on the issue in conjunction with federal and local governments.

(g) The State of California intends to balance cyber security interests of its citizens and public assets with transparency and protection of privacy rights.

8574.51.  (a) There is hereby continued in existence the California Cyber Security Task Force, created in 2013 by the Governor’s Office of Emergency Services and the Department of Technology, in the Governor’s Office of Emergency Services.

(b) The Governor’s Office of Emergency Services and the Department of Technology shall convene stakeholders, both public and private, to act in an advisory capacity and compile policy recommendations on cyber security for the State of California. The California Cyber Security Task Force shall complete and issue a report of policy recommendations to the Governor’s office and the Legislature. The report shall be completed in compliance with Section 9795.

(c) The California Cyber Security Task Force shall meet quarterly, or more often as necessitated by emergency circumstances, within existing resources to ensure that the policy recommendations from the report are implemented and any necessary modifications which may arise are addressed in a timely manner.

(d) The Governor’s Office of Emergency Services and the Department of Technology shall collaborate with the Cyber Security Steering Committee created pursuant to Section 8574.52 to use their combined expertise to streamline the implementation of policy recommendations set forth in the California Cyber Security Task Force’s report. This collaboration shall be guided by the priorities set forth in Section 8574.54 and shall timely realize the state’s cyber security goals.

(e) The Governor’s Office of Emergency Services and the Department of Technology shall be authorized to conduct the strategic direction of risk assessments performed by the Military Department’s Computer Network Defense Team as budgeted in Item 8940-001-0001 of the Budget Act of 2014.

8574.52.  (a) There is in the Governor’s Office of Emergency Services the Cyber Security Steering Committee, which shall consist of the following members:

(1) The Director of Emergency Services, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Office of Emergency Services’ information technology and information security duties.

(2) The Director of the Department of Technology, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the director’s information technology and information security duties set forth in Chapter 5.6 (commencing with Section 11545).

(3) The Attorney General, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Department of Justice’s information technology and information security.

(4) The Adjutant General of the Military Department, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Military Department’s information technology and information security.

(5) The Secretary of Health and Human Services, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the California Health and Human Services Agency’s information technology and information security.

(6) The Secretary of the California Transportation Agency, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the agency’s information technology and information security.

(7) The Commissioner of the California Highway Patrol, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the California Highway Patrol’s information technology and information security.

(8) The Commander of the State Threat Assessment Center, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the State Threat Assessment Center’s information technology and information security.

(9) A representative with cybersecurity expertise, who shall be appointed by the Governor.

(10) A representative of the state’s higher education system with knowledge, expertise, and decisionmaking authority with respect to information technology and information security, who shall be appointed by the Governor.

(11) A representative of the Public Utilities Commission or, California Energy Commission with knowledge, expertise, and decisionmaking authority with respect to information technology and information security, who shall be appointed by the Governor.

(12) A representative from the private sector in the technology or cybersecurity industry, who shall be appointed by the Speaker of the Assembly.

(13) A representative from the utility or energy industry, who shall be appointed by the Senate Committee on Rules.

(b) (1) Each representative appointed by the Governor, Speaker of the Assembly, or Senate Committee on Rules shall be appointed to serve a two-year term.

(2) Any representative may serve consecutive terms.

(c) Any designee shall serve at the pleasure of the official who designated them.

(d) Eight members shall constitute a quorum for the transaction of business, and all official acts of the steering committee shall require the affirmative vote of a majority of its members constituting a quorum.

(e) The members of the steering committee shall serve without compensation, except that each member of the steering committee shall be entitled to receive his or her actual necessary traveling expenses while on official business of the steering committee.

8574.54.  The Cyber Security Steering Committee shall seek to implement the policy recommendations of the California Cyber Security Task Force based on the following priorities:

(a) Developing within state government cyber prevention, defense, and response strategies and defining a hierarchy of command within the state for this purpose. This duty includes, but is not limited to, the following activities:

(1) Performing comprehensive risk assessments on state information technology systems. The assessments shall be performed by such entities as the California National Guard’s Computer Defense Network Team and the State Threat Assessment Center, with guidance and assistance from other public and private sector entities.

(2) Using assessment results and other state-level data to create a risk profile of public assets, critical infrastructure, public networks, and private operations susceptible to cyber attacks. The risk profile shall include the development of statewide contingency plans including, but not limited to, Emergency Function 18 of the State Emergency Plan.

(b) Partnering with the United States Department of Homeland Security to develop an appropriate information sharing system that allows for a controlled and secure process to effectively disseminate cyber threat and response information and data to relevant private and public sector entities. This information sharing system shall reflect state priorities and target identified threat and capability gaps.

(c) Providing recommendations for information technology security standards for all state agencies using, among other things, protocols established by the National Institute for Standards and Technology and reflective of appropriate state priorities.

(d) Compiling and integrating, as appropriate, the research conducted by academic institutions, federal laboratories, and other cybersecurity experts into state operations and functions.

(e) Expanding the state’s public-private cybersecurity partnership network both domestically and internationally to assist in the state’s efforts to prevent and respond to cyber threats and cyber attacks as well as enhance overall cyber detection capability.

(f) Developing and providing training programs with the state’s higher education and labor entities to produce a credentialed and qualified state cybersecurity workforce. This program should include training based on the requirements and protocols outlined in models such as Department of Defense Directive 8570.

(g) Expanding collaboration with the state’s law enforcement apparatus assigned jurisdiction to prevent, deter, investigate, and prosecute cyber attacks and information technology crime, including collaboration with entities like the High-Tech Theft Apprehension Program, and its five regional task forces, the Department of the California Highway Patrol, and the Attorney General’s eCrimes unit. Collaboration will include information sharing that will enhance their capabilities including assistance to better align their activities with federal and local resources, provide additional resources, and extend their efforts into regions of the state not currently represented.

(h) Proposing, where appropriate, potential operational or functional enhancement to the state’s cybersecurity assessment and response capabilities, as well as investment or spending recommendation and guidance for the state’s information technology budget and procurement.

(i) Coordinating the pursuit of fiscal resources including federal grants and other funding opportunities to enhance the state’s cybersecurity, information technology, data privacy, cyber research, and technology-based emergency response capabilities.

8574.55.  The California Cyber Security Task Force shall take all necessary steps to protect personal information, public and private sector data, as well as ensure consumer privacy, when implementing its duties.

8574.56.  (a) The California Cyber Security Task Force may issue reports, in addition to the report described in subdivision (b) of Section 8574.51, to the Governor’s office and the Legislature detailing the activities of the task force, including, but not limited to, progress on the California Cyber Security Task Force’s various tasks and actions taken and recommended in response to an incident, as appropriate.

(b) The reports shall be submitted in compliance with Section 9795.

8574.57.  The California Cyber Security Task Force may engage or accept the services of agency or department personnel, accept the services of stakeholder organizations, and accept federal, private, or other nonstate funding, to operate, manage, or conduct the business of the California Cyber Security Task Force.

8574.58.  [deleted: The California Cyber Security Task Force shall operate within the current information technology budget of each department and agency they serve.] Each department and agency shall cooperate with the [deleted: commission] [inserted: California Cyber Security Task Force] and furnish it with information and assistance that is necessary or useful to further the purposes of this article.

8574.59.  This article shall become inoperative on January 1, 2020, and shall be repealed as of that date.


