BILL ANALYSIS
SENATE COMMITTEE ON GOVERNMENTAL ORGANIZATION
Senator Isadore Hall, III, Chair
2015 - 2016 Regular

Bill No: SB 949
Hearing Date: 4/12/2016
Author: Jackson
Version: 2/4/2016 Introduced
Urgency: No
Fiscal: Yes
Consultant: Felipe Lopez

SUBJECT: Emergency services: critical infrastructure information

DIGEST: This bill authorizes the Governor to require owners and operators of critical infrastructure, as defined, to submit critical infrastructure information, as defined, to the California Office of Emergency Services, or any other designee, for the purposes of gathering, analyzing, communicating, or disclosing critical infrastructure information, as provided.

ANALYSIS:

Existing law:

1) Requires, under the California Emergency Services Act, the Governor to coordinate the State Emergency Plan and any programs necessary for the mitigation of the effects of an emergency in this state, as specified.

2) Establishes, within the office of the Governor, the Office of Emergency Services (OES) and requires it to perform various duties with respect to specified emergency preparedness, mitigation, and response activities in the state.

3) Requires, under the California Public Records Act, state and local agencies to make their records available for public inspection, unless an exemption from disclosure applies. The act exempts from these disclosure requirements, among other
SB 949 (Jackson) Page 2 of ?
documents, critical infrastructure information, as defined, that is voluntarily submitted to OES.

4) Requires that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.

This bill:

1) Authorizes the Governor to require owners and operators of critical infrastructure to submit critical infrastructure information to OES, or any other designee, for the following purposes:

   a) To gather and analyze critical infrastructure information in order to better understand security problems and interdependencies related to critical infrastructure, so as to ensure the availability, integrity, and reliability of that critical infrastructure.

   b) To communicate or disclose critical infrastructure information to help prevent, detect, mitigate, or recover from the effects of interference, compromise, or incapacitation problem related to critical infrastructure.

2) Provides that critical infrastructure information obtained pursuant to this bill shall be confidential and privileged and shall not be subject to disclosure pursuant to the California Public Records Act, subpoena, or discovery, or admissible as evidence in any private civil action.

3) Defines "critical infrastructure" as systems and assets so vital to the state that the incapacity or destruction of those systems or assets would have a debilitating impact on security, economic security, public health and safety, or any combination of those matters.

4) Defines "critical infrastructure information" as information not customarily in the public domain pertaining to any of the following:

   a) Actual, potential, or threatened interference, or an attack on, compromise of, or incapacitation of critical infrastructure by either physical or computer-based attack
or other similar conduct, including the misuse of, or unauthorized access to, all types of communications and data transmission systems, that violates federal, state, or local laws, harms economic security, or threatens public health or safety.

   b) The ability of critical infrastructure to resist any interference, compromise, or incapacitation, including any planned or past assessment or estimate of the vulnerability of critical infrastructure, including security testing, risk evaluation, risk management planning, or risk audits.

   c) Any planned or past operational problem or solution regarding critical infrastructure, including repair, recovery, reconstruction, insurance, or continuity, to the extent it is related to interference, compromise, or incapacitation of critical infrastructure.

5) Makes legislative findings demonstrating the interest protected by the limitation and the need for protecting that interest.

Background

Purpose of the bill. According to the author, "In recent years, critical infrastructure in the United States has been subject to a number of attacks by cybercriminals, including a 2014 incident where an overseas hacker gained access to systems regulating the flow of natural gas. These incidents have prompted state and federal leaders to warn operators of critical infrastructure of the need to bolster cyber defenses to protect against debilitating attacks that threaten our public safety and economic well-being." The author further argues that, "however, since many of these actors are hesitant to admit to weaknesses in their defenses, getting sufficient information to accurately assess California's critical infrastructure cyber defenses has proven difficult."

Snapshot of California's Critical Infrastructure. According to OES, the following represents a snapshot of California's critical infrastructure:

- Water: 1,468 dams, of which 140 have capacities greater than 10,000 acre-feet; 701 miles of canals and pipelines; and 1,595 miles of levees.
- Electrical Power: 1,008 in-state power plants, nearly 70,000 megawatts of installed generation capacity, and substations and transmission lines that deliver over 200 billion kilowatt hours to customers annually.

- Oil and Natural Gas: over 115,000 miles of oil and natural gas pipelines, 20 refineries and over 100 oil and natural gas terminal facilities, and more than a dozen of the U.S.'s largest oil fields.

- Transportation: over 170,000 miles of public roads; over 50,000 lane miles of highways; over 12,000 bridges; 246 public use airports, 30 of which provide scheduled passenger service. Los Angeles Airport is the seventh busiest worldwide.

- California has 11 seaports handling more than half of all U.S. shipping freight. Three of the country's largest container ports are in California: Los Angeles, Long Beach and Oakland. Nationally, Los Angeles is the busiest by container volume, internationally the eighth busiest, and when combined with Long Beach it is the fifth busiest.

- Public Health: 450 acute care hospitals.

- Emergency Services: 1,974 fire stations.

- Chemical: approximately 95 "high risk" facilities.

- Agriculture: 81,500 farms; more than 400 commodities; in 2012 total agriculture-related sales for output was $44.7 billion, representing 11.3% of the national total.

- Finance: 7,374 commercial banks with deposits totaling $753 billion; 410 credit unions with assets totaling $115 billion.

Critical Infrastructure Protection Division. The focus of the Critical Infrastructure Protection Division (CIP), within OES, is to better protect, secure, and reduce vulnerabilities to the state's critical infrastructure assets using risk-based methodologies, vulnerability and security assessments, and information sharing practices and tools among different critical infrastructure sectors.
The CIP assesses risk to California's critical infrastructure, fulfills federal data requests for homeland security and emergency management programs, and develops related guidelines and/or policies. Additionally, the CIP develops and implements California's Critical Infrastructure Protection Program to include risk management and analyses for the identification, prioritization and protection of California's critical assets from natural and technological hazards, human caused threats, and for situational awareness and emergency management/incident response and planning. In addition, the CIP and partner assessors provide infrastructure owners and managers with risk reduction options, as well as tools and training to help manage risk to their assets, systems, and networks.

Critical Infrastructure Information Act of 2002. Enacted as part of the Homeland Security Act of 2002, the Critical Infrastructure Information Act of 2002 created a framework, known as the Protected Critical Infrastructure Information (PCII) Program, that enables members of the private sector and others to voluntarily submit sensitive information regarding the nation's critical infrastructure to the Department of Homeland Security (DHS) with the assurance that the information, if it satisfies certain requirements, will be protected from public disclosure.

The Act specifies that if an individual will be working with PCII, the individual would have to be a federal, state, tribal, or local government employee, complete training on the proper handling and safeguarding of PCII, have homeland security responsibilities, and sign a non-disclosure agreement. Once an individual becomes an authorized user, their access to individual items of PCII will be determined on a need-to-know basis. Becoming an authorized user is a necessary step to accessing PCII, but it is not the only requirement.
Staff Comments: While the committee must first determine the merits of allowing the Governor the power to request critical infrastructure information from private businesses, the author may wish to consider amendments to the bill to require Cal OES to develop a training program similar to the federal PCII Program including restrictions on who can access PCII and training on the proper handling and safeguarding of PCII. This should include requirements that if an individual will be working with PCII, the individual would have to be a federal, state, tribal, or local government employee, complete training on the proper handling and safeguarding of PCII, have homeland security responsibilities, and sign a non-disclosure agreement.

In addition, the current definition of "critical infrastructure" includes "systems and assets so vital to the state that the incapacity or destruction of those systems or assets would have a debilitating impact on security, economic security, public health, and safety, or any combination of those matters." While this definition mirrors the definition used by DHS, it is quite vague and could include most businesses throughout the state as long as the Governor determines that those businesses fall under the definition of critical infrastructure. The author may wish to amend the bill to narrow the definition of "critical infrastructure" to more closely reflect the intention of the bill.

Prior/Related Legislation

AB 1841 (Irwin, 2016) would require OES to transmit to the Legislature, on or before July 1, 2017, the Cyber Security Annex to the State Emergency Plan and would require OES to develop a comprehensive cybersecurity strategy setting standards for state agencies.
(Pending in the Assembly Governmental Organization Committee)

SB 1444 (Hertzberg, 2016) would require an agency that owns or licenses computerized data that includes personal information to prepare a computerized personal information security plan that details the agency's strategy to respond to a security breach of computerized personal information and associated consequences caused by the disclosed personal information. (Pending in Senate Judiciary Committee)

AB 670 (Irwin, Chapter 518, Statutes of 2015) requires the Office of Information Security, in consultation with OES, to require no fewer than 35 independent security assessments of state entities each year and determine basic standards of services to be performed as part of an independent security assessment.

AB 1172 (Chau, 2015) would continue in existence the California Cyber Security Task Force which is tasked with developing a comprehensive cyber-security strategy to assess and enhance the state's preparedness and response capabilities to cyber-attacks. (Pending on the Senate Inactive File)

SB 573 (Pan, 2015) would create the position of Chief Data Officer to be appointed by the Governor on or before June 1, 2016, who is tasked with creating a statewide open data portal to provide public access to data sets from state agencies. (Held in the Assembly Appropriations Committee)

AB 2091 (Conway, Chapter 205, Statutes of 2010) exempts from disclosure under the California Public Records Act information security records that would reveal vulnerabilities of an information technology system or increase the potential for cyber-attacks.
FISCAL EFFECT: Appropriation: No  Fiscal Com.: Yes  Local: No

SUPPORT:
Los Angeles County Professional Peace Officers Association

OPPOSITION:
American Insurance Association
California Cable & Telecommunications Association
California Chamber of Commerce
California Hospital Association
California Manufacturers and Technology Association
California Railroad Industry
Computing Technology Industry Association - CompTIA
CTIA - The Wireless Association
Silicon Valley Leadership Group
State Privacy and Security Coalition, Inc.

ARGUMENTS IN SUPPORT: The Los Angeles County Professional Peace Officers Association argues that, "in recent years, critical infrastructure in the United States has been subject to a number of attacks by cybercriminals, including a 2014 incident where an overseas hacker gained access to systems regulating the flow of natural gas. These incidents have prompted state and federal leaders to warn operators of critical infrastructure of the need to bolster cyber defenses to protect against debilitating attacks that threaten our public safety and economic well-being. Recognizing the sensitive nature of the information disclosed to OES, this bill protects critical infrastructure information from public disclosure or from being used in private litigation."

ARGUMENTS IN OPPOSITION: The California Chamber of Commerce argues that, "SB 949 increases security risks by tasking state agencies with protecting private industry's security information collected under the new authority. Housing this sensitive information within the state creates a high value target to hackers; they can acquire massive amounts of information effectuating a few breaches. Compounding this security issue is a recent state audit and legislative hearing that revealed issues with the State's cybersecurity strategies, systems and protocols. Specifically, the audit found that 73 of 77 state agencies audited did not meet cybersecurity standards."
The California Cable & Telecommunications Association believes that "the Cybersecurity Act and the Critical Infrastructure Information Act provide for the essential exchange of information with federal, state, and local governments, to protect our national security with appropriate safeguards. SB 949 would create similar requirements without providing any of the protections offered at the federal level and could subject critical infrastructure providers to the very risks that the federal law's voluntary reporting mechanism sought to avoid."

DUAL REFERRAL: Senate Judiciary Committee