BILL ANALYSIS
SENATE COMMITTEE ON GOVERNMENTAL ORGANIZATION
Senator Isadore Hall, III
Chair
2015 - 2016 Regular
Bill No: AB 2623 Hearing Date: 6/28/2016
Author: Gordon
Version: 4/28/2016 Amended
Urgency: No
Fiscal: Yes
Consultant: Felipe Lopez
SUBJECT: State information security costs: annual report
DIGEST: This bill requires state agencies to report their
information security expenditures on an annual basis to the
California Department of Technology (CDT).
ANALYSIS:
Existing law:
1) Establishes CDT within the Government Operations Agency, under
the supervision of the Director of Technology.
2) Requires specified state agencies and state entities to submit
annually, as instructed by CDT, a summary of their actual and
projected information technology and telecommunications costs,
including personnel, for the immediate preceding fiscal year
and current fiscal year, showing current expenses and
projected expenses for the current fiscal year, in a format
prescribed by CDT.
3) Defines a state agency, for purposes of the annual cost
report, to mean the Transportation Agency, Department of
Corrections and Rehabilitation, Department of Veterans
Affairs, Business, Consumer Services, and Housing Agency,
Natural Resources Agency, California Health and Human Services
Agency, California Environmental Protection Agency, Labor and
Workforce Development Agency, and Department of Food and
Agriculture, as well as any entity within the executive
branch that is under the direct authority of the Governor,
including but not limited to, all departments, boards,
bureaus, commissions, councils, and offices that are not
directly defined as a state agency.
4) Requires the Director of CDT to advise the Governor on the
strategic management and direction of the state's information
technology resources and provide technology direction to state
agencies and departments to ensure the integration of
statewide technologies initiatives.
5) Provides that the Office of Information Security may conduct,
or require to be conducted, an independent security assessment
of every state agency, department, or office.
This bill:
1) Requires, on or before February 1, 2017, and annually
thereafter, specified state agencies and state entities to
submit a summary of their actual and projected information
security costs, including personnel, for the immediately
preceding fiscal year and current fiscal year, showing current
expenses and projected expenses for the current fiscal year,
in a format prescribed by CDT, in order to capture statewide
information security expenditures, including the expenditure
of federal grant funds for information security purposes.
2) Makes other technical and nonsubstantive amendments.
Background
Purpose of the bill. According to the author, "a critical part
of our ability to organize and develop cybersecurity
capabilities is knowledge of what we are spending and where.
Without having oversight over whether state agencies are under
or over investing in cybersecurity, it makes it difficult to
prioritize spending, compare state spending with industry, and
ensure that state dollars are being used as effectively as
possible to bolster our cyber defenses. AB 2623 would include a
requirement for state agencies to report their annual spending
on cybersecurity. This knowledge will ensure that our state
leaders have strong understanding of how agencies are responding
to this new risk and mitigating appropriately."
This bill would mirror an existing requirement for state
agencies to annually report their information technology and
telecommunications to CDT, by requiring a similar annual report
for spending on information security costs.
Current spending. On February 24, 2016, the Assembly Privacy
and Consumer Protection Committee and the Select Committee on
Cybersecurity held a joint oversight hearing on California's
cybersecurity strategies. Part of that hearing examined the
findings of a 2015 California State Auditor (Auditor) report
entitled "High Risk Update - Information Security." The Auditor
found that "many state entities have weaknesses in their
controls over information security. These weaknesses leave some
of the State's sensitive data vulnerable to unauthorized use,
disclosure, or disruption."
The Auditor explained that "CDT is responsible for ensuring
that state entities that are under the direct authority of the
governor maintain the confidentiality, integrity, and
availability of their information systems and protect the
privacy of the State's information." However, when the Chief
Information Security Officer (CISO) within CDT was asked during
the hearing to explain how much state agencies were actually
spending on cybersecurity, the CISO revealed that her office did
not know or track this information.
Cyber Threats in California. According to the California
Military Department (CMD), California's size and importance
makes it vulnerable to cyber incidents that disrupt business,
shutdown critical infrastructure, and compromise intellectual
property or national security.
CMD calls cybercrime "a growth industry" causing $400 billion in
negative impacts annually on the global economy. Thirty percent
of all cyber-attacks and other malicious activity are targeted
at the government, making these networks and systems the most
vulnerable target of cybercrime.
According to CMD, the threat to government networks has never
been higher. "Hacktivists", nation states, cyber criminals and
other threat groups are attacking government networks to steal
sensitive information and make a political/economic statement.
It is not known how many attacks, whether successful or
unsuccessful, have been made against state agency computers over
the past year.
Prior/Related Legislation
AB 1841 (Irwin, 2016) requires the Office of Emergency Services
in conjunction with CDT to transmit to the Legislature, by July
1, 2017, a statewide emergency services response plan for
cybersecurity, and further requires OES and CDT to develop a
comprehensive cybersecurity strategy against critical
infrastructure by January 1, 2018. (Pending in Senate
Appropriations Committee)
SB 949 (Jackson, 2016) authorizes the Governor to require owners
and operators of critical infrastructure, as defined, to submit
critical infrastructure information to OES. (Never heard in
Senate Governmental Organization Committee)
AB 1346 (Gray, 2016) requires OES to update the State Emergency
Plan on or before January 1, 2018, and every 5 years thereafter,
and would require the plan to be consistent with specified state
climate adaptation strategies. (Pending in Senate
Appropriations Committee)
AB 2595 (Linder, 2016) establishes in statute the California
Cybersecurity Integration Center within OES to develop a
cybersecurity strategy for California in coordination with the
Cybersecurity Task Force. (Held in Assembly Appropriations
Committee)
AB 670 (Irwin, Chapter 518, Statutes of 2015) required CDT to
conduct, or require to be conducted, no fewer than 35
independent security assessments of state agencies, departments,
or offices annually.
AB 739 (Irwin, 2015) provides legal immunity for civil or
criminal liability for private entities that communicate
anonymized cyber security threat information and meet specified
requirements, until January 1, 2020. (Held in Assembly
Judiciary Committee)
AB 1172 (Chau, 2015) continues in existence the California
Cybersecurity Task Force, created in 2013 by OES and CDT.
(Senate Inactive File)
FISCAL EFFECT: Appropriation: No Fiscal Com.: Yes Local: No
SUPPORT:
None received
OPPOSITION:
None received