BILL ANALYSIS
AB 1172
Page 1

Date of Hearing: April 30, 2015

ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION
Mike Gatto, Chair
AB 1172 (Chau) - As Introduced February 27, 2015

SUBJECT: California cyber security

SUMMARY: Creates a California Cyber Security Task Force (Task Force) within the Governor's Office of Emergency Services (OES) to act in an advisory capacity and make policy recommendations on cyber security for the State of California. Specifically, this bill:

1) Codifies the existence of the Task Force within OES.

2) Specifies that the membership of the Task Force shall consist of:
   a) The Director of OES, or his or her qualified designee;
   b) The Director of the Department of Technology (CalTech), or his or her qualified designee;
   c) The Attorney General, or his or her qualified designee;
   d) The Adjutant General of the Military Department, or his or her qualified designee;
   e) The Commissioner of the California Highway Patrol, or his or her qualified designee;
   f) A qualified representative of the Public Utilities Commission or California Energy Commission, who shall be appointed by the Governor;
   g) An individual with cyber security expertise, who shall be appointed by the Governor;
   h) An individual with cyber security expertise, who shall be appointed by the Senate Committee on Rules; and
   i) An individual with cyber security expertise, who shall be appointed by the Speaker of the Assembly.

3) Authorizes the Task Force to convene public and private stakeholders to act in an advisory capacity and compile policy recommendations on cyber security for the State of California.

4) Requires the Task Force to complete and issue a report of policy recommendations to the Governor's office and the Legislature on an annual basis, as specified.

5) Requires the Task Force to meet quarterly, or more often as necessitated by emergency circumstances, to ensure that the policy recommendations from the report are implemented and any necessary modifications that may arise are addressed in a timely manner.

6) Authorizes OES and CalTech to conduct the strategic direction of risk assessments performed by the Military Department's Computer Network Defense Team.

7) Creates within OES the position of a State Director of Cyber Security, who shall:
   a) Serve as the Executive Director of the Task Force;
   b) Provide strategic direction for risk assessments performed with state resources;
   c) Complete a risk profile of state assets and capabilities for the purpose of compiling statewide contingency plans including, but not limited to, Emergency Function 18 of the State Emergency Plan;
   d) Act as a point of contact to the federal government and private entities within the state in the event of a declared emergency; and
   e) Be the Governor's OES and CalTech [point person] on cyber security.

8) Requires the Task Force to perform the following functions based on the following priorities:
   a) Develop cyber prevention, defense, and response strategies and define a hierarchy of command within the state for this purpose, including:
      i. Ensuring the continual performance of risk assessments on state information technology (IT) systems, including penetration tests, vulnerability scans, and other industry-standard methods that identify potential risk;
      ii. Creating a risk profile of public assets, critical infrastructure, public networks, and private operations susceptible to cyber-attacks using assessment results and other data; and
      iii. Developing statewide contingency plans including, but not limited to, Emergency Function 18 of the State Emergency Plan.
   b) Partner with the United States Department of Homeland Security to develop an appropriate information sharing system that allows for a controlled and secure process to effectively disseminate cyber threat and response information and data to relevant private and public sector entities;
   c) Provide recommendations for IT security standards for all state agencies using, among other things, protocols established by the National Institute for Standards and Technology (NIST);
   d) Compile and integrate research conducted by academic institutions, federal laboratories, and other cyber security experts into state operations and functions;
   e) Expand the state's public-private cyber security partnership network;
   f) Expand collaboration with the state's law enforcement apparatus assigned jurisdiction to prevent, deter, investigate, and prosecute cyber-attacks and IT crime, including collaboration with entities like the High-Tech Theft Apprehension Program under the Department of Justice, and its five regional task forces, the Department of the California Highway Patrol, and the Attorney General's eCrimes unit; and
   g) Propose potential operational or functional enhancements to the state's cyber security assessment and response capabilities, as well as investment or spending recommendations and guidance for the state's IT budget and procurement.

9) Requires the Task Force to take all necessary steps to protect personal information and privacy, public and private sector data, and the constitutional rights and liberties of individuals, when implementing its duties.

10) Authorizes the Task Force to issue reports to the Governor's office and the Legislature detailing the activities of the Task Force.

11) Authorizes the Task Force to engage or accept the services of agency or department personnel, accept the services of stakeholder organizations, and accept federal, private, or other non-state funding, to operate, manage, or conduct the business of the Task Force.

12) Requires each state department and agency to cooperate with the Task Force and furnish it with information and assistance that is necessary or useful.

13) Declares the provisions enacted by this bill to be inoperative and repealed as of January 1, 2020.

EXISTING LAW:

1) Establishes CalTech within the Government Operations Agency, headed by the Director of Technology, who is also known as the State Chief Information Officer. CalTech is responsible for the approval and oversight of IT projects by, among other things, consulting with agencies during initial project planning to ensure that project proposals are based on well-defined programmatic needs. (Government Code (GC) Sections 11545, 12803.2)

2) Requires each state agency to have a chief information officer who is appointed by the head of the state entity and is responsible for supervising all IT, including information security. (GC 11546.1)

3) Establishes the Office of Information Security (OIS) within the Department of Technology (CalTech), which is responsible for ensuring the confidentiality, integrity, and availability of state systems and applications. The law requires the OIS to develop an information security program and establish policies, standards, and procedures directing state agencies to effectively manage security and risk. (GC 11549, et seq.)

4) Establishes an information security program within OIS, which is responsible for information security and privacy policies for state agencies in the State Administrative Manual, and for policies that pertain to security and risk management, tracking of security and privacy incidents, agency disaster recovery plans, coordination with other agencies, agency compliance, promotion of risk management and privacy programs, and representation of the state on matters related to information security and privacy. (GC 11549.3(a-b))

5) Authorizes OIS to conduct, or require to be conducted, independent security assessments of any state agency, department, or office, the cost of which shall be funded by the state agency, department, or office being assessed. (GC 11549.3(c))

6) Authorizes OIS to require an audit of information security to ensure program compliance, the cost of which shall be funded by the state agency, department, or office being audited, and requires the office to report to CalTech any state agency found to be noncompliant with information security program requirements. (GC 11549.3(d-e))

FISCAL EFFECT: Unknown

COMMENTS:

1) Purpose of this bill. This bill is intended to set forth in statute a formal structure and responsibilities for the Task Force, which is currently functioning as an ad hoc advisory body under OES. AB 1172 is author-sponsored.

2) Author's statement. According to the author, "As our state's operations become more digitally connected, [the state] is more vulnerable to both foreign and domestic cyber-attacks. Recent cyber-attacks on private and public entities have shown that these attacks are growing in number and are becoming increasingly sophisticated. These attacks can originate not just from individual hackers, but from crime networks, foreign governments, and even terrorist[s]. Such attacks, if successful, could wreak havoc on the state by shutting down critical infrastructure, crippling public and private industries, and causing widespread economic harm and potentially loss of life.

"Unfortunately, the state's overall capability to coordinate and respond to cyber-attacks in both the public and private sector is fragmented. Currently, the state's cybersecurity responsibilities are administered by the Department of Technology's Information Security Office. In addition, the Office of Emergency Services is responsible for critical infrastructure protection and related emergency response matters.

"AB 1172 would codify the Governor's existing Cybersecurity Task force under the Governor's Office of Emergency Services. The bill creates a State Director of Cyber Security to oversee the taskforce. The taskforce will meet quarterly and consist of members from government, private industries, and academia. The taskforce will develop a comprehensive cybersecurity strategy to assess and enhance the state's preparedness and response capabilities to cyber-attacks."

3) California and the cyber security threat. According to the California Military Department (CMD), California's size and prominence make it vulnerable to cyber incidents that disrupt business, shut down critical infrastructure, and compromise intellectual property or national security. In 2012, 17% of the data breaches recorded in the United States took place in California - more than any other state; and the number of reported breaches in California increased by 28% in 2013. California leads the nation in high tech employment and cyber innovation, with 40% of all U.S. venture capital investment in cyber residing here. CMD calls cybercrime "a growth industry" causing $400 billion in negative impacts annually on the global economy. Thirty percent of all cyber-attacks and other malicious activity are targeted at the government, making these networks and systems the most vulnerable target of cybercrime. According to CMD, the State of California is extremely vulnerable to cyber incidents that can disrupt industry, compromise personal information, shut down critical infrastructure, and compromise intellectual property or national security. A targeted attack on critical infrastructure and key resources could cause up to $1 billion of economic impact to California each day until services are restored.

However, successful attacks against state government networks have not been overwhelming, at least not yet. According to a March 5, 2015, article by the Brookings Institute, "[a]t present, government has been less affected by security breaches than the private sector. By late 2014, The Privacy Rights Clearinghouse (which maintains a list of all publicly reported data breaches) recorded only 27 incidents involving government entities which included a data breach involving 800,000 employees and 2.9 million customers at the U.S. Postal Service, 850,000 job seekers in Oregon, and background data on 25,000 underground investigators at the U.S. Department of Homeland Security."

Nevertheless, there have been substantial efforts at the federal level and across the country to better prepare for cyber-attacks. In February 2013, President Obama signed Executive Order 13636, which calls for the development of what NIST called "a voluntary risk-based Cybersecurity Framework - a set of industry standards and best practices to help organizations manage cybersecurity risks. The resulting Framework, created through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses." In response, NIST issued its policy recommendations in February 2014.

Shortly after the release of EO 13636, Governor Brown convened the California Cyber Security Task Force in May 2013 to assess departmental technology systems and assemble key stakeholders to discuss cyber security issues, to ensure that the state was adequately prepared to protect and respond to potential cyber-attacks on the state's systems. The Task Force was created by executive action with no corresponding basis in statute, and remains in operation today.

4) The work of the existing Task Force. OES and CalTech, acting at the direction of Governor Brown, created the Task Force to be "a statewide partnership comprised of key stakeholders, subject matter experts, [federal agencies], and cyber security professionals from California's public sector, private industry, academia, and law enforcement. The Task Force serves as an advisory body to the State of California Senior Administration Officials in matters related to Cybersecurity." The Task Force holds public meetings once per quarter. Its express mission is to "enhance the security of California digital infrastructure and to create a culture of cybersecurity through collaboration, information sharing, and education and awareness."

The Task Force operates as an advisory body only - it has no formal authority, it takes no votes, it has no budget, and its membership is open and voluntary. It is currently comprised of seven subcommittees: risk mitigation; information sharing; workforce development and education; economic development; emergency preparedness; legislation and funding; and high tech and digital forensics. According to an October 2013 article in Techwire, "[i]n the few months since the task force formed, approximately 50 entities have joined the effort, including representatives from the National Fusion Center Association (NFCA), the FBI, the Sacramento Utility District, Cyber Watch West (CWW), and private companies such as Verizon, Bank of America and Symantec."

5) Practical considerations for the Committee. Practically speaking, this bill would codify a structure and set of responsibilities for a Cyber Security Task Force that are slightly different from the way the Task Force currently operates. As noted above, the major provisions of this bill are the specification of the membership; the creation of a State Director of Cyber Security; explication of seven major sets of responsibilities; meeting and report requirements; and a sunset date of January 1, 2020.

This bill does not grant the Task Force specific powers vis-à-vis other executive agencies, and the question of voting power is not addressed. Presumably, then, the Task Force would remain advisory in nature and without authority to take action beyond what is delegated to it by other agencies. However, this point is not entirely clear, as the bill does require state agencies and departments to "cooperate" with the Task Force and "furnish it with information and assistance that is necessary or useful to further the purposes" of the bill.

Furthermore, if the Task Force does not exercise power or take votes, then there is some question as to the utility of specifying membership, which would appear to exclude other parties from being formal members of the Task Force (the current Task Force has over 300 members ranging from representatives of state and federal agencies to private individuals).

It is important to note that this bill is not sponsored by any executive branch agency associated with the existing Task Force, and no executive-branch agency has taken a formal position on the bill. There is also no formal support or opposition, although the California State Sheriffs' Association (CSSA) has taken a 'support if amended' position if the bill is changed to add a representative to the Task Force who is selected by CSSA.

6) Related legislation. AB 670 (Irwin) would require CalTech to conduct security assessments of the IT resources of every state agency, department, or office at least once every two years. AB 670 is currently pending in the Assembly Appropriations Committee.

AB 739 (Irwin) would require the Attorney General to create a registry of private entities that intend to engage in communication of cyber security-threat information, and would further provide that there is no civil or criminal liability for a registered entity based upon its communication of cyber security-threat information to another public or private entity. AB 739 is currently pending in the Assembly Judiciary Committee.

7) Prior legislation. AB 2200 (Perez) of 2014 would have created a thirteen-member California Cyber Security Steering Committee within OES, and would have continued the existence of the California Cyber Security Task Force until January 1, 2020. This bill was held at the Assembly Desk.

SB 1286 (Corbett) of 2014 would have raised from $35 million to $65 million the amount that the Public Utilities Commission may devote to research and development projects for the purposes of cyber security and grid integration. This bill was held in the Senate Rules Committee.

AB 1620 (Rodriguez) of 2014 would have established in state government the California Emergency Management and Disaster Preparedness Commission as a statewide executive-level commission to assess and improve the condition of the state's emergency preparedness, management, and disaster recovery capabilities. This bill was vetoed by Governor Brown.

REGISTERED SUPPORT / OPPOSITION:

Support
None on file.

Opposition
None on file.

Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200