BILL ANALYSIS
AB 2623
Page 1

Date of Hearing: May 3, 2016

ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION
Ed Chau, Chair
AB 2623 (Gordon and Irwin) - As Amended April 28, 2016

SUBJECT: State information security costs: annual report

SUMMARY: Requires state agencies and entities to report their information security expenditures on an annual basis to the California Department of Technology (CDT). Specifically, this bill:

1) Requires, on or before February 1, 2017, and annually thereafter, specified state agencies and state entities to submit a summary of their actual and projected information security costs, including personnel, for the immediately preceding fiscal year and current fiscal year, showing current expenses and projected expenses for the current fiscal year in order to capture statewide information security expenditures, including the expenditure of federal grant funds for information security purposes.

2) Requires CDT to develop and provide instructions and a format for state agencies and entities to report their information security costs.

3) Makes other technical and nonsubstantive amendments.

EXISTING LAW:

1) Establishes the California Department of Technology (CDT) within the Government Operations Agency, under the supervision of the Director of Technology, also known as the State Chief Information Officer. (Government Code Section (GC) 11545(a))

2) Requires the Director to, among other things, advise the Governor on the strategic management and direction of the state's information technology resources and provide technology direction to agency and department chief information officers to ensure the integration of statewide technology initiatives. (GC 11545(b))

3) Requires the Director to produce an annual information technology performance report that assesses and measures the state's progress toward specified goals. (GC 11545(d))

4) Requires specified state agencies and state entities to submit annually, as instructed by CDT, a summary of their actual and projected information technology and telecommunications costs, including personnel, for the immediate preceding fiscal year and current fiscal year, showing current expenses and projected expenses for the current fiscal year, in a format prescribed by CDT. (GC 11546.2)

5) Defines a state agency, for purposes of the annual cost report, to mean "the Transportation Agency, Department of Corrections and Rehabilitation, Department of Veterans Affairs, Business, Consumer Services, and Housing Agency, Natural Resources Agency, California Health and Human Services Agency, California Environmental Protection Agency, Labor and Workforce Development Agency, and Department of Food and Agriculture," as well as any "entity within the executive branch that is under the direct authority of the Governor, including, but not limited to, all departments, boards, bureaus, commissions, councils, and offices" that are not directly defined as a state agency. (GC 11546.1(e))

FISCAL EFFECT: Unknown

COMMENTS:

1) Purpose of this bill. This bill is intended to increase state government transparency in information security spending so that CDT can better manage agency performance and resource allocation for cybersecurity. This bill is author-sponsored.

2) Author's statement. According to the author, "Our state has many valuable resources, which makes it a prime target for cyberattacks of ever-increasing sophistication and impact. This year, the California State Auditor's report High Risk Update - Information Security stated that cybersecurity 'weaknesses leave some of the State's sensitive data vulnerable to unauthorized use, disclosure, or disruption.' This Assembly Committee on Privacy and Consumer Protection held oversight hearings to delve into the issue deeper, and identified several opportunities for improved cybersecurity for California. The Committee also identified several key shortfalls, including a lack of knowledge of how much money state departments spend on cybersecurity. Understanding our spending patterns on cybersecurity can help us identify where departments might be overspending, where additional resources might be needed, and how our investment as a state compares to large companies or other states. The task of defending California from organized criminals, homegrown hackers, and foreign cyberattacks is as difficult as it is important, and a key first step will be ensuring that we can account for the investments we make in this critical fight."

3) Questions regarding state oversight of cybersecurity. On February 24, 2016, this Committee held an oversight hearing on California's Cybersecurity Strategy. Part of that hearing examined the findings of a 2015 California State Auditor (Auditor) report entitled "High Risk Update - Information Security" (Report 2015-611). The Auditor found that "many state entities have weaknesses in their controls over information security. These weaknesses leave some of the State's sensitive data vulnerable to unauthorized use, disclosure, or disruption." The Auditor explained that "The California Department of Technology (technology department) is responsible for ensuring that state entities that are under the direct authority of the governor (reporting entities) maintain the confidentiality, integrity, and availability of their information systems and protect the privacy of the State's information."

However, when the Chief Information Security Officer (CISO) overseeing the state's Office of Information Security within CDT was asked during the hearing to explain how much state agencies were actually spending on cybersecurity, the CISO revealed that her office did not know or track this information.

State spending on cybersecurity is a topic of immediate importance. A July 2015 article in Government Technology magazine entitled "4 Critical Challenges to State and Local Government Cybersecurity Efforts (Industry Perspective)," notes that cybersecurity has become the number one strategic priority for state and local government agencies: "A constant stream of high-profile attacks by organized crime, hacktivists and state-sponsored agents against both commercial and government entities has raised awareness and created a heightened sense of urgency. Organizations of all types and sizes are deeply concerned about data breaches by politically motivated bad actors and the all-too-real potential for highly sophisticated state-sponsored or terrorist attacks on critical public infrastructure and services."

Information about cybersecurity spending is an important part of managing and overseeing progress in the area, especially if certain agencies are underfunding the effort. The Government Technology article notes that: "The typical state or local government agency spends less than 5 percent of its IT budget on cybersecurity, compared to over 10 percent in the typical commercial enterprise. If we bear in mind that some of the world's most prominent enterprises have been successfully hacked, and that government agencies are faced with precisely the same security challenges as their commercial brethren, it is alarmingly clear that state and local agencies' cybersecurity efforts are woefully underfunded."

4) Questions regarding the use of homeland security funds. Tracking state spending on cybersecurity is complicated by the fact that some of the expended funds come to the state in the form of federal grants. According to the government information website Allgov.com, "California has been the recipient of at least $1.9 billion worth of major anti-terrorism grants from Washington, D.C. since the September 11, 2001, attacks, and a succession of reports by the federal government indicate the money hasn't always been spent wisely."

"While a U.S. Department of Homeland Security report released in February 2011 found the state generally 'did an efficient and effective job of administering the program requirements, distributing grant funds, and ensuring that all of the available funds were used,' its inspector general listed a series of costly missteps. The report, which looked at Urban Areas Security Initiative Grants awarded from 2006-2008, did not identify the particular localities within the state that obtained the grants, which generally have three years to spend their money.

"California has established half a dozen 'fusion centers' around the state to bring state, local and federal law enforcement personnel and systems together to deal with terrorism prevention, as well as cross-border crime, gangs and drug trafficking. The report cited one unidentified center as wasting $700,000 on software that didn't work before spending another $1.25 million to replace it. Another center bought 55 large-screen digital televisions for $74,394 but hadn't purchased the training system they were meant to implement. On the day federal inspectors visited the site, all the TVs were turned to a single station."

5) This bill in practice. AB 2623 would mirror an existing requirement for state agencies to annually report their information technology and telecommunications costs to CDT, by requiring a similar annual report for spending on information security costs. CDT would be responsible for developing instructions and a format for those reports, and would have the flexibility to determine the accounting methodology used to collect the data. The standardized reporting created by this bill would give CDT a valuable data set to better manage state agencies' spending on cybersecurity, including the ability to make spending comparisons between agencies and facilitate benchmarking with other states, so that they can identify state entities that may be over or under-resourcing cybersecurity efforts or misspending available funds.

6) Related legislation. AB 1841 (Irwin) would require the state Office of Emergency Services (OES) to develop, by July 1, 2017, a statewide emergency services response plan for cybersecurity attacks against critical infrastructure, and further requires OES to develop a comprehensive cybersecurity strategy by July 1, 2018, with which all state agencies must report compliance by January 1, 2019. AB 1841 passed this Committee on April 5, 2016, on an 11-0 vote and is currently pending in the Assembly Appropriations Committee.

AB 1881 (Chang) would require the Director of CDT to develop and update mandatory baseline security controls for state networks based on industry and national standards, and annually measure the state's progress towards compliance. AB 1881 is currently pending in the Assembly Appropriations Committee.

AB 2595 (Linder) would establish the California Cybersecurity Integration Center, require it to develop a cybersecurity strategy for California, and authorize the administration of federal homeland security grant funding by the Office of Emergency Services. AB 2595 is currently pending in the Assembly Appropriations Committee.

SB 949 (Jackson) would authorize the Governor to require owners and operators of critical infrastructure to submit critical infrastructure information to OES or any other designee for the purposes of gathering, analyzing, communicating, or disclosing critical infrastructure information. SB 949 is currently pending in the Senate Governmental Organization Committee.

7) Prior versions of this bill. This bill was gutted and amended on April 28, 2016, to change the bill from a revision of requirements for Internet privacy policies to its current form. As a result, support and opposition for the prior versions of this bill are not addressed here.

8) Previous legislation. AB 670 (Irwin), Chapter 518, Statutes of 2015, requires CDT to conduct, or require to be conducted, no fewer than 35 independent security assessments of state agencies, departments or offices annually.

REGISTERED SUPPORT / OPPOSITION:

Support
None on file.

Opposition
None on file.

Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200