S03407 Summary:

BILL NO    S03407A

SAME AS    SAME AS A06130-A

SPONSOR    CROCI

COSPNSR    AVELLA, CARLUCCI, DEFRANCISCO, FLANAGAN, FUNKE, GOLDEN, MARTINS, NOZZOLIO

MLTSPNSR
 
Add §719, Exec L
 
Requires the formation of a cyber security advisory board and the implementation of a cyber security initiative.

S03407 Actions:

BILL NO    S03407A

02/06/2015  REFERRED TO RULES
02/09/2015  ORDERED TO THIRD READING CAL.77
02/25/2015  PASSED SENATE
02/25/2015  DELIVERED TO ASSEMBLY
02/25/2015  referred to governmental operations
01/06/2016  died in assembly
01/06/2016  returned to senate
01/06/2016  REFERRED TO VETERANS, HOMELAND SECURITY AND MILITARY AFFAIRS
01/07/2016  AMEND AND RECOMMIT TO VETERANS, HOMELAND SECURITY AND MILITARY AFFAIRS
01/07/2016  PRINT NUMBER 3407A
01/11/2016  REPORTED AND COMMITTED TO FINANCE
04/11/2016  1ST REPORT CAL.587
04/12/2016  2ND REPORT CAL.
05/03/2016  ADVANCED TO THIRD READING
05/04/2016  PASSED SENATE
05/04/2016  DELIVERED TO ASSEMBLY
05/04/2016  referred to governmental operations

S03407 Floor Votes:

There are no votes for this bill in this legislative session.

S03407 Text:



 
                STATE OF NEW YORK
        ________________________________________________________________________
 
                                         3407--A
 
                               2015-2016 Regular Sessions
 
                    IN SENATE
 
                                    February 6, 2015
                                       ___________
 
        Introduced  by  Sens.  CROCI, AVELLA, CARLUCCI, FLANAGAN, FUNKE, GOLDEN,
          MARTINS, NOZZOLIO -- read twice and ordered printed, and when  printed
          to  be  committed  to  the  Committee  on  Rules -- recommitted to the
          Committee on Veterans,  Homeland  Security  and  Military  Affairs  in
          accordance  with  Senate  Rule 6, sec. 8 -- committee discharged, bill
          amended, ordered reprinted as amended and recommitted to said  commit-
          tee
 
        AN  ACT  to  amend  the  executive  law, in relation to a cyber security
          initiative
 
          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:
 
     1    Section 1. The executive law is amended by adding a new section 719 to
     2  read as follows:
     3    § 719. New York state cyber security initiative.  1. Legislative find-
     4  ings.  The legislature finds and declares that repeated cyber intrusions
     5  into critical infrastructure, effecting government, private sector busi-
     6  ness, and citizens of the state of New York, have demonstrated the  need
     7  for improved cyber security.
     8    The  legislature  further  finds  and  declares that this cyber threat
     9  continues to grow and represents one of the most serious public security
    10  challenges that New York must confront. Moreover, the  security  of  the
    11  state  of  New  York  depends  on  the  reliable functioning of New York
    12  state's critical infrastructure, and private sector business  interests,
    13  as  well  as  the protection of the finances and individual liberties of
    14  every citizen, in the face of such threats.
    15    The legislature additionally finds and declares that  to  enhance  the
    16  security, protection and resilience of New York state's critical infras-
    17  tructure,  and  private  sector  business  interests,  as  well  as  the
    18  protection of the finances and individual liberties  of  every  citizen,
    19  the  state  of New York must promote a cyber environment that encourages
    20  efficiency, innovation, and economic prosperity, and  that  can  operate
 
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD09031-02-5

        S. 3407--A                          2
 
     1  with  safety,  security,  business  confidentiality,  privacy, and civil
     2  liberty.
     3    The  legislature further finds and declares that to create such a safe
     4  and secure cyber environment for government, private sector business and
     5  individual citizens, New York must advance, in addition to  its  current
     6  efforts  in this field, a New York state cyber security initiative, that
     7  establishes a New York state cyber security advisory board; a  New  York
     8  state  cyber  security partnership program with the owners and operators
     9  of critical infrastructure, private sector business, academia, and indi-
    10  vidual citizens to improve, develop and implement  risk-based  standards
    11  for government, private sector businesses and individual citizens; and a
    12  New York state cyber security information sharing program.
    13    2.  Critical  infrastructure  and information systems. As used in this
    14  section, the term  "critical  infrastructure  and  information  systems"
    15  shall mean all systems and assets, whether physical or virtual, so vital
    16  to  the government, private sector businesses and individual citizens of
    17  the state of New York that the incapacity or destruction of such systems
    18  and assets would have a debilitating impact to the security, economy, or
    19  public health of the individual citizens, government, or private  sector
    20  businesses of the state of New York.
    21    3.  New  York  state cyber security advisory board. (a) There shall be
    22  within the division of homeland security and emergency services,  a  New
    23  York  state cyber security advisory board, which shall advise the gover-
    24  nor and the legislature on  developments  in  cyber  security  and  make
    25  recommendations  for  protecting the state's critical infrastructure and
    26  information systems.
    27    (b) The board members shall consist of eleven members appointed by the
    28  governor, with three members appointed upon recommendation of the tempo-
    29  rary president of the senate, and three members appointed at the  recom-
    30  mendation of the speaker of the assembly. All members so appointed shall
    31  have  expertise  in cyber security, telecommunications, internet service
    32  delivery, public protection, computer systems and/or computer networks.
    33    (c) The board shall  investigate,  discuss  and  make  recommendations
    34  concerning  cyber  security issues involving both the public and private
    35  sectors and what steps can be taken by New York state to  protect  crit-
    36  ical   cyber   infrastructure,   financial  systems,  telecommunications
    37  networks, electrical grids, security systems,  first  responder  systems
    38  and  infrastructure,  physical  infrastructure  systems,  transportation
    39  systems, and such other and further sectors of state government and  the
    40  private sector as the advisory board shall deem prudent.
    41    (d) The purpose of the advisory board shall be to promote the develop-
    42  ment of innovative, actionable policies to ensure that New York state is
    43  in the forefront of public cyber security defense.
    44    (e)  The  members  of the advisory board shall receive no compensation
    45  for their services, but may receive actual and necessary  expenses,  and
    46  shall not be disqualified for holding any other public office or employ-
    47  ment by means of their service as a member of the advisory board.
    48    (f)  The  advisory board shall be entitled to request and receive, and
    49  shall be provided with, such facilities, resources and data of any agen-
    50  cy, department, division, board, bureau, commission, or public authority
    51  of the state, as they may reasonably  request,  to  carry  out  properly
    52  their powers, duties and purpose.
    53    4.  New  York  state  cyber  security information sharing and analysis
    54  program. (a) The division of homeland security and  emergency  services,
    55  in  consultation with the division of the state police, the state office
    56  of information technology services, and the center for internet  securi-

        S. 3407--A                          3
 
     1  ty,  shall  establish,  within  sixty days of the effective date of this
     2  section, a voluntary New York state cyber security  information  sharing
     3  and analysis program.
     4    (b)  It  shall  be  the  purpose  of the New York state cyber security
     5  information sharing and analysis program to increase the volume, timeli-
     6  ness, and quality of cyber threat information shared with New York state
     7  public and private sector entities so that  these  entities  may  better
     8  protect  and  defend themselves against cyber threats and to promote the
     9  development of effective defenses and strategies to combat, and  protect
    10  against, cyber threats and attacks.
    11    (c)  To  facilitate  the purposes of the New York state cyber security
    12  information sharing and analysis program, the division of homeland secu-
    13  rity and emergency services, shall promulgate regulations, in accordance
    14  with the provisions of this subdivision.
    15    (d) The regulations shall provide for the timely production of unclas-
    16  sified reports of cyber threats to New York state  and  its  public  and
    17  private  sector  entities,  including  threats  that identify a specific
    18  targeted entity.
    19    (e) The regulations shall address the need to protect intelligence and
    20  law enforcement sources, methods, operations,  and  investigations,  and
    21  shall  further establish a process that rapidly disseminates the reports
    22  produced pursuant to paragraph (d) of  this  subdivision,  to  both  any
    23  targeted  entity  as  well  as such other and further public and private
    24  entities as the division shall deem necessary to advance the purposes of
    25  this subdivision.
    26    (f) The regulations shall provide for protections from  liability  for
    27  entities sharing and receiving information with the New York State cyber
    28  security  information  and analysis program, so long as the entity acted
    29  in good faith.
    30    (g) The regulations shall further establish a system for tracking  the
    31  production,  dissemination,  and  disposition of the reports produced in
    32  accordance with the provisions of this subdivision.
    33    (h) The regulations shall also establish an  enhanced  cyber  security
    34  services  program,  within  New  York  state, to provide for procedures,
    35  methods and directives, for a  voluntary  information  sharing  program,
    36  that  will provide cyber threat and technical information collected from
    37  both public and private sector entities,  to  such  private  and  public
    38  sector  entities as the division deems prudent, to advise eligible crit-
    39  ical infrastructure companies or commercial service providers that offer
    40  security services to critical infrastructure on cyber  security  threats
    41  and defense measures.
    42    (i)  The regulations shall also seek to develop strategies to maximize
    43  the utility of cyber threat information sharing between and  across  the
    44  private and public sectors, and shall further seek to promote the use of
    45  private  and public sector subject matter experts to address cyber secu-
    46  rity needs in New York state, with these subject matter experts  provid-
    47  ing  advice  regarding  the content, structure, and types of information
    48  most useful to critical infrastructure owners and operators in  reducing
    49  and mitigating cyber risks.
    50    (j)  The  regulations  shall  further seek to establish a consultative
    51  process to coordinate improvements to the  cyber  security  of  critical
    52  infrastructure,  where  as  part of the consultative process, the public
    53  and private entities of the state of New York shall engage and  consider
    54  the  advice of the division of homeland security and emergency services,
    55  the division of the state police, the state office of information  tech-
    56  nology  services,  the  center for internet security, the New York state

        S. 3407--A                          4
 
     1  cyber security advisory board, the programs established by this subdivi-
     2  sion, and such other and further private  and  public  sector  entities,
     3  universities,  and  cyber  security  experts as the division of homeland
     4  security and emergency services may deem prudent.
     5    (k)  The regulations shall further seek to establish a baseline frame-
     6  work to reduce cyber risk to critical infrastructure, and shall seek  to
     7  have  the  division  of  homeland  security  and  emergency services, in
     8  consultation with the division of state  police,  the  state  office  of
     9  information  technology  services, and the center for internet security,
    10  lead the development of a voluntary framework to reduce cyber  risks  to
    11  critical  infrastructure,  to  be known as the cyber security framework,
    12  which shall:
    13    (i) include a set of standards, methodologies, procedures,  and  proc-
    14  esses  that  align  policy,  business,  and  technological approaches to
    15  address cyber risks;
    16    (ii) incorporate voluntary consensus standards and industry best prac-
    17  tices to the fullest extent possible;
    18    (iii) provide a prioritized, flexible, repeatable,  performance-based,
    19  and cost-effective approach, including information security measures and
    20  controls,  to help owners and operators of critical infrastructure iden-
    21  tify, assess, and manage cyber risk;
    22    (iv) focus on identifying cross-sector security standards  and  guide-
    23  lines applicable to critical infrastructure;
    24    (v)  identify  areas  for improvement that should be addressed through
    25  future collaboration with particular  sectors  and  standards-developing
    26  organizations;
    27    (vi)  enable  technical  innovation  and  account  for  organizational
    28  differences, to provide guidance that is  technology  neutral  and  that
    29  enables  critical  infrastructure  sectors to benefit from a competitive
    30  market for products and services that meet the standards, methodologies,
    31  procedures, and processes developed to address cyber risks;
    32    (vii) include guidance for measuring the performance of an  entity  in
    33  implementing the cyber security framework;
    34    (viii)  include  methodologies to identify and mitigate impacts of the
    35  cyber security framework and associated information security measures or
    36  controls on business confidentiality, and to protect individual  privacy
    37  and civil liberties; and
    38    (ix)  engage in the review of threat and vulnerability information and
    39  technical expertise.
    40    (l) The regulations shall additionally establish a voluntary  critical
    41  infrastructure  cyber  security  program  to support the adoption of the
    42  cyber security framework by owners and operators of critical infrastruc-
    43  ture and any other interested entities, where under this program  imple-
    44  mentation  guidance  or  supplemental  materials  would  be developed to
    45  address sector-specific risks and operating environments, and  recommend
    46  legislation for enactment to address cyber security issues.
    47    (m)  In developing the New York state cyber security information shar-
    48  ing and analysis program in  accordance  with  the  provisions  of  this
    49  subdivision,  the  division of homeland security and emergency services,
    50  in consultation with the division of state police, the state  office  of
    51  information  technology  services, and the center for internet security,
    52  shall produce and submit a report, to the governor, the temporary presi-
    53  dent of the senate, and the speaker of the assembly, making  recommenda-
    54  tions  on  the  feasibility,  security  benefits, and relative merits of
    55  incorporating security standards into acquisition planning and  contract
    56  administration.  Such  report  shall  further  address what steps can be

        S. 3407--A                          5
 
     1  taken to harmonize and make consistent existing procurement requirements
     2  related to cyber security and the feasibility  of  including  risk-based
     3  security standards into procurement and contract administration.
     4    5.  New York state cyber security critical infrastructure risk assess-
     5  ment report.  (a)  The  division  of  homeland  security  and  emergency
     6  services,  in  consultation with the division of state police, the state
     7  office of information technology services, and the center  for  internet
     8  security,  within  one hundred twenty days of the effective date of this
     9  section, shall produce a New York state cyber security critical  infras-
    10  tructure risk assessment report.
    11    (b)  The  production  of  the  New  York state cyber security critical
    12  infrastructure risk assessment report shall use a risk-based approach to
    13  identify critical infrastructure where a cyber security  incident  could
    14  reasonably  result  in  catastrophic  regional  or state-wide effects on
    15  public health or  safety,  economic  distress,  and/or  threaten  public
    16  protection of the people and/or property of New York state.
    17    (c)  The  production  of the report shall further use the consultative
    18  process and draw upon the expertise of and advice  of  the  division  of
    19  homeland  security and emergency services, the division of state police,
    20  the state office of information  technology  services,  the  center  for
    21  internet security, the New York state cyber security advisory board, the
    22  programs established by this section, and such other and further private
    23  and  public sector entities, universities, and cyber security experts as
    24  the division of  homeland  security  and  emergency  services  may  deem
    25  prudent.
    26    (d)  The  New  York  state cyber security critical infrastructure risk
    27  assessment report shall be delivered  to  the  governor,  the  temporary
    28  president  of  the senate, the speaker of the assembly, the chair of the
    29  senate standing committee on veterans, homeland  security  and  military
    30  affairs,  and  the  chair  of the assembly standing committee on govern-
    31  mental operations.
    32    (e) Where compliance with this section shall require the disclosure of
    33  confidential information, or the  disclosure  of  sensitive  information
    34  which  in  the  judgment of the commissioner of the division of homeland
    35  security and emergency services would jeopardize the cyber  security  of
    36  the state:
    37    (i)  such  confidential  or sensitive information shall be provided to
    38  the persons entitled to receive the report, in the  form  of  a  supple-
    39  mental appendix to the report; and
    40    (ii)  such supplemental appendix to the report shall not be subject to
    41  the provisions of the freedom of information law pursuant to article six
    42  of the public officers law; and
    43    (iii) the persons entitled to receive  the  report  may  disclose  the
    44  supplemental  appendix  to  the  report to their professional staff, but
    45  shall not otherwise publicly disclose such confidential or secure infor-
    46  mation.
    47    § 2. This act shall take effect immediately.