Appropriations Committee Delays Action on Cybersecurity Bills

Five cybersecurity bills were moved to the suspense file, giving lawmakers time to address concerns involved with securing the state’s information systems against potential hackers.

The Assembly Appropriations Committee on Wednesday delayed action on a handful of bills intended to boost California’s cybersecurity, including the completion of a statewide cybersecurity plan and implementation of baseline security controls.

To help reduce the cost of AB 1881, author Assemblymember Ling Ling Chang, R-Diamond Bar, has drafted amendments that would spread security updates from annually to every three years.

Her measure would require the state chief information security officer to develop baseline security controls for all agencies and departments under its jurisdiction.

A 2015 report by the state auditor found that 95 percent of surveyed departments and agencies stated they were not fully in compliance with state security standards.

Chang’s bill would codify the federal National Institute of Standards and Technology standards into state law, as well as give the Department of Technology the ability to use additional standards.

Assemblymember Jacqui Irwin, D-Thousand Oaks, is also working to fine-tune legislation that would require the Office of Emergency Services (OES) to finish a statewide emergency services response plan for cybersecurity threats on critical infrastructure.

OES has been working on such a plan for the last five years, and it has not said when the document would be finalized.

Just two of the five steps have been completed to develop the response plan — identifying and engaging stakeholders and forming a working group, according to a Department of Technology briefing document referenced in the latest bill analysis. Three steps remain: clarify authorities, roles and responsibilities; develop functional annex; and develop concept of operations.

Irwin’s bill would require that a response plan be completed by July 1, 2017, and that a comprehensive cybersecurity strategy be in place by Jan. 1, 2018.

Other measures moved to the suspense calendar include:

  • AB 2623 by Assemblymember Rich Gordon, D-Menlo Park, would require state agencies and entities to report information security expenditures to the Department of Technology. Lawmakers have said such information would help them decide where to allocate resources when budget requests come before them.
  • AB 2595 by Assemblymember Eric Linder, R-Corona, would codify the California Cybersecurity Integration Center that Gov. Jerry Brown created in a 2015 executive order. The bill would also require the Office of Emergency Services to develop a state cybersecurity strategy for California and authorize the OES to administer federal homeland security grant funding.
  • AB 2720 by Assemblymember Ed Chau, D-Arcadia, authorizes the state to create a “bug bounty” program that offers a monetary reward to individuals who find network vulnerabilities and report them to state cybersecurity experts. Such programs are used widely in the tech industry in an effort to fix bugs before they can be exploited by hackers.