Amended in Senate August 31, 2015

Amended in Senate July 2, 2015

California Legislature—2015–16 Regular Session

Assembly Bill No. 1172


Introduced by Assembly Member Chau

(Coauthor: Assembly Member Cooper)

February 27, 2015


An act to add and repeal Article 3.9 (commencing with Section 8574.50) of Chapter 7 of Division 1 of Title 2 of the Government Code, relating to cyber security.

LEGISLATIVE COUNSEL’S DIGEST

AB 1172, as amended, Chau. California cyber security.

Existing law establishes various advisory boards and commissions in state government with specified duties and responsibilities. Existing law establishes in state government the Governor’s Office of Emergency Services and the Department of Technology.

This bill would continue in existence the California Cyber Security Task Force, consisting of specified members, previously created by the Governor’s Office of Emergency Services and the Department of Technology, in the Governor’s Office of Emergency Services. The bill would authorize the task force to convene stakeholders to act in an advisory capacity and compile policy recommendations on cyber security for the state. The bill would require the task force to meet quarterly, or more often as necessitated by emergency circumstances. The bill would require the task force to complete and issue a report of policy recommendations to the Governor’s office and the Legislature. The bill would also require the task force to perform specified functions relating to cyber security. The bill would create a State Director of Cyber Security with specified duties within the Governor’s Office of Emergency Services. The bill would repeal these provisions on January 1, 2020.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1.  Article 3.9 (commencing with Section 8574.50) is added to Chapter 7 of Division 1 of Title 2 of the Government Code, to read:

Article 3.9.  California Cyber Security

8574.50.  (a) There is hereby continued in existence the California Cyber Security Task Force, created in 2013 by the Governor’s Office of Emergency Services and the Department of Technology, in the Governor’s Office of Emergency Services.

(b) The California Cyber Security Task Force shall consist of the following members:

(1) The Director of Emergency Services, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Office of Emergency Services’ information technology and information security duties.

(2) The Director of the Department of Technology, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the director’s information technology and information security duties set forth in Chapter 5.6 (commencing with Section 11545).

(3) The Attorney General, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Department of Justice’s information technology and information security.

(4) The Adjutant General of the Military Department, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Military Department’s information technology and information security.

(5) The Commissioner of the California Highway Patrol, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Department of the California Highway Patrol’s information technology and information security.

(6) A representative of the Public Utilities Commission or California Energy Commission with knowledge, expertise, and decisionmaking authority with respect to information technology and information security, who shall be appointed by the Governor.

(7) A representative from the utility or energy industry, who shall be appointed by the Governor.

(8) A representative from law enforcement, who shall be appointed by the Governor.

(9) Three individuals with cyber security expertise, who shall be appointed, one each, by the Governor, the Senate Rules Committee, and the Speaker of the Assembly.

(c) The California Cyber Security Task Force may convene stakeholders, both public and private, to act in an advisory capacity and compile policy recommendations on cyber security for the State of California. The California Cyber Security Task Force shall complete and issue a report of policy recommendations to the Governor’s office and the Legislature on an annual basis. The report shall be completed in compliance with Section 9795.

(d) The California Cyber Security Task Force shall meet quarterly, or more often as necessitated by emergency circumstances, within existing resources to ensure that the policy recommendations from the report are implemented and any necessary modifications that may arise are addressed in a timely manner.

(e) The Governor’s Office of Emergency Services and the Department of Technology may conduct the strategic direction of risk assessments performed by the Military Department’s Computer Network Defense Team as budgeted in Item 8940-001-0001 of the Budget Act of 2014.

8574.51.  There is within the Governor’s Office of Emergency Services a State Director of Cyber Security, appointed by the Governor and subject to Senate confirmation, who shall do all of the following:

(a) Be the Executive Director of the California Cyber Security Task Force.

(b) Provide strategic direction of risk assessments performed with state resources.

(c) Complete a risk profile of state assets and capabilities for the purpose of compiling statewide contingency plans including, but not limited to, Emergency Function 18 of the State Emergency Plan.

(d) Act as point of contact to the federal government and private entities within the state in the event of a relevant emergency as declared by the Governor.

(e) Be an adviser to the Governor’s Office of Emergency Services and the Department of Technology on cyber security.

8574.52.  The Cyber Security Task Force shall perform the following functions based on the following priorities:

(a) Develop within state government cyber prevention, defense, and response strategies and define a hierarchy of command within the state for this purpose. This duty includes, but is not limited to, the following activities:

(1) Ensuring the continual performance of risk assessments on state information technology systems. The assessments shall include penetration tests, vulnerability scans, and other industry-standard methods that identify potential risk.

(2) Using assessment results and other state-level data to create a risk profile of public assets, critical infrastructure, public networks, and private operations susceptible to cyber-attacks. The risk profile shall include the development of statewide contingency plans including, but not limited to, Emergency Function 18 of the State Emergency Plan.

(b) Partner with the United States Department of Homeland Security to develop an appropriate information sharing system that allows for a controlled and secure process to effectively disseminate cyber threat and response information and data to relevant private and public sector entities. This information sharing system shall reflect state priorities and target identified threat and capability gaps.

(c) Provide recommendations for information technology security standards for all state agencies using, among other things, protocols established by the National Institute for Standards and Technology and reflective of appropriate state priorities.

(d) Compile and integrate, as appropriate, the research conducted by academic institutions, federal laboratories, and other cyber security experts into state operations and functions.

(e) Expand the state’s public-private cyber security partnership network.

(f) Expand collaboration with the state’s law enforcement apparatus assigned jurisdiction to prevent, deter, investigate, and prosecute cyber attacks and information technology crime, including collaboration with entities like the High-Tech Theft Apprehension Program, and its five regional task forces, the Department of the California Highway Patrol, and the Attorney General’s eCrimes unit. Collaboration shall include information sharing that will enhance their capabilities including assistance to better align their activities with federal and local resources, provide additional resources, and extend their efforts into regions of the state not currently represented.

(g) Propose, where appropriate, potential operational or functional enhancement to the state’s cyber security assessment and response capabilities, as well as investment or spending recommendation and guidance for the state’s information technology budget and procurement.

8574.53.  The California Cyber Security Task Force shall take all necessary steps to protect personal information and privacy, public and private sector data, and the constitutional rights and liberties of individuals, when implementing its duties.

8574.54.  (a) The California Cyber Security Task Force may issue reports, in addition to the report described in subdivision (c) of Section 8574.51, to the Governor’s office and the Legislature detailing the activities of the task force, including, but not limited to, progress on the California Cyber Security Task Force’s various tasks and actions taken and recommended in response to an incident, as appropriate.

(b) The reports shall be submitted in compliance with Section 9795.

8574.55.  The California Cyber Security Task Force may engage or accept the services of agency or department personnel, accept the services of stakeholder organizations, and accept federal, private, or other nonstate funding, to operate, manage, or conduct the business of the California Cyber Security Task Force.

8574.56.  Each department and agency shall cooperate with the California Cyber Security Task Force and furnish it with information and assistance that is necessary or useful to further the purposes of this article.

8574.57.  This article shall become inoperative on January 1, 2020, and shall be repealed as of that date.


