11549.45.
(a) (1) The office, the Office of Emergency Services, and the California Military Department shall establish a pilot program to conduct, or require to be conducted, an independent security assessment of election infrastructure that is accessible through an Internet connection in up to five counties that voluntarily choose to participate in the pilot program. The office, the Office of Emergency Services, and the California Military Department shall consult with county elections officials to identify and select counties to participate in the pilot program. The independent security assessments for the first group of participating counties shall be completed no later than January 1, 2020. After completion of those assessments, the office, the Office of Emergency Services, and the California Military Department may conduct additional independent security assessments of election infrastructure in other counties.
(2) In selecting the counties to participate in the pilot program, the following criteria shall be considered to ensure that a diverse and representative group of counties and election systems are assessed through the pilot program:
(A) The type of election management system used by the county.
(B) The election cybersecurity resources available to the county.
(C) Whether the county election department has dedicated information technology or cybersecurity staff or whether the election department shares information technology or cybersecurity staff with other county departments.
(D) Whether the county has undergone, or will undergo, a cybersecurity evaluation performed by the United States Department of Homeland Security.
(E) The size of the voting population of the county.
(b) The office, the Office of Emergency Services, and the California Military Department, in coordination with the county elections officials in the participating counties, shall do all of the following:
(1) Determine criteria and rank counties participating in the pilot program based on an information security risk index that may include analysis of the relative amount of the following factors within counties:
(A) Personally identifiable information protected by law.
(B) Voter registration information.
(C) Information on voted ballots.
(D) Self-certification of compliance and indicators of unreported noncompliance with security provisions in the following areas:
(i) Information asset management.
(ii) Risk management.
(iii) Information security program management.
(iv) Information security incident management.
(v) Technology recovery planning.
(E) Other information identified by the office, the Office of Emergency Services, and the California Military Department, in coordination with the county elections officials, that may present a security risk.
(2) Determine the basic standards of services to be performed as part of independent security assessments required by this subdivision.
(c) The office, the Office of Emergency Services, and the California Military Department shall transmit the complete results of each independent security assessment and recommendations for mitigating system vulnerabilities, if any, to the elections official of the county in which the assessment was conducted and the Secretary of State.
(d) (1) Notwithstanding any other law, during the process of conducting an independent security assessment pursuant to this section, information and records concerning the independent security assessment are confidential and shall not be disclosed, except that the information and records may be transmitted to state employees, state contractors, county employees, and county contractors who have been approved as necessary to receive the information and records to perform that independent security assessment, subsequent remediation activity, or monitoring of remediation activity.
(2) The results of a completed independent security assessment performed pursuant to this section, and any related information, shall be subject to all disclosure and confidentiality provisions pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1), including, but not limited to, Section 6254.19.
(e) The office, the Office of Emergency Services, and the California Military Department shall notify the Department of the California Highway Patrol and the Department of Justice regarding any criminal or alleged criminal cyber activity affecting any state entity or critical infrastructure of state government, and shall notify the district attorney of the county regarding any criminal or alleged criminal cyber activity affecting any county entity or critical infrastructure of the county government.
(f) (1) If one or more independent security assessments are conducted pursuant to this section, the office, the Office of Emergency Services, and the California Military Department shall prepare and submit, pursuant to Section 9795 and by January 1, 2022, a joint report to the Legislature regarding the assessments conducted.
(2) The office, the Office of Emergency Services, and the California Military Department shall develop the report in consultation with the counties in which the assessments were performed.
(3) The report shall include, but not be limited to, all of the following:
(A) An identification of the counties in which assessments were performed.
(B) Information about the costs of the assessments.
(C) A summary of relevant performance metrics, including county satisfaction with the performance of the assessments and a summary of the results of completed assessments, subject to all confidentiality provided for in state law, including, but not limited to, Section 6254.19.
(D) Any legislative recommendations.
(g) For purposes of this section, the following terms have the following meanings:
(1) “Election infrastructure” means storage facilities, polling places, and centralized vote tabulation locations used to support the election process, and information and communications technology to include voter registration databases, vote tabulating devices, and other systems to manage the election process and report and display results.
(2) “Program” means the pilot program established pursuant to this section.
(h) It is the intent of the Legislature to appropriate federal funds dedicated for election cybersecurity to pay for the pilot program created by this section. The pilot program shall not be implemented until either federal funds or other funds, including state funds, are made available for the purpose of this section.
(i) This section shall remain in effect only until January 1, 2023, and as of that date is repealed, unless a later enacted statute, that is enacted before January 1, 2023, deletes or extends that date.