BILL ANALYSIS
SENATE COMMITTEE ON APPROPRIATIONS
Senator Ricardo Lara, Chair
2015 - 2016 Regular Session
AB 1172 (Chau) - California cyber security
Version: July 2, 2015            Policy Vote: G.O. 13 - 0
Urgency: No                      Mandate: No
Hearing Date: August 17, 2015    Consultant: Mark McKenzie
This bill meets the criteria for referral to the Suspense File.
Bill Summary: AB 1172 would formally codify the California Cyber
Security Task Force (Task Force) until January 1, 2020,
establish the State Director of Cyber Security within the Office
of Emergency Services (OES), and prescribe the duties and
responsibilities of the Task Force.
Fiscal Impact:
Ongoing staff costs of at least $650,000 to OES for the
Director of Cyber Security position and two additional
full-time staff to manage the responsibilities of the Task
Force. (General Fund)
AB 1172 (Chau) Page 1 of
Estimated costs of at least $50,000 per year to cover Task
Force members' expenses related to the four mandated annual
meetings (travel, meals, per diem, reimbursements of actual
expenses). (General Fund)
Background: Existing law provides that the Department of Technology is
generally responsible for the approval and oversight of state
information technology (IT) projects. The Office of Information
Security (OIS) within the Department of Technology is
responsible for ensuring the confidentiality and integrity of
state data systems. The OIS is required to establish policies,
standards, and procedures for state agencies to manage security
and risk. Existing law authorizes the OIS to conduct
independent security assessments of any state agency,
department, or office, and requires the state entity whose
systems are being assessed to pay for the security assessment.
In 2013, the Governor administratively directed OES and the
Department of Technology to create a Cyber Security Task Force
comprised of specified stakeholders, subject matter experts, and
cyber security professionals from public, private, academic, and
law enforcement sectors. The Task Force serves as an advisory
body to senior state officials on cyber security issues, and
holds quarterly meetings. The Task Force currently consists of
seven subcommittees: risk mitigation; information sharing;
workforce development and education; economic development;
emergency preparedness; legislation and funding; and high tech
and digital forensics. Its mission is to enhance the security
of California's digital infrastructure and to create a culture of
cybersecurity through collaboration, information sharing, and
education and awareness.
Proposed Law:
AB 1172 would codify and continue the Task Force in existence
within OES, consisting of 11 specified members. The bill would
also do the following:
Authorize the Task Force to convene public and private
stakeholders to act in an advisory role and compile policy
recommendations on cyber security.
Require the Task Force to annually report policy
recommendations to the Governor and Legislature.
Require the Task Force to meet at least quarterly, or more as
necessary, to ensure implementation of policy recommendations
and make timely modifications to those recommendations.
Authorize OES and the Department of Technology to conduct the
strategic direction of risk assessments performed by the
Military Department's Computer Network Defense Team.
Establish the appointed position of the Director of Cyber
Security within OES to be the executive director of the Task
Force, provide strategic direction of risk assessments,
complete a risk profile of state assets and capabilities, act
as a point of contact to the federal government and private
entities during an emergency, and advise OES and the
Department of Technology on cyber security.
Require the Task Force to perform the following functions:
o Develop cyber prevention, defense, and response
strategies, and define a hierarchy of command within
state government, as specified.
o Partner with the U.S. Department of Homeland
Security to develop an information sharing system to
reflect state priorities and identified threat and
capability gaps.
o Provide recommendations for IT security standards
for state agencies.
o Compile and integrate research conducted by
academic, federal, and other cyber security experts into
state operations and functions.
o Expand the public-private security partnership
network.
o Expand collaboration with the state's law
enforcement apparatus assigned jurisdiction to prevent,
deter, investigate, and prosecute cyber-attacks and IT
crime.
o Propose potential operational or functional
enhancements to the state's cyber security assessment and
response capabilities, and investment or spending
recommendations and guidance for the state's IT budget
and procurement.
Require the Task Force to take necessary steps to protect
personal information and privacy, public and private sector
data, and constitutional rights.
Authorize the Task Force to issue reports to the Governor and
Legislature that detail Task Force activities.
Authorize the Task Force to engage or accept services of
agency or department personnel, accept services of stakeholder
organizations, and accept federal, private, or other non-state
funding for Task Force purposes.
Require state agencies and departments to cooperate with the
Task Force and provide information and assistance necessary to
fulfill the bill's purposes.
Repeal the Task Force on January 1, 2020.
Related Legislation: AB 670 (Irwin), which is currently pending in this
committee, would require the Department of Technology to perform
security assessments of the IT resources of every state agency,
department, or office at least once every two years.
AB 2200 (J. Perez), which was approved by the Senate but died
without a final vote in the Assembly in 2014, would have created
the California Cyber Security Steering Committee within OES and
continued the Cyber Security Task Force in existence until 2020.
Staff Comments: AB 1172 would formally codify the current
administratively-created Task Force, establish a full-time
Director of Cyber Security position, and prescribe duties and
responsibilities of the Task Force. OES indicates that the
prescribed functions of the Task Force exceed the
responsibilities of the current Task Force, and would require a
minimum of two additional personnel years (PY) of technical and
analytical staff to work with the new Director of Cyber Security.
The estimated cost of these three positions would be approximately
$650,000 annually. The current Task Force has no budget or
dedicated staff, but some of its functions are being performed by
existing OES and Department of Technology staff.
The Department of Technology indicates that the bill would
conflict with current statutory authorities on several levels:
(1) current law requires the Director of Technology to supervise
the Department and report directly to the Governor on IT issues,
and strategic management of the state's IT resources; (2)
current law makes the OIS responsible for information security
and risk management, including the direction of risk
assessments; (3) current law requires the OIS to serve as the
state's Chief Information Security Officer, providing direction
for information security and privacy to state agencies, and to
represent the state when coordinating with federal, state,
private, and local entities on issues that impact information
security and privacy. This bill would create duplicative duties
for the Task Force that would be located within OES, with the
Department of Technology as a junior partner on the Task Force.
In recent years, the federal government has made a significant
amount of grant funding available to the states for programs and
projects relating to cyber security. The extent to which some of
the requirements of this bill could be funded with existing or new
federal grant funds is not known.
Proposed Author Amendments: The author has proposed a minor amendment to
specify that the Director of Cyber Security would be "subject to
Senate confirmation," rather than "confirmed by the Senate."
-- END --