BILL ANALYSIS

-----------------------------------------------------------------
|SENATE RULES COMMITTEE                                 | AB 1172|
|Office of Senate Floor Analyses                        |        |
|(916) 651-1520   Fax: (916) 327-4478                   |        |
-----------------------------------------------------------------

THIRD READING

Bill No:  AB 1172
Author:   Chau (D), et al.
Amended:  8/31/15 in Senate
Vote:     21

SENATE GOVERNMENTAL ORG. COMMITTEE: 13-0, 7/14/15
AYES: Hall, Berryhill, Block, Gaines, Galgiani, Glazer, Hernandez, Hill, Hueso, Lara, McGuire, Runner, Vidak

SENATE APPROPRIATIONS COMMITTEE: 6-1, 8/27/15
AYES: Lara, Bates, Beall, Hill, Leyva, Mendoza
NOES: Nielsen

ASSEMBLY FLOOR: 78-0, 6/2/15 - See last page for vote

SUBJECT: California cyber security

SOURCE: Author

DIGEST: This bill continues in existence the California Cyber Security Task Force (Task Force), created in 2013 by the Governor's Office of Emergency Services (OES) and the Department of Technology (Caltech).

ANALYSIS:

Existing law:

1) Establishes Caltech, within the Government Operations Agency (GOA). Caltech is generally responsible for the approval and oversight of information technology (IT) projects by, among other things, consulting with state agencies during initial project planning to ensure that project proposals are based on well-defined programmatic needs.

2) Establishes, within Caltech, the California Information Security Office (OIS) under the supervision of the Chief of the Office of Information Security. The OIS has authority to, among other things, conduct, or require to be conducted, an independent security assessment of any state agency, department, or office, the cost of which is to be funded by the state agency, department, or office being assessed.

3) Requires each state agency to have a chief information officer who is appointed by the head of the entity, and is responsible for supervising all IT, including information security.
4) Authorizes OIS to require an audit of information security to ensure program compliance, the cost of which shall be funded by the state agency, department, or office being audited, and requires the office to report to Caltech any state agency found to be noncompliant with information security program requirements.

This bill:

1) Continues in existence the California Cyber Security Task Force, created in 2013 by OES and Caltech.

2) Provides that the Task Force shall consist of the following members:

   a) The Director of OES, or his or her designee with knowledge, expertise, and decision-making authority with respect to OES' IT and information security duties.

   b) The Director of Caltech, or his or her designee with knowledge, expertise, and decision-making authority with respect to the director's IT and information security duties.

   c) The Attorney General, or his or her designee with knowledge, expertise, and decision-making authority with respect to the Department of Justice's IT and information security.

   d) The Adjutant General of the Military Department, or his or her designee with knowledge, expertise, and decision-making authority with respect to the Military Department's IT and information security.

   e) The Commissioner of the California Highway Patrol, or his or her designee with knowledge, expertise, and decision-making authority with respect to the Department of the California Highway Patrol's IT and information security.

   f) A representative of the Public Utilities Commission or California Energy Commission with knowledge, expertise, and decision-making authority with respect to IT and information security, who shall be appointed by the Governor.

   g) A representative from the utility or energy industry, who shall be appointed by the Governor.

   h) A representative from law enforcement, who shall be appointed by the Governor.
   i) Three individuals with cyber security expertise, who shall be appointed, one each, by the Governor, the Senate Rules Committee, and the Speaker of the Assembly.

3) Provides that the Task Force may convene stakeholders, both public and private, to act in an advisory capacity and compile policy recommendations on cyber security for the State of California.

4) Specifies that the Task Force shall complete and issue a report of policy recommendations to the Governor's office and the Legislature on an annual basis.

5) Provides that the Task Force shall meet quarterly, or more often as necessitated by emergency circumstances, within existing resources to ensure that the policy recommendations from the report are implemented and any necessary modifications that may arise are addressed in a timely manner.

6) Provides that OES and Caltech may conduct the strategic direction of risk assessments performed by the Military Department's Computer Network Defense Team.

7) Creates within OES a State Director of Cyber Security, appointed by the Governor and subject to Senate confirmation, who shall do all of the following:

   a) Be the Executive Director of the Task Force.

   b) Provide strategic direction of risk assessments performed with state resources.

   c) Complete a risk profile of state assets and capabilities for the purpose of compiling statewide contingency plans including, but not limited to, Emergency Function 18 of the State Emergency Plan, which pertains to cyber security.

   d) Act as point of contact to the federal government and private entities within the state in the event of a relevant emergency as declared by the Governor.

   e) Be an adviser to OES and Caltech on cyber security.

8) Specifies that the Task Force shall perform the following functions based on the following priorities:

   a) Develop within state government cyber prevention, defense, and response strategies and define a hierarchy of command within the state for this purpose.
      This duty includes, but is not limited to, the following activities:

      i) Ensuring the continual performance of risk assessments on state IT systems. The assessments shall include penetration tests, vulnerability scans, and other industry-standard methods that identify potential risk.

      ii) Using assessment results and other state-level data to create a risk profile of public assets, critical infrastructure, public networks, and private operations susceptible to cyber-attacks. The risk profile shall include the development of statewide contingency plans including, but not limited to, Emergency Function 18 of the State Emergency Plan.

   b) Partner with the United States Department of Homeland Security to develop an appropriate information sharing system that allows for a controlled and secure process to effectively disseminate cyber threat and response information and data to relevant private and public sector entities. This information sharing system shall reflect state priorities and target identified threat and capability gaps.

   c) Provide recommendations for IT security standards for all state agencies using, among other things, protocols established by the National Institute for Standards and Technology and reflective of appropriate state priorities.

   d) Compile and integrate, as appropriate, the research conducted by academic institutions, federal laboratories, and other cyber security experts into state operations and functions.

   e) Expand the state's public-private cyber security partnership network.

   f) Expand collaboration, as specified, with the state's law enforcement apparatus assigned jurisdiction to prevent, deter, investigate, and prosecute cyber attacks and IT crime, including collaboration with entities like the High-Tech Theft Apprehension Program and its five regional task forces, the Department of the California Highway Patrol, and the Attorney General's eCrimes unit.
   g) Propose, where appropriate, potential operational or functional enhancements to the state's cyber security assessment and response capabilities, as well as investment or spending recommendations and guidance for the state's IT budget and procurement.

9) Provides that the Task Force shall take all necessary steps to protect personal information and privacy, public and private sector data, and the constitutional rights and liberties of individuals, when implementing its duties.

10) Provides that the Task Force may issue reports, in addition to the report described in this bill, to the Governor's office and the Legislature detailing the activities of the Task Force, as specified.

11) Allows the Task Force to engage or accept the services of agency or department personnel, accept the services of stakeholder organizations, and accept federal, private, or other nonstate funding, to operate, manage, or conduct the business of the Task Force.

12) Provides that each department and agency shall cooperate with the Task Force and furnish it with information and assistance that is necessary or useful to further the provisions of this bill.

13) Includes a sunset date of January 1, 2020.

Background

Purpose of the bill. According to the author, "as our state's operations become more digitally connected, it is more vulnerable to both foreign and domestic cyber-attacks. Recent cyber-attacks on private and public entities have shown that these attacks are growing in number and are becoming increasingly sophisticated. Unfortunately, the state's overall capability to coordinate and respond to cyber-attacks in both the public and private sector is fragmented. AB 1172 would ensure that California has a central entity and a comprehensive strategy in place to prevent and respond to cyber-attacks."

CalTech/OIS. CalTech is the central IT organization for the State of California and is responsible for the approval and oversight of all state IT projects.
Among its various offices is the California Information Security Office, or OIS. OIS is the primary state government authority for ensuring the confidentiality, integrity, and availability of state systems and applications, and for ensuring the protection of state information. The office represents California to federal, state, and local government entities, higher education, private industry, and others on security-related matters. According to the author's office, there are a total of 384 state entities subject to the OIS (which excludes some constitutional offices).

Cyber Threats in California. According to the California Military Department (CMD), California's size and importance make it vulnerable to cyber incidents that disrupt business, shut down critical infrastructure, and compromise intellectual property or national security. CMD calls cybercrime "a growth industry" causing $400 billion in negative impacts annually on the global economy. Thirty percent of all cyber-attacks and other malicious activity are targeted at the government, making these networks and systems the most vulnerable target of cybercrime.

According to CMD, the threat to government networks has never been higher. "Hacktivists", nation states, cyber criminals, and other threat groups are attacking government networks to steal sensitive information and make a political/economic statement. It is not known how many attacks, whether successful or unsuccessful, have been made against state agency computers over the past year.

Existing Task Force. OES and CalTech, acting at the direction of Governor Brown, created the Task Force to be a statewide partnership made up of key stakeholders, subject matter experts, and cyber security professionals from California's public, private, academic, and law enforcement sectors. The Task Force serves as an advisory body to the State of California Senior Administration Officials in matters related to Cybersecurity.
The Task Force holds public meetings once per quarter. Its mission is to enhance the security of California's digital infrastructure and to create a culture of cybersecurity through collaboration, information sharing, and education and awareness. The Task Force operates as an advisory body only - it has no formal authority, it takes no votes, it has no budget, and its membership is open and voluntary.

Prior/Related Legislation

AB 670 (Irwin, 2015) requires OIS, within Caltech, to conduct an independent security assessment of the IT resources of every state agency, department, or office at least once every two years. (Pending on the Senate Floor)

AB 739 (Irwin, 2015) provides legal immunity for civil or criminal liability for private entities that communicate anonymized cyber security threat information and meet specified requirements, until January 1, 2020. (Held in Assembly Judiciary Committee)

FISCAL EFFECT:   Appropriation: No   Fiscal Com.: Yes   Local: No

According to the Senate Appropriations Committee, ongoing staff costs of at least $650,000 to OES for the Director of Cyber Security position and two additional full-time staff to manage the responsibility of the Task Force (General Fund). In addition, an estimated cost of at least $50,000 per year to cover Task Force members' expenses related to the four mandated annual meetings (General Fund).
SUPPORT: (Verified 8/28/15)

California District Attorneys Association
California State Sheriffs' Association

OPPOSITION: (Verified 8/28/15)

None received

ASSEMBLY FLOOR: 78-0, 6/2/15
AYES: Achadjian, Alejo, Travis Allen, Baker, Bigelow, Bloom, Bonilla, Bonta, Brough, Brown, Burke, Calderon, Campos, Chang, Chau, Chiu, Chu, Cooley, Cooper, Dababneh, Dahle, Daly, Dodd, Eggman, Frazier, Gallagher, Cristina Garcia, Eduardo Garcia, Gatto, Gipson, Gomez, Gonzalez, Gordon, Gray, Grove, Hadley, Harper, Roger Hernández, Holden, Irwin, Jones, Jones-Sawyer, Kim, Lackey, Levine, Linder, Lopez, Low, Maienschein, Mathis, Mayes, McCarty, Medina, Melendez, Mullin, Nazarian, Obernolte, O'Donnell, Olsen, Patterson, Perea, Quirk, Rendon, Ridley-Thomas, Rodriguez, Salas, Santiago, Steinorth, Mark Stone, Thurmond, Ting, Wagner, Waldron, Weber, Wilk, Williams, Wood, Atkins
NO VOTE RECORDED: Chávez, Beth Gaines

Prepared by: Felipe Lopez / G.O. / (916) 651-1530
8/31/15 10:15:40

**** END ****