BILL ANALYSIS
SENATE COMMITTEE ON GOVERNMENTAL ORGANIZATION
Senator Isadore Hall, III
Chair
2015 - 2016 Regular
Bill No: AB 1172 Hearing Date: 7/14/2015
Author: Chau
Version: 7/2/2015 Amended
Urgency: No    Fiscal: Yes
Consultant: Felipe Lopez
SUBJECT: California cyber security.
DIGEST: This bill continues in existence the California Cyber
Security Task Force (Task Force), created in 2013 by the
Governor's Office of Emergency Services (OES) and the Department
of Technology (Caltech).
ANALYSIS:
Existing law:
1)Establishes Caltech, within the Government Operations Agency
(GOA). Caltech is generally responsible for the approval and
oversight of information technology (IT) projects by, among
other things, consulting with state agencies during initial
project planning to ensure that project proposals are based on
well-defined programmatic needs.
2)Establishes, within Caltech, the California Information
Security Office (OIS) under the supervision of the Chief of
the Office of Information Security. The OIS has the authority
to, including, but not limited to, conduct, or require to be
conducted, an independent security assessment of any state
agency, department, or office the cost of which is to be
funded by the state agency, department, or office being
assessed.
3)Requires each state agency to have a chief information officer
who is appointed by the head of the entity, and is responsible
for supervising all IT, including information security.
4)Authorizes OIS to require an audit of information security to
ensure program compliance, the cost of which shall be funded
by the state agency, department, or office being audited, and
requires the office to report to Caltech any state agency
found to be noncompliant with information security program
requirements.
This bill:
1)Continues in existence the California Cyber Security Task
Force, created in 2013 by OES and Caltech.
2)Provides that the Task Force shall consist of the following
members:
a) The Director of OES, or his or her designee with
knowledge, expertise, and decision-making authority with
respect to OES' IT and information security duties.
b) The Director of Caltech, or his or her designee with
knowledge, expertise, and decision-making authority with
respect to the director's IT and information security
duties.
c) The Attorney General, or his or her designee with
knowledge, expertise, and decision-making authority with
respect to the Department of Justice's IT and information
security.
d) The Adjutant General of the Military Department, or his
or her designee with knowledge, expertise, and
decision-making authority with respect to the Military
Department's IT and information security.
e) The Commissioner of the California Highway Patrol, or
his or her designee with knowledge, expertise, and
decision-making authority with respect to the Department of
the California Highway Patrol's IT and information
security.
f) A representative of the Public Utilities Commission or
California Energy Commission with knowledge, expertise, and
decision-making authority with respect to IT and
information security, who shall be appointed by the
Governor.
g) A representative from the utility or energy industry,
who shall be appointed by the Governor.
h) A representative from law enforcement, who shall be
appointed by the Governor.
i) Three individuals with cyber security expertise, who
shall be appointed, one each, by the Governor, the Senate
Rules Committee, and the Speaker of the Assembly.
3)Provides that the Task Force may convene stakeholders, both
public and private, to act in an advisory capacity and compile
policy recommendations on cyber security for the State of
California.
4)Specifies that the Task Force shall complete and issue a
report of policy recommendations to the Governor's office and
the Legislature on an annual basis.
5)Provides that the Task Force shall meet quarterly, or more
often as necessitated by emergency circumstances, within
existing resources to ensure that the policy recommendations
from the report are implemented and any necessary
modifications that may arise are addressed in a timely manner.
6)Provides that the OES and Caltech may conduct the strategic
direction of risk assessments performed by the Military
Department's Computer Network Defense Team.
7)Creates within OES a State Director of Cyber Security,
appointed by the Governor and confirmed by the Senate, who
shall do all of the following:
a) Be the Executive Director of the Task Force.
b) Provide strategic direction of risk assessments
performed with state resources.
c) Complete a risk profile of state assets and capabilities
for the purpose of compiling statewide contingency plans
including, but not limited to, Emergency Function 18 of the
State Emergency Plan which pertains to cyber security.
d) Act as point of contact to the federal government and
private entities within the state in the event of a
relevant emergency as declared by the Governor.
e) Be an adviser to OES and Caltech on cyber security.
8)Specifies that the Task Force shall perform the following
functions based on the following priorities:
a) Develop within state government cyber prevention,
defense, and response strategies and define a hierarchy of
command within the state for this purpose. This duty
includes, but is not limited to, the following activities:
i) Ensuring the continual performance of risk
assessments on state IT systems. The assessments shall
include penetration tests, vulnerability scans, and other
industry-standard methods that identify potential risk.
ii) Using assessment results and other state-level data
to create a risk profile of public assets, critical
infrastructure, public networks, and private operations
susceptible to cyber-attacks. The risk profile shall
include the development of statewide contingency plans
including, but not limited to, Emergency Function 18 of
the State Emergency Plan.
b) Partner with the United States Department of Homeland
Security to develop an appropriate information sharing
system that allows for a controlled and secure process to
effectively disseminate cyber threat and response
information and data to relevant private and public sector
entities. This information sharing system shall reflect
state priorities and target identified threat and
capability gaps.
c) Provide recommendations for IT security standards for
all state agencies using, among other things, protocols
established by the National Institute for Standards and
Technology and reflective of appropriate state priorities.
d) Compile and integrate, as appropriate, the research
conducted by academic institutions, federal laboratories,
and other cyber security experts into state operations and
functions.
e) Expand the state's public-private cyber security
partnership network.
f) Expand collaboration, as specified, with the state's law
enforcement apparatus assigned jurisdiction to prevent,
deter, investigate, and prosecute cyber attacks and IT
crime, including collaboration with entities like High-Tech
Theft Apprehension Program, and its five regional task
forces, the Department of the California Highway Patrol,
and the Attorney General's eCrimes unit.
g) Propose, where appropriate, potential operational or
functional enhancements to the state's cyber security
assessment and response capabilities, as well as investment
or spending recommendations and guidance for the state's IT
budget and procurement.
9)Provides that the Task Force shall take all necessary steps to
protect personal information and privacy, public and private
sector data, and the constitutional rights and liberties of
individuals, when implementing its duties.
10) Provides that the Task Force may issue reports, in
addition to the report described in this bill, to the
Governor's office and the Legislature detailing the
activities of the task force, as specified.
11) Allows the Task Force to engage or accept the services of
agency or department personnel, accept the services of
stakeholder organizations, and accept federal, private, or
other nonstate funding, to operate, manage, or conduct the
business of the Task Force.
12) Provides that each department and agency shall cooperate
with the Task Force and furnish it with information and
assistance that is necessary or useful to further the
provisions of this bill.
13) Includes a sunset date of January 1, 2020.
Background
Purpose of the bill. According to the author, "as our state's
operations become more digitally connected, it is more
vulnerable to both foreign and domestic cyber-attacks. Recent
cyber-attacks on private and public entities have shown that
these attacks are growing in number and are becoming
increasingly sophisticated. Unfortunately, the state's overall
capability to coordinate and respond to cyber-attacks in both
the public and private sector is fragmented. AB 1172 would
ensure that California has a central entity and a comprehensive
strategy in place to prevent and respond to cyber-attacks."
CalTech/OIS. CalTech is the central IT organization for the
State of California and is responsible for the approval and
oversight of all state IT projects. Among its various offices
is the California Information Security Office, or OIS.
OIS is the primary state government authority for ensuring the
confidentiality, integrity, and availability of state systems
and applications, and ensuring the protection of state
information. The office represents California to federal,
state, and local government entities, higher education, private
industry, and others on security-related matters. According to
the author's office, there are a total of 384 state entities
subject to the OIS (which excludes some constitutional offices).
Cyber Threats in California. According to the California
Military Department (CMD), California's size and importance
make it vulnerable to cyber incidents that disrupt business,
shut down critical infrastructure, and compromise intellectual
property or national security.
CMD calls cybercrime "a growth industry" causing $400 billion in
negative impacts annually on the global economy. Thirty percent
of all cyber-attacks and other malicious activity are targeted
at the government, making these networks and systems the most
vulnerable target of cybercrime.
According to CMD, the threat to government networks has never
been higher. "Hacktivists", nation states, cyber criminals and
other threat groups are attacking government networks to steal
sensitive information and make a political/economic statement.
It is not known how many attacks, whether successful or
unsuccessful, have been made against state agency computers over
the past year.
Existing Task Force. OES and CalTech, acting at the direction
of Governor Brown, created the Task Force to be a statewide
partnership comprised of key stakeholders, subject matter
experts, and cyber security professionals from California's
public, private, academia, and law enforcement sectors. The
Task Force serves as an advisory body to the State of California
Senior Administration Officials in matters related to
Cybersecurity. The Task Force holds public meetings once per
quarter. Its mission is to enhance the security of California
digital infrastructure and to create a culture of cybersecurity
through collaboration, information sharing, and education and
awareness.
The Task Force operates as an advisory body only - it has no
formal authority, it takes no votes, it has no budget, and its
membership is open and voluntary. It is currently comprised of
seven subcommittees: risk mitigation; information sharing;
workforce development and education; economic development;
emergency preparedness; legislation and funding; and high tech
and digital forensics.
Prior/Related Legislation
AB 670 (Irwin, 2015) requires OIS, within Caltech to conduct an
independent security assessment of the IT resources of every
state agency, department or office at least once every two
years. (Pending in Senate Appropriations Committee)
AB 739 (Irwin, 2015) provides legal immunity for civil or
criminal liability for private entities that communicate
anonymized cyber security threat information and meet specified
requirements, until January 1, 2020. (Held in Assembly
Judiciary Committee)
AB 2200 (Perez, 2014) would have created a 13 member California
Cyber Security Steering Committee in OES and continue the
existence of the California Cyber Security Task Force until
January 1, 2020. (Held at the Assembly Desk)
AB 1620 (Rodriguez, 2014) would have established the California
Emergency Management and Disaster Preparedness Commission as a
statewide executive-level commission to assess and improve the
condition of the State's emergency preparedness, management, and
disaster recovery capabilities. (Vetoed by Governor Brown)
FISCAL EFFECT: Appropriation: No    Fiscal Com.: Yes    Local: No
SUPPORT:
California District Attorneys Association
California State Sheriffs' Association
OPPOSITION:
None received