BILL ANALYSIS                                                                                                                                                                                                    

                                                                    AB 2623

                                                                    Page  1

          Date of Hearing:  May 3, 2016


                                   Ed Chau, Chair

          AB 2623  
          (Gordon and Irwin) - As Amended April 28, 2016

          SUBJECT:  State information security costs: annual report

          SUMMARY:  Requires state agencies and entities to report their  
          information security expenditures on an annual basis to the  
          California Department of Technology (CDT).  Specifically, this  

          1)Requires, on or before February 1, 2017, and annually  
            thereafter, specified state agencies and state entities to  
            submit a summary of their actual and projected information  
            security costs, including personnel, for the immediately  
            preceding fiscal year and current fiscal year, showing current  
            expenses and projected expenses for the current fiscal year in  
            order to capture statewide information security expenditures,  
            including the expenditure of federal grant funds for  
            information security purposes. 

          2)Requires CDT to develop and provide instructions and a format  
            for state agencies and entities to report their information  
            security costs.


          3)Makes other technical and nonsubstantive amendments.

          EXISTING LAW:  

          1)Establishes the California Department of Technology (CDT)  
            within the Government Operations Agency, under the supervision  
            of the Director of Technology, also known as the State Chief  
            Information Officer.  (Government Code Section (GC) 11545(a))

          2)Requires the Director to, among other things, advise the  
            Governor on the strategic management and direction of the  
            state's information technology resources and provide  
            technology direction to agency and department chief  
            information officers to ensure the integration of statewide  
            technology initiatives.  (GC 11545(b))

          3)Requires the Director to produce an annual information  
            technology performance report that assesses and measures the  
            state's progress toward specified goals.  (GC 11545(d))

          4)Requires specified state agencies and state entities to submit  
            annually, as instructed by CDT, a summary of their actual and  
            projected information technology and telecommunications costs,  
            including personnel, for the immediate preceding fiscal year  
            and current fiscal year, showing current expenses and  
            projected expenses for the current fiscal year, in a format  
            prescribed by CDT.  (GC 11546.2)


          5)Defines a state agency, for purposes of the annual cost  
            report, to mean "the Transportation Agency, Department of  
            Corrections and Rehabilitation, Department of Veterans  
            Affairs, Business, Consumer Services, and Housing Agency,  
            Natural Resources Agency, California Health and Human Services  
            Agency, California Environmental Protection Agency, Labor and  
            Workforce Development Agency, and Department of Food and  
            Agriculture," as well as any "entity within the executive  
            branch that is under the direct authority of the Governor,  
            including, but not limited to, all departments, boards,  
            bureaus, commissions, councils, and offices" that are not  
            directly defined as a state agency.  (GC 11546.1(e)) 

          FISCAL EFFECT:  Unknown 


           1)Purpose of this bill.  This bill is intended to increase state
            government transparency in information security spending so  
            that CDT can better manage agency performance and resource  
            allocation for cybersecurity.  This bill is author-sponsored.   

           2)Author's statement.  According to the author, "Our state has
            many valuable resources, which makes it a prime target for  
            cyberattacks of ever-increasing sophistication and impact.   
            This year, the California State Auditor's report High Risk  
            Update - Information Security stated that cybersecurity  
            'weaknesses leave some of the State's sensitive data  
            vulnerable to unauthorized use, disclosure, or disruption.'   
            This Assembly Committee on Privacy and Consumer Protection  
            held oversight hearings to delve into the issue deeper, and  
            identified several opportunities for improved cybersecurity  
            for California.  The Committee also identified several key
            shortfalls, including a lack of knowledge of how much money
            state departments spend on cybersecurity.  Understanding our  
            spending patterns on cybersecurity can help us identify where  
            departments might be overspending, where additional resources  
            might be needed, and how our investment as a state compares to  
            large companies or other states.  The task of defending  
            California from organized criminals, homegrown hackers, and  
            foreign cyberattacks is as difficult as it is important, and a  
            key first step will be ensuring that we can account for the  
            investments we make in this critical fight." 

           3)Questions regarding state oversight of cybersecurity.  On
            February 24, 2016, this Committee held an oversight hearing on  
            California's Cybersecurity Strategy.  Part of that hearing  
            examined the findings of a 2015 California State Auditor  
            (Auditor) report entitled "High Risk Update - Information  
            Security" (Report 2015-611).  The Auditor found that "many  
            state entities have weaknesses in their controls over  
            information security.  These weaknesses leave some of the  
            State's sensitive data vulnerable to unauthorized use,  
            disclosure, or disruption."

            The Auditor explained that "The California Department of  
            Technology (technology department) is responsible for ensuring  
            that state entities that are under the direct authority of the  
            governor (reporting entities) maintain the confidentiality,  
            integrity, and availability of their information systems and  
            protect the privacy of the State's information."  However,  
            when the Chief Information Security Officer (CISO) overseeing  
            the state's Office of Information Security within CDT was  
            asked during the hearing to explain how much state agencies  
            were actually spending on cybersecurity, the CISO revealed  
            that her office did not know or track this information.  

            State spending on cybersecurity is a topic of immediate
            importance.  A July 2015 article in Government Technology
            magazine entitled "4 Critical Challenges to State and Local  
            Government Cybersecurity Efforts (Industry Perspective),"  
            notes that cybersecurity has become the number one strategic  
            priority for state and local government agencies: "A constant  
            stream of high-profile attacks by organized crime, hacktivists  
            and state-sponsored agents against both commercial and  
            government entities has raised awareness and created a  
            heightened sense of urgency.  Organizations of all types and  
            sizes are deeply concerned about data breaches by politically  
            motivated bad actors and the all-too-real potential for highly  
            sophisticated state-sponsored or terrorist attacks on critical  
            public infrastructure and services."

            Information about cybersecurity spending is an important part  
            of managing and overseeing progress in the area, especially if  
            certain agencies are underfunding the effort.  The Government  
            Technology article notes that: "The typical state or local  
            government agency spends less than 5 percent of its IT budget  
            on cybersecurity, compared to over 10 percent in the typical  
            commercial enterprise. If we bear in mind that some of the  
            world's most prominent enterprises have been successfully  
            hacked, and that government agencies are faced with precisely  
            the same security challenges as their commercial brethren, it  
            is alarmingly clear that state and local agencies'  
            cybersecurity efforts are woefully underfunded."

           4)Questions regarding the use of homeland security funds.
            Tracking state spending on cybersecurity is complicated by the  
            fact that some of the expended funds come to the state in the  
            form of federal grants.  According to the government  
            information website, "California has been the  
            recipient of at least $1.9 billion worth of major  
            anti-terrorism grants from Washington, D.C. since the  
            September 11, 2001, attacks, and a succession of reports by  
            the federal government indicate the money hasn't always been  
            spent wisely."

            "While a U.S. Department of Homeland Security report released
            in February 2011 found the state generally 'did an efficient  
            and effective job of administering the program requirements,  
            distributing grant funds, and ensuring that all of the  
            available funds were used,' its inspector general listed a  
            series of costly missteps.  The report, which looked at Urban  
            Areas Security Initiative Grants awarded from 2006-2008, did  
            not identify the particular localities within the state that  
            obtained the grants, which generally have three years to spend  
            their money.

            "California has established half a dozen 'fusion centers'  
            around the state to bring state, local and federal law  
            enforcement personnel and systems together to deal with  
            terrorism prevention, as well as cross-border crime, gangs and  
            drug trafficking.  The report cited one unidentified center as  
            wasting $700,000 on software that didn't work before spending  
            another $1.25 million to replace it.  Another center bought 55  
            large-screen digital televisions for $74,394 but hadn't  
            purchased the training system they were meant to implement.   
            On the day federal inspectors visited the site, all the TVs  
            were turned to a single station."

           5)This bill in practice.  AB 2623 would mirror an existing
            requirement for state agencies to annually report their  
            information technology and telecommunications costs to CDT, by  
            requiring a similar annual report for spending on information  
            security costs.  CDT would be responsible for developing  
            instructions and a format for those reports, and would have  
            the flexibility to determine the accounting methodology used  
            to collect the data. 

            The standardized reporting created by this bill would give CDT a
            valuable data set to better manage state agencies' spending on
            cybersecurity, including the ability to make spending
            comparisons between agencies and facilitate benchmarking with
            other states, so that they can identify state entities that
            may be over or under-resourcing cybersecurity efforts or
            misspending available funds.

           6)Related legislation.  AB 1841 (Irwin) would require the state
            Office of Emergency Services (OES) to develop, by July 1,  
            2017, a statewide emergency services response plan for  
            cybersecurity attacks against critical infrastructure, and  
            further requires OES to develop a comprehensive cybersecurity  
            strategy by July 1, 2018, with which all state agencies must  
            report compliance by January 1, 2019.  AB 1841 passed this  
            Committee on April 5, 2016, on an 11-0 vote and is currently  
            pending in the Assembly Appropriations Committee. 

            AB 1881 (Chang) would require the Director of CDT to develop  
            and update mandatory baseline security controls for state  
            networks based on industry and national standards, and  
            annually measure the state's progress towards compliance.  AB  
            1881 is currently pending in the Assembly Appropriations  

            AB 2595 (Linder) would establish the California Cybersecurity
            Integration Center, require it to develop a cybersecurity  
            strategy for California, and authorize the administration of  
            federal homeland security grant funding by the Office of  
            Emergency Services.  AB 2595 is currently pending in the  
            Assembly Appropriations Committee.   

            SB 949 (Jackson) would authorize the Governor to require  
            owners and operators of critical infrastructure to submit  
            critical infrastructure information to OES or any other  
            designee for the purposes of gathering, analyzing,  
            communicating, or disclosing critical infrastructure
            information.  SB 949 is currently pending in the Senate
            Governmental Organization Committee.

           7)Prior versions of this bill.  This bill was gutted and amended
            on April 28, 2016, to change the bill from a revision of  
            requirements for Internet privacy policies to its current  
            form.  As a result, support and opposition for the prior  
            versions of this bill are not addressed here.  

           8)Previous legislation.  AB 670 (Irwin), Chapter 518, Statutes
            of 2015, requires CDT to conduct, or require to be conducted,  
            no fewer than 35 independent security assessments of state  
            agencies, departments or offices annually.   



          None on file. 


          None on file.


          Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200