California Legislature—2015–16 Regular Session

Assembly Bill No. 1172


Introduced by Assembly Member Chau

February 27, 2015


An act to add and repeal Article 3.9 (commencing with Section 8574.50) of Chapter 7 of Division 1 of Title 2 of the Government Code, relating to cyber security.

LEGISLATIVE COUNSEL’S DIGEST

AB 1172, as introduced, Chau. California cyber security.

Existing law establishes various advisory boards and commissions in state government with specified duties and responsibilities. Existing law establishes in state government the Governor’s Office of Emergency Services and the Department of Technology.

This bill would continue in existence the California Cyber Security Task Force, consisting of specified members, previously created by the Governor’s Office of Emergency Services and the Department of Technology, in the Governor’s Office of Emergency Services. This bill would authorize the task force to convene stakeholders to act in an advisory capacity and compile policy recommendations on cyber security for the state. The bill would require the task force to meet quarterly, or more often as necessitated by emergency circumstances. This bill would require the task force to complete and issue a report of policy recommendations to the Governor’s office and the Legislature. This bill would also require the task force to perform specified functions relating to cyber security. This bill would create a State Director of Cyber Security with specified duties within the Governor’s Office of Emergency Services. This bill would repeal these provisions on January 1, 2020.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1. Article 3.9 (commencing with Section 8574.50) is added to Chapter 7 of Division 1 of Title 2 of the Government Code, to read:

Article 3.9. California Cyber Security

8574.50. (a) There is hereby continued in existence the California Cyber Security Task Force, created in 2013 by the Governor’s Office of Emergency Services and the Department of Technology, in the Governor’s Office of Emergency Services.

(b) The California Cyber Security Task Force shall consist of the following members:

(1) The Director of Emergency Services, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Office of Emergency Services’ information technology and information security duties.

(2) The Director of the Department of Technology, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the director’s information technology and information security duties set forth in Chapter 5.6 (commencing with Section 11545).

(3) The Attorney General, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Department of Justice’s information technology and information security.

(4) The Adjutant General of the Military Department, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Military Department’s information technology and information security.

(5) The Commissioner of the California Highway Patrol, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Department of the California Highway Patrol’s information technology and information security.

(6) A representative of the Public Utilities Commission or California Energy Commission with knowledge, expertise, and decisionmaking authority with respect to information technology and information security, who shall be appointed by the Governor.

(7) An individual with cyber security expertise, who shall be appointed by the Governor.

(8) An individual with cyber security expertise, who shall be appointed by the Senate Committee on Rules.

(9) An individual with cyber security expertise, who shall be appointed by the Speaker of the Assembly.

(c) The California Cyber Security Task Force may convene stakeholders, both public and private, to act in an advisory capacity and compile policy recommendations on cyber security for the state of California. The California Cyber Security Task Force shall complete and issue a report of policy recommendations to the Governor’s office and the Legislature on an annual basis. The report shall be completed in compliance with Section 9795.

(d) The California Cyber Security Task Force shall meet quarterly, or more often as necessitated by emergency circumstances, within existing resources to ensure that the policy recommendations from the report are implemented and any necessary modifications that may arise are addressed in a timely manner.

(e) The Governor’s Office of Emergency Services and the Department of Technology may conduct the strategic direction of risk assessments performed by the Military Department’s Computer Network Defense Team as budgeted in Item 8940-001-0001 of the Budget Act of 2014.

8574.51. There is within the Governor’s Office of Emergency Services a State Director of Cyber Security, who shall do all of the following:

(a) Be the Executive Director of the California Cyber Security Task Force.

(b) Provide strategic direction of risk assessments performed with state resources.

(c) Complete a risk profile of state assets and capabilities for the purpose of compiling statewide contingency plans including, but not limited to, Emergency Function 18 of the State Emergency Plan.

(d) Act as point of contact to the federal government and private entities within the state in the event of a relevant emergency as declared by the Governor.

(e) Be the Governor’s Office of Emergency Services and the Department of Technology on cyber security.

8574.52. The Cyber Security Task Force shall perform the following functions based on the following priorities:

(a) Develop within state government cyber prevention, defense, and response strategies and defining a hierarchy of command within the state for this purpose. This duty includes, but is not limited to, the following activities:

(1) Ensuring the continual performance of risk assessments on state information technology systems. The assessments shall include penetration tests, vulnerability scans, and other industry-standard methods that identify potential risk.

(2) Using assessment results and other state-level data to create a risk profile of public assets, critical infrastructure, public networks, and private operations susceptible to cyber-attacks. The risk profile shall include the development of statewide contingency plans including, but not limited to, Emergency Function 18 of the State Emergency Plan.

(b) Partner with the United States Department of Homeland Security to develop an appropriate information sharing system that allows for a controlled and secure process to effectively disseminate cyber threat and response information and data to relevant private and public sector entities. This information sharing system shall reflect state priorities and target identified threat and capability gaps.

(c) Provide recommendations for information technology security standards for all state agencies using, among other things, protocols established by the National Institute for Standards and Technology and reflective of appropriate state priorities.

(d) Compile and integrate, as appropriate, the research conducted by academic institutions, federal laboratories, and other cyber security experts into state operations and functions.

(e) Expand the state’s public-private cyber security partnership network.

(f) Expand collaboration with the state’s law enforcement apparatus assigned jurisdiction to prevent, deter, investigate, and prosecute cyber attacks and information technology crime, including collaboration with entities like the High-Tech Theft Apprehension Program, and its five regional task forces, the Department of the California Highway Patrol, and the Attorney General’s eCrimes unit. Collaboration shall include information sharing that will enhance their capabilities including assistance to better align their activities with federal and local resources, provide additional resources, and extend their efforts into regions of the state not currently represented.

(g) Propose, where appropriate, potential operational or functional enhancement to the state’s cyber security assessment and response capabilities, as well as investment or spending recommendation and guidance for the state’s information technology budget and procurement.

8574.53. The California Cyber Security Task Force shall take all necessary steps to protect personal information and privacy, public and private sector data, and the constitutional rights and liberties of individuals, when implementing its duties.

8574.54. (a) The California Cyber Security Task Force may issue reports, in addition to the report described in subdivision (c) of Section 8574.51, to the Governor’s office and the Legislature detailing the activities of the task force, including, but not limited to, progress on the California Cyber Security Task Force’s various tasks and actions taken and recommended in response to an incident, as appropriate.

(b) The reports shall be submitted in compliance with Section 9795.

8574.55. The California Cyber Security Task Force may engage or accept the services of agency or department personnel, accept the services of stakeholder organizations, and accept federal, private, or other nonstate funding, to operate, manage, or conduct the business of the California Cyber Security Task Force.

8574.56. Each department and agency shall cooperate with the California Cyber Security Task Force and furnish it with information and assistance that is necessary or useful to further the purposes of this article.

8574.57. This article shall become inoperative on January 1, 2020, and shall be repealed as of that date.


