BILL ANALYSIS
AB 2595 Page 1

Date of Hearing: April 19, 2016

ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION
Ed Chau, Chair

AB 2595 (Linder) - As Amended March 30, 2016

SUBJECT: California Cybersecurity Integration Center

SUMMARY: Establishes the California Cybersecurity Integration Center, requires it to develop a cybersecurity strategy for California, and authorizes the administration of federal homeland security grant funding by the Office of Emergency Services. Specifically, this bill:

1) Establishes the California Cybersecurity Integration Center (Cal-CSIC) within the Governor's Office of Emergency Services (OES).

2) Requires Cal-CSIC to develop a cybersecurity strategy for California in coordination with the Cybersecurity Task Force (Task Force), and in accordance with state and federal requirements, consistent with applicable standards and best practices.

3) Declares the primary mission of Cal-CSIC to be the reduction of the likelihood and severity of cyber incidents that could damage California's economy, its critical infrastructure, or public and private sector computer networks in our state.

4) Requires the Cal-CSIC to include, but not be limited to, representatives of OES, the California Department of Technology's (CDT) Office of Information Security (OIS), the State Threat Assessment Center, the California Highway Patrol, the California Military Department, the Office of the Attorney General, the California Health and Human Services Agency, the California Utilities Emergency Association, the California State University, the University of California and the California Community Colleges.
5) Authorizes the Director of OES, in consultation with OIS or the Task Force, to administer, authorize, and allocate federal homeland security grant funding in accordance with federal grant guidelines, and prioritize grant funding for prevention measures undertaken by the OIS in furtherance of the provision in the Governor's Executive Order B-34-15 that directs state departments and agencies to "ensure compliance with existing information security and privacy policies, promote awareness of information security standards" with their workforce.

6) Provides that this authorization shall not preclude the Director of OES from administering the grant programs to respond to statewide emergencies requiring immediate attention.

7) Defines the terms "prevention measures" and "federal homeland security grant funding."

EXISTING LAW:

1) Requires the Governor and OES, pursuant to the California Emergency Services Act, to prepare for and mitigate the effects of emergencies in the state. (Government Code (GC) 8550, et seq.)

2) Requires OES, and its appointed Director, to perform a variety of duties with respect to specified emergency preparedness, mitigation, and response activities in the state, including emergency medical services. (GC 8585, 8585.1)

3) Establishes, within CDT, the OIS to ensure the confidentiality, integrity, and availability of state systems and applications, and to promote and protect privacy as part of the development and operations of state systems and applications to ensure the trust of the residents of this state. (GC 11549)

FISCAL EFFECT: Unknown

COMMENTS:

1) Purpose of this bill. This bill is intended to accomplish two goals related to state cybersecurity: the codification of the new state Cal-CSIC created by Executive Order in 2015, and providing more specific guidance to OES regarding the expenditure of federal grant money for cybersecurity purposes. This measure is author-sponsored.

2) Author's statement.
According to the author, "In 2013, Governor Brown reorganized government to address the growing needs of technology by creating the California Department of Technology and the Cybersecurity Task Force, which is co-chaired by the department and the Governor's Office of Emergency Services. Since that time, however, there has been no accounting of federal homeland security grant dollars that could be used to fund cybersecurity prevention efforts by the state. There has been no scrutiny by the State Auditor or the Legislature in an oversight role to determine whether those funds are being spent wisely or for the right purposes."

"AB 2595 is needed to require the Office of Emergency Services to administer homeland security grant funding in a way that would be beneficial for the state to reach its proper prevention levels to protect against a cyberattack, intrusion, or data breach."

3) Governor Brown's Executive Order creating Cal-CSIC. On August 31, 2015, Governor Brown signed Executive Order B-34-15 (EO) which noted the increasing number and complexity of cyberattacks against public and private networks, and in response announced the establishment of the Cal-CSIC. Cal-CSIC is charged with reducing the likelihood and severity of a damaging cyber incident in California, and would serve as the "central organizing hub" of state government's cybersecurity activities and coordinate information sharing with a variety of government agencies. It would be comprised of representatives from at least 15 different state and federal public entities. According to the EO, its main functions would be threat information sharing, risk assessment, threat prioritization, supporting governmental audits and accountability measures, enabling cross-sector coordination and sharing of best practices. Cal-CSIC would be responsible for developing a statewide cybersecurity strategy.
It would also be charged with establishing a Cyber Incident Response Team (CIRT) to serve as California's primary unit to lead cyber threat detection, reporting, and response in coordination with public and private entities across the state. CIRT would also provide assistance to law enforcement agencies with primary jurisdiction over cyber-crimes and state government cybersecurity. The team would be populated with staff from the agencies, departments and organizations represented on Cal-CSIC.

The authorization provided by this bill differs from the EO in a few substantial ways. This bill omits four federal partner agencies and other members designated by OES, although they could be added at the discretion of the Director of OES. The bill also omits any mention of the creation of a Cyber Incident Response Team, and does not require that information sharing be conducted in a manner that protects the privacy and civil liberties of individuals, safeguards sensitive information, and preserves business confidentiality. It should be noted that the Executive Branch already has the authority to create and operate Cal-CSIC, which is now far along in the development stage. Codification would simply remove the Governor's authority to unilaterally change any of the provisions added to statute.

4) Homeland security grant funding. According to the author, "OES is responsible for $1.6 billion in federal grant funding". Of that total, there are two federal grants intended to fund prevention programs: the State Homeland Security Program, which "provides grant funds to address prevention in urban areas" and the Urban Areas Security Initiative, which "funds address the unique risk-driven and capabilities-based planning, organization, equipment, training, and exercise needs of high density urban areas."
The author contends that these two programs total $180 million in federal funding for homeland security efforts in California, but "there has been no accounting of these federal homeland security grant dollars that could be used to fund cybersecurity prevention efforts for Californians."

Currently, the practical effect of the language of this bill is to authorize the Director of OES to administer, authorize and allocate federal homeland security grant funding, and to prioritize that grant funding (except in state emergencies) for preventative measures taken by OIS to ensure compliance by state departments and agencies with existing information security standards and policies, including the performance of risk assessments. There is no obvious reason to believe that the Director of OES lacks the authority to administer and allocate such federal grants, as the administration of such grants has presumably been ongoing for years. The author and the Committee may wish to consider whether or not more specific provisions related to transparency, such as a requirement to annually report any expenditures or allocations of federal homeland security grant funds, would better achieve the stated aim of the bill.

5) Related legislation. AB 1841 (Irwin) would require OES to develop, by July 1, 2017, a statewide emergency services response plan for cybersecurity attacks against critical infrastructure, and further requires OES to develop a comprehensive cybersecurity strategy by July 1, 2018, with which all state agencies must report compliance by January 1, 2019. AB 1841 is currently pending in the Assembly Governmental Organization Committee.

AB 1881 (Chang) would require the Director of CDT to develop and update mandatory baseline security controls for state networks based on industry and national standards, and annually measure the state's progress towards compliance. AB 1881 is currently pending in the Assembly Privacy and Consumer Protection Committee.
SB 949 (Jackson) would authorize the Governor to require owners and operators of critical infrastructure to submit critical infrastructure information to OES or any other designee for the purposes of gathering, analyzing, communicating, or disclosing critical infrastructure information. SB 949 is pending hearing in the Senate Governmental Organizations Committee.

6) Double-referral. This bill is double-referred to the Assembly Governmental Organization Committee, where it will be heard if passed by this Committee.

REGISTERED SUPPORT / OPPOSITION:

Support: None on file.

Opposition: None on file.

Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200