BILL ANALYSIS
SENATE COMMITTEE ON GOVERNMENTAL ORGANIZATION
Senator Isadore Hall, III, Chair
2015 - 2016 Regular

Bill No: AB 1841
Hearing Date:
Author: Irwin
Version: 4/14/2016 Amended
Urgency: No
Fiscal: Yes
Consultant: Felipe Lopez

SUBJECT: Cybersecurity incident response plan and standards

DIGEST: This bill requires the California Office of Emergency Services (OES), in conjunction with the Department of Technology (CDT), to transmit to the Legislature, by July 1, 2017, a statewide emergency services response plan for cybersecurity, and further requires OES and CDT to develop a comprehensive cybersecurity strategy for protecting critical infrastructure by January 1, 2018.

ANALYSIS:

Existing law:

1) Establishes OES and requires OES to perform a variety of duties with respect to specified emergency preparedness, mitigation, and response activities in the state, including emergency medical services.

2) Specifies that the State Emergency Plan (SEP) shall be in effect in each political subdivision of the state, and that the governing body of each political subdivision shall take such action as may be necessary to carry out the provisions thereof.

3) Establishes CDT under the supervision of the Director of Technology and generally requires CDT to be responsible for the approval and oversight of information technology projects by, among other things, consulting with state agencies during initial project planning to ensure that project proposals are based on well-defined programmatic needs.

AB 1841 (Irwin) Page 2 of ?

This bill:

1) Requires OES, on or before July 1, 2017, in conjunction with CDT, to transmit to the Legislature a cybersecurity incident response plan, known as the Cyber Security Annex to the State Emergency Plan Emergency Function 18, or EF18, that includes, but is not limited to, all of the following:
a) Methods for providing emergency services.
b) Command structure for statewide coordinated emergency services.
c) Emergency service roles of appropriate state agencies.
d) Identification of resources to be mobilized.
e) Public information plans.
f) Continuity of government services.

2) Requires OES, on or before January 1, 2018, in conjunction with CDT, to develop cybersecurity incident response standards for state agencies to prepare for cybersecurity interference with, or the compromise or incapacitation of, critical infrastructure and the development of critical infrastructure information, and to transmit critical infrastructure information to OES. In developing the standards, OES shall consider all of the following:
a) Cost to implement the standards.
b) Security of critical infrastructure information.
c) Centralized management of risk.
d) National private industry best practices.

3) Requires each state agency to report its compliance with the standards developed under this bill to OES in the manner and at the time directed by OES, but no later than January 1, 2019.

4) Requires OES, in conjunction with CDT, to provide suggestions for improving a state agency's compliance with the standards developed under this bill to the head of the state agency and the secretary responsible for the state agency. For a state agency that is not under the responsibility of a secretary, OES shall provide any suggestions to the head of the state agency and the Governor.

5) Specifies that the report and any public records relating to any such communication are confidential and shall not be disclosed pursuant to state law, including the California Public Records Act.

6) Defines "critical infrastructure" to mean systems and assets so vital to the state that the incapacity or destruction of those systems or assets would have a debilitating impact on security, economic security, public health and safety, or any combination of those matters.

7) Defines "critical infrastructure information" to mean information not customarily in the public domain pertaining to any of the following:
a) Actual, potential, or threatened interference with, or an attack on, compromise of, or incapacitation of critical infrastructure by either physical or computer-based attack or other similar conduct, including, but not limited to, the misuse of, or unauthorized access to, all types of communications and data transmission systems, that violates federal, state, or local law, harms economic security, or threatens public health or safety.
b) The ability of critical infrastructure to resist any interference, compromise, or incapacitation, including, but not limited to, any planned or past assessment or estimate of the vulnerability of critical infrastructure, including, but not limited to, security testing, risk evaluation, risk management planning, or risk audits.
c) Any planned or past operational problem or solution regarding critical infrastructure, including, but not limited to, repair, recovery, reconstruction, insurance, or continuity, to the extent it is related to interference, compromise, or incapacitation of critical infrastructure.

8) Makes legislative findings pertaining to the importance of developing a comprehensive cybersecurity incident response plan.

Background

Purpose of the bill. According to the author, "OES, in its role as the state's lead agency on emergency preparedness, response, and damage mitigation, has responsibility to develop, implement, and manage a comprehensive strategy to protect the critical infrastructure systems of federal and state governments. California currently does not have an established cybersecurity strategy or an incident response plan. Several other states have taken this important step. Having an incident response plan that is well understood by all relevant stakeholders is imperative to protecting critical infrastructure and mitigating potential consequences of a disruption or an attack."

Cyber Threats in California. According to the California Military Department (CMD), California's size and importance make it vulnerable to cyber incidents that disrupt business, shut down critical infrastructure, and compromise intellectual property or national security. CMD calls cybercrime "a growth industry," causing $400 billion in negative impacts annually on the global economy. Thirty percent of all cyber-attacks and other malicious activity are targeted at the government, making these networks and systems the most vulnerable target of cybercrime. According to CMD, the threat to government networks has never been higher. "Hacktivists," nation states, cyber criminals, and other threat groups are attacking government networks to steal sensitive information and to make political or economic statements. It is not known how many attacks, whether successful or unsuccessful, have been made against state agency computers over the past year.

OES and the incomplete EF 18. Current law authorizes the Governor to take actions to prepare for, respond to, and prevent natural or man-made disasters that endanger life, property, and the state's resources. The most recent SEP was prepared by OES in 2009 and outlines a state-level strategy to support local government efforts during a large-scale emergency. The plan describes methods for carrying out emergency operations; the process for rendering mutual aid; emergency services of governmental agencies; how resources are mobilized; emergency public information; and continuity of government. The 2009 SEP also established the SEP's Emergency Functions (EF), which consist of 18 disciplines deemed essential to the emergency management community in California. According to the OES website, only EF 18 remains incomplete, and it is noted as being "in development."

Snapshot of California's Critical Infrastructure. According to OES, the following represents a snapshot of California's critical infrastructure:

- Water: 1468 dams, of which 140 have capacities greater than 10,000 acre-feet; 701 miles of canals and pipelines; and 1.595 miles of levees.
- Electrical Power: 1,008 in-state power plants, nearly 70,000 megawatts of installed generation capacity, and substations and transmission lines that deliver over 200 billion kilowatt hours to customers annually.
- Oil and Natural Gas: over 115,000 miles of oil and natural gas pipelines, 20 refineries and over 100 oil and natural gas terminal facilities, and more than a dozen of the U.S.'s largest oil fields.
- Transportation: over 170,000 miles of public roads; over 50,000 lane miles of highways; over 12,000 bridges; 246 public use airports, 30 of which provide scheduled passenger service. Los Angeles Airport is the seventh busiest worldwide.
- California has 11 seaports handling more than half of all U.S. shipping freight. Three of the country's largest container ports are in California: Los Angeles, Long Beach, and Oakland. Nationally, Los Angeles has the largest container volume; internationally it is the eighth busiest, and when combined with Long Beach it is the fifth busiest.
- Public Health: 450 acute care hospitals.
- Emergency Services: 1,974 fire stations.
- Chemical: approximately 95 "high risk" facilities.
- Agriculture: 81,500 farms; more than 400 commodities; in 2012, total agriculture-related sales for output was $44.7 billion, representing 11.3% of the national total.
- Finance: 7,374 commercial banks with deposits totaling $753 billion; 410 credit unions with assets totaling $115 billion.

State Emergency Plan. The SEP addresses the state's response to extraordinary emergency situations associated with natural disasters or human-caused emergencies. In accordance with the California Emergency Services Act (CESA), the plan describes the methods for carrying out emergency operations, the process for rendering mutual aid, the emergency services of governmental agencies, how resources are mobilized, how the public will be informed, and the process to ensure continuity of government during an emergency or disaster. The SEP is a management document intended to be read and understood before an emergency occurs. It is designed to outline the activities of all California jurisdictions within a statewide emergency management system, and it embraces the capabilities and resources in the broader emergency management community, which includes individuals, businesses, non-governmental organizations, tribal governments, other states, the federal government, and international assistance. The most recent SEP provided by OES is from 2009 and outlines a state-level strategy to support local government efforts during a large-scale emergency. As required by CESA, the plan describes methods for carrying out emergency operations; the process for rendering mutual aid; emergency services of governmental agencies; how resources are mobilized; emergency public information; and continuity of government.

Prior/Related Legislation

SB 949 (Jackson, 2016) authorizes the Governor to require owners and operators of critical infrastructure, as defined, to submit critical infrastructure information to OES. (Never heard in Senate Governmental Organization Committee)

AB 1346 (Gray, 2016) requires OES to update the SEP on or before January 1, 2018, and every 5 years thereafter, and would require the plan to be consistent with specified state climate adaptation strategies. (Pending in Senate Governmental Organization Committee)

AB 2595 (Linder, 2016) establishes in statute the California Cybersecurity Integration Center within OES to develop a cybersecurity strategy for California in coordination with the Cybersecurity Task Force. (Held in Assembly Appropriations Committee)

AB 670 (Irwin, Chapter 518, Statutes of 2015) required CDT to conduct, or require to be conducted, no fewer than 35 independent security assessments of state agencies, departments, or offices annually.

AB 739 (Irwin, 2015) provides legal immunity from civil or criminal liability for private entities that communicate anonymized cyber security threat information and meet specified requirements, until January 1, 2020. (Held in Assembly Judiciary Committee)

AB 1172 (Chau, 2015) continues in existence the California Cybersecurity Task Force, created in 2013 by OES and CDT. (Senate Inactive File)

FISCAL EFFECT: Appropriation: No   Fiscal Com.: Yes   Local: No

SUPPORT:
Los Angeles Deputy Sheriffs
Los Angeles County Professional Peace Officers Association
Los Angeles Police Protective League
Riverside Sheriffs' Association

OPPOSITION: None received

ARGUMENTS IN SUPPORT: Supporters of the bill argue that, "in the past few years, retailers, financial institutions, and government agencies have increasingly fallen victim to cyberattacks. Most recently, in June 2015 the federal Office of Personnel Management announced that a cybersecurity intrusion had exposed the personal information of approximately 20 million current and former federal employees and other individuals. Given the size of California's economy and the value of its information, the State presents a prime target for similar information security breaches. The State must integrate cyber incident response policies and procedures with existing recovery and business continuity plans."

DUAL REFERRAL: Senate Judiciary Committee