BILL ANALYSIS



                                                                    AB 2595


                                                                    Page  1





          Date of Hearing:  April 19, 2016


                ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION


                                   Ed Chau, Chair


          AB 2595  
          (Linder) - As Amended March 30, 2016


          SUBJECT:  California Cybersecurity Integration Center


          SUMMARY:  Establishes the California Cybersecurity Integration  
          Center, requires it to develop a cybersecurity strategy for  
          California, and authorizes the administration of federal  
          homeland security grant funding by the Office of Emergency  
          Services.  Specifically, this bill:  



          1)Establishes the California Cybersecurity Integration Center  
            (Cal-CSIC) within the Governor's Office of Emergency Services  
            (OES).



          2)Requires Cal-CSIC to develop a cybersecurity strategy for  
            California in coordination with the Cybersecurity Task Force  
            (Task Force), and in accordance with state and federal  
            requirements, consistent with applicable standards and best  
            practices.



          3)Declares the primary mission of Cal-CSIC to be the reduction  
            of the likelihood and severity of cyber incidents that could  
            damage California's economy, its critical infrastructure, or  
            public and private sector computer networks in our state.



          4)Requires the Cal-CSIC to include, but not be limited to,  
            representatives of OES, the California Department of  
            Technology's (CDT) Office of Information Security (OIS), the  
            State Threat Assessment Center, the California Highway Patrol,  
            the California Military Department, the Office of the Attorney  
            General, the California Health and Human Services Agency, the  
            California Utilities Emergency Association, the California  
            State University, the University of California and the  
            California Community Colleges.



          5)Authorizes the Director of OES, in consultation with OIS or  
            the Task Force, to administer, authorize, and allocate federal  
            homeland security grant funding in accordance with federal  
            grant guidelines, and prioritize grant funding for prevention  
            measures undertaken by the OIS in furtherance of the provision  
            in the Governor's Executive Order B-34-15 that directs state  
            departments and agencies to "ensure compliance with existing  
            information security and privacy policies, promote awareness  
            of information security standards" with their workforce.


          1)Provides that this authorization shall not preclude the  
            Director of OES from administering the grant programs to  
            respond to statewide emergencies requiring immediate  
            attention.



          2)Defines the terms "prevention measures" and "federal homeland  
            security grant funding."


          EXISTING LAW:  


          1)Requires the Governor and OES, pursuant to the California  
            Emergency Services Act, to prepare for and mitigate the  
            effects of emergencies in the state.  (Government Code (GC)  
            8550, et seq.)


          2)Requires OES, and its appointed Director, to perform a variety  
            of duties with respect to specified emergency preparedness,  
            mitigation, and response activities in the state, including  
            emergency medical services.  (GC 8585, 8585.1)


          3)Establishes, within CDT, the OIS to ensure the  
            confidentiality, integrity, and availability of state systems  
            and applications, and to promote and protect privacy as part  
            of the development and operations of state systems and  
            applications to ensure the trust of the residents of this  
            state.  (GC 11549)


          FISCAL EFFECT:  Unknown


          COMMENTS:  


           1)Purpose of this bill.  This bill is intended to accomplish two  
            goals related to state cybersecurity: the codification of a  
            new state CSIC created by Executive Order in 2015, and  
            providing more specific guidance to OES regarding the  
            expenditure of federal grant money for cybersecurity purposes.  
             This measure is author-sponsored. 


           2)Author's statement.  According to the author, "In 2013,  
            Governor Brown reorganized government to address the growing  
            needs of technology by creating the California Department of  
            Technology and the Cybersecurity Task Force, which is  
            co-chaired by the department and the Governor's Office of  
            Emergency Services.  Since that time, however, there has been  
            no accounting of federal homeland security grant dollars that  
            could be used to fund cybersecurity prevention efforts by the  
            state.  There has been no scrutiny by the State Auditor or the  
            Legislature in an oversight role to determine whether those  
            funds are being spent wisely or for the right purposes."


            "AB 2595 is needed to require the Office of Emergency Services  
            to administer homeland security grant funding in a way that  
            would be beneficial for the state to reach its proper  
            prevention levels to protect against a cyberattack, intrusion,  
            or data breach."


           3)Governor Brown's Executive Order creating Cal-CSIC.  On August  
            31, 2015, Governor Brown signed Executive Order B-34-15 (EO)  
            which noted the increasing number and complexity of  
            cyberattacks against public and private networks, and in  
            response announced the establishment of the Cal-CSIC. 



          Cal-CSIC is charged with reducing the likelihood and severity of  
            a damaging cyber incident in California, and would serve as  
            the "central organizing hub of state government's  
            cybersecurity activities and coordinate information sharing"  
            with a variety of government agencies.  It would be comprised  
            of representatives from at least 15 different state and  
            federal public entities. 

          According to the EO, its main functions would be threat  
            information sharing, risk assessment, threat prioritization,  
            supporting governmental audits and accountability measures,  
            enabling cross-sector coordination and sharing of best  
            practices.  Cal-CSIC would be responsible for developing a  
            statewide cybersecurity strategy.  It would also be charged  
            with establishing a Cyber Incident Response Team (CIRT) to  
            serve as California's primary unit to lead cyber threat  
            detection, reporting, and response in coordination with public  
            and private entities across the state.  CIRT would also  
            provide assistance to law enforcement agencies with primary  
            jurisdiction over cyber-crimes and state government  
            cybersecurity.  The team would be populated with staff from  
            the agencies, departments and organizations represented on  
            Cal-CSIC. 

          The authorization provided by this bill differs from the EO in a  
            few substantial ways.  This bill omits four federal partner  
            agencies and other members designated by OES, although they  
            could be added at the discretion of the Director of OES.   
            Also, the bill omits any mention of the creation of a Cyber  
            Incident Response Team, and also does not require that  
            information sharing be conducted in a manner that protects the  
            privacy and civil liberties of individuals, safeguards  
            sensitive information, and preserves business confidentiality.  
             It should be noted that the Executive Branch already has the  
            authority to create and operate Cal-CSIC, which is now far  
            along in the development stage.  Codification would simply  
            remove the Governor's authority to unilaterally change any of  
            the provisions added to statute. 

           4)Homeland security grant funding.  According to the author,  
            "OES is responsible for $1.6 billion in federal grant  
            funding".  Of that total, there are two federal grants  
            intended to fund prevention programs: the State Homeland  
            Security Program, which "provides grant funds to address  
            prevention in urban areas" and the Urban Areas Security  
            Initiative, which "funds address the unique risk-driven and  
            capabilities-based planning, organization, equipment,  
            training, and exercise needs of high density urban areas."   
            The author contends that these two programs total $180 million  
            in federal funding for homeland security efforts in  
            California, but "there has been no accounting of these federal  
            homeland security grant dollars that could be used to fund  
            cybersecurity prevention efforts for Californians."  


             Currently, the practical effect of the language of this bill  
            is to authorize the Director of OES to administer, authorize  
            and allocate federal homeland security grant funding, and to  
            prioritize that grant funding (except in state emergencies)  
            for preventative measures taken by OIS to ensure compliance by  
            state departments and agencies with existing information  
            security standards and policies, including the performance of  
            risk assessments.  There is no obvious reason to believe that  
            the Director of OES lacks the authority to administer and  
            allocate such federal grants, as the administration of such  
            grants has presumably been ongoing for years. 

            The author and the Committee may wish to consider whether or  
            not more specific provisions related to transparency, such as  
            a requirement to annually report any expenditures or  
            allocations of federal homeland security grant funds, would  
            better achieve the stated aim of the bill. 

           5)Related legislation.  AB 1841 (Irwin) would require OES to  
            develop, by July 1, 2017, a statewide emergency services  
            response plan for cybersecurity attacks against critical  
            infrastructure, and further require OES to develop a  
            comprehensive cybersecurity strategy by July 1, 2018, with  
            which all state agencies must report compliance by January 1,  
            2019.  AB 1841 is currently pending in the Assembly  
            Governmental Organization Committee. 

            AB 1881 (Chang) would require the Director of CDT to develop  
            and update mandatory baseline security controls for state  
            networks based on industry and national standards, and  
            annually measure the state's progress towards compliance.  AB  
            1881 is currently pending in the Assembly Privacy and Consumer  
            Protection Committee.    


            SB 949 (Jackson) would authorize the Governor to require  
            owners and operators of critical infrastructure to submit  
            critical infrastructure information to OES or any other  
            designee for the purposes of gathering, analyzing,  
            communicating, or disclosing critical infrastructure  
            information.  SB 949 is pending hearing in the Senate  
            Governmental Organizations Committee. 


           6)Double-referral.  This bill is double-referred to the Assembly  
            Governmental Organization Committee, where it will be heard if  
            passed by this Committee. 


          REGISTERED SUPPORT / OPPOSITION:




          Support


          None on file. 




          Opposition


          None on file. 




          Analysis Prepared by:Hank Dempsey / P. & C.P. / (916) 319-2200