BILL ANALYSIS



                                                                            



           -----------------------------------------------------------------
          |SENATE RULES COMMITTEE            |                       AB 2200|
          |Office of Senate Floor Analyses   |                              |
          |1020 N Street, Suite 524          |                              |
          |(916) 651-1520                    |                              |
          |Fax: (916) 327-4478               |                              |
           -----------------------------------------------------------------
           
                                           
                                    THIRD READING


          Bill No:  AB 2200
          Author:   John A. Pérez (D)
          Amended:  8/4/14 in Senate
          Vote:     21

           
           SENATE GOVERNMENTAL ORGANIZATION COMMITTEE  :  8-1, 6/24/14
          AYES:  Correa, Cannella, De León, Galgiani, Hernandez, Lieu,  
            Padilla, Torres
          NOES:  Vidak
          NO VOTE RECORDED:  Berryhill, Vacancy

           SENATE APPROPRIATIONS COMMITTEE  :  5-0, 8/14/14
          AYES:  De León, Hill, Lara, Padilla, Steinberg
          NO VOTE RECORDED:  Walters, Gaines

           ASSEMBLY FLOOR  :  74-3, 5/28/14 - See last page for vote


           SUBJECT  :    California Cyber Security Commission

           SOURCE  :     Author


           DIGEST  :    This bill creates, until January 1, 2019, a 12-member  
          California Cyber Security Commission (CCSC), within the  
          Department of Technology (DOT), as an advisory body to discuss  
          strategies for improving the state's cybersecurity and cyber  
          response capabilities.

           ANALYSIS  :    

          Existing law:

          1. Establishes the DOT within the Government Operations Agency,  
             responsible for establishing and enforcing state information  
             technology strategic plans, policies, standards, and  
             enterprise architecture.  The Director of DOT is the State  
             Chief Information Officer, and is responsible for enhancing  
             the security, reliability, and quality of information  
             technology networks, services, and systems.

          2. Requires each state agency to have a chief information  
             officer who is appointed by the head of the state entity, and  
             is responsible for supervising all information technology,  
             including information security.

          3. Establishes the Office of Information Security (OIS), within  
             DOT, which is responsible for ensuring the confidentiality,  
             integrity, and availability of state systems and  
             applications.  Requires the OIS to develop an information  
             security program and establish policies, standards, and  
             procedures directing state agencies to effectively manage  
             security and risk.

          This bill:

          1. Makes various legislative findings and declarations relative  
             to the state's growing dependence on technology which has  
             made it increasingly vulnerable technically, legally, and  
             financially to both foreign and domestic cybersecurity  
             attacks and that for the purposes of public safety and  
             protection of public assets, the state has a role in  
             coordinating and improving its overall security and response  
             capabilities.

          2. Creates the CCSC within the Governor's Office of Emergency  
             Services (OES) consisting of the following members:

             A.    The Director of OES.

             B.    The Chief of the OIS.

             C.    The Attorney General.

             D.    The Adjutant General of the Military Department.


             E.    The Commissioner of the Department of Insurance.

             F.    The Secretary of the Health and Human Services Agency.

             G.    The Secretary of the California Transportation Agency.

             H.    The State Controller.

             I.    The Commissioner of the California Highway Patrol.

             J.    The Commander of the State Threat Assessment Center.

             K.    A representative from the private sector in the  
                technology or cybersecurity industry appointed by the  
                Governor.

             L.    A representative of the state's higher education system  
                appointed by the Governor.

             M.    A representative of the Public Utilities Commission,  
                California Energy Commission, or California Independent  
                System Operator appointed by the Governor.

             N.    A representative from the utility or energy industry  
                appointed by the Speaker of the Assembly.

             O.    A representative of California's critical  
                infrastructure interests (e.g., air traffic control,  
                ports, and water systems) appointed by the Senate Rules  
                Committee.

          3. Stipulates that members of the CCSC will meet at least  
             quarterly and serve without compensation, except that members  
             will be entitled to receive actual and necessary travel  
             expenses while on official business of the CCSC.  Provides  
             that representatives appointed by the Governor, Speaker of  
             the Assembly, or Senate Rules Committee shall serve a  
             two-year term; any designee shall serve at the pleasure of  
             the official who designated them; and provides that eight  
             members will constitute a quorum.

          4. Authorizes the CCSC to form an advisory board comprised of  
             one or more representatives from the following who will serve  
             at the pleasure of the CCSC and permits the CCSC to expand,
             as needed, the advisory board:

             A.    The United States Department of Homeland Security.

             B.    The National Institute for Standards and Technology.

             C.    State and local government.

             D.    California's utility grid, both private and public.

             E.    Technology firms, cybersecurity firms, critical  
                infrastructure operators, utility providers, financial  
                firms, health care providers, and other private  
                industries.

             F.    California's cybersecurity law enforcement apparatus  
                (the Attorney General's eCrimes Unit, the California  
                Highway Patrol, and the five regional task forces of the  
                High Technology Theft Apprehension and Prosecution  
                Program).

             G.    Entities operating with the CCSC to perform its duties  
                include the State Threat Assessment Center and fusion  
                centers, the California National Guard's Computer Network  
                Defense Team, and California's public/private universities  
                and labs.

          5. Stipulates that the duties of the CCSC shall include:

             A.    Developing cyber prevention, defense, and response  
                strategies and defining a hierarchy of command within  
                the state.

             B.    Partnering with the United States Department of  
                Homeland Security to develop an appropriate information  
                sharing system to effectively disseminate cyber threat  
                and response information and data to relevant private  
                and public sector entities.

             C.    Providing recommendations for information technology  
                security standards.

             D.    Compiling and integrating the research conducted by  
                academic institutions, federal laboratories, and other
                cybersecurity experts.

             E.    Expanding the state's public-private cybersecurity  
                partnership network both domestically and  
                internationally.

             F.    Developing and providing a training program to  
                produce a credentialed and qualified state cybersecurity  
                taskforce.

             G.    Analyzing, in conjunction with the Department of
                Insurance, the development of a strategy to acquire and
                incorporate cyber insurance into the procurement and
                administrative processes of state agencies to protect
                state assets and information.

             H.    Expanding collaboration with the state's law  
                enforcement apparatus.

             I.    Proposing potential operational or functional
                enhancements, as well as investment or spending
                recommendations and guidance.

             J.    Coordinating the pursuit of fiscal resources to  
                enhance the state's cybersecurity, information  
                technology, data privacy, cyber research, and  
                technology-based emergency response capabilities.

          6. Authorizes the CCSC to issue a report to the Governor and the  
             Legislature detailing the activities of the CCSC, including,  
             but not limited to, progress on the CCSC's tasks and actions  
             taken and recommended in response to an incident, as  
             appropriate.

          7. Requires the CCSC to engage or accept (a) the services of  
             agency or department personnel, (b) the services of  
             stakeholder organizations, and (c) federal, private, or other  
             nonstate funding, to operate, manage, or conduct the business  
             of the CCSC.  

          8. Requires the CCSC to operate within the current information
             technology budget of each department and agency it serves.

          9. Requires each department and agency to cooperate with the
             CCSC and furnish it with information and assistance necessary
             or useful to further the purposes of this bill.

          10. Contains a January 1, 2019 sunset provision.

           Background
           
          The OIS is the primary state office charged with protecting  
          state information and ensuring confidentiality, integrity, and  
          availability of state systems and applications.  In short, OIS  
          is responsible, along with other agencies, for ensuring the  
          state's cybersecurity.  However, various other programs and  
          agencies have roles related to managing the state's  
          cybersecurity. 

          This bill creates the 12-member CCSC to focus on improving the  
          state's cybersecurity and cyber response capabilities.  Members,  
          consisting of various state agency department leaders as well as  
          representatives from private sector industries and other  
          interests such as air traffic control, ports, and water systems,  
          would share information to enable state government to protect  
          and secure important information, data, intellectual property,  
          financial networks, and critical infrastructure.

           Comments
           
          According to the author's office, this bill advances the state's
          overall cybersecurity assessment, preparedness, and response
          systems, promotes cybersecurity information sharing and the use
          of best practices among the private and public sectors, and
          identifies funding and research opportunities.  The author's
          office contends that different elements of the state's  
          cybersecurity are currently fragmented and the CCSC will help  
          the state form a coordinated strategy.

           FISCAL EFFECT  :    Appropriation:  No   Fiscal Com.:  Yes    
          Local:  No


          According to the Senate Appropriations Committee:


           - Ongoing costs in the hundreds of thousands per year to provide
             staff support to the CCSC and to undertake the programmatic
             responsibilities assigned to the CCSC (General Fund).

           - Potential costs in the low millions to provide additional
             training on cybersecurity issues to specified state employees
             (General Fund).

          This bill requires the CCSC to operate within the information  
          technology budget of each department served.  Given the  
          significant programmatic responsibilities that this bill assigns  
          to the CCSC, it does not seem likely that other state agencies  
          would be able to absorb the costs to support the CCSC.

          In recent years, the federal government has made a significant  
          amount of grant funding available to the states for programs and  
          projects relating to cybersecurity.  The extent to which some of
          the requirements of this bill could be funded with existing or
          new federal grant funds is not known.

           SUPPORT  :   (Verified  8/11/14)

          Bay Area Council
          League of California Cities
          PG&E
          Risk and Insurance Management Society
          San Diego Regional Economic Development Corporation 
          SMUD
          Southern California Edison

           OPPOSITION  :    (Verified  8/11/14)

          Office of the San Diego County District Attorney

           ARGUMENTS IN SUPPORT :    The League of California Cities writes  
          that this bill places cybersecurity on more solid footing, with  
          enhanced visibility and importance within the state policymaking  
          arena.  This is an issue of rapidly increasing importance that  
          not only affects the financial data of businesses and personal  
          data of private individuals, but has national security  
          implications - as evidenced by the fact that the U.S. Defense  
          Department has taken a leading role, in part due to concerns  
          about potential cyber-attacks launched by other nations.  Closer  
          to home, California municipalities, to the degree they are  
          digitizing their financial and other data and engaging in  
          electronic transactions, are also at risk, so this is and will
          remain a critical issue for many of our larger cities.

           ARGUMENTS IN OPPOSITION  :    The Office of the San Diego County  
          District Attorney writes, "we believe this proposal is misguided  
          and will have a deleterious effect on the work that is currently  
          being done in this region served by our Computer and Technology  
          Crime High-Tech Response Team (CATCH).  For the past several  
          years, the legislature has decreased our funding, leading to  
          budget uncertainty that jeopardized the very existence of these
          critical teams.  The state even disbanded the Advanced Training  
          Division (ATC), which provided critical training for these task  
          forces.  Incredibly, despite the state's damaging actions over  
          the past several years, our task force has increased  
          investigations and prosecutions.  Now, AB 2200 seeks to deliver  
          what can only be described as a life-threatening blow to the very
          law enforcement groups who are the most knowledgeable about one  
          of the fastest growing and economically threatening criminal  
          trends in our communities."

           ASSEMBLY FLOOR  :  74-3, 5/28/14
          AYES:  Achadjian, Alejo, Allen, Ammiano, Bigelow, Bloom,  
            Bocanegra, Bonilla, Bonta, Bradford, Brown, Buchanan, Ian  
            Calderon, Campos, Chau, Chesbro, Conway, Cooley, Dababneh,  
            Dahle, Daly, Dickinson, Eggman, Fong, Fox, Garcia, Gatto,  
            Gomez, Gonzalez, Gordon, Gorell, Gray, Grove, Hagman, Hall,  
            Harkey, Roger Hernández, Holden, Jones, Jones-Sawyer, Levine,  
            Linder, Logue, Lowenthal, Maienschein, Medina, Melendez,  
            Mullin, Muratsuchi, Nazarian, Nestande, Olsen, Pan, Patterson,  
            Perea, John A. Pérez, V. Manuel Pérez, Quirk, Quirk-Silva,  
            Rendon, Ridley-Thomas, Rodriguez, Salas, Skinner, Stone, Ting,  
            Wagner, Waldron, Weber, Wieckowski, Wilk, Williams, Yamada,  
            Atkins
          NOES:  Donnelly, Beth Gaines, Mansoor
          NO VOTE RECORDED:  Chávez, Frazier, Vacancy


          MW:d  8/16/14   Senate Floor Analyses 

                           SUPPORT/OPPOSITION:  SEE ABOVE

                                   ****  END  ****



