BILL ANALYSIS

                                                                    AB 2720

                                                                    Page  1


          Date of Hearing:  May 18, 2016

                        ASSEMBLY COMMITTEE ON APPROPRIATIONS

                               Lorena Gonzalez, Chair

          AB 2720 (Chau) - As Amended March 17, 2016


           ----------------------------------------------------------------- 
          |Policy       |Privacy and Consumer           |Vote:|11 - 0       |
          |Committee:   |Protection                     |     |             |
           ----------------------------------------------------------------- 


          Urgency:  No        State Mandated Local Program:  No        Reimbursable:  No


          SUMMARY:


          This bill authorizes the state Office of Information Security  
          (OIS) to establish a Cybersecurity Vulnerability Reporting  
          Reward Program that would provide a monetary reward to eligible  
          individuals who identify and report previously unknown  
          vulnerabilities in state computer networks.  


          FISCAL EFFECT:


          1)Unknown one-time administrative costs to OIS, likely in the  
            range of $100,000 to $150,000 (GF), in the 2017 calendar year,  
            to develop policies, standards, and procedures for the  
            program.

          2)Unknown ongoing administrative costs to OIS, approximately  
            $100,000 (GF), to administer the program, including  
            determining eligibility for awards.

          3)General Fund cost pressure, likely in the range of $25,000 to  
            $50,000 ongoing, to fund the awards program.  Unawarded prize  
            money will revert to the General Fund after 12 months.

          COMMENTS:


          1)Purpose. This bill is intended to improve the cybersecurity of  
            state networks by creating a monetary incentive for private  
            individuals to confidentially report network vulnerabilities  
            to state cybersecurity experts so that they can be fixed  
            before they are exploited by hackers, a program commonly  
            referred to as a "bug bounty." 


            According to the author, "In recent years, many tech companies  
            have established vulnerability reporting programs, also called  
            'bug bounty' programs, to encourage and facilitate the  
            reporting of cybersecurity flaws by creating a means to  
            communicate - and reward - information about those  
            vulnerabilities.  Private sector 'bug bounty' programs, such  
            as those at Google, Facebook, and Netflix, even honor security  
            researchers who report serious flaws in software or websites  
            by giving out monetary rewards and posting names on a public  
            'hall of fame' website.  This bill would borrow an industry  
            best practice from Silicon Valley and apply it to state  
            government, establishing a first-of-its-kind program to  
            improve the cybersecurity of state websites, networks and  
            online services."   


          2)Private Sector Programs.  Bug bounty programs have been in  
            existence in the private sector reportedly since 1996, when  
            one was invented by a fledgling Internet browser company as a  
            way to harness the knowledge and energy of outside users for  
            the purpose of identifying "bugs," or vulnerabilities in the  
            software.  The term is now used to describe any program  
            offered by websites or software companies to give compensation  
            and recognition for reporting vulnerabilities, which allows  
            the company to resolve the problem early, before awareness of  
            the flaw spreads and it is exploited.


            Bug bounty programs are now widely used in the tech industry,  
            including major companies such as Google, Facebook, and  
            Microsoft, which have their own programs.  For example,  
            Google's Vulnerability Rewards Program has operated since  
            2010, and grants awards ranging from $100 to $20,000 for  
            qualifying vulnerabilities.  Individuals can only target their  
            own accounts, and awards are made based on the severity of the  
            threat and the sensitivity of the target.  



            Facebook has operated a similar program since 2011, and the  
            program has grown consistently since its inception.  According  
            to an August 2014 blog post, the company had received 14,763  
            submissions in 2013 alone, 6% of which it categorized as high  
            severity, and paid out $1.5 million that year to 330  
            researchers across the globe (average award was $2,204).  


          3)State Government Programs. Since 1950, the Department of Human  
            Resources has operated its Merit Award Program (MAP),  
            designed to operate as an "incentive award system to recognize  
            employees' contributions to state government and its  
            operations."  MAP incorporates three different awards, each  
            funded by the agency/department that benefits from the idea or  
            nomination: the Employee Suggestion Program (awards from $50  
            to $50,000), the Superior/Sustained Accomplishment Award ($50  
            to $250 per person), and a Special Act/Special Service Award  
            Nomination (lapel pin, certificate and citation).  Awards  
            exceeding $5,000 are required to be approved by concurrent  
            resolution of the Legislature.



            In 2014, AB 2138 (Gatto), Chapter 678, Statutes of 2014, created  
            a one-year "innovation awards" contest in state government for  
            the purpose of awarding up to $75,000 in cash prizes to  
            eligible California participants who are not state employees.   
            The underlying purpose was to solicit new procedures, plans,  
            designs, or ideas that would "contribute to the efficiency,  
            economy, or other improvement in the operations of the state  
            agency, including, but not limited to, streamlining an  
            existing process or system of the state agency or the design  
            of a feedback system for the state agency."

            Ultimately named the "$25K Find a New Way" contest, the  
            Governor's Office named the Department of Transportation  
            (Caltrans), the Department of Alcoholic Beverage Control  
            (ABC), and the Department of General Services (DGS) as the  
            participating entities.  Caltrans ultimately issued three  
            $7,000 awards for a suggestion related to improving highway  
            signs and a $4,000 award for an idea to develop a smart phone  
            application to enable smart travel habits.  ABC awarded $7,500  
            for the development of a smart phone application to  
            anonymously report the sale of alcohol to minors.  DGS focused  
            its program on "green government," and awarded first place to  
            another application developed during its first ever "GreenGov  
            Challenge" code-a-thon that would track how state agencies  
            perform in buying "greener, environmentally preferable  
            products."

          4)Related legislation.  This is one of five  
            cybersecurity-related bills before this Committee today:

             a)   AB 1841 (Irwin) requires the state OES in conjunction  
               with the CDT to develop, by July 1, 2017, a statewide  
               emergency services response plan for cybersecurity attacks  
               against critical infrastructure (EF 18), and would require  
               OES and CDT to develop a comprehensive cybersecurity  
               strategy by January 1, 2018, with which all state agencies  
               must report compliance by January 1, 2019.  

             b)   AB 1881 (Chang) requires the Director of CDT to develop  
               and update mandatory baseline security controls for state  
               networks based on industry and national standards, and  
               annually measure the state's progress towards compliance.

             c)   AB 2595 (Linder) establishes the California  
               Cybersecurity Integration Center within the Office of  
               Emergency Services to develop a cybersecurity strategy for  
               California, and authorizes the administration of federal  
               homeland security grant funding by OES.

             d)   AB 2623 (Gordon) requires state agencies and entities to  
               report their information security expenditures on an annual  
               basis to the CDT, including the expenditure of federal  
               grant funds for information security purposes.

          5)Previous legislation.  AB 2138 (Gatto), Chapter 678, Statutes  
            of 2014, created a one-year "innovation awards" contest in  
            state government for the purpose of awarding up to $75,000 in  
            cash prizes to eligible California participants who are not  
            employees of the State.   


          





          Analysis Prepared by:  Jennifer Swenson / APPR. / (916) 319-2081