BILL ANALYSIS                                                                                                                                                                                                    Ó

          |SENATE RULES COMMITTEE            |                       AB 1172|
          |Office of Senate Floor Analyses   |                              |
          |(916) 651-1520    Fax: (916)      |                              |
          |327-4478                          |                              |

                                   THIRD READING 

          Bill No:  AB 1172
          Author:   Chau (D), et al.
          Amended:  8/31/15 in Senate
          Vote:     21  

           SENATE GOVERNMENTAL ORG. COMMITTEE:  13-0, 7/14/15
           AYES:  Hall, Berryhill, Block, Gaines, Galgiani, Glazer,  
            Hernandez, Hill, Hueso, Lara, McGuire, Runner, Vidak

           AYES:  Lara, Bates, Beall, Hill, Leyva, Mendoza
           NOES:  Nielsen

           ASSEMBLY FLOOR:  78-0, 6/2/15 - See last page for vote

           SUBJECT:   California cyber security

          SOURCE:    Author
          DIGEST:    This bill continues in existence the California Cyber  
          Security Task Force (Task Force), created in 2013 by the  
          Governor's Office of Emergency Services (OES) and the Department  
          of Technology (Caltech).

          Existing law:
           1) Establishes Caltech, within the Government Operations Agency  
             (GOA). Caltech is generally responsible for the approval and  
             oversight of information technology (IT) projects by, among  
             other things, consulting with state agencies during initial  


                                                                    AB 1172  
                                                                    Page  2

             project planning to ensure that project planning to ensure  
             that project proposals are based on well-defined programmatic  

           2) Establishes, within Caltech, the California Information  
             Security Office (OIS) under the supervision of the Chief of  
             the Office of Information Security.  The OIS has the  
             authority to, including, but not limited to, conduct, or  
             require to be conducted, an independent security assessment  
             of any state agency, department, or office the cost of which  
             is to be funded by the state agency, department, or office  
             being assessed.

           3) Requires each state agency to have a chief information  
             officer who is appointed by the head of the entity, and is  
             responsible for supervising all IT, including information  

           4) Authorizes OIS to require an audit of information security  
             to ensure program compliance, the cost of which shall be  
             funded by the state agency, department, or office being  
             audited, and requires the office to report to Caltech any  
             state agency found to be noncompliant with information  
             security program requirements

          This bill:

           1) Continues in existence the California Cyber Security Task  
             Force, created in 2013 by OES and Caltech. 

           2) Provides that the Task Force shall consist of the following  

               a)     The Director of OES, or his or her designee with  
                 knowledge, expertise, and decision-making authority with  
                 respect to OES' IT and information security duties.
               b)     The Director of Caltech, or his or her designee with  
                 knowledge, expertise, and decision-making authority with  
                 respect to the director's IT and information security  
               c)     The Attorney General, or his or her designee with  
                 knowledge, expertise, and decision-making authority with  
                 respect to the Department of Justice's IT and information  


                                                                    AB 1172  
                                                                    Page  3

               d)     The Adjutant General of the Military Department, or  
                 his or her designee with knowledge, expertise, and  
                 decision-making authority with respect to the Military  
                 Department's IT and information security.
               e)     The Commissioner of the California Highway Patrol,  
                 or his or her designee with knowledge, expertise, and  
                 decision-making authority with respect to the Department  
                 of the California Highway Patrol's IT and information  
               f)     A representative of the Public Utilities Commission  
                 or California Energy Commission with knowledge,  
                 expertise, and decision-making authority with respect to  
                 IT and information security, who shall be appointed by  
                 the Governor.
               g)     A representative from the utility or energy  
                 industry, who shall be appointed by the Governor.
               h)     A representative from law enforcement, who shall be  
                 appointed by the Governor. 
               i)     Three individuals with cyber security expertise, who  
                 shall be appointed, one each, by the Governor, the Senate  
                 Rules Committee, and the Speaker of the Assembly.

           3) Provides that the Task Force may convene stakeholders, both  
             public and private, to act in an advisory capacity and  
             compile policy recommendations on cyber security for the  
             State of California. 

           4) Specifies that the Task Force shall complete and issue a  
             report of policy recommendations to the Governor's office and  
             the Legislature on an annual basis. 

           5) Provides that the Task Force shall meet quarterly, or more  
             often as necessitated by emergency circumstances, within  
             existing resources to ensure that the policy recommendations  
             from the report are implemented and any necessary  
             modifications that may arise are addressed in a timely  

           6) Provides that the OES and Caltech may conduct the strategic  
             direction of risk assessments performed by the Military  
             Department's Computer Network Defense Team. 

           7) Creates within OES a State Director of Cyber Security,  
             appointed by the Governor and subject to Senate confirmation  


                                                                    AB 1172  
                                                                    Page  4

             who shall do all of the following:

               a)     Be the Executive Director of the Task Force.
               b)     Provide strategic direction of risk assessments  
                 performed with state resources.
               c)     Complete a risk profile of state assets and  
                 capabilities for the purpose of compiling statewide  
                 contingency plans including, but not limited to,  
                 Emergency Function 18 of the State Emergency Plan which  
                 pertains to cyber security.
               d)     Act as point of contact to the federal government  
                 and private entities within the state in the event of a  
                 relevant emergency as declared by the Governor.
               e)     Be an adviser to OES and Caltech on cyber security.

           8) Specifies that the Task Force shall perform the following  
             functions based on the following priorities:

               a)     Develop within state government cyber prevention,  
                 defense, and response strategies and define a hierarchy  
                 of command within the state for this purpose. This duty  
                 includes, but is not limited to, the following  

                  i)        Ensuring the continual performance of risk  
                    assessments on state IT systems.  The assessments  
                    shall include penetration tests, vulnerability scans,  
                    and other industry-standard methods that identify  
                    potential risk.
                  ii)       Using assessment results and other state-level  
                    data to create a risk profile of public assets,  
                    critical infrastructure, public networks, and private  
                    operations susceptible to cyber-attacks.  The risk  
                    profile shall include the development of statewide  
                    contingency plans including, but not limited to,  
                    Emergency Function 18 of the State Emergency Plan.

               b)     Partner with the United States Department of  
                 Homeland Security to develop an appropriate information  
                 sharing system that allows for a controlled and secure  
                 process to effectively disseminate cyber threat and  
                 response information and data to relevant private and  
                 public sector entities.  This information sharing system  
                 shall reflect state priorities and target identified  


                                                                    AB 1172  
                                                                    Page  5

                 threat and capability gaps.
               c)     Provide recommendations for IT security standards  
                 for all state agencies using, among other things,  
                 protocols established by the National Institute for  
                 Standards and Technology and reflective of appropriate  
                 state priorities.
               d)     Compile and integrate, as appropriate, the research  
                 conducted by academic institutions, federal laboratories,  
                 and other cyber security experts into state operations  
                 and functions. 
               e)     Expand the state's public-private cyber security  
                 partnership network.
               f)     Expand collaboration, as specified, with the state's  
                 law enforcement apparatus assigned jurisdiction to  
                 prevent, deter, investigate, and prosecute cyber attacks  
                 and IT crime, including collaboration with entities like  
                 High-Tech Theft Apprehension Program, and its five  
                 regional task forces, the Department of the California  
                 Highway Patrol, and the Attorney General's eCrimes unit.   

               g)     Propose, where appropriate potential operational or  
                 functional enhancement to the state's cyber security  
                 assessment and response capabilities, as well as  
                 investment or spending recommendation and guidance for  
                 the state's IT budget and procurement.

           9) Provides that the Task Force shall take all necessary steps  
             to protect personal information and privacy, public and  
             private sector data, and the constitutional rights and  
             liberties of individuals, when implementing its duties. 

           10)Provides that the Task Force may issue reports, in addition  
             to the report described in this bill, to the Governor's  
             office and the Legislature detailing the activities of the  
             task force, as specified.

           11)Allows the Task Force to engage or accept the services of  
             agency or department personnel, accept the services of  
             stakeholder organizations, and accept federal, private, or  
             other nonstate funding, to operate, manage, or conduct the  
             business of the Task Force. 

           12)Provides that each department and agency shall cooperate  
             with the Task Force and furnish it with information and  


                                                                    AB 1172  
                                                                    Page  6

             assistance that is necessary or useful to further the  
             provisions of this bill. 

           13)Includes a sunset date of January 1, 2020. 


          Purpose of the bill.  According to the author, "as our state's  
          operations become more digitally connected, it is more  
          vulnerable to both foreign and domestic cyber-attacks.  Recent  
          cyber-attacks on private and public entities have shown that  
          these attacks are growing in number and are becoming  
          increasingly sophisticated.  Unfortunately, the state's overall  
          capability to coordinate and respond to cyber-attacks in both  
          the public and private sector is fragmented.  AB 1172 would  
          ensure that California has a central entity and a comprehensive  
          strategy in place to prevent and respond to cyber-attacks."

          CalTech/OIS.  CalTech is the central IT organization for the  
          State of California and is responsible for the approval and  
          oversight of all state IT projects.  Among its various offices  
          is the California Information Security Office, or OIS.

          OIS is the primary state government authority for ensuring the  
          confidentiality, integrity, and availability of state systems  
          and applications, and ensuring the protection of state  
          information.  The office represents California to federal,  
          state, and local government entities, higher education, private  
          industry, and others on security-related matters.  According to  
          the author's office, there are a total of 384 state entities  
          subject to the OIS (which excludes some constitutional offices).  

          Cyber Threats in California. According to the California  
          Military Department (CMD), California's size and importance  
          makes it vulnerable to cyber incidents that disrupt business,  
          shutdown critical infrastructure, and compromise intellectual  
          property or national security.  

          CMD calls cybercrime "a growth industry" causing $400 billion in  
          negative impacts annually on the global economy.  Thirty percent  
          of all cyber-attacks and other malicious activity are targeted  
          at the government, making these networks and systems the most  
          vulnerable target of cybercrime.  


                                                                    AB 1172  
                                                                    Page  7

          According to CMD, the threat to government networks has never  
          been higher.  "Hacktivists", nation states, cyber criminals and  
          other threat groups are attacking government networks to steal  
          sensitive information and make a political/economic statement.   
          It is not known how many attacks, whether successful or  
          unsuccessful, have been made against state agency computers over  
          the past year. 

          Existing Task Force.  OES and CalTech, acting at the direction  
          of Governor Brown, created the Task Force to be a statewide  
          partnership comprised of key stakeholders, subject matter  
          experts, and cyber security professionals from California's  
          public, private, academia, and law enforcement sectors.  The  
          Task Force serves as an advisory body to the State of California  
          Senior Administration Officials in matters related to  
          Cybersecurity.  The Task Force holds public meetings once per  
          quarter.  Its mission is to enhance the security of California  
          digital infrastructure and to create a culture of cybersecurity  
          through collaboration, information sharing, and education and  

          The Task Force operates as an advisory body only - it has no  
          formal authority, it takes no votes, it has no budget, and its  
          membership is open and voluntary.  

          Prior/Related Legislation

          AB 670 (Irwin, 2015) requires OIS, within Caltech to conduct an  
          independent security assessment of the IT resources of every  
          state agency, department or office at least once every two  
          years.  (Pending on the Senate Floor)

          AB 739 (Irwin, 2015) provides legal immunity for civil or  
          criminal liability for private entities that communicate  
          anonymized cyber security threat information and meet specified  
          requirements, until January 1, 2020.  (Held in Assembly  
          Judiciary Committee) 

          FISCAL EFFECT:   Appropriation:    No          Fiscal  
          Com.:YesLocal:   No

          According to the Senate Appropriations Committee, ongoing staff  


                                                                    AB 1172  
                                                                    Page  8

          costs of at least $650,000 to OES for the Director of Cyber  
          Security position and two additional full-time staff to manage  
          the responsibility of the Task Force (General Fund).  In  
          addition, an estimated cost of at least $50,000 per year to  
          cover Task Force member's expenses related to the four mandated  
          annual meetings (General Fund).

          SUPPORT:   (Verified8/28/15)

          California District Attorneys Association
          California State Sheriffs' Association

          OPPOSITION:   (Verified8/28/15)

          None received

          ASSEMBLY FLOOR:  78-0, 6/2/15
          AYES:  Achadjian, Alejo, Travis Allen, Baker, Bigelow, Bloom,  
            Bonilla, Bonta, Brough, Brown, Burke, Calderon, Campos, Chang,  
            Chau, Chiu, Chu, Cooley, Cooper, Dababneh, Dahle, Daly, Dodd,  
            Eggman, Frazier, Gallagher, Cristina Garcia, Eduardo Garcia,  
            Gatto, Gipson, Gomez, Gonzalez, Gordon, Gray, Grove, Hadley,  
            Harper, Roger Hernández, Holden, Irwin, Jones, Jones-Sawyer,  
            Kim, Lackey, Levine, Linder, Lopez, Low, Maienschein, Mathis,  
            Mayes, McCarty, Medina, Melendez, Mullin, Nazarian, Obernolte,  
            O'Donnell, Olsen, Patterson, Perea, Quirk, Rendon,  
            Ridley-Thomas, Rodriguez, Salas, Santiago, Steinorth, Mark  
            Stone, Thurmond, Ting, Wagner, Waldron, Weber, Wilk, Williams,  
            Wood, Atkins
          NO VOTE RECORDED:  Chávez, Beth Gaines

          Prepared by:Felipe Lopez / G.O. / (916) 651-1530
          8/31/15 10:15:40

                                   ****  END  ****


                                                                    AB 1172  
                                                                    Page  9