BILL ANALYSIS                                                                                                                                                                                                    



          SENATE COMMITTEE ON GOVERNMENTAL ORGANIZATION
                              Senator Isadore Hall, III
                                        Chair
                                2015 - 2016  Regular 

          Bill No:           AB 1841          Hearing Date:     
           ----------------------------------------------------------------- 
          |Author:    |Irwin                                                |
          |-----------+-----------------------------------------------------|
          |Version:   |4/14/2016    Amended                                 |
           ----------------------------------------------------------------- 
           ------------------------------------------------------------------ 
          |Urgency:   |No                     |Fiscal:      |Yes             |
           ------------------------------------------------------------------ 
           ----------------------------------------------------------------- 
          |Consultant:|Felipe Lopez                                         |
          |           |                                                     |
           ----------------------------------------------------------------- 
          

          SUBJECT: Cybersecurity incident response plan and standards


            DIGEST:    This bill requires the California Office of Emergency  
          Services (OES), in conjunction with the Department of Technology  
          (CDT), to transmit to the Legislature, by July 1, 2017, a  
          statewide emergency services response plan for cybersecurity,  
          and further requires OES and CDT to develop a comprehensive  
          cybersecurity strategy for protecting critical infrastructure by  
          January 1, 2018.

          ANALYSIS:
          
          Existing law:
          
          1)Establishes OES and requires OES to perform a variety of  
            duties with respect to specified emergency preparedness,  
            mitigation, and response activities in the state, including  
            emergency medical services.

          2)Specifies that the State Emergency Plan (SEP) shall be in  
            effect in each political subdivision of the state, and the  
            governing body of each political subdivision shall take such  
            action as may be necessary to carry out the provisions  
            thereof. 

          3)Establishes CDT under the supervision of the Director of  
            Technology and generally requires CDT to be responsible for  
            the approval and oversight of information technology projects  
          AB 1841 (Irwin)                                    Page 2 of ?
          
          
            by, among other things, consulting with state agencies during  
            initial project planning to ensure that project proposals are  
            based on well-defined programmatic needs. 

          This bill:

          1)Requires OES, on or before July 1, 2017, in conjunction with  
            CDT, to transmit to the Legislature a cybersecurity incident  
            response plan, known as the Cyber Security Annex to the State  
            Emergency Plan Emergency Function 18, or EF 18, that includes,  
            but is not limited to, all of the following:

             a)   Methods for providing emergency services.
             b)   Command structure for statewide coordinated emergency  
               services.
             c)   Emergency service roles of appropriate state agencies.
             d)   Identification of resources to be mobilized.
             e)   Public information plans.
             f)   Continuity of government services. 

          2)Requires OES, on or before January 1, 2018, in conjunction  
            with CDT, to develop cybersecurity incident response standards  
            for state agencies to prepare for cybersecurity interference  
            with, or the compromise or incapacitation of, critical  
            infrastructure and the development of critical infrastructure  
            information, and to transmit critical infrastructure  
            information to OES.  In developing the standards, OES shall  
            consider all of the following:

             a)   Cost to implement the standards.
             b)   Security of critical infrastructure information.
             c)   Centralized management of risk.
             d)   National private industry best practices.

          3)Requires each state agency to report its compliance with the  
            standards developed by this bill to OES in the manner and at  
            the time directed by OES, but no later than January 1, 2019.

          4)Requires OES, in conjunction with CDT, to provide suggestions  
            for a state agency to improve compliance with the standards  
            developed by this bill, to the head of the state agency and  
            the secretary responsible for the state agency.  For a state  
            agency that is not under the responsibility of a secretary,  
            OES shall provide any suggestions to the head of the state  
            agency and the Governor. 


          5)Specifies that the report and any public records relating to  
            any communication are confidential and shall not be disclosed  
            pursuant to state law, including the California Public Records  
            Act.

          6)Defines "Critical infrastructure" to mean systems and assets  
            so vital to the state that the incapacity or destruction of  
            those systems or assets would have a debilitating impact on  
            security, economic security, public health and safety, or any  
            combination of those matters.

          7)Defines "Critical infrastructure information" to mean  
            information not customarily in the public domain pertaining to  
            any of the following:

             a)   Actual, potential, or threatened interference with, or  
               an attack on, compromise of, or incapacitation of critical  
               infrastructure by either physical or computer-based attack  
               or other similar conduct, including, but not limited to,  
               the misuse of, or unauthorized access to, all types of  
               communications and data transmission systems, that violates  
               federal, state, or local law, harms economic security, or  
               threatens public health or safety.
             b)   The ability of critical infrastructure to resist any  
               interference, compromise, or incapacitation, including, but  
               not limited to, any planned or past assessment or estimate  
               of the vulnerability of critical infrastructure, including,  
               but not limited to, security testing, risk evaluation, risk  
               management planning, or risk audits.
             c)   Any planned or past operational problem or solution  
               regarding critical infrastructure, including, but not  
               limited to, repair, recovery, reconstruction, insurance, or  
               continuity, to the extent it is related to interference,  
               compromise, or incapacitation of critical infrastructure. 
           
          8)Makes legislative findings pertaining to the importance of  
            developing a comprehensive cybersecurity incident response  
            plan.

          Background

          Purpose of the bill. According to the author, "OES, in its role  
          as the state's lead agency on emergency preparedness, response,  
          and damage mitigation, has responsibility to develop, implement,  
          and manage a comprehensive strategy to protect the critical  
          infrastructure systems of federal and state governments.   
          California currently does not have an established cybersecurity  
          strategy or an incident response plan.  Several other states  
          have taken this important step.  Having an incident response  
          plan that is well understood by all relevant stakeholders is  
          imperative to protecting critical infrastructure and mitigating  
          potential consequences of a disruption or an attack."

          Cyber Threats in California. According to the California  
          Military Department (CMD), California's size and importance  
          make it vulnerable to cyber incidents that disrupt business,  
          shut down critical infrastructure, and compromise intellectual  
          property or national security.  

          CMD calls cybercrime "a growth industry" causing $400 billion in  
          negative impacts annually on the global economy.  Thirty percent  
          of all cyber-attacks and other malicious activity are targeted  
          at the government, making these networks and systems the most  
          vulnerable target of cybercrime.  

          According to CMD, the threat to government networks has never  
          been higher.  "Hacktivists", nation states, cyber criminals and  
          other threat groups are attacking government networks to steal  
          sensitive information or to make a political or economic  
          statement.  It is not known how many attacks, whether successful  
          or unsuccessful, have been made against state agency computers  
          over the past year.

          OES and the incomplete EF 18.  Current law authorizes the  
          Governor to take actions to prepare for, respond to, and  
          prevent natural or man-made disasters that endanger life,  
          property, and the state's resources.  

          The most recent SEP was prepared by OES in 2009 and outlines  
          a state-level strategy to support local government efforts  
          during a large-scale emergency.  The plan describes methods  
          for carrying out emergency operations; the process for  
          rendering mutual aid; emergency services of governmental  
          agencies; how resources are mobilized; emergency public  
          information; and continuity of government.   The 2009 SEP  
          also established the SEP's Emergency Functions (EF), which  
          consist of 18 disciplines deemed essential to the emergency  
          management community in California.  

          According to the OES website, only EF 18 remains incomplete,  
          and is noted as being "in development."  

          Snapshot of California's Critical Infrastructure.  According to  
          OES, the following represents a snapshot of California's  
          critical infrastructure:

             -    Water: 1,468 dams, of which 140 have capacities greater  
               than 10,000 acre-feet; 701 miles of canals and pipelines;  
               and 1.595 miles of levees.
             -    Electrical Power: 1,008 in-state power plants; nearly  
               70,000 megawatts of installed generation capacity; and  
               substations and transmission lines that deliver over 200  
               billion kilowatt hours to customers annually.
             -    Oil and Natural Gas: over 115,000 miles of oil and  
               natural gas pipelines, 20 refineries and over 100 oil and  
               natural gas terminal facilities, and more than a dozen of  
               the U.S.'s largest oil fields.
             -    Transportation: over 170,000 miles of public roads; over  
               50,000 lane miles of highways; over 12,000 bridges; 246  
               public use airports, 30 of which provide scheduled  
               passenger service.  Los Angeles Airport is the seventh  
               busiest worldwide.
             -    California has 11 seaports handling more than half of  
               all U.S. shipping freight.  Three of the country's  
               largest container ports are in California: Los Angeles,  
               Long Beach and Oakland.  Nationally, Los Angeles is the  
               busiest port by container volume; internationally it is  
               the eighth busiest, and when combined with Long Beach it  
               is the fifth busiest. 
             -    Public Health: 450 acute care hospitals.
             -    Emergency Services: 1,974 fire stations.
             -    Chemical: Approximately 95 "high risk" facilities.
             -    Agriculture: 81,500 farms; more than 400 commodities; in  
               2012, total agriculture-related output sales were $44.7  
               billion, representing 11.3% of the national total.
             -    Finance: 7,374 commercial banks with deposits totaling  
               $753 billion; 410 credit unions with assets totaling $115  
               billion.

          State Emergency Plan.  The SEP addresses the state's response to  
          extraordinary emergency situations associated with natural  
          disasters or human-caused emergencies.  In accordance with the  
          California Emergency Services Act (CESA), the plan describes the  
          methods for carrying out emergency operations, the process for  
          rendering mutual aid, the emergency services of governmental  
          agencies, how resources are mobilized, how the public will be  
          informed and the process to ensure continuity of government  
          during an emergency or disaster.

          The SEP is a management document intended to be read and  
          understood before an emergency occurs.  It is designed to  
          outline the activities of all California jurisdictions within a  
          statewide emergency management system and it embraces the  
          capabilities and resources in the broader emergency management  
          community that includes individuals, businesses,  
          non-governmental organizations, tribal governments, other  
          states, federal government and international assistance. 


          The most recent SEP provided by OES is from 2009 and outlines  
          a state-level strategy to support local government efforts  
          during a large-scale emergency.  As required by CESA, the  
          plan describes methods for carrying out emergency operations;  
          the process for rendering mutual aid; emergency services of  
          governmental agencies; how resources are mobilized; emergency  
          public information; and continuity of government.


          Prior/Related Legislation

          SB 949 (Jackson, 2016) authorizes the Governor to require owners  
          and operators of critical infrastructure, as defined, to submit  
          critical infrastructure information to OES.  (Never heard in  
          Senate Governmental Organization Committee)

          AB 1346 (Gray, 2016) requires OES to update the SEP on or before  
          January 1, 2018, and every 5 years thereafter, and would require  
          the plan to be consistent with specified state climate  
          adaptation strategies.  (Pending in Senate Governmental  
          Organization Committee).

          AB 2595 (Linder, 2016) establishes in statute the California  
          Cybersecurity Integration Center within OES to develop a  
          cybersecurity strategy for California in coordination with the  
          Cybersecurity Task Force.  (Held in Assembly Appropriations  
          Committee) 

          AB 670 (Irwin, Chapter 518, Statutes of 2015) required CDT to  
          conduct, or require to be conducted, no fewer than 35  
          independent security assessments of state agencies, departments,  
          or offices annually.  

          AB 739 (Irwin, 2015) provides legal immunity for civil or  
          criminal liability for private entities that communicate  
          anonymized cyber security threat information and meet specified  
          requirements, until January 1, 2020.  (Held in Assembly  
          Judiciary Committee) 

          AB 1172 (Chau, 2015) continues in existence the California  
          Cybersecurity Task Force, created in 2013 by OES and CDT.   
          (Senate Inactive File)

          FISCAL EFFECT:    Appropriation:  No    Fiscal Com.:  Yes    Local:  No


            SUPPORT:  

          Los Angeles Deputy Sheriffs
          Los Angeles County Professional Peace Officers Association
          Los Angeles Police Protective League
          Riverside Sheriffs' Association

          OPPOSITION:

          None received

          ARGUMENTS IN SUPPORT:    Supporters of the bill argue that, "in  
          the past few years, retailers, financial institutions, and  
          government agencies have increasingly fallen victim to  
          cyberattacks.  Most recently, in June 2015 the federal Office of  
          Personnel Management announced that a cybersecurity intrusion  
          had exposed the personal information of approximately 20 million  
          current and former federal employees and other individuals.   
          Given the size of California's economy and the value of its  
          information, the State presents a prime target for similar  
          information security breaches.  The State must integrate cyber  
          incident response policies and procedures with existing recovery  
          and business continuity plans."

          DUAL REFERRAL:  Senate Judiciary Committee