BILL ANALYSIS                                                                                                                                                                                                    

                             Senator Ricardo Lara, Chair
                            2015 - 2016  Regular  Session

          AB 1172 (Chau) - California cyber security
          Version: July 2, 2015           Policy Vote: G.O. 13 - 0
          Urgency: No                     Mandate: No
          Hearing Date: August 17, 2015   Consultant: Mark McKenzie

          This bill meets the criteria for referral to the Suspense File. 

          Summary:  AB 1172 would formally codify the California Cyber  
          Security Task Force (Task Force) until January 1, 2020,  
          establish the State Director of Cyber Security within the Office  
          of Emergency Services (OES), and prescribe the duties and  
          responsibilities of the Task Force.

           •  Ongoing staff costs of at least $650,000 to OES for the
              Director of Cyber Security position and two additional
              full-time staff to manage the responsibilities of the Task
              Force. (General Fund)

           •  Estimated costs of at least $50,000 per year to cover Task
              Force members' expenses related to the four mandated annual
              meetings (travel, meals, per diem, reimbursements of actual
              expenses). (General Fund)

          Background:  Existing law provides that the Department of Technology is  
          generally responsible for the approval and oversight of state  
          information technology (IT) projects.  The Office of Information  
          Security (OIS) within the Department of Technology is  
          responsible for ensuring the confidentiality and integrity of  
          state data systems. The OIS is required to establish policies,  
          standards, and procedures for state agencies to manage security  
          and risk.  Existing law authorizes the OIS to conduct  
          independent security assessments of any state agency,  
          department, or office, and requires the state entity whose  
          systems are being assessed to pay for the security assessment.

          In 2013, the Governor administratively directed OES and the
          Department of Technology to create a Cyber Security Task Force  
          comprised of specified stakeholders, subject matter experts, and  
          cyber security professionals from public, private, academic, and  
          law enforcement sectors.  The Task Force serves as an advisory  
          body to senior state officials on cyber security issues, and  
          holds quarterly meetings.  The Task Force is currently comprised  
          of seven subcommittees: risk mitigation; information sharing;  
          workforce development and education; economic development;  
          emergency preparedness; legislation and funding; and high tech  
          and digital forensics.  Its mission is to enhance the security  
          of California digital infrastructure and to create a culture of  
          cybersecurity through collaboration, information sharing, and  
          education and awareness.

          Proposed Law:  
            AB 1172 would codify and continue the Task Force in existence  
          within OES, consisting of 11 specified members.  The bill would  
          also do the following:
           •  Authorize the Task Force to convene public and private
              stakeholders to act in an advisory role and compile policy
              recommendations on cyber security.
           •  Require the Task Force to annually report policy
              recommendations to the Governor and Legislature.

           •  Require the Task Force to meet at least quarterly, or more as
              necessary, to ensure implementation of policy recommendations
              and make timely modifications to those recommendations.
           •  Authorize OES and the Department of Technology to conduct the
              strategic direction of risk assessments performed by the
              Military Department's Computer Network Defense Team.
           •  Establish the appointed position of the Director of Cyber
              Security within OES to be the executive director of the Task
              Force, provide strategic direction of risk assessments,
              complete a risk profile of state assets and capabilities, act
              as a point of contact to the federal government and private
              entities during an emergency, and advise OES and the
              Department of Technology on cyber security.
           •  Require the Task Force to perform the following functions:
                o  Develop cyber prevention, defense, and response
                   strategies, and define a hierarchy of command within
                   state government, as specified.
                o  Partner with the U.S. Department of Homeland
                   Security to develop an information sharing system to
                   reflect state priorities and identified threat and
                   capability gaps.
                o  Provide recommendations for IT security standards
                   for state agencies.
                o  Compile and integrate research conducted by
                   academic, federal, and other cyber security experts into
                   state operations and functions.
                o  Expand the public-private security partnership.
                o  Expand collaboration with the state's law
                   enforcement apparatus assigned jurisdiction to prevent,
                   deter, investigate, and prosecute cyber-attacks and IT
                o  Propose potential operational or functional
                   enhancements to the state's cyber security assessment and
                   response capabilities, and investment or spending
                   recommendations and guidance for the state's IT budget
                   and procurement.
           •  Require the Task Force to take necessary steps to protect
              personal information and privacy, public and private sector
              data, and constitutional rights.
           •  Authorize the Task Force to issue reports to the Governor and
              Legislature that detail Task Force activities.
           •  Authorize the Task Force to engage or accept services of
              agency or department personnel, accept services of stakeholder
              organizations, and accept federal, private, or other non-state
              funding for Task Force purposes.
           •  Require state agencies and departments to cooperate with the
              Task Force and provide information and assistance necessary to
              fulfill the bill's purposes.
           •  Repeals the Task Force on January 1,

          Legislation:  AB 670 (Irwin), which is currently pending in this  
          committee, would require the Department of Technology to perform  
          security assessments of the IT resources of every state agency,  
          department, or office at least once every two years.

          AB 2200 (J. Perez), which was approved by the Senate but died
          without a final vote in the Assembly in 2014, would have created
          the California Cyber Security Steering Committee within OES and
          continued the Cyber Security Task Force in existence until 2020.

          Comments:  AB 1172 would formally codify the current  
          administratively-created Task Force, establish a full-time  
          Director of Cyber Security position, and prescribe duties and  
          responsibilities of the Task Force.  OES indicates that the  
          prescribed functions of the Task Force exceed the  
          responsibilities of the current Task Force, and would require a  
          minimum of two additional PY of technical and analytical staff  
          to work with the new Director of Cyber Security.  The estimated  
          costs of these three positions would be approximately $650,000  
          annually.  The current Task Force does not have a budget or  
          dedicated staff, but some functions are being conducted by  
          existing OES and Department of Technology staff.

          The Department of Technology indicates that the bill would
          conflict with current statutory authorities on several levels:   
          (1) current law requires the Director of Technology to supervise  
          the Department and report directly to the Governor on IT issues,  
          and strategic management of the state's IT resources; (2)  
          current law makes the OIS responsible for information security  
          and risk management, including the direction of risk  
          assessments;  (3) current law requires the OIS to serve as the  
          state's Chief Information Security Officer, providing direction  
          for information security and privacy to state agencies, and to  
          represent the state when coordinating with federal, state,  
          private, and local entities on issues that impact information  
          security and privacy.  This bill would create duplicative duties  
          for the Task Force that would be located within OES, with the  
          Department of Technology as a junior partner on the Task Force.

          In recent years, the federal government has made a significant  
          amount of grant funding available to the states for programs and  
          projects relating to cyber security. The extent to which some of
          the requirements of this bill could be funded with existing or new
          federal grant funds is not known.

          Proposed Author Amendments:  The author has proposed a minor amendment to
          specify that the Director of Cyber Security would be "subject to  
          Senate confirmation," rather than "confirmed by the Senate."

                                      -- END --