Two bills that proponents say would bolster the state's cybersecurity readiness cleared the Assembly Committee on Privacy and Consumer Protection on Tuesday.
Legislation that would push California to finish the state's cybersecurity emergency response plan passed by a 11-0 vote and now moves to the Committee on Governmental Organization.
The bill's author, Assemblymember Jacqui Irwin, D-Thousand Oaks, told the privacy committee that the bill, AB 1841, would establish a six-month time frame for incident response planning within the state government. In future years, agencies and departments also would be required to report to Cal OES on how they're adhering to cybersecurity preparedness standards.
Calling California's state government a "priority target" for hackers, Irwin asserted that California's response plan "remains incomplete."
"Despite years of effort to create such a plan for cybersecurity purposes, our state has yet to do so. As cybersecurity incidents become more frequent and more sophisticated, we see that this issue is too important to be left unfinished and without accountability," Irwin said.
Two Republicans members on the Assembly committee — Assemblymember Kristin Olsen, R-Modesto and Assemblymember Scott Wilk, R-Santa Clarita — discussed how AB 1841 would require information about the cyber emergency response plan to be posted online. Irwin responded that functions, not details about the plan, would be put on the Web.
Irwin’s bill would require OES to set standards by July 1, 2018, for state agencies and private entities to follow and mitigate such threats. State agencies would be required to submit a cybersecurity strategy to OES for review, and the private sector would be authorized to do so.
Irwin said Tuesday that several law enforcement agencies are supporting AB 1841.
Another bill that would authorize the Department of Technology's information security office to create a Cybersecurity Vulnerability Reporting Reward Program also cleared the privacy committee on an 11-0 vote. The so-called "bug bounty" program would pay monetary rewards of $100 to $5,000 to volunteers who discover and report unknown vulnerabilities in the state's computer systems.
"AB 2720 would borrow an industry best practice from Silicon Valley and apply it to the state government by establishing a first-of-its-kind program to improve the cybersecurity of state websites, networks and also online services, said Assemblymember Ed Chau, D-Monterey Park, the privacy committee's chair, about his bill.
CompTIA and the Internet Association said they support AB 2720, noting it would emulate what's being done in the private sector.
Wilk said he's afraid the state might not be competitive with payouts available from private-sector companies like Google. Chau said he'll be working with the Appropriations Committee to determine that total amount of funding for the bug bounties.
