BILL NUMBER: AB 1172 AMENDED
BILL TEXT

AMENDED IN SENATE AUGUST 31, 2015
AMENDED IN SENATE JULY 2, 2015

INTRODUCED BY Assembly Member Chau
(Coauthor: Assembly Member Cooper)

FEBRUARY 27, 2015

An act to add and repeal Article 3.9 (commencing with Section 8574.50) of Chapter 7 of Division 1 of Title 2 of the Government Code, relating to cyber security.

LEGISLATIVE COUNSEL'S DIGEST

AB 1172, as amended, Chau. California cyber security.

Existing law establishes various advisory boards and commissions in state government with specified duties and responsibilities. Existing law establishes in state government the Governor's Office of Emergency Services and the Department of Technology.

This bill would continue in existence the California Cyber Security Task Force, consisting of specified members, previously created by the Governor's Office of Emergency Services and the Department of Technology, in the Governor's Office of Emergency Services. The bill would authorize the task force to convene stakeholders to act in an advisory capacity and compile policy recommendations on cyber security for the state. The bill would require the task force to meet quarterly, or more often as necessitated by emergency circumstances. The bill would require the task force to complete and issue a report of policy recommendations to the Governor's office and the Legislature. The bill would also require the task force to perform specified functions relating to cyber security.

The bill would create a State Director of Cyber Security with specified duties within the Governor's Office of Emergency Services.

The bill would repeal these provisions on January 1, 2020.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

SECTION 1. Article 3.9 (commencing with Section 8574.50) is added to Chapter 7 of Division 1 of Title 2 of the Government Code, to read:

Article 3.9.
California Cyber Security

8574.50. (a) There is hereby continued in existence the California Cyber Security Task Force, created in 2013 by the Governor's Office of Emergency Services and the Department of Technology, in the Governor's Office of Emergency Services.
(b) The California Cyber Security Task Force shall consist of the following members:
(1) The Director of Emergency Services, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Office of Emergency Services' information technology and information security duties.
(2) The Director of the Department of Technology, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the director's information technology and information security duties set forth in Chapter 5.6 (commencing with Section 11545).
(3) The Attorney General, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Department of Justice's information technology and information security.
(4) The Adjutant General of the Military Department, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Military Department's information technology and information security.
(5) The Commissioner of the California Highway Patrol, or his or her designee with knowledge, expertise, and decisionmaking authority with respect to the Department of the California Highway Patrol's information technology and information security.
(6) A representative of the Public Utilities Commission or California Energy Commission with knowledge, expertise, and decisionmaking authority with respect to information technology and information security, who shall be appointed by the Governor.
(7) A representative from the utility or energy industry, who shall be appointed by the Governor.
(8) A representative from law enforcement, who shall be appointed by the Governor.
(9) Three individuals with cyber security expertise, who shall be appointed, one each, by the Governor, the Senate Rules Committee, and the Speaker of the Assembly.
(c) The California Cyber Security Task Force may convene stakeholders, both public and private, to act in an advisory capacity and compile policy recommendations on cyber security for the State of California. The California Cyber Security Task Force shall complete and issue a report of policy recommendations to the Governor's office and the Legislature on an annual basis. The report shall be completed in compliance with Section 9795.
(d) The California Cyber Security Task Force shall meet quarterly, or more often as necessitated by emergency circumstances, within existing resources to ensure that the policy recommendations from the report are implemented and any necessary modifications that may arise are addressed in a timely manner.
(e) The Governor's Office of Emergency Services and the Department of Technology may conduct the strategic direction of risk assessments performed by the Military Department's Computer Network Defense Team as budgeted in Item 8940-001-0001 of the Budget Act of 2014.

8574.51. There is within the Governor's Office of Emergency Services a State Director of Cyber Security, appointed by the Governor and subject to Senate confirmation, who shall do all of the following:
(a) Be the Executive Director of the California Cyber Security Task Force.
(b) Provide strategic direction of risk assessments performed with state resources.
(c) Complete a risk profile of state assets and capabilities for the purpose of compiling statewide contingency plans including, but not limited to, Emergency Function 18 of the State Emergency Plan.
(d) Act as point of contact to the federal government and private entities within the state in the event of a relevant emergency as declared by the Governor.
(e) Be an adviser to the Governor's Office of Emergency Services and the Department of Technology on cyber security.

8574.52. The Cyber Security Task Force shall perform the following functions based on the following priorities:
(a) Develop within state government cyber prevention, defense, and response strategies and define a hierarchy of command within the state for this purpose. This duty includes, but is not limited to, the following activities:
(1) Ensuring the continual performance of risk assessments on state information technology systems. The assessments shall include penetration tests, vulnerability scans, and other industry-standard methods that identify potential risk.
(2) Using assessment results and other state-level data to create a risk profile of public assets, critical infrastructure, public networks, and private operations susceptible to cyber-attacks. The risk profile shall include the development of statewide contingency plans including, but not limited to, Emergency Function 18 of the State Emergency Plan.
(b) Partner with the United States Department of Homeland Security to develop an appropriate information sharing system that allows for a controlled and secure process to effectively disseminate cyber threat and response information and data to relevant private and public sector entities. This information sharing system shall reflect state priorities and target identified threat and capability gaps.
(c) Provide recommendations for information technology security standards for all state agencies using, among other things, protocols established by the National Institute for Standards and Technology and reflective of appropriate state priorities.
(d) Compile and integrate, as appropriate, the research conducted by academic institutions, federal laboratories, and other cyber security experts into state operations and functions.
(e) Expand the state's public-private cyber security partnership network.
(f) Expand collaboration with the state's law enforcement apparatus assigned jurisdiction to prevent, deter, investigate, and prosecute cyber attacks and information technology crime, including collaboration with entities like the High-Tech Theft Apprehension Program, and its five regional task forces, the Department of the California Highway Patrol, and the Attorney General's eCrimes unit. Collaboration shall include information sharing that will enhance their capabilities including assistance to better align their activities with federal and local resources, provide additional resources, and extend their efforts into regions of the state not currently represented.
(g) Propose, where appropriate, potential operational or functional enhancement to the state's cyber security assessment and response capabilities, as well as investment or spending recommendation and guidance for the state's information technology budget and procurement.

8574.53. The California Cyber Security Task Force shall take all necessary steps to protect personal information and privacy, public and private sector data, and the constitutional rights and liberties of individuals, when implementing its duties.

8574.54. (a) The California Cyber Security Task Force may issue reports, in addition to the report described in subdivision (c) of Section 8574.51, to the Governor's office and the Legislature detailing the activities of the task force, including, but not limited to, progress on the California Cyber Security Task Force's various tasks and actions taken and recommended in response to an incident, as appropriate.
(b) The reports shall be submitted in compliance with Section 9795.

8574.55. The California Cyber Security Task Force may engage or accept the services of agency or department personnel, accept the services of stakeholder organizations, and accept federal, private, or other nonstate funding, to operate, manage, or conduct the business of the California Cyber Security Task Force.

8574.56. Each department and agency shall cooperate with the California Cyber Security Task Force and furnish it with information and assistance that is necessary or useful to further the purposes of this article.

8574.57. This article shall become inoperative on January 1, 2020, and shall be repealed as of that date.