BILL ANALYSIS






           ----------------------------------------------------------------- 
          |SENATE RULES COMMITTEE            |                       AB 1841|
          |Office of Senate Floor Analyses   |                              |
          |(916) 651-1520    Fax: (916)      |                              |
          |327-4478                          |                              |
           ----------------------------------------------------------------- 


                                   THIRD READING 


          Bill No:  AB 1841
          Author:   Irwin (D), et al.
          Amended:  8/15/16 in Senate
          Vote:     21 

           SENATE GOVERNMENTAL ORG. COMMITTEE:  12-0, 6/14/16
           AYES:  Hall, Bates, Block, Gaines, Galgiani, Glazer, Hernandez,  
            Hill, Hueso, Lara, McGuire, Vidak
           NO VOTE RECORDED:  Berryhill

           SENATE JUDICIARY COMMITTEE:  7-0, 6/28/16
           AYES:  Jackson, Moorlach, Anderson, Hertzberg, Leno, Monning,  
            Wieckowski

           SENATE APPROPRIATIONS COMMITTEE:  7-0, 8/11/16
           AYES:  Lara, Bates, Beall, Hill, McGuire, Mendoza, Nielsen

           ASSEMBLY FLOOR:  79-0, 5/31/16 - See last page for vote

           SUBJECT:   Cybersecurity strategy incident response standards


          SOURCE:    Author
          
          DIGEST:    This bill requires the California Department of  
          Technology (CDT), on or before July 1, 2018, in conjunction  
          with the Office of Emergency Services (OES), to update the  
          Technology Recovery Plan (TRP) of the State Administrative  
          Manual to ensure the inclusion of cybersecurity strategy  
          incident response standards for each state agency to secure its  
          critical infrastructure controls and critical infrastructure  
          information.


          ANALYSIS:
          
          Existing law:
          
          1)Establishes OES and requires OES to perform a variety of  
            duties with respect to specified emergency preparedness,  
            mitigation, and response activities in the state, including  
            emergency medical services.

          2)Specifies that the State Emergency Plan (SEP) shall be in  
            effect in each political subdivision of the state, and the  
            governing body of each political subdivision shall take such  
            action as may be necessary to carry out the provisions  
            thereof. 

          3)Establishes CDT under the supervision of the Director of CDT  
            and generally requires CDT to be responsible for the approval  
            and oversight of information technology projects by, among  
            other things, consulting with state agencies during initial  
            project planning to ensure that project proposals are based on  
            well-defined programmatic needs. 

          This bill:

          1)Requires CDT, on or before July 1, 2018, in conjunction with  
            OES, to update the TRP element of the State Administrative  
            Manual to ensure the inclusion of cybersecurity strategy  
            incident response standards for each state agency to secure  
            its critical infrastructure controls and critical  
            infrastructure information.  In updating the standards, CDT  
            shall consider, but is not limited to considering, all of the  
            following:

             a)   Cost to implement the standards.
             b)   Security of critical infrastructure information.
             c)   Centralized management of risk.
             d)   Industry best practices.
             e)   Continuity of operations.
             f)   Protection of personal information.

          2)Requires each state agency to provide CDT with a copy of its  
            updated TRP.

          3)Requires each state agency to report its compliance with the  
            standards updated by this bill to CDT in the manner and at the  
            time directed by CDT, but no later than July 1, 2019.

          4)Provides that CDT, in conjunction with OES, may provide  
            suggestions for a state agency to improve compliance with the  
            standards developed by this bill, to the head of the state  
            agency and the secretary responsible for the state agency.   
            For a state agency that is not under the responsibility of a  
            secretary, CDT shall provide any suggestions to the head of  
            the state agency and the Governor. 

          5)Specifies that the report and any public records relating to  
            any communication are confidential and shall not be disclosed  
            pursuant to state law, including the California Public Records  
            Act.

          6)Defines "Critical infrastructure controls" to mean networks  
            and systems controlling assets so vital to the state that the  
            incapacity or destruction of those networks, systems or assets  
            would have a debilitating impact on public health, safety,  
            economic security, or any combination thereof.

          7)Defines "Critical infrastructure information" to mean  
            information not customarily in the public domain pertaining to  
            any of the following:

             a)   Actual, potential, or threatened interference with, or  
               an attack on, compromise of, or incapacitation of critical  
               infrastructure controls by either physical or  
               computer-based attack or other similar conduct, including,  
               but not limited to, the misuse of, or unauthorized access  
               to, all types of communications and data transmission  
               systems, that violates federal, state, or local law or  
               harms public health, safety, or economic security, or any  
               combination thereof.

             b)   The ability of critical infrastructure controls to  
               resist any interference, compromise, or incapacitation,  
               including, but not limited to, any planned or past  
               assessment or estimate of the vulnerability of critical  
               infrastructure.

             c)   Any planned or past operational problem or solution  
               regarding critical infrastructure controls, including, but  
               not limited to, repair, recovery, reconstruction,  
               insurance, or continuity, to the extent it is related to  
               interference, compromise, or incapacitation of critical  
               infrastructure controls. 
                
          8)Makes legislative findings pertaining to the importance of  
            adding to the ongoing work of the state's comprehensive  
            cybersecurity strategy.

          Background
          
          Technology Recovery Plan.  The TRP is a subset of the state  
          entity's Business Continuity Plan.  The TRP is activated  
          immediately after a disaster strikes and focuses on getting  
          critical systems back online.  Each state entity is required to  
          develop a TRP in support of the state entity's Continuity Plan  
          and the business need to protect critical information assets to  
          ensure their availability following an interruption or disaster.

          The TRP must outline a planned approach to managing risks to the  
          state entity's mission, including risk and potential impact to  
          critical information technology assets.  The TRP was last  
          updated in August 2013. 

          Cyber threats in California.  According to the California  
          Military Department (CMD), California's size and importance  
          make it vulnerable to cyber incidents that disrupt business,  
          shut down critical infrastructure, and compromise intellectual  
          property or national security.  

          CMD calls cybercrime "a growth industry" causing $400 billion in  
          negative impacts annually on the global economy.  30% of all  
          cyber-attacks and other malicious activity are targeted at the  
          government, making these networks and systems the most  
          vulnerable target of cybercrime.  

          According to CMD, the threat to government networks has never  
          been higher.  "Hacktivists", nation states, cyber criminals and  
          other threat groups are attacking government networks to steal  
          sensitive information and make a political/economic statement.   
          It is not known how many attacks, whether successful or  
          unsuccessful, have been made against state agency computers over  
          the past year.

          Snapshot of California's critical infrastructure.  According to  
          OES, the following represents a snapshot of California's  
          critical infrastructure:

          - Water: 1468 dams, of which 140 have capacities greater than  
            10,000 acre-feet; 701 miles of canals and pipelines; and 1.595  
            miles of levees.
          - Electrical Power: 1,008 in-state power plants, nearly 70,000  
            megawatts of installed generation capacity, and substations and  
            transmission lines that deliver over 200 billion kilowatt hours  
            to customers annually.
          - Oil and Natural Gas: over 115,000 miles of oil and natural gas  
            pipelines, 20 refineries and over 100 oil and natural gas  
            terminal facilities, and more than a dozen of the U.S.'s  
            largest oil fields.
          - Transportation: over 170,000 miles of public roads; over  
            50,000 lane miles of highways; over 12,000 bridges; 246 public  
            use airports, 30 of which provide scheduled passenger service.  
            Los Angeles Airport is the seventh busiest worldwide.
          - California has 11 seaports handling more than half of all the  
            US shipping freight.  Three of the country's largest container  
            ports are in California: Los Angeles, Long Beach and Oakland.  
            Nationally, Los Angeles is the busiest port by container  
            volume, internationally the eighth busiest, and when combined  
            with Long Beach the fifth busiest.
          - Public Health: 450 acute care hospitals.
          - Emergency Services: 1,974 fire stations.
          - Chemical: Approximately 95 "high risk" facilities.
          - Agriculture: 81,500 farms; more than 400 commodities; in 2012  
            total agriculture-related sales for output was $44.7 billion,  
            representing 11.3% of the national total.
          - Finance: 7,374 commercial banks with deposits totaling $753  
            billion; 410 credit unions with assets totaling $115 billion.

          Prior/Related Legislation

          SB 949 (Jackson, 2016) authorizes the Governor to require owners  
          and operators of critical infrastructure, as defined, to submit  
          critical infrastructure information to OES.  (Never heard in  
          Senate Governmental Organization Committee)

          AB 2595 (Linder, 2016) establishes in statute the California  
          Cybersecurity Integration Center within OES to develop a  
          cybersecurity strategy for California in coordination with the  
          Cybersecurity Task Force.  (Held in Assembly Appropriations  
          Committee) 

          AB 670 (Irwin, Chapter 518, Statutes of 2015) required CDT to  
          conduct, or require to be conducted, no fewer than 35  
          independent security assessments of state agencies, departments,  
          or offices annually.  

          AB 739 (Irwin, 2015) provides legal immunity for civil or  
          criminal liability for private entities that communicate  
          anonymized cyber security threat information and meet specified  
          requirements, until January 1, 2020.  (Held in the Assembly  
          Judiciary Committee) 

          AB 1172 (Chau, 2015) continues in existence the California  
          Cybersecurity Task Force, created in 2013 by OES and CDT.   
          (Senate Inactive File)


          FISCAL EFFECT:   Appropriation:  No    Fiscal Com.:  Yes    Local:  No


          According to the Senate Appropriations Committee, minor and  
          absorbable costs to CDT and OES for updating the TRP.  In  
          addition, unknown, but likely absorbable costs to each state  
          agency to update and report on its TRP.


          SUPPORT:   (Verified 8/11/16)


          Deloitte Consulting, LLP
          Los Angeles Area Chamber of Commerce
          Los Angeles County Professional Peace Officers Association
          Los Angeles Deputy Sheriffs
          Los Angeles Police Protective League
          Riverside Sheriff's Association


          OPPOSITION:   (Verified 8/11/16)


          None received


          ARGUMENTS IN SUPPORT:     Supporters of the bill argue that, "in  
          the past few years, retailers, financial institutions, and  
          government agencies have increasingly fallen victim to  
          cyberattacks.  Most recently, in June 2015 the federal Office of  
          Personnel Management announced that a cybersecurity intrusion  
          had exposed the personal information of approximately 20 million  
          current and former federal employees and other individuals.   
          Given the size of California's economy and the value of its  
          information, the State presents a prime target for similar  
          information security breaches."



          ASSEMBLY FLOOR:  79-0, 5/31/16
          AYES:  Achadjian, Alejo, Travis Allen, Arambula, Atkins, Baker,  
            Bigelow, Bloom, Bonilla, Bonta, Brough, Brown, Burke,  
            Calderon, Campos, Chang, Chau, Chávez, Chiu, Chu, Cooley,  
            Cooper, Dababneh, Dahle, Daly, Dodd, Eggman, Frazier,  
            Gallagher, Cristina Garcia, Eduardo Garcia, Gatto, Gipson,  
            Gomez, Gonzalez, Gordon, Gray, Grove, Hadley, Harper, Roger  
            Hernández, Holden, Irwin, Jones, Jones-Sawyer, Kim, Lackey,  
            Levine, Linder, Lopez, Low, Maienschein, Mathis, Mayes,  
            McCarty, Medina, Melendez, Mullin, Nazarian, Obernolte,  
            O'Donnell, Olsen, Patterson, Quirk, Ridley-Thomas, Rodriguez,  
            Salas, Santiago, Steinorth, Mark Stone, Thurmond, Ting,  
            Wagner, Waldron, Weber, Wilk, Williams, Wood, Rendon
          NO VOTE RECORDED:  Beth Gaines

          Prepared by: Felipe Lopez / G.O. / (916) 651-1530
          8/15/16 20:10:10


                                   ****  END  ****