BILL ANALYSIS
AB 1841
Page 1

Date of Hearing: April 5, 2016

ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION
Ed Chau, Chair

AB 1841 (Irwin) - As Amended March 28, 2016

SUBJECT: Office of Emergency Services: duties: cybersecurity

SUMMARY: Requires the state Office of Emergency Services (OES) to develop, by July 1, 2017, a statewide emergency services response plan for cybersecurity attacks against critical infrastructure, and further requires OES to develop a comprehensive cybersecurity strategy by July 1, 2018, with which all state agencies must report compliance by January 1, 2019. Specifically, this bill:

1) Requires, on or before July 1, 2017, OES to transmit to the Legislature the Cyber Security Annex to the State Emergency Plan (SEP), also known as Emergency Function 18 (or EF 18), that includes, but is not limited to, all of the following:

   a) Methods for providing emergency services;
   b) Command structure for state-wide coordinated emergency services;
   c) Emergency service roles of appropriate state agencies;
   d) Identification of resources to be mobilized;
   e) Public information plans; and,
   f) Continuity of government services.

2) Requires, on or before July 1, 2018, OES to develop a comprehensive state cybersecurity strategy setting standards for state agencies to prepare for cybersecurity interference with, or compromise or incapacitation of, critical infrastructure and the development of critical infrastructure information, and to transmit critical infrastructure information to OES.

3) Requires the standards developed by OES to consider all of the following factors:

   a) Costs to implement the standards;
   b) Security of critical infrastructure information;
   c) Centralized management of risk; and,
   d) National private industry best practices.

4) Requires OES to post the completed state cybersecurity strategy on its website.

5) Requires each state agency to report to OES on its compliance with the OES cybersecurity standards, no later than January 1, 2019.

6) Requires OES to provide suggestions for a state agency to improve its compliance with the OES cybersecurity standards, if any, to specified public officials.

7) Declares that a cybersecurity compliance report, and any related communication records, are confidential and may not be disclosed pursuant to the California Public Records Act.

8) Defines the terms "critical infrastructure," "critical infrastructure information," "secretary" and "state agency."

9) Makes findings relative to the importance of cybersecurity of state networks, and declares the intent of the Legislature to develop a comprehensive cybersecurity strategy under the coordination of OES.

10) Makes findings and declarations relative to the need to limit the public's right of access to the documents referenced by this bill because of the need to promote public safety by prohibiting access to those who would use that information to thwart the cybersecurity of critical infrastructure systems within the state.

EXISTING LAW:

1) Requires the Governor and OES, pursuant to the California Emergency Services Act (CESA), to prepare for and mitigate the effects of emergencies in the state. (Government Code (GC) 8550, et seq.)

2) Requires OES, and its appointed Director, to perform a variety of duties with respect to specified emergency preparedness, mitigation, and response activities in the state, including emergency medical services. (GC 8585, 8585.1)

3) Specifies that the SEP shall be in effect in each political subdivision of the state, and the governing body of each political subdivision shall take necessary actions to carry out the provisions of the SEP. (GC 8568)

4) Requires the Governor to coordinate the SEP and those programs necessary to mitigate the effects of an emergency.
(GC 8569)

5) Establishes, within the California Department of Technology (CDT), the Office of Information Security to ensure the confidentiality, integrity, and availability of state systems and applications, and to promote and protect privacy as part of the development and operations of state systems and applications to ensure the trust of the residents of this state. (GC 11549)

FISCAL EFFECT: Unknown

COMMENTS:

1) Purpose of this bill. This bill is intended to speed the creation of a statewide cybersecurity response plan, otherwise known as EF 18, and a related strategy with standards for state agencies, by imposing various statutory deadlines. This bill is author-sponsored.

2) Author's statement. According to the author, "Cybersecurity threats are on the rise and California is a priority target because of the size of our economy and the value of our networks and other assets. The state bears a responsibility in actively defending the critical networks that Californians rely on for services.

"A denial of service, theft or manipulation of data, disruption or damage to critical infrastructure through a cyber-based attack could have significant impacts on national security, the economy, and the livelihood and safety of individual citizens. In the first half of 2015 alone, the Department of Homeland Security responded to 108 cyber incidents impacting US critical infrastructure: electricity, water, health care, communications, financial, and manufacturing systems, among others.

"This issue has prompted state and federal leaders to warn operators of critical infrastructure of the need to bolster cyber defenses to protect against debilitating attacks.
In 2015, Governor Brown declared in an executive order on cybersecurity that 'cyber-attacks aimed at breaching and damaging computer networks and infrastructure in California represent a major security risk and increase the state's vulnerability to economic disruption, critical infrastructure damage, privacy violations, and identity theft.'

"AB 1841 will ensure sufficient preparations are taken to protect these critical infrastructure systems [, which] is a role of state government. A comprehensive cybersecurity strategy, undertaken in a coordinated effort between federal and state governments and private entities, will help prepare for cyberattacks on these critical infrastructure systems, and reduce the potential consequences from those attacks."

3) OES and the incomplete EF 18. CESA authorizes the Governor to take actions to prepare for, respond to, and prevent natural or human-caused emergencies that endanger life, property, and the state's resources. It further authorizes OES and its Director to take actions to coordinate emergency planning, preparedness, and response activities. OES, in its role as the state's lead agency on emergency preparedness, response, and damage mitigation, has responsibility to develop, implement, and manage a comprehensive strategy to protect the critical infrastructure systems of federal and state governments, and private entities. OES meets that responsibility in part by preparing the SEP. The most recent SEP provided by OES is from 2009 and outlines a state-level strategy to support local government efforts during a large-scale emergency. As required by CESA, the plan describes methods for carrying out emergency operations; the process for rendering mutual aid; emergency services of governmental agencies; how resources are mobilized; emergency public information; and continuity of government.
The 2009 SEP also establishes the California Emergency Functions, which consist of 18 disciplines deemed essential to the emergency management community in California. Led by a state agency, each Emergency Function is designed to bring together discipline-specific stakeholders to collaborate and function within the four phases of emergency management: mitigation, preparedness, response, and recovery. At the state level, the Emergency Functions consist of an alliance of state agencies, departments, and other stakeholders with similar discipline-specific responsibilities.

According to the OES website, only EF 18 remains incomplete, and is noted as being "in development." CDT, under the Government Operations Agency, is listed as the responsible entity, with the point of contact being the State Chief Information Security Officer. According to a briefing document from CDT provided by the author, CDT has completed two of five steps in the development of EF 18: identifying and engaging stakeholders, and forming a working group. The three remaining steps (clarify authorities, roles and responsibilities; develop functional annex; and develop concept of operations) are listed as "work in progress."

4) This bill in practice. As noted above, AB 1841 is primarily intended to speed the adoption of EF 18 by placing a July 1, 2017, deadline on its development and transmittal to the Legislature. However, the bill has a number of other elements. It would also require OES to develop a broad cybersecurity strategy for critical infrastructure by July 1, 2018, and state agencies would be required to report their compliance with the standards set forth in that strategy document by January 1, 2019. The completed EF 18 and the related OES strategy documents would all be posted publicly online once complete, although the compliance reports from the individual state agencies would be kept confidential for security reasons.

5) Related legislation.
SB 949 (Jackson) would authorize the Governor to require owners and operators of critical infrastructure to submit critical infrastructure information to OES or any other designee for the purposes of gathering, analyzing, communicating, or disclosing critical infrastructure information. SB 949 is pending hearing in the Senate Governmental Organizations Committee.

6) Double referral. This bill is double-referred to the Assembly Governmental Organization Committee, where it will be heard if passed by this Committee.

REGISTERED SUPPORT / OPPOSITION:

Support

None on file.

Opposition

None on file.

Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200