Assemblymember Irwin has served as the Chair of the Assembly Select Committee on Cybersecurity since its creation by Speaker Toni Atkins during the 2015-2016 Legislative Session. Speaker Anthony Rendon has continued the Select Committee for the '17-'18, '19-'20, and '21-'22 Legislative Sessions.
The Committee’s work so far has uncovered important and valuable information on the state of cybersecurity in California. As a result of the Committee’s hearings, numerous legislative proposals were authored, many became law, and the executive branch has changed both policy and personnel. However, even with our accomplishments, this issue is one of rapidly growing, not declining, importance. The State still bears a continuing responsibility to assess, prepare, educate, and protect our private and public operations from the rising threat of cyber-attacks.
The current membership of the Select Committee:
Jacqui Irwin, Chair
The scope of the Select Committee includes the following:
- Identify the existing resources, jurisdiction, and capabilities of the State. Currently, a clear understanding of the cybersecurity relationship between the federal, state, and local governments is lacking. Even among state agencies, there is work to be done to clarify cybersecurity responsibility. Defining the resources and activities within the state, public and private, that can be utilized in a comprehensive state-wide cybersecurity effort will help illustrate weaknesses and gaps in security that need to be addressed, as well as produce guidance for policy, procurement, and investments.
- Grow California’s cybersecurity workforce, training programs, and educational opportunities. Consider the development of job training programs with the state’s higher education and labor entities to produce a credentialed and qualified state cybersecurity workforce to meet growing demand. Invite testimony from businesses that employ cyber professionals and those experiencing a shortage of qualified labor. Compile and consider the integration of the research conducted by academic institutions, federal laboratories, and other cybersecurity experts into state operations.
- Promote legislative, administrative, and regulatory actions to enhance cybersecurity assessment, preparedness, and response capability in California. Examine current cybersecurity policy for state networks and the level of compliance, as well as the recommended standards for the private sector. This includes evaluation of appropriate levels of information sharing with the federal government and private sector for the purpose of preventative actions.
- Pursue funding opportunities, private-public partnerships, and economic development. The Select Committee will coordinate the pursuit of fiscal resources including federal grants, requests for proposals, and private funding opportunities that will enhance the State’s cybersecurity goals. This includes building partnerships between government and private companies and demonstrating the reciprocity and economic benefit of safe networks.
Wednesday, February 23rd, 2022, Room 126, State Capitol
Topic: State High-Risk Update—Information Security: The California Department of Technology's Inadequate Oversight Limits the State’s Ability to Ensure Information Security (2021-602)
The work the Select Committee completed in prior sessions includes ten informational hearings.
The work of the Select Committee has also informed the consideration of a number of bills signed into law including:
- AB 670 (Irwin) (Chapter 518 of 2015) AB 670 requires the Office of Information Security, in consultation with the Office of Emergency Services, to require at least 35 assessments of state agencies and departments per year based upon a prioritized risk index. These assessments will ensure that California’s resources are targeted to known risks, such as large stores of personal data, health and financial information, or records of non-compliance.
- AB 1841 (Irwin) (Chapter 508 of 2016) AB 1841 requires the inclusion of cybersecurity strategy incident response standards in the Technology Recovery Plans for each state agency to secure its critical infrastructure controls and critical infrastructure information.
- AB 2623 (Gordon, Irwin) (Chapter 389 of 2016) AB 2623 requires agencies and departments to annually report to the Department of Technology a summary of their actual and projected information security costs.
- AB 1580 (Gatto, Irwin) (Chapter 494 of 2016) AB 1580 requires consumer credit reporting agencies to place security freezes at the request of protected consumers, including minors under the age of 16, to mitigate the impacts of data breaches on the financial futures of children.
- AB 1022 (Irwin) (Chapter 790 of 2017) AB 1022 requires agencies and departments, and allows local entities, to report an inventory of their critical infrastructure controls to the California Department of Technology (CDT). Reporting inventories to CDT will increase oversight of projects, budgets, and security and allow for efficient use of taxpayer funds.
- AB 1906 (Irwin) (Chapter 860 of 2018) AB 1906 requires Internet of Things (IoT) devices sold in California to have reasonable security features. With the widespread adoption of IoT devices in Smart Homes and Smart Cities, the lack of security on these devices has left millions of devices vulnerable to hacking. This threatens not only the privacy of users but also the internet ecosystem, with IoT botnets using consumer devices to attack and take down major websites.
- AB 2813 (Irwin) (Chapter 768 of 2018) AB 2813 establishes in statute the California Cybersecurity Integration Center (Cal-CSIC) within the Office of Emergency Services, with its primary mission to reduce the likelihood and severity of cyber incidents that could damage California’s economy, its critical infrastructure, or public and private sector computer networks in the state.
- AB 1043 (Irwin) (Chapter 46 of 2019) AB 1043 safeguards our elections by allowing candidates for public office and their staff to use campaign funds to purchase cybersecurity technology and services.
- AB 1044 (Irwin) (Chapter 106 of 2019) AB 1044 authorizes the Secretary of State to require individuals who apply for access to voter registration information to complete free cybersecurity training.
- AB 531 (Irwin) (Vetoed) AB 531 would have required the Office of Information Security to review the current data security practices of the State, evaluate any new data security technologies available, and then create a plan to implement the best available security technologies.