In recognition of the increasing threat that cyber-attacks pose to the state's infrastructure and the considerable costs that government and private sectors are estimated to spend on cyber security (more than $70 billion estimated to be spent in 2014 nationally), Assembly Speaker John Perez has introduced a bill to establish a "Cyber Security Commission."
The bill (AB 2200), if passed, would authorize the proposed commission to develop public-private partnerships to share cyber security and cyber threat information and to improve cyber security and cyber response strategies. The commission is required to meet monthly and submit quarterly reports to the Governor's Office and Legislature on the status and progress of cyber security efforts.
The commission would be comprised of a wide range of representatives from the Legislature, private industry, state, local, and federal government, including the following or their designees who have knowledge in information technology and information security: the California Director of Technology, the Chief of the California Office of Information Security, the President of the California Public Utilities Commission, representatives from the state universities, private sectors (retail, finance, utilities, healthcare or technology), the FBI, and the federal Department of Justice.
Among other things, AB 2200 requires the Cyber Security Commission to work with the U.S. Department of Homeland Security to define information sharing systems regarding cyber threat monitoring and response; expand public-private cyber security partnerships; recommend minimum security standards for all state agencies; and establish cyber-attack response strategies and a hierarchy of command in the state.
AB 2200 is the latest in the state's recent efforts to address cyber security threats:
• In 2012, the California Public Utilities Commission authorized the state's three large electric utilities to contract with the Lawrence Livermore National Laboratory to spend up to $150 million on research and development ("R&D") projects related to, among other things, cyber security and grid integration. Subsequently, in 2013, a law was passed to allow recovery from electric utility ratepayers as to R&D costs for cyber security and grid integration projects (SB 1286 was recently introduced in February 2014 to increase the limits of such recovery from $35 million to $60 million).
• In May 2013, the State established a Cyber Security Task Force to identify critical threats, increasing awareness of state compliance with federal National Institute of Standards and Technology (NIST) standards.
• In February 2014, the California Attorney General's Office issued an advisory to businesses on how to protect themselves against cybercrime and data breaches.
Stating that "[c]yber criminals could create significant problems for the state's electrical grid, water treatment plants, and air traffic control systems," Assembly Speaker Perez emphasized that "it is imperative that we form a state-led commission that allows California to take a leading role on cybersecurity issues, and to take a critical step in helping ensure public safety on this front."
The State is clearly taking a lead in this area, just as it did in the consumer privacy realm. Here, the two disciplines may intersect, with privacy or confidentiality issues creating additional issues in sharing cyber security information. The recently released NIST framework encourages organizations to leverage information sharing processes, but also advises them to establish processes "to assess and address whether, when, how, and the extent to which personal information is shared outside the organization as part of cybersecurity information sharing activities." Concerns about sharing personal information in order to address cybersecurity threats, however, presented an insurmountable obstacle in previously introduced federal legislation regarding a similar proposal. Specifically, the Cyber Intelligence Sharing and Protection Act (2011) was passed by the House in 2012, but stalled in the Senate. It would have allowed for voluntary information sharing between private companies and the government in the event of a cyber-attack and provided a "safe harbor" for private companies that shared such information, but was criticized by privacy advocates who feared potential abuse of such information. It remains to be seen how these privacy issues will be addressed if this bill was passed, but the proposed committee may look to already established Information Sharing and Analysis Centers (ISACs), such as in the financial and technology industries, where members can share security and vulnerability threats.