BILL ANALYSIS
AB 2595
Page 1
Date of Hearing: April 19, 2016
ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION
Ed Chau, Chair
AB 2595
(Linder) - As Amended March 30, 2016
SUBJECT: California Cybersecurity Integration Center
SUMMARY: Establishes the California Cybersecurity Integration
Center, requires it to develop a cybersecurity strategy for
California, and authorizes the administration of federal
homeland security grant funding by the Office of Emergency
Services. Specifically, this bill:
1) Establishes the California Cybersecurity Integration Center
(Cal-CSIC) within the Governor's Office of Emergency Services
(OES).
2) Requires Cal-CSIC to develop a cybersecurity strategy for
California in coordination with the Cybersecurity Task Force
(Task Force), and in accordance with state and federal
requirements, consistent with applicable standards and best
practices.
3) Declares the primary mission of Cal-CSIC to be the reduction
of the likelihood and severity of cyber incidents that could
damage California's economy, its critical infrastructure, or
public and private sector computer networks in our state.
4) Requires the Cal-CSIC to include, but not be limited to,
representatives of OES, the California Department of
Technology's (CDT) Office of Information Security (OIS), the
State Threat Assessment Center, the California Highway Patrol,
the California Military Department, the Office of the Attorney
General, the California Health and Human Services Agency, the
California Utilities Emergency Association, the California
State University, the University of California and the
California Community Colleges.
5) Authorizes the Director of OES, in consultation with OIS or
the Task Force, to administer, authorize, and allocate federal
homeland security grant funding in accordance with federal
grant guidelines, and prioritize grant funding for prevention
measures undertaken by the OIS in furtherance of the provision
in the Governor's Executive order B-34-15 that directs state
departments and agencies to "ensure compliance with existing
information security and privacy policies, promote awareness
of information security standards" with their workforce.
6) Provides that this authorization shall not preclude the
Director of OES from administering the grant programs to
respond to statewide emergencies requiring immediate
attention.
7) Defines the terms "prevention measures" and "federal homeland
security grant funding."
EXISTING LAW:
1) Requires the Governor and OES, pursuant to the California
Emergency Services Act, to prepare for and mitigate the
effects of emergencies in the state. (Government Code (GC)
8550, et seq.)
2) Requires OES, and its appointed Director, to perform a variety
of duties with respect to specified emergency preparedness,
mitigation, and response activities in the state, including
emergency medical services. (GC 8585, 8585.1)
3) Establishes, within CDT, the OIS to ensure the
confidentiality, integrity, and availability of state systems
and applications, and to promote and protect privacy as part
of the development and operations of state systems and
applications to ensure the trust of the residents of this
state. (GC 11549)
FISCAL EFFECT: Unknown
COMMENTS:
1) Purpose of this bill. This bill is intended to accomplish two
goals related to state cybersecurity: the codification of the
new state Cal-CSIC created by Executive Order in 2015, and
providing more specific guidance to OES regarding the
expenditure of federal grant money for cybersecurity purposes.
This measure is author-sponsored.
2) Author's statement. According to the author, "In 2013,
Governor Brown reorganized government to address the growing
needs of technology by creating the California Department of
Technology and the Cybersecurity Task Force, which is
co-chaired by the department and the Governor's Office of
Emergency Services. Since that time, however, there has been
no accounting of federal homeland security grant dollars that
could be used to fund cybersecurity prevention efforts by the
state. There has been no scrutiny by the State Auditor or the
Legislature in an oversight role to determine whether those
funds are being spent wisely or for the right purposes."
"AB 2595 is needed to require the Office of Emergency Services
to administer homeland security grant funding in a way that
would be beneficial for the state to reach its proper
prevention levels to protect against a cyberattack, intrusion,
or data breach."
3) Governor Brown's Executive Order creating Cal-CSIC. On August
31, 2015, Governor Brown signed Executive Order B-34-15 (EO)
which noted the increasing number and complexity of
cyberattacks against public and private networks, and in
response announced the establishment of the Cal-CSIC.
Cal-CSIC is charged with reducing the likelihood and severity of
a damaging cyber incident in California, and would serve as
the "central organizing hub" of state government's
cybersecurity activities and coordinate information sharing
with a variety of government agencies. It would be comprised
of representatives from at least 15 different state and
federal public entities.
According to the EO, its main functions would be threat
information sharing, risk assessment, threat prioritization,
supporting governmental audits and accountability measures,
enabling cross-sector coordination and sharing of best
practices. Cal-CSIC would be responsible for developing a
statewide cybersecurity strategy. It would also be charged
with establishing a Cyber Incident Response Team (CIRT) to
serve as California's primary unit to lead cyber threat
detection, reporting, and response in coordination with public
and private entities across the state. CIRT would also
provide assistance to law enforcement agencies with primary
jurisdiction over cyber-crimes and state government
cybersecurity. The team would be populated with staff from
the agencies, departments and organizations represented on
Cal-CSIC.
The authorization provided by this bill differs from the EO in a
few substantial ways. This bill omits four federal partner
agencies and other members designated by OES, although they
could be added at the discretion of the Director of OES.
Also, the bill omits any mention of the creation of a Cyber
Incident Response Team, and also does not require that
information sharing be conducted in a manner that protects the
privacy and civil liberties of individuals, safeguards
sensitive information, and preserves business confidentiality.
It should be noted that the Executive Branch already has the
authority to create and operate Cal-CSIC, which is now far
along in the development stage. Codification would simply
remove the Governor's authority to unilaterally change any of
the provisions added to statute.
4) Homeland security grant funding. According to the author,
"OES is responsible for $1.6 billion in federal grant
funding". Of that total, there are two federal grants
intended to fund prevention programs: the State Homeland
Security Program, which "provides grant funds to address
prevention in urban areas" and the Urban Areas Security
Initiative, which "funds address the unique risk-driven and
capabilities-based planning, organization, equipment,
training, and exercise needs of high density urban areas."
The author contends that these two programs total $180 million
in federal funding for homeland security efforts in
California, but "there has been no accounting of these federal
homeland security grant dollars that could be used to fund
cybersecurity prevention efforts for Californians."
Currently, the practical effect of the language of this bill
is to authorize the Director of OES to administer, authorize
and allocate federal homeland security grant funding, and to
prioritize that grant funding (except in state emergencies)
for preventative measures taken by OIS to ensure compliance by
state departments and agencies with existing information
security standards and policies, including the performance of
risk assessments. There is no obvious reason to believe that
the Director of OES lacks the authority to administer and
allocate such federal grants, as the administration of such
grants has presumably been ongoing for years.
The author and the Committee may wish to consider whether or
not more specific provisions related to transparency, such as
a requirement to annually report any expenditures or
allocations of federal homeland security grants funds, would
better achieve the stated aim of the bill.
5) Related legislation. AB 1841 (Irwin) would require OES to
develop, by July 1, 2017, a statewide emergency services
response plan for cybersecurity attacks against critical
infrastructure, and further requires OES to develop a
comprehensive cybersecurity strategy by July 1, 2018, with
which all state agencies must report compliance by January 1,
2019. AB 1841 is currently pending in the Assembly
Governmental Organization Committee.
AB 1881 (Chang) would require the Director of CDT to develop
and update mandatory baseline security controls for state
networks based on industry and national standards, and
annually measure the state's progress towards compliance. AB
1881 is currently pending in the Assembly Privacy and Consumer
Protection Committee.
SB 949 (Jackson) would authorize the Governor to require
owners and operators of critical infrastructure to submit
critical infrastructure information to OES or any other
designee for the purposes of gathering, analyzing,
communicating, or disclosing critical infrastructure
information. SB 949 is pending hearing in the Senate
Governmental Organizations Committee.
6) Double-referral. This bill is double-referred to the Assembly
Governmental Organization Committee, where it will be heard if
passed by this Committee.
REGISTERED SUPPORT / OPPOSITION:
Support
None on file.
Opposition
None on file.
Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200