BILL ANALYSIS
-----------------------------------------------------------------
|SENATE RULES COMMITTEE                               | AB 1172|
|Office of Senate Floor Analyses                      |        |
|(916) 651-1520  Fax: (916) 327-4478                  |        |
-----------------------------------------------------------------
THIRD READING
Bill No: AB 1172
Author: Chau (D), et al.
Amended: 8/31/15 in Senate
Vote: 21
SENATE GOVERNMENTAL ORG. COMMITTEE: 13-0, 7/14/15
AYES: Hall, Berryhill, Block, Gaines, Galgiani, Glazer,
Hernandez, Hill, Hueso, Lara, McGuire, Runner, Vidak
SENATE APPROPRIATIONS COMMITTEE: 6-1, 8/27/15
AYES: Lara, Bates, Beall, Hill, Leyva, Mendoza
NOES: Nielsen
ASSEMBLY FLOOR: 78-0, 6/2/15 - See last page for vote
SUBJECT: California cyber security
SOURCE: Author
DIGEST: This bill continues in existence the California Cyber
Security Task Force (Task Force), created in 2013 by the
Governor's Office of Emergency Services (OES) and the Department
of Technology (Caltech).
ANALYSIS:
Existing law:
1) Establishes Caltech, within the Government Operations Agency
(GOA). Caltech is generally responsible for the approval and
oversight of information technology (IT) projects by, among
other things, consulting with state agencies during initial
project planning to ensure that project proposals are based on
well-defined programmatic needs.
2) Establishes, within Caltech, the California Information
Security Office (OIS) under the supervision of the Chief of
the Office of Information Security. The OIS has the
authority, including, but not limited to, to conduct, or
require to be conducted, an independent security assessment
of any state agency, department, or office, the cost of which
is to be funded by the state agency, department, or office
being assessed.
3) Requires each state agency to have a chief information
officer who is appointed by the head of the entity, and is
responsible for supervising all IT, including information
security.
4) Authorizes OIS to require an audit of information security
to ensure program compliance, the cost of which shall be
funded by the state agency, department, or office being
audited, and requires the office to report to Caltech any
state agency found to be noncompliant with information
security program requirements.
This bill:
1) Continues in existence the California Cyber Security Task
Force, created in 2013 by OES and Caltech.
2) Provides that the Task Force shall consist of the following
members:
a) The Director of OES, or his or her designee with
knowledge, expertise, and decision-making authority with
respect to OES' IT and information security duties.
b) The Director of Caltech, or his or her designee with
knowledge, expertise, and decision-making authority with
respect to the director's IT and information security
duties.
c) The Attorney General, or his or her designee with
knowledge, expertise, and decision-making authority with
respect to the Department of Justice's IT and information
security.
d) The Adjutant General of the Military Department, or
his or her designee with knowledge, expertise, and
decision-making authority with respect to the Military
Department's IT and information security.
e) The Commissioner of the California Highway Patrol,
or his or her designee with knowledge, expertise, and
decision-making authority with respect to the Department
of the California Highway Patrol's IT and information
security.
f) A representative of the Public Utilities Commission
or California Energy Commission with knowledge,
expertise, and decision-making authority with respect to
IT and information security, who shall be appointed by
the Governor.
g) A representative from the utility or energy
industry, who shall be appointed by the Governor.
h) A representative from law enforcement, who shall be
appointed by the Governor.
i) Three individuals with cyber security expertise, who
shall be appointed, one each, by the Governor, the Senate
Rules Committee, and the Speaker of the Assembly.
3) Provides that the Task Force may convene stakeholders, both
public and private, to act in an advisory capacity and
compile policy recommendations on cyber security for the
State of California.
4) Specifies that the Task Force shall complete and issue a
report of policy recommendations to the Governor's office and
the Legislature on an annual basis.
5) Provides that the Task Force shall meet quarterly, or more
often as necessitated by emergency circumstances, within
existing resources to ensure that the policy recommendations
from the report are implemented and any necessary
modifications that may arise are addressed in a timely
manner.
6) Provides that the OES and Caltech may conduct the strategic
direction of risk assessments performed by the Military
Department's Computer Network Defense Team.
7) Creates within OES a State Director of Cyber Security,
appointed by the Governor and subject to Senate confirmation,
who shall do all of the following:
a) Be the Executive Director of the Task Force.
b) Provide strategic direction of risk assessments
performed with state resources.
c) Complete a risk profile of state assets and
capabilities for the purpose of compiling statewide
contingency plans including, but not limited to,
Emergency Function 18 of the State Emergency Plan which
pertains to cyber security.
d) Act as point of contact to the federal government
and private entities within the state in the event of a
relevant emergency as declared by the Governor.
e) Be an adviser to OES and Caltech on cyber security.
8) Specifies that the Task Force shall perform the following
functions based on the following priorities:
a) Develop within state government cyber prevention,
defense, and response strategies and define a hierarchy
of command within the state for this purpose. This duty
includes, but is not limited to, the following
activities:
i) Ensuring the continual performance of risk
assessments on state IT systems. The assessments
shall include penetration tests, vulnerability scans,
and other industry-standard methods that identify
potential risk.
ii) Using assessment results and other state-level
data to create a risk profile of public assets,
critical infrastructure, public networks, and private
operations susceptible to cyber-attacks. The risk
profile shall include the development of statewide
contingency plans including, but not limited to,
Emergency Function 18 of the State Emergency Plan.
b) Partner with the United States Department of
Homeland Security to develop an appropriate information
sharing system that allows for a controlled and secure
process to effectively disseminate cyber threat and
response information and data to relevant private and
public sector entities. This information sharing system
shall reflect state priorities and target identified
threat and capability gaps.
c) Provide recommendations for IT security standards
for all state agencies using, among other things,
protocols established by the National Institute for
Standards and Technology and reflective of appropriate
state priorities.
d) Compile and integrate, as appropriate, the research
conducted by academic institutions, federal laboratories,
and other cyber security experts into state operations
and functions.
e) Expand the state's public-private cyber security
partnership network.
f) Expand collaboration, as specified, with the state's
law enforcement apparatus assigned jurisdiction to
prevent, deter, investigate, and prosecute cyber attacks
and IT crime, including collaboration with entities such as
the High-Tech Theft Apprehension Program and its five
regional task forces, the Department of the California
Highway Patrol, and the Attorney General's eCrimes unit.
g) Propose, where appropriate, potential operational or
functional enhancements to the state's cyber security
assessment and response capabilities, as well as
investment or spending recommendations and guidance for
the state's IT budget and procurement.
9) Provides that the Task Force shall take all necessary steps
to protect personal information and privacy, public and
private sector data, and the constitutional rights and
liberties of individuals, when implementing its duties.
10) Provides that the Task Force may issue reports, in addition
to the report described in this bill, to the Governor's
office and the Legislature detailing the activities of the
Task Force, as specified.
11) Allows the Task Force to engage or accept the services of
agency or department personnel, accept the services of
stakeholder organizations, and accept federal, private, or
other nonstate funding, to operate, manage, or conduct the
business of the Task Force.
12) Provides that each department and agency shall cooperate
with the Task Force and furnish it with information and
assistance that is necessary or useful to further the
provisions of this bill.
13) Includes a sunset date of January 1, 2020.
Background
Purpose of the bill. According to the author, "as our state's
operations become more digitally connected, it is more
vulnerable to both foreign and domestic cyber-attacks. Recent
cyber-attacks on private and public entities have shown that
these attacks are growing in number and are becoming
increasingly sophisticated. Unfortunately, the state's overall
capability to coordinate and respond to cyber-attacks in both
the public and private sector is fragmented. AB 1172 would
ensure that California has a central entity and a comprehensive
strategy in place to prevent and respond to cyber-attacks."
CalTech/OIS. CalTech is the central IT organization for the
State of California and is responsible for the approval and
oversight of all state IT projects. Among its various offices
is the California Information Security Office, or OIS.
OIS is the primary state government authority for ensuring the
confidentiality, integrity, and availability of state systems
and applications, and ensuring the protection of state
information. The office represents California to federal,
state, and local government entities, higher education, private
industry, and others on security-related matters. According to
the author's office, there are a total of 384 state entities
subject to the OIS (which excludes some constitutional offices).
Cyber Threats in California. According to the California
Military Department (CMD), California's size and importance
make it vulnerable to cyber incidents that disrupt business,
shut down critical infrastructure, and compromise intellectual
property or national security.
CMD calls cybercrime "a growth industry" causing $400 billion in
negative impacts annually on the global economy. Thirty percent
of all cyber-attacks and other malicious activity are targeted
at the government, making these networks and systems the most
vulnerable target of cybercrime.
According to CMD, the threat to government networks has never
been higher. "Hacktivists", nation states, cyber criminals and
other threat groups are attacking government networks to steal
sensitive information and make a political/economic statement.
It is not known how many attacks, whether successful or
unsuccessful, have been made against state agency computers over
the past year.
Existing Task Force. OES and CalTech, acting at the direction
of Governor Brown, created the Task Force to be a statewide
partnership comprised of key stakeholders, subject matter
experts, and cyber security professionals from California's
public, private, academic, and law enforcement sectors. The
Task Force serves as an advisory body to the State of California
senior administration officials in matters related to
cybersecurity. The Task Force holds public meetings once per
quarter. Its mission is to enhance the security of California's
digital infrastructure and to create a culture of cybersecurity
through collaboration, information sharing, and education and
awareness.
The Task Force operates as an advisory body only - it has no
formal authority, it takes no votes, it has no budget, and its
membership is open and voluntary.
Prior/Related Legislation
AB 670 (Irwin, 2015) requires OIS, within Caltech to conduct an
independent security assessment of the IT resources of every
state agency, department or office at least once every two
years. (Pending on the Senate Floor)
AB 739 (Irwin, 2015) provides legal immunity for civil or
criminal liability for private entities that communicate
anonymized cyber security threat information and meet specified
requirements, until January 1, 2020. (Held in Assembly
Judiciary Committee)
FISCAL EFFECT: Appropriation: No    Fiscal Com.: Yes    Local: No
According to the Senate Appropriations Committee, ongoing staff
costs of at least $650,000 to OES for the Director of Cyber
Security position and two additional full-time staff to manage
the responsibilities of the Task Force (General Fund). In
addition, an estimated cost of at least $50,000 per year to
cover Task Force members' expenses related to the four mandated
annual meetings (General Fund).
SUPPORT: (Verified 8/28/15)
California District Attorneys Association
California State Sheriffs' Association
OPPOSITION: (Verified 8/28/15)
None received
ASSEMBLY FLOOR: 78-0, 6/2/15
AYES: Achadjian, Alejo, Travis Allen, Baker, Bigelow, Bloom,
Bonilla, Bonta, Brough, Brown, Burke, Calderon, Campos, Chang,
Chau, Chiu, Chu, Cooley, Cooper, Dababneh, Dahle, Daly, Dodd,
Eggman, Frazier, Gallagher, Cristina Garcia, Eduardo Garcia,
Gatto, Gipson, Gomez, Gonzalez, Gordon, Gray, Grove, Hadley,
Harper, Roger Hernández, Holden, Irwin, Jones, Jones-Sawyer,
Kim, Lackey, Levine, Linder, Lopez, Low, Maienschein, Mathis,
Mayes, McCarty, Medina, Melendez, Mullin, Nazarian, Obernolte,
O'Donnell, Olsen, Patterson, Perea, Quirk, Rendon,
Ridley-Thomas, Rodriguez, Salas, Santiago, Steinorth, Mark
Stone, Thurmond, Ting, Wagner, Waldron, Weber, Wilk, Williams,
Wood, Atkins
NO VOTE RECORDED: Chávez, Beth Gaines
Prepared by: Felipe Lopez / G.O. / (916) 651-1530
8/31/15 10:15:40
**** END ****