BILL ANALYSIS
AB 2623
Page 1
Date of Hearing: May 3, 2016
ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION
Ed Chau, Chair
AB 2623
(Gordon and Irwin) - As Amended April 28, 2016
SUBJECT: State information security costs: annual report
SUMMARY: Requires state agencies and entities to report their
information security expenditures on an annual basis to the
California Department of Technology (CDT). Specifically, this
bill:
1) Requires, on or before February 1, 2017, and annually
thereafter, specified state agencies and state entities to
submit a summary of their actual and projected information
security costs, including personnel, for the immediately
preceding fiscal year and current fiscal year, showing current
expenses and projected expenses for the current fiscal year in
order to capture statewide information security expenditures,
including the expenditure of federal grant funds for
information security purposes.
2) Requires CDT to develop and provide instructions and a format
for state agencies and entities to report their information
security costs.
3) Makes other technical and nonsubstantive amendments.
EXISTING LAW:
1) Establishes the California Department of Technology (CDT)
within the Government Operations Agency, under the supervision
of the Director of Technology, also known as the State Chief
Information Officer. (Government Code Section (GC) 11545(a))
2) Requires the Director to, among other things, advise the
Governor on the strategic management and direction of the
state's information technology resources and provide
technology direction to agency and department chief
information officers to ensure the integration of statewide
technology initiatives. (GC 11545(b))
3) Requires the Director to produce an annual information
technology performance report that assesses and measures the
state's progress toward specified goals. (GC 11545(d))
4) Requires specified state agencies and state entities to submit
annually, as instructed by CDT, a summary of their actual and
projected information technology and telecommunications costs,
including personnel, for the immediate preceding fiscal year
and current fiscal year, showing current expenses and
projected expenses for the current fiscal year, in a format
prescribed by CDT. (GC 11546.2)
5) Defines a state agency, for purposes of the annual cost
report, to mean "the Transportation Agency, Department of
Corrections and Rehabilitation, Department of Veterans
Affairs, Business, Consumer Services, and Housing Agency,
Natural Resources Agency, California Health and Human Services
Agency, California Environmental Protection Agency, Labor and
Workforce Development Agency, and Department of Food and
Agriculture," as well as any "entity within the executive
branch that is under the direct authority of the Governor,
including, but not limited to, all departments, boards,
bureaus, commissions, councils, and offices" that are not
directly defined as a state agency. (GC 11546.1(e))
FISCAL EFFECT: Unknown
COMMENTS:
1) Purpose of this bill. This bill is intended to increase state
government transparency in information security spending so
that CDT can better manage agency performance and resource
allocation for cybersecurity. This bill is author-sponsored.
2) Author's statement. According to the author, "Our state has
many valuable resources, which makes it a prime target for
cyberattacks of ever-increasing sophistication and impact.
This year, the California State Auditor's report High Risk
Update - Information Security stated that cybersecurity
'weaknesses leave some of the State's sensitive data
vulnerable to unauthorized use, disclosure, or disruption.'
This Assembly Committee on Privacy and Consumer Protection
held oversight hearings to delve into the issue deeper, and
identified several opportunities for improved cybersecurity
for California. The Committee also identified several key
shortfalls, including a lack of knowledge of how much money
state departments spend on cybersecurity. Understanding our
spending patterns on cybersecurity can help us identify where
departments might be overspending, where additional resources
might be needed, and how our investment as a state compares to
large companies or other states. The task of defending
California from organized criminals, homegrown hackers, and
foreign cyberattacks is as difficult as it is important, and a
key first step will be ensuring that we can account for the
investments we make in this critical fight."
3) Questions regarding state oversight of cybersecurity. On
February 24, 2016, this Committee held an oversight hearing on
California's Cybersecurity Strategy. Part of that hearing
examined the findings of a 2015 California State Auditor
(Auditor) report entitled "High Risk Update - Information
Security" (Report 2015-611). The Auditor found that "many
state entities have weaknesses in their controls over
information security. These weaknesses leave some of the
State's sensitive data vulnerable to unauthorized use,
disclosure, or disruption."
The Auditor explained that "The California Department of
Technology (technology department) is responsible for ensuring
that state entities that are under the direct authority of the
governor (reporting entities) maintain the confidentiality,
integrity, and availability of their information systems and
protect the privacy of the State's information." However,
when the Chief Information Security Officer (CISO) overseeing
the state's Office of Information Security within CDT was
asked during the hearing to explain how much state agencies
were actually spending on cybersecurity, the CISO revealed
that her office did not know or track this information.
State spending on cybersecurity is a topic of immediate
importance. A July 2015 article in Government Technology
magazine entitled "4 Critical Challenges to State and Local
Government Cybersecurity Efforts (Industry Perspective),"
notes that cybersecurity has become the number one strategic
priority for state and local government agencies: "A constant
stream of high-profile attacks by organized crime, hacktivists
and state-sponsored agents against both commercial and
government entities has raised awareness and created a
heightened sense of urgency. Organizations of all types and
sizes are deeply concerned about data breaches by politically
motivated bad actors and the all-too-real potential for highly
sophisticated state-sponsored or terrorist attacks on critical
public infrastructure and services."
Information about cybersecurity spending is an important part
of managing and overseeing progress in the area, especially if
certain agencies are underfunding the effort. The Government
Technology article notes that: "The typical state or local
government agency spends less than 5 percent of its IT budget
on cybersecurity, compared to over 10 percent in the typical
commercial enterprise. If we bear in mind that some of the
world's most prominent enterprises have been successfully
hacked, and that government agencies are faced with precisely
the same security challenges as their commercial brethren, it
is alarmingly clear that state and local agencies'
cybersecurity efforts are woefully underfunded."
4) Questions regarding the use of homeland security funds.
Tracking state spending on cybersecurity is complicated by the
fact that some of the expended funds come to the state in the
form of federal grants. According to the government
information website Allgov.com, "California has been the
recipient of at least $1.9 billion worth of major
anti-terrorism grants from Washington, D.C. since the
September 11, 2001, attacks, and a succession of reports by
the federal government indicate the money hasn't always been
spent wisely."
"While a U.S. Department of Homeland Security report released
in February 2011 found the state generally 'did an efficient
and effective job of administering the program requirements,
distributing grant funds, and ensuring that all of the
available funds were used,' its inspector general listed a
series of costly missteps. The report, which looked at Urban
Areas Security Initiative Grants awarded from 2006-2008, did
not identify the particular localities within the state that
obtained the grants, which generally have three years to spend
their money.
"California has established half a dozen 'fusion centers'
around the state to bring state, local and federal law
enforcement personnel and systems together to deal with
terrorism prevention, as well as cross-border crime, gangs and
drug trafficking. The report cited one unidentified center as
wasting $700,000 on software that didn't work before spending
another $1.25 million to replace it. Another center bought 55
large-screen digital televisions for $74,394 but hadn't
purchased the training system they were meant to implement.
On the day federal inspectors visited the site, all the TVs
were turned to a single station."
5) This bill in practice. AB 2623 would mirror an existing
requirement for state agencies to annually report their
information technology and telecommunications costs to CDT, by
requiring a similar annual report for spending on information
security costs. CDT would be responsible for developing
instructions and a format for those reports, and would have
the flexibility to determine the accounting methodology used
to collect the data.
The standardized reporting created by this bill would give CDT a
valuable data set for overseeing state agencies' spending on
cybersecurity, including the ability to compare spending between
agencies and to benchmark against other states, so that CDT can
identify state entities that may be over- or under-resourcing
cybersecurity efforts or misspending available funds.
6) Related legislation. AB 1841 (Irwin) would require the state
Office of Emergency Services (OES) to develop, by July 1,
2017, a statewide emergency services response plan for
cybersecurity attacks against critical infrastructure, and
would further require OES to develop a comprehensive cybersecurity
strategy by July 1, 2018, with which all state agencies must
report compliance by January 1, 2019. AB 1841 passed this
Committee on April 5, 2016, on an 11-0 vote and is currently
pending in the Assembly Appropriations Committee.
AB 1881 (Chang) would require the Director of CDT to develop
and update mandatory baseline security controls for state
networks based on industry and national standards, and
annually measure the state's progress towards compliance. AB
1881 is currently pending in the Assembly Appropriations
Committee.
AB 2595 (Linder) would establish the California Cybersecurity
Integration Center, require it to develop a cybersecurity
strategy for California, and authorize the administration of
federal homeland security grant funding by the Office of
Emergency Services. AB 2595 is currently pending in the
Assembly Appropriations Committee.
SB 949 (Jackson) would authorize the Governor to require
owners and operators of critical infrastructure to submit
critical infrastructure information to OES or any other
designee for the purposes of gathering, analyzing,
communicating, or disclosing critical infrastructure
information. SB 949 is currently pending in the Senate
Governmental Organization Committee.
7) Prior versions of this bill. This bill was gutted and amended
on April 28, 2016, to change the bill from a revision of
requirements for Internet privacy policies to its current
form. As a result, support and opposition for the prior
versions of this bill are not addressed here.
8) Previous legislation. AB 670 (Irwin), Chapter 518, Statutes
of 2015, requires CDT to conduct, or require to be conducted,
no fewer than 35 independent security assessments of state
agencies, departments or offices annually.
REGISTERED SUPPORT / OPPOSITION:
Support
None on file.
Opposition
None on file.
Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200