Amended in Senate July 2, 2015

California Legislature—2015–16 Regular Session

Assembly Bill No. 1172


Introduced by Assembly Member Chau

[begin insert](Coauthor: Assembly Member Cooper)[end insert]

February 27, 2015


An act to add and repeal Article 3.9 (commencing with Section 8574.50) of Chapter 7 of Division 1 of Title 2 of the Government Code, relating to cyber security.

LEGISLATIVE COUNSEL’S DIGEST

AB 1172, as amended, Chau. California cyber security.

Existing law establishes various advisory boards and commissions in state government with specified duties and responsibilities. Existing law establishes in state government the Governor’s Office of Emergency Services and the Department of Technology.

This bill would continue in existence the California Cyber Security Task Force, consisting of specified members, previously created by the Governor’s Office of Emergency Services and the Department of Technology, in the Governor’s Office of Emergency Services. This bill would authorize the task force to convene stakeholders to act in an advisory capacity and compile policy recommendations on cyber security for the state. The bill would require the task force to meet quarterly, or more often as necessitated by emergency circumstances. This bill would require the task force to complete and issue a report of policy recommendations to the Governor’s office and the Legislature. This bill would also require the task force to perform specified functions relating to cyber security. This bill would create a State Director of Cyber Security with specified duties within the Governor’s Office of Emergency Services. This bill would repeal these provisions on January 1, 2020.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1. Article 3.9 (commencing with Section 8574.50) is added to Chapter 7 of Division 1 of Title 2 of the Government Code, to read:

Article 3.9. California Cyber Security

8574.50. (a) There is hereby continued in existence the California Cyber Security Task Force, created in 2013 by the Governor’s Office of Emergency Services and the Department of Technology, in the Governor’s Office of Emergency Services.

(b) The California Cyber Security Task Force shall consist of the following members:

(1) The Director of Emergency Services, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Office of Emergency Services’ information technology and information security duties.

(2) The Director of the Department of Technology, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the director’s information technology and information security duties set forth in Chapter 5.6 (commencing with Section 11545).

(3) The Attorney General, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Department of Justice’s information technology and information security.

(4) The Adjutant General of the Military Department, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Military Department’s information technology and information security.

(5) The Commissioner of the California Highway Patrol, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Department of the California Highway Patrol’s information technology and information security.

(6) A representative of the Public Utilities Commission or California Energy Commission with knowledge, expertise, and decisionmaking authority with respect to information technology and information security, who shall be appointed by the Governor.

(7) [begin delete]An individual with cyber security expertise,[end delete] [begin insert]A representative from the utility or energy industry,[end insert] who shall be appointed by the Governor.

(8) [begin delete]An individual with cyber security expertise,[end delete] [begin insert]A representative from law enforcement,[end insert] who shall be appointed by the [begin delete]Senate Committee on Rules.[end delete] [begin insert]Governor.[end insert]

(9) [begin delete]An individual[end delete] [begin insert]Three individuals[end insert] with cyber security expertise, who shall be [begin delete]appointed[end delete] [begin insert]appointed, one each,[end insert] by [begin insert]the Governor, the Senate Rules Committee, and[end insert] the Speaker of the Assembly.

(c) The California Cyber Security Task Force may convene stakeholders, both public and private, to act in an advisory capacity and compile policy recommendations on cyber security for the State of California. The California Cyber Security Task Force shall complete and issue a report of policy recommendations to the Governor’s office and the Legislature on an annual basis. The report shall be completed in compliance with Section 9795.

(d) The California Cyber Security Task Force shall meet quarterly, or more often as necessitated by emergency circumstances, within existing resources to ensure that the policy recommendations from the report are implemented and any necessary modifications that may arise are addressed in a timely manner.

(e) The Governor’s Office of Emergency Services and the Department of Technology may conduct the strategic direction of risk assessments performed by the Military Department’s Computer Network Defense Team as budgeted in Item 8940-001-0001 of the Budget Act of 2014.

8574.51. There is within the Governor’s Office of Emergency Services a State Director of Cyber Security, [begin insert]appointed by the Governor and confirmed by the Senate,[end insert] who shall do all of the following:

(a) Be the Executive Director of the California Cyber Security Task Force.

(b) Provide strategic direction of risk assessments performed with state resources.

(c) Complete a risk profile of state assets and capabilities for the purpose of compiling statewide contingency plans including, but not limited to, Emergency Function 18 of the State Emergency Plan.

(d) Act as point of contact to the federal government and private entities within the state in the event of a relevant emergency as declared by the Governor.

(e) Be [begin insert]an adviser to[end insert] the Governor’s Office of Emergency Services and the Department of Technology on cyber security.

8574.52. The Cyber Security Task Force shall perform the following functions based on the following priorities:

(a) Develop within state government cyber prevention, defense, and response strategies and [begin delete]defining[end delete] [begin insert]define[end insert] a hierarchy of command within the state for this purpose. This duty includes, but is not limited to, the following activities:

(1) Ensuring the continual performance of risk assessments on state information technology systems. The assessments shall include penetration tests, vulnerability scans, and other industry-standard methods that identify potential risk.

(2) Using assessment results and other state-level data to create a risk profile of public assets, critical infrastructure, public networks, and private operations susceptible to cyber-attacks. The risk profile shall include the development of statewide contingency plans including, but not limited to, Emergency Function 18 of the State Emergency Plan.

(b) Partner with the United States Department of Homeland Security to develop an appropriate information sharing system that allows for a controlled and secure process to effectively disseminate cyber threat and response information and data to relevant private and public sector entities. This information sharing system shall reflect state priorities and target identified threat and capability gaps.

(c) Provide recommendations for information technology security standards for all state agencies using, among other things, protocols established by the National Institute for Standards and Technology and reflective of appropriate state priorities.

(d) Compile and integrate, as appropriate, the research conducted by academic institutions, federal laboratories, and other cyber security experts into state operations and functions.

(e) Expand the state’s public-private cyber security partnership network.

(f) Expand collaboration with the state’s law enforcement apparatus assigned jurisdiction to prevent, deter, investigate, and prosecute cyber attacks and information technology crime, including collaboration with entities like the High-Tech Theft Apprehension Program, and its five regional task forces, the Department of the California Highway Patrol, and the Attorney General’s eCrimes unit. Collaboration shall include information sharing that will enhance their capabilities including assistance to better align their activities with federal and local resources, provide additional resources, and extend their efforts into regions of the state not currently represented.

(g) Propose, where appropriate, potential operational or functional enhancement to the state’s cyber security assessment and response capabilities, as well as investment or spending recommendation and guidance for the state’s information technology budget and procurement.

8574.53. The California Cyber Security Task Force shall take all necessary steps to protect personal information and privacy, public and private sector data, and the constitutional rights and liberties of individuals, when implementing its duties.

8574.54. (a) The California Cyber Security Task Force may issue reports, in addition to the report described in subdivision (c) of Section 8574.51, to the Governor’s office and the Legislature detailing the activities of the task force, including, but not limited to, progress on the California Cyber Security Task Force’s various tasks and actions taken and recommended in response to an incident, as appropriate.

(b) The reports shall be submitted in compliance with Section 9795.

8574.55. The California Cyber Security Task Force may engage or accept the services of agency or department personnel, accept the services of stakeholder organizations, and accept federal, private, or other nonstate funding, to operate, manage, or conduct the business of the California Cyber Security Task Force.

8574.56. Each department and agency shall cooperate with the California Cyber Security Task Force and furnish it with information and assistance that is necessary or useful to further the purposes of this article.

8574.57. This article shall become inoperative on January 1, 2020, and shall be repealed as of that date.


