Governor Signs Bill on Cyberincident Response Standards

A year after a scathing report described California’s information security as weak and vulnerable, Gov. Jerry Brown on Friday signed legislation intended to beef up state agency response standards. The Department of Technology has until July 2018 to craft incident response standards and update the state's Technology Recovery Plan, which hasn’t been updated in the last three years.

Bill author Jacqui Irwin, D-Thousand Oaks, described the standards as a critical step to ensuring California is prepared to respond to a potential cyberattack.

“The power grid, public health care, and the state’s massive, public water system are just a few examples of the state’s overall infrastructure, which now depend on digital controls,” Irwin said in a statement to Techwire after the governor signed her bill.

“Reliance on computers has made these processes more efficient, but also more vulnerable to cyberattacks,” she added.

Irwin, who chairs the Select Committee on Cybersecurity, was among the most vocal critics of the administration after the state auditor last year reported that many state entities had weaknesses in their controls over information security. That left sensitive data “vulnerable to unauthorized use, disclosure, or disruption,” the auditor concluded. The report also faulted the Department of Technology for failing to ensure state agencies had complied with mandated security protocols.

During a legislative hearing examining California’s cybersecurity preparedness, it became apparent the issue of information security was one that crossed multiple jurisdictions. The Technology Department is just one of several entities charged with overseeing cybersecurity in California. The California Highway Patrol investigates reports of cybersecurity crimes on state property, the state Attorney General prosecutes cybercrimes, and the Office of Emergency Services provides intelligence about cyberthreats and crimes.

Frustrated with the lack of overall leadership on cybersecurity, several lawmakers had unsuccessfully sought to name a cyberczar or put the OES in charge of state cyberstrategy. Those efforts fizzled after it became clear the Brown administration was working to coordinate the varying state agencies that oversee cybersecurity through the launch of the California Cybersecurity Integration Center.

Today, representatives from OES, the Department of Technology, the California Highway Patrol, the state Attorney General and the California Military Department sit side by side in a secure room at OES headquarters, where they share classified information about potential threats and gaps and collaborate on cyberstrategy.

Irwin said her measure, AB 1841, is one that builds upon the state’s ongoing cybersecurity efforts.

Under the new law, state agencies will be required to update their own incident recovery plans, detailing how to protect critical information assets so they are available after a disaster and how to get critical systems back online, according to the Assembly floor bill analysis. Agencies must develop those plans and report their compliance to the Department of Technology by July 2019.