Cybersecurity Took Center Stage in California's 2016 Legislative Session

In an era of burgeoning cybercrime, California lawmakers this year sent Gov. Jerry Brown a series of bills intended to bolster the state’s cybersecurity and craft response plans should an attack occur. The last day of California’s 2016 legislative session was Wednesday.

Reports of government computers breached, state election databases penetrated, hospital networks held hostage by hackers and private retailers asking customers to change their passwords.

In this era of burgeoning cybercrime, California lawmakers this year have sent Gov. Jerry Brown a series of bills intended to bolster the state’s cybersecurity and craft response plans should an attack occur.

“As we have seen just this week with breaches to election databases in Arizona and Illinois, states are under constant assault from cyberattacks,” Kelly Hitt, director of state government for California and Hawaii at CompTIA, said in an email to Techwire.

“It is incumbent upon state governments, much like our member organizations, to secure their computer systems and networks to safeguard users’ data,” she said.

On the governor’s desk are bills that seek to crack down on ransomware attacks, require government entities to inventory data that contain personal information, and mandate state agencies to report annual cybersecurity spending.

The Department of Technology could be tasked with crafting incident response standards that agencies must follow. AB 1841 by Assemblymember Jacqui Irwin, D-Thousand Oaks, would require the standards be incorporated into the State Administrative Manual by 2018.

While a number of state agencies already have crafted incident response plans, some haven’t had the money to implement them, said Srinivas Atluri, vice president of Cyber Security Services at Anvaya Solutions Inc., based in Folsom, Calif.

“What this bill does now, it requires the plans and it will help the agencies get funding to formulate a recovery plan,” said Atluri, whose company provides cybersecurity services to public sector, utilities and private-sector organizations.

“State agencies need to catch up to the security that’s done in the private sector,” Atluri added.

The focus on cybersecurity comes amid reports of security breaches at the White House, U.S. health-care companies, the Democratic National Committee, universities and retailers. Most recently, the FBI this month disclosed it had discovered breaches of voter registration systems in Illinois and Arizona, and it urged states to beef up their computer systems ahead of the November election.

California lawmakers were especially sensitive to cyberissues after a 2015 state auditor report concluded many entities had weaknesses in their controls over information security, leaving some of the state’s sensitive data “vulnerable to unauthorized use, disclosure, or disruption.” The report also faulted the Department of Technology for failing to ensure state entities had complied with mandated security protocols.

That led Sen. Bob Hertzberg, D-Van Nuys, to introduce legislation that would require state agencies to inventory all computerized data that contains personal information, a move security experts say is a critical step to protecting IT assets and responding quickly in the event of a breach. State agencies hold records detailing personal information of millions of Californians in their systems.

SB 1444 also calls for agencies to establish communication procedures between an incident response team, agency officials, and individuals affected by a breach.

The state auditor report also triggered lawmaker curiosity about how much California spends on cybersecurity, an amount the administration could not provide earlier this year during a legislative hearing on cybersecurity. AB 2623 by Assemblymember Rich Gordon, D-Menlo Park, would require state agencies to report their information security spending to the Department of Technology every year.

In an effort to deter hackers in both the public and private sector, lawmakers also approved legislation that would make ransomware a crime of extortion under the state penal code. Under SB 1137, also by Hertzberg, hackers who render computer systems unusable until a ransom is paid could face a two- to four-year jail term and fine of up to $10,000.

While the identity of hackers can often be hard to trace, especially those overseas, security experts welcomed Hertzberg’s push to classify ransomware as extortion.

“Just because it’s hard to go after criminals, doesn’t mean you shouldn’t have something on the books,” Atluri said.

Not all bills that sought to target cybercrime won approval from the Legislature.

Lawmakers earlier this year rejected AB 1881 by Assemblymember Ling Ling Chang, R-Diamond Bar, that would have required the state Chief Information Security Officer to develop baseline security controls for all agencies and departments under its jurisdiction.

They also held back AB 2595 by Assemblymember Eric Linder, R-Corona, that would have codified into law the California Cybersecurity Integration Center. The bill also would have required the Office of Emergency Services to develop a state cybersecurity strategy for California and authorized the OES to administer federal homeland security grant funding.

And the state won’t be administering a so-called “bug bounty” program where individuals who find network vulnerabilities could be eligible for a monetary reward. AB 2720 by Assemblymember Ed Chau, D-Arcadia, sought to replicate programs used widely by the tech industry in an effort to fix bugs before they can be exploited by hackers.