BILL ANALYSIS



                                                                    AB 1172


                                                                    Page  1





          Date of Hearing:  April 30, 2015


                ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION


                                  Mike Gatto, Chair


          AB 1172  
          (Chau) - As Introduced February 27, 2015


          SUBJECT:  California cyber security


          SUMMARY:  Creates a California Cyber Security Task Force (Task  
          Force) within the Governor's Office of Emergency Services (OES)  
          to act in an advisory capacity and make policy recommendations  
          on cyber security for the State of California. Specifically,  
          this bill:  


          1)Codifies the existence of the Task Force within OES.

          2)Specifies that the membership of the Task Force shall consist  
            of:



             a)   The Director of OES, or his or her qualified designee;

             b)   The Director of the Department of Technology (CalTech),  
               or his or her qualified designee; 



             c)   The Attorney General, or his or her qualified designee;



             d)   The Adjutant General of the Military Department, or his  
               or her qualified designee; 



             e)   The Commissioner of the California Highway Patrol, or  
               his or her qualified designee;



             f)   A qualified representative of the Public Utilities  
               Commission or California Energy Commission, who shall be  
               appointed by the Governor;



             g)   An individual with cyber security expertise, who shall  
               be appointed by the Governor;



             h)   An individual with cyber security expertise, who shall  
               be appointed by the Senate Committee on Rules; and



             i)   An individual with cyber security expertise, who shall  
               be appointed by the Speaker of the Assembly.





          3)Authorizes the Task Force to convene public and private  
            stakeholders to act in an advisory capacity and compile policy  
            recommendations on cyber security for the State of California.  



          4)Requires the Task Force to complete and issue a report of  
            policy recommendations to the Governor's office and the  
            Legislature on an annual basis, as specified.



          5)Requires the Task Force to meet quarterly, or more often as  
            necessitated by emergency circumstances, to ensure that the  
            policy recommendations from the report are implemented and any  
            necessary modifications that may arise are addressed in a  
            timely manner. 



          6)Authorizes OES and CalTech to provide strategic direction for  
            risk assessments performed by the Military Department's  
            Computer Network Defense Team.

          7)Creates within OES the position of a State Director of Cyber  
            Security, who shall:



             a)   Serve as the Executive Director of the Task Force;



             b)   Provide strategic direction for risk assessments  
               performed with state resources;



             c)   Complete a risk profile of state assets and capabilities  
               for the purpose of compiling statewide contingency plans  
               including, but not limited to, Emergency Function 18 of the  
               State Emergency Plan.



             d)   Act as a point of contact to the federal government and  
               private entities within the state in the event of a  
               declared emergency.

             e)   Be the Governor's OES and CalTech [point person] on  
               cyber security.





          8)Requires the Task Force to perform the following functions,  
            listed in order of priority:



             a)   Develop cyber prevention, defense, and response  
               strategies and define a hierarchy of command within the  
               state for this purpose, including:

                i.     Ensuring the continual performance of risk  
                 assessments on state information technology (IT) systems,  
                 including penetration tests, vulnerability scans, and  
                 other industry-standard methods that identify potential  
                 risk;



                ii.    Creating a risk profile of public assets, critical  
                 infrastructure, public networks, and private operations  
                 susceptible to cyber-attacks using assessment results and  
                 other data; and  



                iii.   Developing statewide contingency plans including,  
                 but not limited to, Emergency Function 18 of the State  
                 Emergency Plan.



             b)   Partner with the United States Department of Homeland  
               Security to develop an appropriate information sharing  
               system that allows for a controlled and secure process to  
               effectively disseminate cyber threat and response  
               information and data to relevant private and public sector  
               entities;  



             c)   Provide recommendations for IT security standards for  
               all state agencies using, among other things, protocols  
               established by the National Institute of Standards and  
               Technology (NIST);



             d)   Compile and integrate research conducted by academic  
               institutions, federal laboratories, and other cyber  
               security experts into state operations and functions;



             e)   Expand the state's public-private cyber security  
               partnership network; 



             f)   Expand collaboration with the state's law enforcement  
               apparatus assigned jurisdiction to prevent, deter,  
               investigate, and prosecute cyber-attacks and  IT crime,  
               including collaboration with entities like the High-Tech  
               Theft Apprehension Program under the Department of Justice,  
               and its five regional task forces, the Department of the  
               California Highway Patrol, and the Attorney General's  
               eCrimes unit; and  



             g)   Propose potential operational or functional enhancements  
               to the state's cyber security assessment and response  
               capabilities, as well as investment or spending  
               recommendations and guidance for the state's  IT budget and  
               procurement.

          9)Requires the Task Force to take all necessary steps to protect  
            personal information and privacy, public and private sector  
            data, and the constitutional rights and liberties of  
            individuals, when implementing its duties.

          10)Authorizes the Task Force to issue reports to the Governor's  
            office and the Legislature detailing the activities of the  
            task force.

          11)Authorizes the Task Force to engage or accept the services of  
            agency or department personnel, accept the services of  
            stakeholder organizations, and accept federal, private, or  
            other non-state funding, to operate, manage, or conduct the  
            business of the Task Force.

          12)Requires each state department and agency to cooperate with  
            the Task Force and furnish it with information and assistance  
            that is necessary or useful.

          13)Declares the provisions enacted by this bill to be  
            inoperative and repealed as of January 1, 2020.

          EXISTING LAW:  


          1)Establishes CalTech within the Government Operations Agency,  
            headed by the Director of Technology who is also known as the  
            State Chief Information Officer.  CalTech is responsible for  
            the approval and oversight of IT projects by, among other  
            things, consulting with agencies during initial project  
            planning to ensure that project proposals are based on  
            well-defined programmatic needs. (Government Code (GC)  
            Sections 11545, 12803.2)


          2)Requires each state agency to have a chief information officer  
            who is appointed by the head of the state entity, and is  
            responsible for supervising all IT, including information  
            security.  (GC 11546.1)


          3)Establishes the Office of Information Security (OIS) within  
            CalTech, which is responsible for ensuring the confidentiality,  
            integrity, and availability of state systems and applications.  
            The law requires the OIS to develop an information security  
            program and establish policies, standards, and procedures  
            directing state agencies to effectively manage security and  
            risk.  (GC 11549, et seq.)



          4)Establishes an information security program within OIS, which  
            is responsible for information security and privacy policies  
            for state agencies in the State Administrative Manual, and for  
            policies that pertain to security and risk management,  
            tracking of security and privacy incidents, agency disaster  
            recovery plans, coordination with other agencies, agency  
            compliance, promotion of risk management and privacy programs,  
            and representation of the state on matters related to  
            information security and privacy. (GC 11549.3(a-b))



          5)Authorizes OIS to conduct, or require to be conducted,  
            independent security assessments of any state agency,  
            department, or office, the cost of which shall be funded by  
            the state agency, department or office being assessed. (GC  
            11549.3(c))





          6)Authorizes OIS to require an audit of information security to  
            ensure program compliance, the cost of which shall be funded  
            by the state agency, department, or office being audited, and  
            requires the office to report to CalTech any state agency  
            found to be noncompliant with information security program  
            requirements. (GC 11549.3(d-e))



          FISCAL EFFECT:  Unknown


          COMMENTS:  


           1)Purpose of this bill.  This bill is intended to set forth in  
            statute a formal structure and responsibilities for the Task  
            Force, which is currently functioning as an ad hoc advisory  
            body under OES.  AB 1172 is author-sponsored. 


           2)Author's statement.  According to the author, "As our state's  
            operations become more digitally connected, [the state] is  
            more vulnerable to both foreign and domestic cyber-attacks.   
            Recent cyber-attacks on private and public entities have shown  
            that these attacks are growing in number and are becoming  
            increasingly sophisticated.  These attacks can originate not  
            just from individual hackers, but from crime networks, foreign  
            governments, and even terrorist[s].  Such attacks, if  
            successful, could wreak havoc on the state by shutting down  
            critical infrastructure, crippling public and private  

            industries, and causing widespread economic harm and  
            potentially loss of life. 





            "Unfortunately, the state's overall capability to coordinate  
            and respond to cyber-attacks in both the public and private  
            sector is fragmented.  Currently, the state's cybersecurity  
            responsibilities are administered by the Department of  
            Technology's Information Security Office.  In addition, the  
            Office of Emergency Services is responsible for critical  
            infrastructure protection and related emergency response  
            matters.  



            "AB 1172 would codify the Governor's existing Cybersecurity  
            Task force under the Governor's Office of Emergency Services.   
            The bill creates a State Director of Cyber Security to oversee  
            the taskforce.  The taskforce will meet quarterly and consist  
            of members from government, private industries, and academia.   
            The taskforce will develop a comprehensive cybersecurity  
            strategy to assess and enhance the state's preparedness and  
            response capabilities to cyber-attacks."



           3)California and the cyber security threat.  According to the  
            California Military Department (CMD), California's size and  
            prominence make it vulnerable to cyber incidents that disrupt  
            business, shut down critical infrastructure, and compromise  
            intellectual property or national security.  In 2012, 17% of  
            the data breaches recorded in the United States took place in  
            California - more than any other state; and the number of  
            reported breaches in California increased by 28% in 2013.   
            California leads the nation in high tech employment and cyber  
            innovation, with 40% of all U.S. venture capital investment in  
            cyber residing here.     

          CMD calls cybercrime "a growth industry" causing $400 billion in  
            negative impacts annually on the global economy.  Thirty  
            percent of all cyber-attacks and other malicious activity are  
            targeted at the government, making these networks and systems  
            the most vulnerable target of cybercrime.  

          According to CMD, the State of California is extremely  
            vulnerable to cyber incidents that can disrupt industry,  
            compromise personal information, shut down critical  
            infrastructure, and compromise intellectual property or  
            national security.  A targeted attack on critical  
            infrastructure and key resources could cause up to $1 billion  
            in economic impact to California each day until services are  
            restored.  



            However, successful attacks against state government networks  
            have not been overwhelming, at least not yet.  According to a  
            March 5, 2015, article by the Brookings Institution, "[a]t  
            present, government has been less affected by security  
            breaches than the private sector.  By late 2014, The Privacy  
            Rights Clearinghouse (which maintains a list of all publicly  
            reported data breaches) recorded only 27 incidents involving  
            government entities which included a data breach involving  
            800,000 employees and 2.9 million customers at the U.S. Postal  
            Service, 850,000 job seekers in Oregon, and background data on  
            25,000 underground investigators at the U.S. Department of  
            Homeland Security."





            Nevertheless, there have been substantial efforts at the  
            federal level and across the country to better prepare for  
            cyber-attacks.  In February 2013, President Obama signed  
            Executive Order 13636, which calls for the development of what  
            NIST called "a voluntary risk-based Cybersecurity Framework -  
            a set of industry standards and best practices to help  
            organizations manage cybersecurity risks.  The resulting  
            Framework, created through collaboration between government  
            and the private sector, uses a common language to address and  
            manage cybersecurity risk in a cost-effective way based on  
            business needs without placing additional regulatory  
            requirements on businesses."  NIST issued version 1.0 of the  
            Framework in February 2014. 



            Shortly after the release of EO 13636, Governor Brown convened  
            the California Cyber Security Task Force in May 2013 to assess  
            departmental technology systems and assemble key stakeholders  
            to discuss cyber security issues to ensure that the state was  
            adequately prepared to protect and respond to potential  
            cyber-attacks on the state's systems.  The Task Force was  
            created by executive action with no corresponding basis in  
            statute, and remains in operation today. 



           4)The work of the existing Task Force.  OES and CalTech, acting  
            at the direction of Governor Brown, created the Task Force to  
            be "a statewide partnership comprised of key stakeholders,  
            subject matter experts, [federal agencies], and cyber security  
            professionals from California's public sector, private  
            industry, academia, and law enforcement.  The Task Force  
            serves as an advisory body to the State of California Senior  
            Administration Officials in matters related to Cybersecurity."  
             The Task Force holds public meetings once per quarter.  Its  
            express mission is to "enhance the security of California  
            digital infrastructure and to create a culture of  
            cybersecurity through collaboration, information sharing, and  
            education and awareness."

          The Task Force operates as an advisory body only - it has no  
            formal authority, it takes no votes, it has no budget, and its  
            membership is open and voluntary.  It is currently comprised  
            of seven subcommittees: risk mitigation; information sharing;  
            workforce development and education; economic development;  
            emergency preparedness; legislation and funding; and high tech  
            and digital forensics. 

          According to an October 2013 article in Techwire, "[i]n the few  
            months since the task force formed, approximately 50 entities  
            have joined the effort, including representatives from the  
            National Fusion Center Association (NFCA), the FBI, the  
            Sacramento Utility District, Cyber Watch West (CWW), and  
            private companies such as Verizon, Bank of America and  
            Symantec."

           5)Practical considerations for the Committee.  Practically  
            speaking, this bill would codify a structure and set of  
            responsibilities for a Cyber Security Task Force that are  
            slightly different from the way the Task Force currently  
            operates.  



          As noted above, the major provisions of this bill are the  
            specification of the membership; the creation of a State  
            Director of Cyber Security; explication of seven major sets of  
            responsibilities; meeting and report requirements; and a  
            sunset date of January 1, 2020. 

            This bill does not grant the Task Force specific powers  
            vis-à-vis other executive agencies, and the question of voting  
            power is not addressed.  Presumably then, the Task Force would  
            remain advisory in nature and without authority to take action  
            beyond what is delegated to it by other agencies.  However,  
            this point is not entirely clear, as the bill does require  
            state agencies and departments to "cooperate" with the Task  
            Force and "furnish it with information and assistance that is  
            necessary or useful to further the purposes" of the bill.   



            Furthermore, if the Task Force does not exercise power or take  
            votes, then there is some question as to the utility of  
            specifying membership, which would appear to exclude other  
            parties from being formal members of the Task Force (the  
            current Task Force has over 300 members ranging from  
            representatives of state and federal agencies to private  
            individuals).     

            It is important to note that this bill is not sponsored by any  
            executive branch agency associated with the existing Task  
            Force, and no executive-branch agency has taken a formal  
            position on the bill.  There is also no formal support or  
            opposition, although the California State Sheriffs'  
            Association (CSSA) has taken a 'support if amended' position  
            if the bill is changed to add a representative to the Task  
            Force who is selected by CSSA.      

           6)Related legislation.  AB 670 (Irwin) would require CalTech to  
            conduct security assessments of the IT resources of every  
            state agency, department or office at least once every two  
            years.  AB 670 is currently pending in the Assembly  
            Appropriations Committee.


            AB 739 (Irwin) would require the Attorney General to create a  
            registry of private entities that intend to engage in  
            communication of cyber security-threat information, and would  
            further provide that there is no civil or criminal liability  
            for a registered entity based upon its communication of cyber  
            security-threat information to another public or private  
            entity.  AB 739 is currently pending in the Assembly Judiciary  
            Committee.  


           7)Prior legislation.  AB 2200 (Perez) of 2014 would have created  
            a thirteen member California Cyber Security Steering Committee  
            within OES, and would have continued the existence of the  
            California Cyber Security Task Force until January 1, 2020.   
            This bill was held at the Assembly Desk.



            SB 1286 (Corbett) of 2014 would have raised from $35 million  
            to $65 million the amount that the Public Utilities Commission  
            may devote to research and development projects for the  
            purposes of cyber security and grid integration.  This bill  
            was held in the Senate Rules Committee. 


            AB 1620 (Rodriguez) of 2014 would have established in state  
            government the California Emergency Management and Disaster  
            Preparedness Commission as a statewide executive-level  
            commission to assess and improve the condition of the state's  
            emergency preparedness, management, and disaster recovery  
            capabilities. This bill was vetoed by Governor Brown.



          REGISTERED SUPPORT / OPPOSITION:




          Support


          None on file. 




          Opposition


          None on file. 



          Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200