BILL ANALYSIS

SENATE RULES COMMITTEE
Office of Senate Floor Analyses
(916) 651-1520 Fax: (916) 327-4478

AB 1841

THIRD READING

Bill No: AB 1841
Author: Irwin (D), et al.
Amended: 8/15/16 in Senate
Vote: 21

SENATE GOVERNMENTAL ORG. COMMITTEE: 12-0, 6/14/16
AYES: Hall, Bates, Block, Gaines, Galgiani, Glazer, Hernandez, Hill, Hueso, Lara, McGuire, Vidak
NO VOTE RECORDED: Berryhill

SENATE JUDICIARY COMMITTEE: 7-0, 6/28/16
AYES: Jackson, Moorlach, Anderson, Hertzberg, Leno, Monning, Wieckowski

SENATE APPROPRIATIONS COMMITTEE: 7-0, 8/11/16
AYES: Lara, Bates, Beall, Hill, McGuire, Mendoza, Nielsen

ASSEMBLY FLOOR: 79-0, 5/31/16 - See last page for vote

SUBJECT: Cybersecurity strategy incident response standards

SOURCE: Author

DIGEST: This bill requires the California Department of Technology (CDT), on or before July 1, 2018, in conjunction with the Office of Emergency Services (OES), to update the Technology Recovery Plan (TRP) of the State Administrative Manual to ensure the inclusion of cybersecurity strategy incident response standards for each state agency to secure its critical infrastructure controls and critical infrastructure information.

AB 1841 Page 2

ANALYSIS:

Existing law:

1) Establishes OES and requires OES to perform a variety of duties with respect to specified emergency preparedness, mitigation, and response activities in the state, including emergency medical services.

2) Specifies that the State Emergency Plan (SEP) shall be in effect in each political subdivision of the state, and the governing body of each political subdivision shall take such action as may be necessary to carry out the provisions thereof.
3) Establishes CDT under the supervision of the Director of CDT and generally requires CDT to be responsible for the approval and oversight of information technology projects by, among other things, consulting with state agencies during initial project planning to ensure that project proposals are based on well-defined programmatic needs.

This bill:

1) Requires CDT, on or before July 1, 2018, in conjunction with OES, to update the TRP element of the State Administrative Manual to ensure the inclusion of cybersecurity strategy incident response standards for each state agency to secure its critical infrastructure controls and critical infrastructure information. In updating the standards, CDT shall consider, but not be limited to considering, all of the following:

   a) Cost to implement the standards.
   b) Security of critical infrastructure information.
   c) Centralized management of risk.
   d) Industry best practices.
   e) Continuity of operations.
   f) Protection of personal information.

2) Requires each state agency to provide CDT with a copy of its updated TRP.

3) Requires each state agency to report its compliance with the standards updated by this bill to CDT in the manner and at the time directed by CDT, but no later than July 1, 2019.

4) Provides that CDT, in conjunction with OES, may provide suggestions for a state agency to improve compliance with the standards developed by this bill, to the head of the state agency and the secretary responsible for the state agency. For a state agency that is not under the responsibility of a secretary, CDT shall provide any suggestions to the head of the state agency and the Governor.

5) Specifies that the report and any public records relating to any communication are confidential and shall not be disclosed pursuant to state law, including the California Public Records Act.
6) Defines "critical infrastructure controls" to mean networks and systems controlling assets so vital to the state that the incapacity or destruction of those networks, systems or assets would have a debilitating impact on public health, safety, economic security, or any combination thereof.

7) Defines "critical infrastructure information" to mean information not customarily in the public domain pertaining to any of the following:

   a) Actual, potential, or threatened interference with, or an attack on, compromise of, or incapacitation of critical infrastructure controls by either physical or computer-based attack or other similar conduct, including, but not limited to, the misuse of, or unauthorized access to, all types of communications and data transmission systems, that violates federal, state, or local law or harms public health, safety, or economic security, or any combination thereof.
   b) The ability of critical infrastructure controls to resist any interference, compromise, or incapacitation, including, but not limited to, any planned or past assessment or estimate of the vulnerability of critical infrastructure.
   c) Any planned or past operational problem or solution regarding critical infrastructure controls, including, but not limited to, repair, recovery, reconstruction, insurance, or continuity, to the extent it is related to interference, compromise, or incapacitation of critical infrastructure controls.

8) Makes legislative findings pertaining to the importance of adding to the ongoing work of the state's comprehensive cybersecurity strategy.

Background

Technology Recovery Plan. The TRP is a sub-set of the state entity's Business Continuity Plan. The TRP is activated immediately after a disaster strikes and focuses on getting critical systems back online.
Each state entity is required to develop a TRP in support of the state entity's Continuity Plan and the business need to protect critical information assets to ensure their availability following an interruption or disaster. The TRP must outline a planned approach to managing risks to the state entity's mission, including risk and potential impact to critical information technology assets. The TRP was last updated in August 2013.

Cyber threats in California. According to the California Military Department (CMD), California's size and importance make it vulnerable to cyber incidents that disrupt business, shut down critical infrastructure, and compromise intellectual property or national security. CMD calls cybercrime "a growth industry" causing $400 billion in negative impacts annually on the global economy. 30% of all cyber-attacks and other malicious activity are targeted at the government, making these networks and systems the most vulnerable target of cybercrime.

According to CMD, the threat to government networks has never been higher. "Hacktivists", nation states, cyber criminals and other threat groups are attacking government networks to steal sensitive information and make a political/economic statement. It is not known how many attacks, whether successful or unsuccessful, have been made against state agency computers over the past year.

Snapshot of California's critical infrastructure. According to OES, the following represents a snapshot of California's critical infrastructure:

Water: 1468 dams, of which 140 have capacities greater than 10,000 acre-feet; 701 miles of canals and pipelines; and 1.595 miles of levees.

Electrical Power: 1,008 in-state power plants, nearly 70,000 megawatts of installed generation capacity, and substations and transmission lines that deliver over 200 billion kilowatt hours to customers annually.
Oil and Natural Gas: over 115,000 miles of oil and natural gas pipelines, 20 refineries and over 100 oil and natural gas terminal facilities, and more than a dozen of the U.S.'s largest oil fields.

Transportation: over 170,000 miles of public roads; over 50,000 lane miles of highways; over 12,000 bridges; 246 public use airports, 30 of which provide scheduled passenger service. Los Angeles Airport is the seventh busiest worldwide. California has 11 seaports handling more than half of all the US shipping freight. Three of the country's largest container ports are in California: Los Angeles, Long Beach and Oakland. Nationally, Los Angeles has the busiest container volume, internationally it is the eighth busiest, and when combined with Long Beach it is the fifth busiest.

Public Health: 450 acute care hospitals.

Emergency Services: 1,974 fire stations.

Chemical: Approximately 95 "high risk" facilities.

Agriculture: 81,500 farms; more than 400 commodities; in 2012 total agriculture-related sales for output was $44.7 billion, representing 11.3% of the national total.

Finance: 7,374 commercial banks with deposits totaling $753 billion; 410 credit unions with assets totaling $115 billion.

Prior/Related Legislation

SB 949 (Jackson, 2016) authorizes the Governor to require owners and operators of critical infrastructure, as defined, to submit critical infrastructure information to OES. (Never heard in Senate Governmental Organization Committee)

AB 2595 (Linder, 2016) establishes in statute the California Cybersecurity Integration Center within OES to develop a cybersecurity strategy for California in coordination with the Cybersecurity Task Force. (Held in Assembly Appropriations Committee)

AB 670 (Irwin, Chapter 518, Statutes of 2015) required CDT to conduct, or require to be conducted, no fewer than 35 independent security assessments of state agencies, departments, or offices annually.
AB 739 (Irwin, 2015) provides legal immunity for civil or criminal liability for private entities that communicate anonymized cyber security threat information and meet specified requirements, until January 1, 2020. (Held in the Assembly Judiciary Committee)

AB 1172 (Chau, 2015) continues in existence the California Cybersecurity Task Force, created in 2013 by OES and CDT. (Senate Inactive File)

FISCAL EFFECT: Appropriation: No Fiscal Com.: Yes Local: No

According to the Senate Appropriations Committee, minor and absorbable costs to CDT and OES for updating the TRP. In addition, unknown, but likely absorbable costs to each state agency to update and report on its TRP.

SUPPORT: (Verified 8/11/16)

Deloitte Consulting, LLP
Los Angeles Area Chamber of Commerce
Los Angeles County Professional Peace Officers Association
Los Angeles Deputy Sheriffs
Los Angeles Police Protective League
Riverside Sheriff's Association

OPPOSITION: (Verified 8/11/16)

None received

ARGUMENTS IN SUPPORT: Supporters of the bill argue that, "in the past few years, retailers, financial institutions, and government agencies have increasingly fallen victim to cyberattacks. Most recently, in June 2015 the federal Office of Personnel Management announced that a cybersecurity intrusion had exposed the personal information of approximately 20 million current and former federal employees and other individuals. Given the size of California's economy and the value of its information, the State presents a prime target for similar information security breaches."
ASSEMBLY FLOOR: 79-0, 5/31/16
AYES: Achadjian, Alejo, Travis Allen, Arambula, Atkins, Baker, Bigelow, Bloom, Bonilla, Bonta, Brough, Brown, Burke, Calderon, Campos, Chang, Chau, Chávez, Chiu, Chu, Cooley, Cooper, Dababneh, Dahle, Daly, Dodd, Eggman, Frazier, Gallagher, Cristina Garcia, Eduardo Garcia, Gatto, Gipson, Gomez, Gonzalez, Gordon, Gray, Grove, Hadley, Harper, Roger Hernández, Holden, Irwin, Jones, Jones-Sawyer, Kim, Lackey, Levine, Linder, Lopez, Low, Maienschein, Mathis, Mayes, McCarty, Medina, Melendez, Mullin, Nazarian, Obernolte, O'Donnell, Olsen, Patterson, Quirk, Ridley-Thomas, Rodriguez, Salas, Santiago, Steinorth, Mark Stone, Thurmond, Ting, Wagner, Waldron, Weber, Wilk, Williams, Wood, Rendon
NO VOTE RECORDED: Beth Gaines

Prepared by: Felipe Lopez / G.O. / (916) 651-1530
8/15/16 20:10:10

**** END ****