BILL ANALYSIS                                                                                                                                                                                                    

                             Senator Ricardo Lara, Chair
                            2015 - 2016  Regular  Session

          AB 1841 (Irwin) - Cybersecurity incident response plan and  
          |                                                                 |
          |                                                                 |
          |                                                                 |
          |                                |                                |
          |Version: April 14, 2016         |Policy Vote: G.O. 12 - 0, JUD.  |
          |                                |          7 - 0                 |
          |                                |                                |
          |                                |                                |
          |Urgency: No                     |Mandate: No                     |
          |                                |                                |
          |                                |                                |
          |Hearing Date: August 8, 2016    |Consultant: Debra Cooper        |
          |                                |                                |

          This bill meets the criteria for referral to the Suspense File.

          Summary:  AB 1841 would require the Office of Emergency Services  
          (OES), in conjunction with the Department of Technology (CDT) to  
          transmit a cybersecurity incident response plan to the  
          Legislature by July 1, 2017. This bill would also require  
          development of cybersecurity incident response standards for  
          state agencies by January 1, 2018.


           Estimated costs to OES of $2.9 million in fiscal year 2016-17,  
            $1.5 million in 2017-18, and ongoing costs of $1.3 million per  
            year. (GF) These costs include: 

               -      One-time costs to OES for hardware, software, and  


          AB 1841 (Irwin)                                        Page 1 of  
                 personnel costs for development of a secure database.

               -      Properly retaining Protected Critical Infrastructure  
                 Information transmitted to Cal OES by state agencies.

               -      On-going database maintenance.

               -      Developing standards for state agencies that  
                 maintain critical infrastructure.

               -      Oversight to ensure that state agencies are meeting  
                 the standards.

               -      Six PY of staff in the Information Technology  
                 Services Division and the Critical Infrastructure  
                 Protection Unit to maintain, monitor, and manage system  

           Ongoing, potentially significant cost pressure for state  
            entities to adopt cybersecurity incident response standards  
            developed by OES and to make necessary changes to address any  
            issues identified by OES concerning compliance with the  
            standards. (GF and/or Special Funds).  

          Background:  In 2013, the Governor administratively directed OES and CDT to  
          create a Cyber Security Task Force composed of specified  
          stakeholders, subject matter experts, and cyber security  
          professionals from public, private, academic, and law  
          enforcement sectors. The mission of the Task Force is to enhance  
          the security of California's digital infrastructure and to  
          create a culture of cybersecurity through collaboration,  
          information sharing, and education and awareness.
          The State Emergency Plan (SEP) addresses the state's response to  
          extraordinary emergency situations associated with natural  
          disasters or human-caused emergencies. The most recent SEP,  
          prepared by OES in 2009 outlined a state-level strategy to  
          support local government efforts during large scale emergencies.  
          The 2009 SEP established 18 Emergency Functions (EF 18) that are  
          primary activities essential for state entities to work together  
          to address emergency management needs. According to OES's  


          AB 1841 (Irwin)                                        Page 2 of  
          website, EF 18 is the only incomplete component of the SEP. One  
          of the 18 incomplete EF 18 functions is cybersecurity.

          According to the California Military Department, California's  
          size and importance makes it vulnerable to cyber incidents that  
          disrupt business, shutdown critical infrastructure, and  
          compromise intellectual property or national security. The  
          owners and operators of California's infrastructure such as  
          power plants, water distribution systems, refineries, and  
          communications equipment have largely replaced analog control  
          systems with digital controls, often connected through computer  
          networks. These updated systems make management of critical  
          infrastructure more efficient but also more vulnerable to  

          According to the author, the State Emergency Plan does not  
          currently have an established cybersecurity strategy or an  
          incident response plan to account for cybersecurity risks  
          imposed on the state and general public. 

          Proposed Law:  
            This bill would:
           Require OES, in conjunction with CDT, on or before July 1,  
            2017, to transmit to the Legislature, a cybersecurity plan  
            that includes, but is not limited to:
               -      Methods for providing emergency services;
               -      Command structure for statewide coordinated  
                 emergency services;
               -      Emergency service roles of appropriate state  
               -      Identification of resources to be mobilized;
               -      Public information plans;
               -      Continuity of government services.
           Require OES, on or before January 1, 2018, in conjunction with  
            CDT, to develop cybersecurity incident response standards for  
            state agencies to prepare for cybersecurity interference with,  
            or the compromise or incapacitation of, critical  
            infrastructure and for the development and transmission of  
            critical infrastructure information to OES. In development of  


          AB 1841 (Irwin)                                        Page 3 of  
            the standards, OES shall consider the following:
               -      Costs to implement the standards;
               -      Security of critical infrastructure information; 
               -      Centralized management of risk;
               -      Industry best practices;
               -      Continuity of operations;
               -      Protection of personal information.
           Require each state agency to report on its compliance with the  
            standards by January 1, 2019, and directs OES, in conjunction  
            with CDT, to provide suggestions for state agencies to improve  
            compliance with the standards. 
           Specify that the report and communications required under this  
            provision are confidential and shall not be disclosed pursuant  
            to any state law including the California Public Records Act. 

          SB 949 (Jackson, 2016) would have authorized the Governor to  
          require owners and operators of critical infrastructure, as  
          defined to submit critical infrastructure information to OES.  
          This bill was referred to the Senate Governmental Organization  
          Committee but never heard. 

          AB 1346 (Gray, 2016) would require OES to update the SEP on or  
          before January 1, 2018 and every 5 years thereafter and would  
          require the plan to be consistent with specified state climate  
          adaptation strategies. This bill is pending in the Senate  
          Appropriations Committee.

          AB 2595 (Linder, 2016) would have established the California  
          Cybersecurity Integration Center within OES to develop a  
          cybersecurity strategy for California in coordination with the  
          Cybersecurity Task Force. This bill was held in the Assembly  
          Appropriations Committee.

          AB 670 (Irwin, Chapter 518, Statutes of 2015) requires CDT to  
          conduct, or require to be conducted, no fewer than 35  
          independent security assessments of state agencies, departments,  


          AB 1841 (Irwin)                                        Page 4 of  
          or offices annually.

          AB 1172 (Chau, 2015) would have continued in existence the  
          California Cybersecurity Task Force, created in 2013, by OES and  
          CDT. This bill was ordered to the Senate Inactive File.

          Comments:  This bill would require OES to collect protected  
          critical infrastructure information from all state agencies,  
          which OES does not currently do. In order to do this, OES would  
          have to create and maintain a secure "virtual infrastructure"  
          system that is appropriate for retaining this critical  
          information. The main source of costs in fiscal year 2016-17  
          would be development of such a system. An initial $1.5 million  
          would be needed for licensing and two limited term positions for  
          building the database and launching the system.
          The virtual infrastructure system would require an ongoing  
          $300,000 per year for licensing and maintaining the system. OES  
          estimates they would also need an additional 6 PY of staffing  
          for ongoing IT demands, critical infrastructure analysis, and  
          data entry and resolution.

                                      -- END --