BILL ANALYSIS                                                                                                                                                                                                    



          SENATE COMMITTEE ON GOVERNMENTAL ORGANIZATION
                              Senator Isadore Hall, III
                                        Chair
                                2015 - 2016  Regular 

          Bill No:           AB 1172          Hearing Date:    7/14/2015
           ----------------------------------------------------------------- 
          |Author:    |Chau                                                 |
          |-----------+-----------------------------------------------------|
          |Version:   |7/2/2015    Amended                                  |
           ----------------------------------------------------------------- 
           ------------------------------------------------------------------ 
          |Urgency:   |No                     |Fiscal:      |Yes             |
           ------------------------------------------------------------------ 
           ----------------------------------------------------------------- 
          |Consultant:|Felipe Lopez                                         |
          |           |                                                     |
           ----------------------------------------------------------------- 
          

          SUBJECT: California cyber security.


            DIGEST:    This bill continues in existence the California Cyber  
          Security Task Force (Task Force), created in 2013 by the  
          Governor's Office of Emergency Services (OES) and the Department  
          of Technology (Caltech).

          ANALYSIS:
          
          Existing law:
          
          1)Establishes Caltech, within the Government Operations Agency  
            (GOA). Caltech is generally responsible for the approval and  
            oversight of information technology (IT) projects by, among  
            other things, consulting with state agencies during initial  
            project planning to ensure that project proposals are based  
            on well-defined programmatic needs. 

          2)Establishes, within Caltech, the California Office of  
            Information Security (OIS) under the supervision of the Chief  
            of the Office of Information Security.  Among other powers,  
            OIS may conduct, or require to be conducted, an independent  
            security assessment of any state agency, department, or  
            office, the cost of which is to be funded by the state agency,  
            department, or office being assessed.








          AB 1172 (Chau)                                      Page 2 of ?
          
          
          3)Requires each state agency to have a chief information officer  
            who is appointed by the head of the entity, and is responsible  
            for supervising all IT, including information security. 

          4)Authorizes OIS to require an audit of information security to  
            ensure program compliance, the cost of which shall be funded  
            by the state agency, department, or office being audited, and  
            requires OIS to report to Caltech any state agency found to  
            be noncompliant with information security program  
            requirements.

          This bill:

          1)Continues in existence the California Cyber Security Task  
            Force, created in 2013 by OES and Caltech. 

          2)Provides that the Task Force shall consist of the following  
            members:

             a)   The Director of OES, or his or her designee with  
               knowledge, expertise, and decision-making authority with  
               respect to OES' IT and information security duties.
             b)   The Director of Caltech, or his or her designee with  
               knowledge, expertise, and decision-making authority with  
               respect to the director's IT and information security  
               duties. 
             c)   The Attorney General, or his or her designee with  
               knowledge, expertise, and decision-making authority with  
               respect to the Department of Justice's IT and information  
               security. 
             d)   The Adjutant General of the Military Department, or his  
               or her designee with knowledge, expertise, and  
               decision-making authority with respect to the Military  
               Department's IT and information security.
             e)   The Commissioner of the California Highway Patrol, or  
               his or her designee with knowledge, expertise, and  
               decision-making authority with respect to the Department of  
               the California Highway Patrol's IT and information  
               security.
             f)   A representative of the Public Utilities Commission or  
               California Energy Commission with knowledge, expertise, and  
               decision-making authority with respect to IT and  
               information security, who shall be appointed by the  
               Governor.
             g)   A representative from the utility or energy industry,  
               who shall be appointed by the Governor.
             h)   A representative from law enforcement, who shall be  
               appointed by the Governor. 
             i)   Three individuals with cyber security expertise, who  
               shall be appointed, one each, by the Governor, the Senate  
               Rules Committee, and the Speaker of the Assembly.

          3)Provides that the Task Force may convene stakeholders, both  
            public and private, to act in an advisory capacity and compile  
            policy recommendations on cyber security for the State of  
            California. 

          4)Specifies that the Task Force shall complete and issue a  
            report of policy recommendations to the Governor's office and  
            the Legislature on an annual basis. 

          5)Provides that the Task Force shall meet quarterly, or more  
            often as necessitated by emergency circumstances, within  
            existing resources to ensure that the policy recommendations  
            from the report are implemented and any necessary  
            modifications that may arise are addressed in a timely manner.

          6)Provides that OES and Caltech may provide strategic direction  
            for risk assessments performed by the Military Department's  
            Computer Network Defense Team. 

          7)Creates within OES a State Director of Cyber Security,  
            appointed by the Governor and confirmed by the Senate, who  
            shall do all of the following:

             a)   Be the Executive Director of the Task Force.
             b)   Provide strategic direction of risk assessments  
               performed with state resources.
             c)   Complete a risk profile of state assets and capabilities  
               for the purpose of compiling statewide contingency plans  
               including, but not limited to, Emergency Function 18 of the  
               State Emergency Plan which pertains to cyber security.
             d)   Act as the point of contact for the federal government  
               and private entities within the state in the event of a  
               relevant emergency as declared by the Governor.
             e)   Be an adviser to OES and Caltech on cyber security.

          8)Specifies that the Task Force shall perform the following  
            functions based on the following priorities:

             a)   Develop within state government cyber prevention,  
               defense, and response strategies and define a hierarchy of  
               command within the state for this purpose. This duty  
               includes, but is not limited to, the following activities:

               i)     Ensuring the continual performance of risk  
                 assessments on state IT systems.  The assessments shall  
                 include penetration tests, vulnerability scans, and other  
                 industry-standard methods that identify potential risk.
               ii)    Using assessment results and other state-level data  
                 to create a risk profile of public assets, critical  
                 infrastructure, public networks, and private operations  
                 susceptible to cyber-attacks.  The risk profile shall  
                 include the development of statewide contingency plans  
                 including, but not limited to, Emergency Function 18 of  
                 the State Emergency Plan.

             b)   Partner with the United States Department of Homeland  
               Security to develop an appropriate information sharing  
               system that allows for a controlled and secure process to  
               effectively disseminate cyber threat and response  
               information and data to relevant private and public sector  
               entities.  This information sharing system shall reflect  
               state priorities and target identified threat and  
               capability gaps.
             c)   Provide recommendations for IT security standards for  
               all state agencies using, among other things, protocols  
               established by the National Institute of Standards and  
               Technology and reflective of appropriate state priorities.
             d)   Compile and integrate, as appropriate, the research  
               conducted by academic institutions, federal laboratories,  
               and other cyber security experts into state operations and  
               functions. 
             e)   Expand the state's public-private cyber security  
               partnership network.
             f)   Expand collaboration, as specified, with the state's law  
               enforcement apparatus assigned jurisdiction to prevent,  
               deter, investigate, and prosecute cyber-attacks and IT  
               crime, including collaboration with entities such as the  
               High-Tech Theft Apprehension Program and its five regional  
               task forces, the Department of the California Highway  
               Patrol, and the Attorney General's eCrimes unit.  
             g)   Propose, where appropriate, potential operational or  
               functional enhancements to the state's cyber security  
               assessment and response capabilities, as well as investment  
               or spending recommendations and guidance for the state's IT  
               budget and procurement.

          9)Provides that the Task Force shall take all necessary steps to  
            protect personal information and privacy, public and private  
            sector data, and the constitutional rights and liberties of  
            individuals, when implementing its duties. 

          10)Provides that the Task Force may issue reports, in addition  
             to the report described in this bill, to the Governor's  
             office and the Legislature detailing the activities of the  
             Task Force, as specified.

          11)Allows the Task Force to engage or accept the services of  
             agency or department personnel, accept the services of  
             stakeholder organizations, and accept federal, private, or  
             other nonstate funding, to operate, manage, or conduct the  
             business of the Task Force. 

          12)Provides that each department and agency shall cooperate  
             with the Task Force and furnish it with information and  
             assistance that is necessary or useful to further the  
             provisions of this bill. 

          13)Includes a sunset date of January 1, 2020. 

          Background

          Purpose of the bill.  According to the author, "as our state's  
          operations become more digitally connected, it is more  
          vulnerable to both foreign and domestic cyber-attacks.  Recent  
          cyber-attacks on private and public entities have shown that  
          these attacks are growing in number and are becoming  
          increasingly sophisticated.  Unfortunately, the state's overall  
          capability to coordinate and respond to cyber-attacks in both  
          the public and private sector is fragmented.  AB 1172 would  
          ensure that California has a central entity and a comprehensive  
          strategy in place to prevent and respond to cyber-attacks."

          Caltech/OIS.  Caltech is the central IT organization for the  
          State of California and is responsible for the approval and  
          oversight of all state IT projects.  Among its various offices  
          is the Office of Information Security, or OIS.

          OIS is the primary state government authority for ensuring the  
          confidentiality, integrity, and availability of state systems  
          and applications, and ensuring the protection of state  
          information.  The office represents California to federal,  
          state, and local government entities, higher education, private  
          industry, and others on security-related matters.  According to  
          the author's office, there are a total of 384 state entities  
          subject to the OIS (which excludes some constitutional offices).  
           

          Cyber Threats in California.  According to the California  
          Military Department (CMD), California's size and importance  
          make it vulnerable to cyber incidents that disrupt business,  
          shut down critical infrastructure, and compromise intellectual  
          property or national security.  

          CMD calls cybercrime "a growth industry" causing $400 billion in  
          negative impacts annually on the global economy.  Thirty percent  
          of all cyber-attacks and other malicious activity are targeted  
          at government, making government networks and systems the most  
          frequently targeted by cybercrime.  

          According to CMD, the threat to government networks has never  
          been higher.  "Hacktivists", nation states, cyber criminals and  
          other threat groups are attacking government networks to steal  
          sensitive information and make a political/economic statement.   
          It is not known how many attacks, whether successful or  
          unsuccessful, have been made against state agency computers over  
          the past year. 


          Existing Task Force.  OES and Caltech, acting at the direction  
          of Governor Brown, created the Task Force to be a statewide  
          partnership composed of key stakeholders, subject matter  
          experts, and cyber security professionals from California's  
          public, private, academic, and law enforcement sectors.  The  
          Task Force serves as an advisory body to senior State of  
          California administration officials on matters related to  
          cybersecurity.  The Task Force holds public meetings once per  
          quarter.  Its mission is to enhance the security of California's  
          digital infrastructure and to create a culture of cybersecurity  
          through collaboration, information sharing, and education and  
          awareness.

          The Task Force operates as an advisory body only: it has no  
          formal authority, it takes no votes, it has no budget, and its  
          membership is open and voluntary.  It currently consists of  
          seven subcommittees: risk mitigation; information sharing;  
          workforce development and education; economic development;  
          emergency preparedness; legislation and funding; and high tech  
          and digital forensics. 

          Prior/Related Legislation

          AB 670 (Irwin, 2015) requires OIS, within Caltech, to conduct an  
          independent security assessment of the IT resources of every  
          state agency, department, or office at least once every two  
          years.  (Pending in Senate Appropriations Committee)

          AB 739 (Irwin, 2015) provides legal immunity for civil or  
          criminal liability for private entities that communicate  
          anonymized cyber security threat information and meet specified  
          requirements, until January 1, 2020.  (Held in Assembly  
          Judiciary Committee) 

          AB 2200 (Perez, 2014) would have created a 13-member California  
          Cyber Security Steering Committee in OES and continued the  
          existence of the California Cyber Security Task Force until  
          January 1, 2020.  (Held at the Assembly Desk)

          AB 1620 (Rodriguez, 2014) would have established the California  
          Emergency Management and Disaster Preparedness Commission as a  
          statewide executive-level commission to assess and improve the  
          condition of the State's emergency preparedness, management, and  
          disaster recovery capabilities.  (Vetoed by Governor Brown)

          FISCAL EFFECT:   Appropriation: No    Fiscal Com.: Yes    Local: No


          SUPPORT:  

          California District Attorneys Association
          California State Sheriffs' Association

          OPPOSITION:

          None received