BILL ANALYSIS
AB 2595
Page 1
Date of Hearing: May 18, 2016
ASSEMBLY COMMITTEE ON APPROPRIATIONS
Lorena Gonzalez, Chair
AB 2595 (Linder) - As Amended March 30, 2016
-----------------------------------------------------------------------
|Policy Committee: |Privacy and Consumer Protection |Vote: |11-0     |
|------------------+--------------------------------+------+---------|
|                  |Governmental Organization       |      |19 - 0   |
-----------------------------------------------------------------------
Urgency: No  State Mandated Local Program: No  Reimbursable: No
SUMMARY: This bill establishes the California Cybersecurity
Integration Center (Cal-CSIC) to develop a cybersecurity
strategy for California, and authorizes the administration of
federal homeland security grant funding by the Office of
Emergency Services. Specifically, this bill:
1)Establishes the California Cybersecurity Integration Center
(Cal-CSIC) within the Governor's Office of Emergency Services
(OES).
2)Requires Cal-CSIC to develop a cybersecurity strategy for
California in coordination with the Cybersecurity Task Force
(Task Force), and in accordance with state and federal
requirements, consistent with applicable standards and best
practices.
3)Requires the Cal-CSIC to include, but not be limited to,
representatives of OES, the California Department of
Technology's (CDT) Office of Information Security (OIS), the
State Threat Assessment Center, the California Highway Patrol,
the California Military Department, the Office of the Attorney
General, the California Health and Human Services Agency, the
California Utilities Emergency Association, the California
State University, the University of California and the
California Community Colleges.
4)Authorizes the Director of OES, in consultation with OIS or
the Task Force, to administer, authorize, and allocate federal
homeland security grant funding in accordance with federal
grant guidelines, and prioritize grant funding for prevention
measures undertaken by the OIS in furtherance of the provision
in the Governor's Executive Order B-34-15.
5)Provides that this authorization shall not preclude the
Director of OES from administering the grant programs to
respond to statewide emergencies requiring immediate
attention.
FISCAL EFFECT:
By codifying an existing Executive Order, this bill creates
ongoing General Fund cost pressures to fund Cal-CSIC in
perpetuity, thereby removing the authority of the Governor to
modify or otherwise adjust the program in response to future
budget constraints.
COMMENTS:
1)Purpose. This bill is intended to codify the new state CSIC
created by Executive Order in 2015, and to provide more
specific guidance to OES regarding the expenditure of federal
grant money for cybersecurity purposes.
According to the author, "In 2013, Governor Brown reorganized
government to address the growing needs of technology by
creating the CDT and the Cybersecurity Task Force, which is
co-chaired by the department and the Governor's Office of
Emergency Services. Since that time, however, there has been
no accounting of federal homeland security grant dollars that
could be used to fund cybersecurity prevention efforts by the
state. This bill is needed to require OES to administer
homeland security grant funding in a way that would be
beneficial for the state to reach its proper prevention levels
to protect against a cyberattack, intrusion, or data breach."
2)Executive Order creating Cal-CSIC. On August 31, 2015,
Governor Brown signed Executive Order B-34-15 which noted the
increasing number and complexity of cyberattacks against
public and private networks, and in response announced the
establishment of the Cal-CSIC.
Cal-CSIC is charged with reducing the likelihood and severity of
a damaging cyber incident in California, and would serve as
the "central organizing hub" of state government's
cybersecurity activities and coordinate information sharing
with a variety of government agencies. It would be comprised
of representatives from at least 15 different state and
federal public entities, and its main functions would be
threat information sharing, risk assessment, threat
prioritization, supporting governmental audits and
accountability measures, and enabling cross-sector coordination
and sharing of best practices. Cal-CSIC would also be
responsible for developing a statewide cybersecurity strategy.
The authorization provided by this bill differs from the
Executive Order in a few substantial ways. This bill omits
four federal partner agencies and other members designated by
OES, although they could be added at the discretion of the
Director of OES. Also, the bill omits any mention of the
creation of a Cyber Incident Response Team, and also does not
require that information sharing be conducted in a manner that
protects the privacy and civil liberties of individuals,
safeguards sensitive information, and preserves business
confidentiality. Staff notes that the Executive Branch
already has the authority to create and operate Cal-CSIC,
which is now far along in the development stage. Codification
would remove the Governor's authority to unilaterally change
any of the provisions added to statute.
3)Related legislation. This is one of five
cybersecurity-related bills before this Committee today:
a) AB 1841 (Irwin) would require the state OES in
conjunction with the CDT to develop, by July 1, 2017, a
statewide emergency services response plan for
cybersecurity attacks against critical infrastructure (EF
18), and would require OES and CDT to develop a
comprehensive cybersecurity strategy by January 1, 2018,
with which all state agencies must report compliance by
January 1, 2019.
b) AB 1881 (Chang) would require the Director of CDT to
develop and update mandatory baseline security controls for
state networks based on industry and national standards, and
annually measure the state's progress towards compliance.
c) AB 2623 (Gordon) would require state agencies and
entities to report their information security expenditures
on an annual basis to the CDT, including the expenditure of
federal grant funds for information security purposes.
d) AB 2720 (Chau) would authorize the creation of a
Cybersecurity Vulnerability Reporting Reward Program that
would provide a monetary reward to eligible individuals who
identify and report previously unknown vulnerabilities in
state computer networks.
Analysis Prepared by: Jennifer Swenson / APPR. / (916) 319-2081