BILL ANALYSIS                                                                                                                                                                                                    

                                                                    AB 1841

                                                                    Page  1

          Date of Hearing:  April 5, 2016


                                   Ed Chau, Chair

          AB 1841  
          (Irwin) - As Amended March 28, 2016

          SUBJECT:  Office of Emergency Services:  duties:  cybersecurity

          SUMMARY:  Requires the state Office of Emergency Services (OES)  
          to develop, by July 1, 2017, a statewide emergency services  
          response plan for cybersecurity attacks against critical  
          infrastructure, and further requires OES to develop a  
          comprehensive cybersecurity strategy by July 1, 2018, with which  
          all state agencies must report compliance by January 1, 2019.   
          Specifically, this bill:  

          1)Requires, on or before July 1, 2017, OES to transmit to the  
            Legislature the Cyber Security Annex to the State Emergency  
            Plan (SEP), also known as Emergency Function 18 (or EF 18)  
            that includes, but is not limited to, all of the following:

               a)     Methods for providing emergency services;

               b)     Command structure for state-wide coordinated  
                 emergency services;

               c)     Emergency service roles of appropriate state  


                                                                    AB 1841

                                                                    Page  2


               d)     Identification of resources to be mobilized;

               e)     Public information plans; and,

               f)     Continuity of government services.

          1)Requires, on or before July 1, 2018, OES to develop a  
            comprehensive state cybersecurity strategy setting standards  
            for state agencies to prepare for cybersecurity interference  
            with, or compromise or incapacitation of, critical  
            infrastructure and the development of critical infrastructure  
            information, and to transmit critical infrastructure  
            information to OES.

          2)Requires the standards developed by OES to consider all of the  
            following factors: 

               a)     Costs to implement the standards;

               b)     Security of critical infrastructure information;

               c)     Centralized management of risk; and,

               d)     National private industry best practices.


                                                                    AB 1841

                                                                    Page  3

          3)Requires OES to post the completed state cybersecurity  
            strategy on its website.

          4)Requires each state agency to report to OES on its compliance  
            with the OES cybersecurity standards, no later than January 1,  

          5)Requires OES to provide suggestions for a state agency to  
            improve its compliance with the OES cybersecurity standards,  
            if any, to specified public officials. 
          6)Declares that a cybersecurity compliance report, and any  
            related communication records,    are confidential and may not  
            be disclosed pursuant to the California Public Records Act. 

          7)Defines the terms "critical infrastructure," "critical  
            infrastructure information," "secretary" and "state agency."

          8)Makes findings relative to the importance of cybersecurity of  
            state networks, and declares the intent of the Legislature to  
            develop a comprehensive cybersecurity strategy under the  
            coordination of OES. 

          9)Makes findings and declarations relative to the need to limit  
            the public's right to access to the documents referenced by  
            this bill because of the need to promote public safety by  
            prohibiting access to those who would use that information to  
            thwart the cybersecurity of critical infrastructure systems  
            within the state.

          EXISTING LAW:  


                                                                    AB 1841

                                                                    Page  4

          1)Requires the Governor and OES, pursuant to the California  
            Emergency Services Act (CESA), to prepare for and mitigate the  
            effects of emergencies in the state.  (Government Code (GC)  
            8550, et seq.
          2)Requires OES, and its appointed Director, to perform a variety  
            of duties with respect to specified emergency preparedness,  
            mitigation, and response activities in the state, including  
            emergency medical services.  (GC 8585, 8585.1)

          3)Specifies that the SEP shall be in effect in each political  
            subdivision of the state, and the governing body of each  
            political subdivision shall take necessary actions to carry  
            out the provisions of the SEP.  (GC 8568)

          4)Requires the Governor to coordinate the SEP and those programs  
            necessary to mitigate the effects of an emergency.  (GC 8569)

          5)Establishes, within the California Department of Technology  
            (CDT), the Office of Information Security to ensure the  
            confidentiality, integrity, and availability of state systems  
            and applications, and to promote and protect privacy as part  
            of the development and operations of state systems and  
            applications to ensure the trust of the residents of this  
            state.  (GC 11549)

          FISCAL EFFECT:  Unknown



                                                                    AB 1841

                                                                    Page  5

           1)Purpose of this bill  .  This bill is intended to speed the  
            creation of a statewide cybersecurity response plan, otherwise  
            known as EF 18, and a related strategy with standards for  
            state agencies, by imposing various statutory deadlines.  This  
            bill is author-sponsored.  

           2)Author's statement  .  According to the author, "Cybersecurity  
            threats are on the rise and California is a priority target  
            because of the size of our economy and the value of our  
            networks and other assets.  The state bears a responsibility  
            in actively defending the critical networks that Californians  
            rely on for services. 

          "A denial of service, theft or manipulation of data, disruption  
            or damage to critical infrastructure through a cyber-based  
            attack could have significant impacts on national security,  
            the economy, and the livelihood and safety of individual  
            citizens.  In the first half of 2015 alone, the Department of  
            Homeland Security responded to 108 cyber incidents impacting  
            US critical infrastructure: electricity, water, health care,  
            communications, financial, and manufacturing systems, among  

          "This issue has prompted state and federal leaders to warn  
            operators of critical infrastructure of the need to bolster  
            cyber defenses to protect against debilitating attacks.  In  
            2015, Governor Brown declared in an executive order on  
            cybersecurity that 'cyber- attacks aimed at breaching and  
            damaging computer networks and infrastructure in California  
            represent a major security risk and increase the state's  
            vulnerability to economic disruption, critical infrastructure  
            damage, privacy violations, and identity theft.
            "AB 1841 will ensure sufficient preparations are taken to  
            protect these critical infrastructure systems [, which] is a  
            role of state government.  A comprehensive cybersecurity  
            strategy, undertaken in a coordinated effort between federal  


                                                                    AB 1841

                                                                    Page  6

            and state governments and private entities, will help prepare  
            for cyberattacks on these critical infrastructure systems, and  
            reduce the potential consequences from those attacks."

           3)OES and the incomplete EF 18  .  CESA authorizes the Governor  
            to take actions to prepare for, respond to, and prevent  
            natural or human-caused emergencies that endanger life,  
            property, and the state's resources.  It further authorizes  
            OES and its Director to take actions to coordinate  
            emergency planning, preparedness, and response activities.

          OES, in its role as the state's lead agency on emergency  
            preparedness, response, and damage mitigation, has  
            responsibility to develop, implement, and manage a  
            comprehensive strategy to protect the critical  
            infrastructure systems of federal and state governments,  
            and private entities.  OES meets that responsibility in  
            part by preparing SEP. 

          The most recent SEP provided by OES is from 2009 and outlines  
            a state-level strategy to support local government efforts  
            during a large-scale emergency.  As required by CESA, the  
            plan describes methods for carrying out emergency  
            operations; the process for rendering mutual aid; emergency  
            services of governmental agencies; how resources are  
            mobilized; emergency public information; and continuity of  


             The 2009 SEP also establishes the California Emergency  
            Functions which consist of 18 disciplines deemed essential  
            to the emergency management community in California.  Led  
            by a State agency, each Emergency Function is designed to  
            bring together discipline-specific stakeholders to  


                                                                    AB 1841

                                                                    Page  7

            collaborate and function within the four phases of  
            emergency management: mitigation, preparedness, response,  
            and recovery.

            At the state level, the Emergency Functions consist of an  
            alliance of state agencies, departments, and other  
            stakeholders with similar discipline-specific  

            According to the OES website, only EF 18 remains  
            incomplete, and is noted as being "in development."  CDT,  
            under the Government Operations Agency, is listed as the  
            responsible entity, with the point of contact being the  
            State Chief Information Security Officer.  

            According to a briefing document from CDT provided by the  
            author, CDT has completed two of five steps in the  
            development of EF 18: identifying and engaging  
            stakeholders, and forming a working group.  The three  
            remaining steps: clarify authorities, roles and  
            responsibilities; develop functional annex; and develop  
            concept of operations; are listed as "work in progress."  
           4)This bill in practice  . As noted above, AB 1841 is primarily  
            intended to speed the adoption of EF 18 by placing a July 1,  
            2017, deadline on its development and transmittal to the  

          However, the bill has a number of other elements. It would also  
            require OES to develop a broad cybersecurity strategy for  
            critical infrastructure by July 1, 2018, and state agencies  
            would be required to report their compliance with the  
            standards set forth in that strategy document by January 1,  
            2019.  The completed EF 18 and the related OES strategy  
            documents would all be posted publicly online once complete,  
            although the compliance reports from the individual state  
            agencies would be kept confidential for security reasons.   
           5)Related legislation  .  SB 949 (Jackson) would authorize the  


                                                                    AB 1841

                                                                    Page  8

            Governor to require owners and operators of critical  
            infrastructure to submit critical infrastructure information  
            to OES or any other designee for the purposes of gathering,  
            analyzing, communicating, or disclosing critical  
            infrastructure information.  SB 949 is pending hearing in the  
            Senate Governmental Organizations Committee. 

           6)Double referral  . This bill is double-referred to the Assembly  
            Governmental Organization Committee, where it will be heard if  
            passed by this Committee. 



          None on file. 


          None on file. 

          Analysis Prepared by:Hank Dempsey / P. & C.P. / (916) 319-2200


                                                                    AB 1841

                                                                    Page  9