BILL ANALYSIS                                                                                                                                                                                                    



          SENATE COMMITTEE ON GOVERNMENTAL ORGANIZATION
                              Senator Isadore Hall, III
                                        Chair
                                2015 - 2016  Regular 

          Bill No:           AB 2623          Hearing Date:    6/28/2016
           ----------------------------------------------------------------- 
          |Author:    |Gordon                                               |
          |-----------+-----------------------------------------------------|
          |Version:   |4/28/2016    Amended                                 |
           ----------------------------------------------------------------- 
           ------------------------------------------------------------------ 
          |Urgency:   |No                     |Fiscal:      |Yes             |
           ------------------------------------------------------------------ 
           ----------------------------------------------------------------- 
          |Consultant:|Felipe Lopez                                         |
          |           |                                                     |
           ----------------------------------------------------------------- 
          

          SUBJECT: State information security costs:  annual report


            DIGEST:    This bill requires state agencies to report their  
          information security expenditures on an annual basis to the  
          California Department of Technology (CDT).

          ANALYSIS:
          
          Existing law:
          
          1)Establishes CDT within the Government Operations Agency, under  
            the supervision of the Director of Technology.

          2)Requires specified state agencies and state entities to submit  
            annually, as instructed by CDT, a summary of their actual and  
            projected information technology and telecommunications costs,  
            including personnel, for the immediate preceding fiscal year  
            and current fiscal year, showing current expenses and  
            projected expenses for the current fiscal year, in a format  
            prescribed by CDT. 

          3)Defines a state agency, for purposes of the annual cost  
            report, to mean the Transportation Agency, Department of  
            Corrections and Rehabilitation, Department of Veterans  
            Affairs, Business, Consumer Services, and Housing Agency,  
            Natural Resources Agency, California Health and Human Services  
            Agency, California Environmental Protection Agency, Labor and  
            Workforce Development Agency, and Department of Food and  







          AB 2623 (Gordon)                                   Page 2 of ?
          
          
            Agriculture,  as well as any entity within the executive  
            branch that is under the direct authority of the Governor,  
            including but not limited to, all departments, boards,  
            bureaus, commissions, councils, and offices that are not  
            directly defined as a state agency.

          4)Requires the Director of CDT to advise the Governor on the  
            strategic management and direction of the state's information  
            technology resources and provide technology direction to state  
            agencies and departments to ensure the integration of  
            statewide technologies initiatives. 

          5)Provides that the Office of Information Security may conduct,  
            or require to be conducted, an independent security assessment  
            of every state agency, department, or office. 

          This bill:

          1)Requires, on or before February 1, 2017, and annually  
            thereafter, specified state agencies and state entities to  
            submit a summary of their actual and projected information  
            security costs, including personnel, for the immediately  
            preceding fiscal year and current fiscal year, showing current  
            expenses and projected expenses for the current fiscal year,  
            in a format prescribed by CDT, in order to capture statewide  
            information security expenditures, including the expenditure  
            of federal grant funds for information security purposes. 

          2)Makes other technical and nonsubstantive amendments.

          Background

          Purpose of the bill.  According to the author, "a critical part  
          of our ability to organize and develop cybersecurity  
          capabilities is knowledge of what we are spending and where.   
          Without having oversight over whether state agencies are under  
          or over investing in cybersecurity, it makes it difficult to  
          prioritize spending, compare state spending with industry, and  
          ensure that state dollars are being used as effectively as  
          possible to bolster our cyber defenses.  AB 2623 would include a  
          requirement for state agencies to report their annual spending  
          on cybersecurity.  This knowledge will ensure that our state  
          leaders have strong understanding of how agencies are responding  
          to this new risk and mitigating appropriately. 









          AB 2623 (Gordon)                                   Page 3 of ?
          
          
          This bill would mirror an existing requirement for state  
          agencies to annually report their information technology and  
          telecommunications to CDT, by requiring a similar annual report  
          for spending on information security costs.

          Current spending.  On February 24, 2016, the Assembly Privacy  
          and Consumer Protection Committee and the Select Committee on  
          Cybersecurity held a joint oversight hearing on California's  
          cybersecurity strategies.  Part of that hearing examined the  
          findings of a 2015 California State Auditor (Auditor) report  
          entitled "High Risk Update - Information Security."  The Auditor  
          found that "many state entities have weaknesses in their  
          controls over information security.  These weaknesses leave some  
          of the State's sensitive data vulnerable to unauthorized use,  
          disclosure, or disruption."


          The Auditor explained that " CDT is responsible for ensuring  
          that state entities that are under the direct authority of the  
          governor maintain the confidentiality, integrity, and  
          availability of their information systems and protect the  
          privacy of the State's information."  However, when the Chief  
          Information Security Officer (CISO) within CDT was asked during  
          the hearing to explain how much state agencies were actually  
          spending on cybersecurity, the CISO revealed that her office did  
          not know or track this information.  

          Cyber Threats in California. According to the California  
          Military Department (CMD), California's size and importance  
          makes it vulnerable to cyber incidents that disrupt business,  
          shutdown critical infrastructure, and compromise intellectual  
          property or national security.  

          CMD calls cybercrime "a growth industry" causing $400 billion in  
          negative impacts annually on the global economy.  Thirty percent  
          of all cyber-attacks and other malicious activity are targeted  
          at the government, making these networks and systems the most  
          vulnerable target of cybercrime.  

          According to CMD, the threat to government networks has never  
          been higher.  "Hacktivists", nation states, cyber criminals and  
          other threat groups are attacking government networks to steal  
          sensitive information and make a political/economic statement.   
          It is not known how many attacks, whether successful or  
          unsuccessful, have been made against state agency computers over  








          AB 2623 (Gordon)                                   Page 4 of ?
          
          
          the past year.

          Prior/Related Legislation
          
          AB 1841 (Irwin, 2016) requires the Office of Emergency Services  
          in conjunction with CDT to transmit to the Legislature, by July  
          1, 2017, a statewide emergency services response plan for  
          cybersecurity, and further requires OES and CDT to develop a  
          comprehensive cybersecurity strategy against critical  
          infrastructure by January 1, 2018.  (Pending in Senate  
          Appropriations Committee)

          SB 949 (Jackson, 2016) authorizes the Governor to require owners  
          and operators of critical infrastructure, as defined, to submit  
          critical infrastructure information to OES.  (Never heard in  
          Senate Governmental Organization Committee)

          AB 1346 (Gray, 2016) requires OES to update the State Emergency  
          Plan on or before January 1, 2018, and every 5 years thereafter,  
          and would require the plan to be consistent with specified state  
          climate adaptation strategies.  (Pending in Senate  
          Appropriations Committee).

          AB 2595 (Linder, 2016) establishes in statute the California  
          Cybersecurity Integration Center within OES to develop a  
          cybersecurity strategy for California in coordination with the  
          Cybersecurity Task Force.  (Held in Assembly Appropriations  
          Committee) 

          AB 670 (Irwin, Chapter 518, Statutes of 2015) required CDT to  
          conduct, or require to be conducted, no fewer than 35  
          independent security assessments of state agencies, departments,  
          or offices annually.  

          AB 739 (Irwin, 2015) provides legal immunity for civil or  
          criminal liability for private entities that communicate  
          anonymized cyber security threat information and meet specified  
          requirements, until January 1, 2020.  (Held in Assembly  
          Judiciary Committee) 

          AB 1172 (Chau, 2015) continues in existence the California  
          Cybersecurity Task Force, created in 2013 by OES and CDT.   
          (Senate Inactive File)

          FISCAL EFFECT:                 Appropriation:  No    Fiscal  








          AB 2623 (Gordon)                                   Page 5 of ?
          
          
          Com.:             Yes          Local:          No


           SUPPORT:  

          None received

          OPPOSITION:

          None received