BILL ANALYSIS
SENATE COMMITTEE ON APPROPRIATIONS
Senator Ricardo Lara, Chair
2015 - 2016 Regular Session
AB 1841 (Irwin) - Cybersecurity incident response plan and
standards
Version: April 14, 2016          Policy Vote: G.O. 12 - 0, JUD. 7 - 0
Urgency: No                      Mandate: No
Hearing Date: August 8, 2016     Consultant: Debra Cooper
This bill meets the criteria for referral to the Suspense File.
Bill Summary: AB 1841 would require the Office of Emergency Services
(OES), in conjunction with the Department of Technology (CDT) to
transmit a cybersecurity incident response plan to the
Legislature by July 1, 2017. This bill would also require
development of cybersecurity incident response standards for
state agencies by January 1, 2018.
Fiscal Impact:
Estimated costs to OES of $2.9 million in fiscal year 2016-17,
$1.5 million in 2017-18, and ongoing costs of $1.3 million per
year. (GF) These costs include:
- One-time costs to OES for hardware, software, and
personnel costs for development of a secure database.
- Properly retaining Protected Critical Infrastructure
Information transmitted to Cal OES by state agencies.
- On-going database maintenance.
- Developing standards for state agencies that
maintain critical infrastructure.
- Oversight to ensure that state agencies are meeting
the standards.
- Six PY of staff in the Information Technology
Services Division and the Critical Infrastructure
Protection Unit to maintain, monitor, and manage system
infrastructure.
Ongoing, potentially significant cost pressure for state
entities to adopt cybersecurity incident response standards
developed by OES and to make necessary changes to address any
issues identified by OES concerning compliance with the
standards. (GF and/or Special Funds).
Background: In 2013, the Governor administratively directed OES and CDT to
create a Cyber Security Task Force composed of specified
stakeholders, subject matter experts, and cyber security
professionals from public, private, academic, and law
enforcement sectors. The mission of the Task Force is to enhance
the security of California's digital infrastructure and to
create a culture of cybersecurity through collaboration,
information sharing, and education and awareness.
The State Emergency Plan (SEP) addresses the state's response to
extraordinary emergency situations associated with natural
disasters or human-caused emergencies. The most recent SEP,
prepared by OES in 2009, outlined a state-level strategy to
support local government efforts during large-scale emergencies.
The 2009 SEP established 18 Emergency Functions (EF 18) that are
primary activities essential for state entities to work together
to address emergency management needs. According to OES's
website, EF 18 is the only incomplete component of the SEP. One
of the 18 incomplete EF 18 functions is cybersecurity.
According to the California Military Department, California's
size and importance make it vulnerable to cyber incidents that
disrupt business, shut down critical infrastructure, and
compromise intellectual property or national security. The
owners and operators of California's infrastructure, such as
power plants, water distribution systems, refineries, and
communications equipment, have largely replaced analog control
systems with digital controls, often connected through computer
networks. These updated systems make management of critical
infrastructure more efficient but also more vulnerable to
cyber-attack.
According to the author, the State Emergency Plan does not
currently have an established cybersecurity strategy or an
incident response plan to account for cybersecurity risks
imposed on the state and general public.
Proposed Law:
This bill would:
Require OES, in conjunction with CDT, on or before July 1,
2017, to transmit to the Legislature a cybersecurity plan
that includes, but is not limited to:
- Methods for providing emergency services;
- Command structure for statewide coordinated
emergency services;
- Emergency service roles of appropriate state
agencies;
- Identification of resources to be mobilized;
- Public information plans;
- Continuity of government services.
Require OES, on or before January 1, 2018, in conjunction with
CDT, to develop cybersecurity incident response standards for
state agencies to prepare for cybersecurity interference with,
or the compromise or incapacitation of, critical
infrastructure and for the development and transmission of
critical infrastructure information to OES. In development of
the standards, OES shall consider the following:
- Costs to implement the standards;
- Security of critical infrastructure information;
- Centralized management of risk;
- Industry best practices;
- Continuity of operations;
- Protection of personal information.
Require each state agency to report on its compliance with the
standards by January 1, 2019, and direct OES, in conjunction
with CDT, to provide suggestions for state agencies to improve
compliance with the standards.
Specify that the report and communications required under this
provision are confidential and shall not be disclosed pursuant
to any state law, including the California Public Records Act.
Related Legislation:
SB 949 (Jackson, 2016) would have authorized the Governor to
require owners and operators of critical infrastructure, as
defined, to submit critical infrastructure information to OES.
This bill was referred to the Senate Governmental Organization
Committee but never heard.
AB 1346 (Gray, 2016) would require OES to update the SEP on or
before January 1, 2018 and every 5 years thereafter and would
require the plan to be consistent with specified state climate
adaptation strategies. This bill is pending in the Senate
Appropriations Committee.
AB 2595 (Linder, 2016) would have established the California
Cybersecurity Integration Center within OES to develop a
cybersecurity strategy for California in coordination with the
Cybersecurity Task Force. This bill was held in the Assembly
Appropriations Committee.
AB 670 (Irwin, Chapter 518, Statutes of 2015) requires CDT to
conduct, or require to be conducted, no fewer than 35
independent security assessments of state agencies, departments,
or offices annually.
AB 1172 (Chau, 2015) would have continued in existence the
California Cybersecurity Task Force, created in 2013, by OES and
CDT. This bill was ordered to the Senate Inactive File.
Staff Comments: This bill would require OES to collect protected
critical infrastructure information from all state agencies,
which OES does not currently do. In order to do this, OES would
have to create and maintain a secure "virtual infrastructure"
system that is appropriate for retaining this critical
information. The main source of costs in fiscal year 2016-17
would be development of such a system. An initial $1.5 million
would be needed for licensing and two limited term positions for
building the database and launching the system.
The virtual infrastructure system would require an ongoing
$300,000 per year for licensing and maintaining the system. OES
estimates it would also need an additional 6 PY of staffing
for ongoing IT demands, critical infrastructure analysis, and
data entry and resolution.
-- END --