BILL ANALYSIS                                                                                                                                                                                                    Ó

          |SENATE RULES COMMITTEE            |                       AB 1841|
          |Office of Senate Floor Analyses   |                              |
          |(916) 651-1520    Fax: (916)      |                              |
          |327-4478                          |                              |

                                   THIRD READING 

          Bill No:  AB 1841
          Author:   Irwin (D), et al.
          Amended:  8/15/16 in Senate
          Vote:     21 

           SENATE GOVERNMENTAL ORG. COMMITTEE:  12-0, 6/14/16
           AYES:  Hall, Bates, Block, Gaines, Galgiani, Glazer, Hernandez,  
            Hill, Hueso, Lara, McGuire, Vidak
           NO VOTE RECORDED:  Berryhill

           SENATE JUDICIARY COMMITTEE:  7-0, 6/28/16
           AYES:  Jackson, Moorlach, Anderson, Hertzberg, Leno, Monning,  

           AYES:  Lara, Bates, Beall, Hill, McGuire, Mendoza, Nielsen

           ASSEMBLY FLOOR:  79-0, 5/31/16 - See last page for vote

           SUBJECT:   Cybersecurity strategy incident response standards

          SOURCE:    Author
          DIGEST:    This bill requires the California Department of  
          Technology (CDT) to on or before July 1, 2018, in conjunction  
          with the Office of Emergency Services (OES), to update the  
          Technology Recovery Plan (TRP) of the State Administrative  
          Manual to ensure the inclusion of cybersecurity strategy  
          incident response standards for each state agency to secure its  
          critical infrastructure controls and critical infrastructure  


                                                                    AB 1841  
                                                                    Page  2

          Existing law:
          1)Establishes OES and requires OES to perform a variety of  
            duties with respect to specified emergency preparedness,  
            mitigation, and response activities in the state, including  
            emergency medical services.

          2)Specifies that the State Emergency Plan (SEP) shall be in  
            effect in each political subdivision of the state, and the  
            governing body of each political subdivision shall take such  
            action as may be necessary to carry out the provisions  

          3)Establishes CDT under the supervision of the Director of CDT  
            and generally requires CDT to be responsible for the approval  
            and oversight of information technology projects by, among  
            other things, consulting with state agencies during initial  
            project planning to ensure that project proposals are based on  
            well-defined programmatic needs. 

          This bill:

          1)Requires CDT, on or before July 1, 2018, in conjunction with  
            OES, to update the TRP element of the State Administrative  
            Manual to ensure the inclusion of cybersecurity strategy  
            incident response standards for each state agency to secure  
            its critical infrastructure controls and critical  
            infrastructure information.  In updating the standards, CDT  
            shall consider but not be limited to considering, all of the  

             a)   Cost to implement the standards.
             b)   Security of critical infrastructure information.
             c)   Centralized management of risk.
             d)   Industry best practices.
             e)   Continuity of operations.
             f)   Protection of personal information

          2)Requires each state agency to provide CDT with a copy of its  
            updated TRP.

          3)Requires each state agency to report its compliance with the  


                                                                    AB 1841  
                                                                    Page  3

            standards updated by this bill to CDT in the manner and at the  
            time directed by CDT, but no later than July 1, 2019.

          4)Provides that CDT, in conjunction with OES, may provide  
            suggestions for a state agency to improve compliance with the  
            standards developed by this bill, to the head of the state  
            agency and the secretary responsible for the state agency.   
            For a state agency that is not under the responsibility of a  
            secretary, CDT shall provide any suggestions to the head of  
            the state agency and the Governor. 

          5)Specifies that the report and any public records relating to  
            any communication are confidential and shall not be disclosed  
            pursuant to state law, including the California Public Records  

          6)Defines "Critical infrastructure controls" to mean networks  
            and systems controlling assets so vital to the state that the  
            incapacity or destruction of those networks, systems or assets  
            would have a debilitating impact on public health, safety,  
            economic security, or any combination thereof.

          7)Defines "Critical infrastructure information" to mean  
            information not customarily in the public domain pertaining to  
            any of the following:

             a)   Actual, potential, or threatened interference with, or  
               an attack on, compromise of, or incapacitation of critical  
               infrastructure controls by either physical or  
               computer-based attack or other similar conduct, including,  
               but not limited to, the misuse of, or unauthorized access  
               to, all types of communications and data transmission  
               systems, that violates federal, state, or local law or  
               harms public health, safety, or economic security, or any  
               combination thereof.

             b)   The ability of critical infrastructure controls to  
               resist any interference, compromise, or incapacitation,  
               including, but not limited to, any planned or past  
               assessment or estimate of the vulnerability of critical  

             c)   Any planned or past operational problem or solution  
               regarding critical infrastructure controls, including, but  


                                                                    AB 1841  
                                                                    Page  4

               not limited to, repair, recovery, reconstruction,  
               insurance, or continuity, to the extent it is related to  
               interference, compromise, or incapacitation of critical  
               infrastructure controls. 
          8)Makes legislative findings pertaining to the importance of  
            adding to the ongoing work of the state's comprehensive  
            cybersecurity strategy.

          Technology Recovery Plan.  The TRP is a sub-set of the state  
          entity's Business Continuity Plan.  The TRP is activated  
          immediately after a disaster strikes and focuses on getting  
          critical systems back online.  Each state entity is required to  
          develop a TRP in support of the state entity's Continuity Plan  
          and the business need to protect critical information assets to  
          ensure their availability following an interruption or disaster.  

          The TRP must outline a planned approach to managing risks to the  
          state entity's mission, including risk and potential impact to  
          critical information technology assets.  The TRP was last  
          updated in August 2013. 

          Cyber threats in California. According to the California  
          Military Department (CMD), California's size and importance  
          makes it vulnerable to cyber incidents that disrupt business,  
          shutdown critical infrastructure, and compromise intellectual  
          property or national security.  

          CMD calls cybercrime "a growth industry" causing $400 billion in  
          negative impacts annually on the global economy.  30% of all  
          cyber-attacks and other malicious activity are targeted at the  
          government, making these networks and systems the most  
          vulnerable target of cybercrime.  

          According to CMD, the threat to government networks has never  
          been higher.  "Hacktivists", nation states, cyber criminals and  
          other threat groups are attacking government networks to steal  
          sensitive information and make a political/economic statement.   
          It is not known how many attacks, whether successful or  
          unsuccessful, have been made against state agency computers over  
          the past year.


                                                                    AB 1841  
                                                                    Page  5

          Snapshot of California's critical infrastructure.  According to  
          OES, the following represents a snapshot of California's  
          critical infrastructure:

           Water: 1468 dams, of which 140 have capacities greater than  
            10,000 acre-feet; 701 miles of canals and pipelines; and 1.595  
            miles of levees.
           Electrical Power: 1,008 in state power plants, nearly 70,000  
            megawatts install generation capacity, and substations and  
            transmission lines deliver over 200 billion kilowatt hours to  
            customers annually.
           Oil and Natural Gas: over 115,000 miles of oil and natural gas  
            pipelines, 20 refineries and over 100 oil and natural gas  
            terminal facilities, and more than a dozen of the U.S.'s  
            largest oil fields.
           Transportation: over 170,000 miles of public roads; over  
            50,000 lane miles of highways; over 12,000 bridges; 246 public  
            use airports, 30 of which provide scheduled passenger service.  
             Los Angeles Airport is the seventh busiest worldwide.
           California has 11 seaports handling more than half of all the  
            US shipping freight.  Three of the country's largest container  
            ports are in California: Los Angeles, Long Beach and Oakland.   
            Nationally, Los Angeles is the busiest container volume,  
            internationally the eighth busiest, and when combined with  
            Long Beach is the fifth busiest. 
           Public Health: 450 acute care hospitals.
           Emergency Services: 1,974 fire stations.
           Chemical: Approximately 95 "high risk" facilities
           Agriculture: 81,500 farms; more than 400 commodities; in 2012  
            total agriculture-related sales for output was $44.7 billion,  
            representing 11.3% of the national total.
           Finance: 7,374 commercial banks with deposits totaling $753  
            billion; 410 credit unions with assets totaling $115 billion.

          Prior/Related Legislation

          SB 949 (Jackson, 2016) authorizes the Governor to require owners  
          and operators of critical infrastructure, as defined, to submit  
          critical infrastructure information to OES.  (Never heard in  
          Senate Governmental Organization Committee)

          AB 2595 (Linder, 2016) establishes in statute the California  
          Cybersecurity Integration Center within OES to develop a  


                                                                    AB 1841  
                                                                    Page  6

          cybersecurity strategy for California in coordination with the  
          Cybersecurity Task Force.  (Held in Assembly Appropriations  

          AB 670 (Irwin, Chapter 518, Statutes of 2015) required CDT to  
          conduct, or require to be conducted, no fewer than 35  
          independent security assessments of state agencies, departments,  
          or offices annually.  

          AB 739 (Irwin, 2015) provides legal immunity for civil or  
          criminal liability for private entities that communicate  
          anonymized cyber security threat information and meet specified  
          requirements, until January 1, 2020.  (Held in the Assembly  
          Judiciary Committee) 

          AB 1172 (Chau, 2015) continues in existence the California  
          Cybersecurity Task Force, created in 2013 by OES and CDT.   
          (Senate Inactive File)

          FISCAL EFFECT:   Appropriation:    No          Fiscal Com.:  
          YesLocal:        No            

          According to the Senate Appropriations Committee, minor and  
          absorbable costs to CDT and OES for updating the TRP.  In  
          addition, unknown, but likely absorbable costs to each state  
          agency to update and report on its TRP.

          SUPPORT:   (Verified8/11/16)

          Deloitte Consulting, LLP
          Los Angeles Area Chamber of Commerce
          Los Angeles County Professional Peace Officers Association
          Los Angeles Deputy Sheriffs
          Los Angeles Police Protective League
          Riverside Sheriff's Association

          OPPOSITION:   (Verified8/11/16)


                                                                    AB 1841  
                                                                    Page  7

          None received

          ARGUMENTS IN SUPPORT:     Supporters of the bill argue that, "in  
          the past few years, retailers, financial institutions, and  
          government agencies have increasingly fallen victim to  
          cyberattacks.  Most recently, in June 2015 the federal office of  
          Personnel Management announced that a cybersecurity intrusion  
          had exposed the personal information of approximately 20 million  
          current and former federal employees and other individuals.   
          Given the size of California's economy and the value of its  
          information, the State presents a prime target for similar  
          information security breaches."

          ASSEMBLY FLOOR:  79-0, 5/31/16
          AYES:  Achadjian, Alejo, Travis Allen, Arambula, Atkins, Baker,  
            Bigelow, Bloom, Bonilla, Bonta, Brough, Brown, Burke,  
            Calderon, Campos, Chang, Chau, Chávez, Chiu, Chu, Cooley,  
            Cooper, Dababneh, Dahle, Daly, Dodd, Eggman, Frazier,  
            Gallagher, Cristina Garcia, Eduardo Garcia, Gatto, Gipson,  
            Gomez, Gonzalez, Gordon, Gray, Grove, Hadley, Harper, Roger  
            Hernández, Holden, Irwin, Jones, Jones-Sawyer, Kim, Lackey,  
            Levine, Linder, Lopez, Low, Maienschein, Mathis, Mayes,  
            McCarty, Medina, Melendez, Mullin, Nazarian, Obernolte,  
            O'Donnell, Olsen, Patterson, Quirk, Ridley-Thomas, Rodriguez,  
            Salas, Santiago, Steinorth, Mark Stone, Thurmond, Ting,  
            Wagner, Waldron, Weber, Wilk, Williams, Wood, Rendon
          NO VOTE RECORDED:  Beth Gaines

          Prepared by:Felipe Lopez / G.O. / (916) 651-1530
          8/15/16 20:10:10

                                   ****  END  ****