BILL ANALYSIS                                                                                                                                                                                                    Ó



          SENATE COMMITTEE ON GOVERNMENTAL ORGANIZATION
                              Senator Isadore Hall, III
                                        Chair
                                2015 - 2016  Regular 

          Bill No:           SB 949           Hearing Date:    4/12/2016
           ----------------------------------------------------------------- 
          |Author:    |Jackson                                              |
          |-----------+-----------------------------------------------------|
          |Version:   |2/4/2016    Introduced                               |
           ----------------------------------------------------------------- 
           ------------------------------------------------------------------ 
          |Urgency:   |No                     |Fiscal:      |Yes             |
           ------------------------------------------------------------------ 
           ----------------------------------------------------------------- 
          |Consultant:|Felipe Lopez                                         |
          |           |                                                     |
           ----------------------------------------------------------------- 
          

          SUBJECT: Emergency services:  critical infrastructure  
          information


            DIGEST:    This bill authorizes the Governor to require owners  
          and operators of critical infrastructure, as defined, to submit  
          critical infrastructure information, as defined, to the  
          California Office of Emergency Services, or any other designee,  
          for the purposes of gathering, analyzing, communicating, or  
          disclosing critical infrastructure information, as provided.

          ANALYSIS:
          
          Existing law:
          
          1)Requires, under the California Emergency Services Act, the  
            Governor to coordinate the State Emergency Plan and any  
            programs necessary for the mitigation of the effects of an  
            emergency in this state, as specified.

          2)Establishes, within the office of the Governor, the Office of  
            Emergency Services (OES) and requires it to perform various  
            duties with respect to specified emergency preparedness,  
            mitigation, and response activities in the state. 

          3)Requires, under the California Public Records Act, state and  
            local agencies to make their records available for public  
            inspection, unless an exemption from disclosure applies.  The  
            act exempts from these disclosure requirements, among other  







          SB 949 (Jackson)                                   Page 2 of ?
          
          
            documents, critical infrastructure information, as defined,  
            that is voluntarily submitted to OES. 

          4)Requires that a statute that limits the right of access to the  
            meetings of public bodies or the writings of public officials  
            and agencies be adopted with findings demonstrating the  
            interest protected by the limitation and the need for  
            protecting that interest. 

          This bill:

          1)Authorizes the Governor to require owners and operators of  
            critical infrastructure to submit critical infrastructure  
            information to OES, or any other designee, for the following  
            purposes:

             a)   To gather and analyze critical infrastructure  
               information in order to better understand security problems  
               and interdependencies related to critical infrastructure,  
               so as to ensure the availability, integrity, and  
               reliability of that critical infrastructure.
             b)   To communicate or disclose critical infrastructure  
               information to help prevent, detect, mitigate, or recover  
               from the effects of interference, compromise, or  
               incapacitation problem related to critical infrastructure.

          2)Provides that critical infrastructure information obtained  
            pursuant to this bill shall be confidential and privileged and  
            shall not be subject to disclosure pursuant to the California  
            Public Records Act, subpoena, or discovery, or admissible as  
            evidence in any private civil action.

          3)Defines "critical infrastructure" as systems and assets so  
            vital to the state that the incapacity or destruction of those  
            systems or assets would have a debilitating impact on  
            security, economic security, public health and safety, or any  
            combination of those matters. 

          4)Defines "critical infrastructure information" as information  
            not customarily in the public domain pertaining to any of the  
            following:

             a)   Actual, potential, or threatened interference, or an  
               attack on, compromise of, or incapacitation of critical  
               infrastructure by either physical or computer-based attack  








          SB 949 (Jackson)                                   Page 3 of ?
          
          
               or other similar conduct, including the misuse of, or  
               unauthorized access to, all types of communications and  
               data transmission systems, that violates federal, state, or  
               local laws, harms economic security, or threatens public  
               health or safety. 
             b)   The ability of critical infrastructure to resist any  
               interference, compromise, or incapacitation, including any  
               planned or past assessment or estimate of the vulnerability  
               of critical infrastructure, including security testing,  
               risk evaluation, risk management planning, or risk audits.
             c)   Any planned or past operational problem or solution  
               regarding critical infrastructure, including repair,  
               recovery, reconstruction, insurance, or continuity, to the  
               extent it is related to interference, compromise, or  
               incapacitation of critical infrastructure.

          5)Makes legislative findings demonstrating the interest  
            protected by the limitation and the need for protecting that  
            interest. 

          Background

          Purpose of the bill.  According to the author, "In recent years,  
          critical infrastructure in the United States has been subject to  
          a number of attacks by cybercriminals, including a 2014 incident  
          where an overseas hacker gained access to systems regulating the  
          flow of natural gas.  These incidents have prompted state and  
          federal leaders to warn operators of critical infrastructure of  
          the need to bolster cyber defenses to protect against  
          debilitating attacks that threaten our public safety and  
          economic well-being."

          The author further argues that, "however, since many of these  
          actors are hesitant to admit to weaknesses in their defenses,  
          getting sufficient information to accurately assess California's  
          critical infrastructure cyber defenses has proven difficult."

          Snapshot of California's Critical Infrastructure.  According to  
          OES, the following represents a snapshot of California's  
          critical infrastructure:

             -    Water: 1468 dams, of which 140 have capacities greater  
               than 10,000 acre-fee; 701 miles of canals and pipelines;  
               and 1.595 miles of levees.
             -    Electrical Power: 1,008 in state power plants, nearly  








          SB 949 (Jackson)                                   Page 4 of ?
          
          
               70,000 megawatts install generation capacity, and  
               substations and transmission lines deliver over 200 billion  
               kilowatt hours to customers annually.
             -    Oil and Natural Gas: over 115,000 miles of oil and  
               natural gas pipelines, 20 refineries and over 100 oil and  
               natural gas terminal facilities, and more than a dozen of  
               the U.S.'s largest oil fields.
             -    Transportation: over 170,000 miles of public roads; over  
               50,000 lane miles of highways; over 12,000 bridges; 246  
               public use airports, 30 of which provide scheduled  
               passenger service.  Los Angeles Airport is the seventh  
               busiest worldwide.
             -    California has 11 seaports handling more than half of  
               all the US shipping freight.  Three of the country's  
               largest container ports are in California: Los Angeles,  
               Long Beach and Oakland.  Nationally, Los Angeles is the  
               busiest container volume, internationally the eight  
               busiest, and when combined with Long Beach is the fifth  
               busiest. 
             -    Public Health: 450 acute care hospitals.
             -    Emergency Services: 1,974 fire stations.
             -    Chemical: Approximately 95 "high risk" facilities

             -    Agriculture: 81,500 farms; more than 400 commodities; in  
               2012 total agriculture-related sales for output was $44.7  
               billion, representing 11.3% of the national total.
             -    Finance: 7,374 commercial banks with deposits totaling  
               $753 billion; 410 credit unions with assets totaling $115  
               billion.

          Critical Infrastructure Protection Division.  The Critical  
          Infrastructure Protection Division's (CIP), within OES, focus is  
          to better protect, secure, and reduce vulnerabilities to the  
          state's critical infrastructure assets using risk-based  
          methodologies, vulnerability and security assessments, and  
          information sharing practices and tools among different critical  
          infrastructure sectors. 

          The CIP assesses risk to California's critical infrastructure,  
          fulfills federal data requests for homeland security and  
          emergency management programs, and develops related guidelines  
          and/or policies.  Additionally, the CIP develops and implements  
          California's Critical Infrastructure Protection Program to  
          include risk management and analyses for the identification,  
          prioritization and protection of California's critical assets  








          SB 949 (Jackson)                                   Page 5 of ?
          
          
          from natural and technological hazards, human caused threats,  
          and for situational awareness and emergency management/incident  
          response and planning.  In addition, The CIP and partner  
          assessors provide infrastructure owners and managers with risk  
          reductions options, as well as tools and training to help manage  
          risk to their assets, systems, and networks. 

          Critical Infrastructure Information Act of 2002.  Enacted as  
          part of the Homeland Security Act of 2002, the Critical  
          Infrastructure Act of 2002 created a framework, known as the  
          Protected Critical Infrastructure Information (PCII) Program,  
          that enables members of the private sector and others to  
          voluntarily submit sensitive information regarding the nation's  
          critical infrastructure to the Department of Homeland Security  
          (DHS) with the assurance that the information, if it satisfies  
          certain requirements, will be protected from public disclosure. 

          The Act specifies that if an individual will be working with  
          PCII, the individual would have to be a federal, state, tribal,  
          or local government employee, complete training on the proper  
          handling and safeguarding of PCII, have homeland security  
          responsibilities, and sign a non-disclosure agreement.  Once an  
          individual becomes an authorized user, their access to  
          individual items of PCII will be determined by a need-to-known  
          basis.   Becoming an authorized user is a necessary step to  
          accessing PCII, but it is not the only requirement. 

          Staff Comments:  While the committee must first determine the  
          merits of allowing the Governor the power to request critical  
          infrastructure information from private businesses, the author  
          may wish to consider amendments to the bill to require Cal OES  
          to develop a training program similar to the federal PCII  
          Program including restrictions on who can access PCII and  
          training on the proper handling and safeguarding of PCII.  This  
          should include requirements that if an individual will be  
          working with PCII, the individual would have to be a federal,  
          state, tribal, or local government employee, complete training  
          on the proper handling and safeguarding of PCII, have homeland  
          security responsibilities, and sign a non-disclosure agreement.   


          In addition, the current definition of "critical infrastructure"  
          includes "systems and assets so vital to the state that the  
          incapacity or destruction of those systems or assets would have  
          a debilitating impact on security, economic security, public  








          SB 949 (Jackson)                                   Page 6 of ?
          
          
          health, and safety, or any combination of those matters." While  
          this definition mirrors the definition used by DHS, it is quite  
          vague and could include most businesses throughout the state as  
          long as the Governor determines that those businesses fall under  
          the definition of critical infrastructure.  The author may wish  
          to amend the bill to narrow the definition of "critical  
          infrastructure" to more closely reflect the intention of the  
          bill. 

          Prior/Related Legislation
          
          AB 1841 (Irwin, 2016)  would require OES to transmit to the  
          Legislature, on or before July 1, 2017, the Cyber Security Annex  
          to the State Emergency Plan and would require OES to develop a  
          comprehensive cybersecurity strategy setting standards for state  
          agencies.  (Pending in the Assembly Governmental Organization  
          Committee) 

          SB 1444 (Hertzberg, 2016) would require an agency that owns or  
          licenses computerized data that includes personal information to  
          prepare a computerized personal information security plan that  
          details the agency's strategy to respond to a security breach of  
          computerized personal information and associated consequences  
          caused by the disclosed personal information.  (Pending in  
          Senate Judiciary Committee)

          AB 670 (Irwin, Chapter 518, Statutes of 2015) requires the  
          Office of Information Security, in consultation with OES, to  
          require no fewer than 35 independent security assessments of  
          state entities each year and determine basic standards of  
          services to be performed as part of an independent security  
          assessment.

          AB 1172 (Chau, 2015) would continue in existence the California  
          Cyber Security Task Force which is tasked with developing a  
          comprehensive cyber-security strategy to assess and enhance the  
          state's preparedness and response capabilities to cyber-attacks.  
          (Pending on the Senate Inactive File)

          SB 573 (Pan, 2015) would create the position of Chief Data  
          Officer to be appointed by the Governor on or before June 1,  
          2016, who is tasked with creating a statewide open data portal  
          to provide public access to data sets from state agencies. (Held  
          in the Assembly Appropriations Committee) 









          SB 949 (Jackson)                                   Page 7 of ?
          
          
          AB 2091 (Conway, Chapter 205, Statutes of 2010) exempts from  
          disclosure under the California Public Records Act information  
          security records that would reveal vulnerabilities of an  
          information technology system or increase the potential for  
          cyber-attacks.

          FISCAL EFFECT:                 Appropriation:  No    Fiscal  
          Com.:             Yes          Local:          No


            SUPPORT:  

          Los Angeles County Professional Peace Officers Association

          OPPOSITION:

          American Insurance Association
          California Cable & Telecommunications Association
          California Chamber of Commerce
          California Hospital Association
          California Manufacturers and Technology Association
          California Railroad Industry
          Computing Technology Industry Association - Comp TIA
          CTIA - The Wireless Association
          Silicon Valley Leadership Group
          State Privacy and Security Coalition, Inc.

          ARGUMENTS IN SUPPORT:    The Los Angeles County Professional  
          Peace Officers Association argues that, "in recent years,  
          critical infrastructure in the United States has been subject to  
          a number of attacks by cybercriminals, including a 2014 incident  
          where an overseas hacker gained access to systems regulating the  
          flow of natural gas.  These incidents have prompted state and  
          federal leaders to warn operators of critical infrastructure of  
          the need to bolster cyber defenses to protect against  
          debilitating attacks that threaten our public safety and  
          economic well-being.  Recognizing the sensitive nature of the  
          information disclosed to OES, this bill protects critical  
          infrastructure information from public disclosure or from being  
          used in private litigation."

          ARGUMENTS IN OPPOSITION:    The California Chamber of Commerce  
          argues that, "SB 949 increases security risks by tasking state  
          agencies with protecting private industry's security information  
          collected under the new authority.  Housing this sensitive  








          SB 949 (Jackson)                                   Page 8 of ?
          
          
          information within the state creates a high value target to  
          hackers; they can acquire massive amounts of information  
          effectuating a few breaches.  Compounding this security issue is  
          a recent state audit and legislative hearing that revealed  
          issues with the State's cybersecurity strategies, systems and  
          protocols.  Specifically, the audit found that 73 of 77 state  
          agencies audited did not meet cybersecurity standards."

          The California Cable & Telecommunications Association believes  
          that "the Cybersecurity Act and the Critical Infrastructure  
          Information Act provide for the essential exchange of  
          information with federal, state, and local governments, to  
          protect our national security with appropriate safeguards.  SB  
          949 would create similar requirements without providing any of  
          the protections offered at the federal level and could subject  
          critical infrastructure providers to the very risks that the  
          federal law's voluntary reporting mechanism sought to avoid."
          
          DUAL REFERRAL:  Senate Judiciary Committee