BILL ANALYSIS
SENATE COMMITTEE ON GOVERNMENTAL ORGANIZATION
Senator Isadore Hall, III
Chair
2015 - 2016 Regular
Bill No: SB 949 Hearing Date: 4/12/2016
-----------------------------------------------------------------
|Author: |Jackson |
|-----------+-----------------------------------------------------|
|Version: |2/4/2016 Introduced |
-----------------------------------------------------------------
------------------------------------------------------------------
|Urgency: |No |Fiscal: |Yes |
------------------------------------------------------------------
-----------------------------------------------------------------
|Consultant:|Felipe Lopez                                         |
-----------------------------------------------------------------
SUBJECT: Emergency services: critical infrastructure
information
DIGEST: This bill authorizes the Governor to require owners
and operators of critical infrastructure, as defined, to submit
critical infrastructure information, as defined, to the
California Office of Emergency Services, or any other designee,
for the purposes of gathering, analyzing, communicating, or
disclosing critical infrastructure information, as provided.
ANALYSIS:
Existing law:
1) Requires, under the California Emergency Services Act, the
Governor to coordinate the State Emergency Plan and any
programs necessary for the mitigation of the effects of an
emergency in this state, as specified.
2) Establishes, within the office of the Governor, the Office of
Emergency Services (OES) and requires it to perform various
duties with respect to specified emergency preparedness,
mitigation, and response activities in the state.
3) Requires, under the California Public Records Act, state and
local agencies to make their records available for public
inspection, unless an exemption from disclosure applies. The
act exempts from these disclosure requirements, among other
SB 949 (Jackson) Page 2 of ?
documents, critical infrastructure information, as defined,
that is voluntarily submitted to OES.
4) Requires that a statute that limits the right of access to the
meetings of public bodies or the writings of public officials
and agencies be adopted with findings demonstrating the
interest protected by the limitation and the need for
protecting that interest.
This bill:
1) Authorizes the Governor to require owners and operators of
critical infrastructure to submit critical infrastructure
information to OES, or any other designee, for the following
purposes:
a) To gather and analyze critical infrastructure
information in order to better understand security problems
and interdependencies related to critical infrastructure,
so as to ensure the availability, integrity, and
reliability of that critical infrastructure.
b) To communicate or disclose critical infrastructure
information to help prevent, detect, mitigate, or recover
from the effects of interference, compromise, or
incapacitation problem related to critical infrastructure.
2) Provides that critical infrastructure information obtained
pursuant to this bill shall be confidential and privileged and
shall not be subject to disclosure pursuant to the California
Public Records Act, subpoena, or discovery, or admissible as
evidence in any private civil action.
3) Defines "critical infrastructure" as systems and assets so
vital to the state that the incapacity or destruction of those
systems or assets would have a debilitating impact on
security, economic security, public health and safety, or any
combination of those matters.
4) Defines "critical infrastructure information" as information
not customarily in the public domain pertaining to any of the
following:
a) Actual, potential, or threatened interference, or an
attack on, compromise of, or incapacitation of critical
infrastructure by either physical or computer-based attack
or other similar conduct, including the misuse of, or
unauthorized access to, all types of communications and
data transmission systems, that violates federal, state, or
local laws, harms economic security, or threatens public
health or safety.
b) The ability of critical infrastructure to resist any
interference, compromise, or incapacitation, including any
planned or past assessment or estimate of the vulnerability
of critical infrastructure, including security testing,
risk evaluation, risk management planning, or risk audits.
c) Any planned or past operational problem or solution
regarding critical infrastructure, including repair,
recovery, reconstruction, insurance, or continuity, to the
extent it is related to interference, compromise, or
incapacitation of critical infrastructure.
5) Makes legislative findings demonstrating the interest
protected by the limitation and the need for protecting that
interest.
Background
Purpose of the bill. According to the author, "In recent years,
critical infrastructure in the United States has been subject to
a number of attacks by cybercriminals, including a 2014 incident
where an overseas hacker gained access to systems regulating the
flow of natural gas. These incidents have prompted state and
federal leaders to warn operators of critical infrastructure of
the need to bolster cyber defenses to protect against
debilitating attacks that threaten our public safety and
economic well-being."
The author further argues that, "however, since many of these
actors are hesitant to admit to weaknesses in their defenses,
getting sufficient information to accurately assess California's
critical infrastructure cyber defenses has proven difficult."
Snapshot of California's Critical Infrastructure. According to
OES, the following represents a snapshot of California's
critical infrastructure:
- Water: 1,468 dams, of which 140 have capacities greater
than 10,000 acre-feet; 701 miles of canals and pipelines;
and 1,595 miles of levees.
- Electrical Power: 1,008 in-state power plants; nearly
70,000 megawatts of installed generation capacity; and
substations and transmission lines that deliver over 200
billion kilowatt-hours to customers annually.
- Oil and Natural Gas: over 115,000 miles of oil and
natural gas pipelines, 20 refineries and over 100 oil and
natural gas terminal facilities, and more than a dozen of
the U.S.'s largest oil fields.
- Transportation: over 170,000 miles of public roads; over
50,000 lane miles of highways; over 12,000 bridges; 246
public use airports, 30 of which provide scheduled
passenger service. Los Angeles Airport is the seventh
busiest worldwide.
- Ports: California has 11 seaports handling more than half
of all U.S. shipping freight. Three of the country's
largest container ports are in California: Los Angeles,
Long Beach and Oakland. Nationally, Los Angeles is the
busiest port by container volume; internationally it is the
eighth busiest, and combined with Long Beach it is the fifth
busiest.
- Public Health: 450 acute care hospitals.
- Emergency Services: 1,974 fire stations.
- Chemical: approximately 95 "high risk" facilities.
- Agriculture: 81,500 farms; more than 400 commodities; in
2012, total agriculture-related sales were $44.7 billion,
representing 11.3% of the national total.
- Finance: 7,374 commercial banks with deposits totaling
$753 billion; 410 credit unions with assets totaling $115
billion.
Critical Infrastructure Protection Division. The Critical
Infrastructure Protection Division (CIP), within OES, focuses on
better protecting and securing the state's critical
infrastructure assets and reducing their vulnerabilities, using
risk-based methodologies, vulnerability and security assessments,
and information sharing practices and tools shared among the
different critical infrastructure sectors.
The CIP assesses risk to California's critical infrastructure,
fulfills federal data requests for homeland security and
emergency management programs, and develops related guidelines
and/or policies. Additionally, the CIP develops and implements
California's Critical Infrastructure Protection Program, which
includes risk management and analyses for the identification,
prioritization and protection of California's critical assets
from natural and technological hazards and human-caused threats,
and for situational awareness and emergency management/incident
response and planning. In addition, the CIP and partner
assessors provide infrastructure owners and managers with risk
reduction options, as well as tools and training to help manage
risk to their assets, systems, and networks.
Critical Infrastructure Information Act of 2002. Enacted as
part of the Homeland Security Act of 2002, the Critical
Infrastructure Information Act of 2002 created a framework, known
as the Protected Critical Infrastructure Information (PCII)
Program, that enables members of the private sector and others
to voluntarily submit sensitive information regarding the
nation's critical infrastructure to the Department of Homeland
Security (DHS) with the assurance that the information, if it
satisfies certain requirements, will be protected from public
disclosure.
The PCII Program requires that an individual who will be working
with PCII be a federal, state, tribal, or local government
employee, complete training on the proper handling and
safeguarding of PCII, have homeland security responsibilities,
and sign a non-disclosure agreement. Once an individual becomes
an authorized user, access to individual items of PCII is
determined on a need-to-know basis. Becoming an authorized user
is a necessary step to accessing PCII, but it is not the only
requirement.
Staff Comments: While the committee must first determine the
merits of granting the Governor the power to require critical
infrastructure information from private businesses, the author
may wish to consider amendments to the bill requiring Cal OES
to develop a program similar to the federal PCII Program,
including restrictions on who can access the information and
training on its proper handling and safeguarding. This should
include requirements that an individual who will be working
with such information be a federal, state, tribal, or local
government employee, complete training on the proper handling
and safeguarding of the information, have homeland security
responsibilities, and sign a non-disclosure agreement.
In addition, the current definition of "critical infrastructure"
includes "systems and assets so vital to the state that the
incapacity or destruction of those systems or assets would have
a debilitating impact on security, economic security, public
health, and safety, or any combination of those matters." While
this definition mirrors the definition used by DHS, it is quite
vague and could include most businesses throughout the state as
long as the Governor determines that those businesses fall under
the definition of critical infrastructure. The author may wish
to amend the bill to narrow the definition of "critical
infrastructure" to more closely reflect the intention of the
bill.
Prior/Related Legislation
AB 1841 (Irwin, 2016) would require OES to transmit to the
Legislature, on or before July 1, 2017, the Cyber Security Annex
to the State Emergency Plan and would require OES to develop a
comprehensive cybersecurity strategy setting standards for state
agencies. (Pending in the Assembly Governmental Organization
Committee)
SB 1444 (Hertzberg, 2016) would require an agency that owns or
licenses computerized data that includes personal information to
prepare a computerized personal information security plan that
details the agency's strategy to respond to a security breach of
computerized personal information and associated consequences
caused by the disclosed personal information. (Pending in
Senate Judiciary Committee)
AB 670 (Irwin, Chapter 518, Statutes of 2015) requires the
Office of Information Security, in consultation with OES, to
require no fewer than 35 independent security assessments of
state entities each year and determine basic standards of
services to be performed as part of an independent security
assessment.
AB 1172 (Chau, 2015) would continue in existence the California
Cyber Security Task Force which is tasked with developing a
comprehensive cyber-security strategy to assess and enhance the
state's preparedness and response capabilities to cyber-attacks.
(Pending on the Senate Inactive File)
SB 573 (Pan, 2015) would create the position of Chief Data
Officer to be appointed by the Governor on or before June 1,
2016, who is tasked with creating a statewide open data portal
to provide public access to data sets from state agencies. (Held
in the Assembly Appropriations Committee)
AB 2091 (Conway, Chapter 205, Statutes of 2010) exempts from
disclosure under the California Public Records Act information
security records that would reveal vulnerabilities of an
information technology system or increase the potential for
cyber-attacks.
FISCAL EFFECT: Appropriation: No    Fiscal Com.: Yes    Local: No
SUPPORT:
Los Angeles County Professional Peace Officers Association
OPPOSITION:
American Insurance Association
California Cable & Telecommunications Association
California Chamber of Commerce
California Hospital Association
California Manufacturers and Technology Association
California Railroad Industry
Computing Technology Industry Association (CompTIA)
CTIA - The Wireless Association
Silicon Valley Leadership Group
State Privacy and Security Coalition, Inc.
ARGUMENTS IN SUPPORT: The Los Angeles County Professional
Peace Officers Association argues that, "in recent years,
critical infrastructure in the United States has been subject to
a number of attacks by cybercriminals, including a 2014 incident
where an overseas hacker gained access to systems regulating the
flow of natural gas. These incidents have prompted state and
federal leaders to warn operators of critical infrastructure of
the need to bolster cyber defenses to protect against
debilitating attacks that threaten our public safety and
economic well-being. Recognizing the sensitive nature of the
information disclosed to OES, this bill protects critical
infrastructure information from public disclosure or from being
used in private litigation."
ARGUMENTS IN OPPOSITION: The California Chamber of Commerce
argues that, "SB 949 increases security risks by tasking state
agencies with protecting private industry's security information
collected under the new authority. Housing this sensitive
information within the state creates a high value target to
hackers; they can acquire massive amounts of information
effectuating a few breaches. Compounding this security issue is
a recent state audit and legislative hearing that revealed
issues with the State's cybersecurity strategies, systems and
protocols. Specifically, the audit found that 73 of 77 state
agencies audited did not meet cybersecurity standards."
The California Cable & Telecommunications Association believes
that "the Cybersecurity Act and the Critical Infrastructure
Information Act provide for the essential exchange of
information with federal, state, and local governments, to
protect our national security with appropriate safeguards. SB
949 would create similar requirements without providing any of
the protections offered at the federal level and could subject
critical infrastructure providers to the very risks that the
federal law's voluntary reporting mechanism sought to avoid."
DUAL REFERRAL: Senate Judiciary Committee