Calling California’s cybersecurity efforts disjointed, Assemblymember Jacqui Irwin is pushing legislation that would charge the Governor’s Office of Emergency Services with helping government and the private sector counter threats against critical infrastructure.
The Democrat from Thousand Oaks introduced AB 1841 on Feb. 9 in response to a state auditor report last August that found most state agencies woefully unprepared for a cyberattack.
“The governance structure for California’s cybersecurity is disjointed and accountability is falling through the cracks,” Irwin said in a statement provided to Techwire. “As cybersecurity increasingly threatens the critical infrastructure we rely on for vital services such as health care, transportation and clean drinking water, we must do better.”
Irwin is among a number of lawmakers who have expressed concern that no one agency is leading California’s cybersecurity efforts.
The Department of Technology provides training and guidelines to state entities seeking to boost their cybersecurity, the California Highway Patrol investigates cybercrimes on state property, the state attorney general prosecutes cybercrimes, and the Office of Emergency Services provides intelligence about cyberthreats and crimes.
Last year, Gov. Jerry Brown signed an executive order that created the California Cybersecurity Integration Center under OES in a bid to strengthen the state’s cybersecurity strategy. However, lawmakers say the state needs more coordination.
Irwin’s bill states that OES is up to the task of creating a statewide cybersecurity response plan because it is the lead executive entity that coordinates state resources for emergency preparedness, response and damage mitigation.
Specifically, the bill directs OES to develop a statewide emergency services response plan for cybersecurity threats to critical infrastructure by July 1, 2017.
At an Assembly hearing last week on cybersecurity, several lawmakers warned of the disruption in services that could result from a major data breach or cyberattack on critical infrastructure. For example, power plants, water treatment facilities and refineries all use digital controls to operate — making them more susceptible to a cyberattack.
In the first half of 2015 alone, the Department of Homeland Security responded to 108 cyberincidents impacting electricity, water, health care, communications, financial and manufacturing systems, and other critical infrastructure, according to Irwin’s office.
Irwin’s bill would require OES to set standards by July 1, 2018, for state agencies and private entities to follow in mitigating such threats. State agencies would be required to submit a cybersecurity strategy to OES for review, and the private sector would be authorized to do so.
The bill is before the Privacy and Consumer Protection and the Governmental Organization committees in the Assembly.