April 21, 2022

TO THE MISSISSIPPI SENATE:

GOVERNOR’S VETO MESSAGE FOR SENATE BILL 2530

I am returning Senate Bill 2530: AN ACT TO AMEND SECTION 25-53-201, MISSISSIPPI CODE OF 1972, TO PROVIDE THAT THE MISSISSIPPI DEPARTMENT OF INFORMATION TECHNOLOGY SERVICES SHALL EVALUATE THE OPPORTUNITIES FOR EXPANDING THE ENTERPRISE SECURITY PROGRAM AND THE COORDINATED OVERSIGHT OF CYBERSECURITY EFFORTS TO INCLUDE THOSE GOVERNING AUTHORITIES DEFINED IN SECTION 25-53-3(F); TO REQUIRE THE DEPARTMENT TO DEVELOP A REPORT ON THESE OPPORTUNITIES AND TO PRESENT THE REPORT TO THE CHAIRMEN OF THE SENATE AND HOUSE OF REPRESENTATIVES ACCOUNTABILITY, EFFICIENCY, TRANSPARENCY COMMITTEES, ATTORNEY GENERAL AND THE CHAIRMAN OF THE SENATE TECHNOLOGY COMMITTEE BY NOVEMBER 1, 2022; TO PROVIDE THAT FROM AND AFTER JULY 1, 2022, ALL STATE AGENCIES AND GOVERNING AUTHORITIES AS DEFINED IN SECTION 25-53-3 SHALL REPORT TO THE MISSISSIPPI DEPARTMENT OF INFORMATION TECHNOLOGY SERVICES ANY DEMAND FOR PAYMENT OR ANY PAYMENT MADE AS A RESULT OF RANSOMWARE; TO DEFINE RANSOMWARE; TO REQUIRE THESE AGENCIES AND AUTHORITIES TO REPORT THIS INFORMATION NO LATER THAN THE NEXT BUSINESS DAY UPON DISCOVERY OF THE RANSOMWARE; TO REQUIRE THE DEPARTMENT TO RECORD ALL INFORMATION SUBMITTED FROM THESE AGENCIES AND AUTHORITIES AND DEVELOP A REPORT ON THIS INFORMATION; TO REQUIRE THE DEPARTMENT TO PRESENT THIS REPORT TO THE LIEUTENANT GOVERNOR, SPEAKER OF THE HOUSE, ATTORNEY GENERAL, CHAIRMEN OF THE SENATE AND HOUSE OF REPRESENTATIVES ACCOUNTABILITY, EFFICIENCY, TRANSPARENCY COMMITTEES AND THE CHAIRMAN OF THE SENATE TECHNOLOGY COMMITTEE; TO REQUIRE THE DEPARTMENT TO PRESENT A YEARLY SUMMARY OF ALL RANSOMWARE INCIDENTS BY NOVEMBER 1 OF EACH YEAR TO THE LIEUTENANT GOVERNOR, SPEAKER OF THE HOUSE, CHAIRMEN OF THE SENATE AND HOUSE OF REPRESENTATIVES ACCOUNTABILITY, EFFICIENCY, TRANSPARENCY COMMITTEES AND THE CHAIRMAN OF THE SENATE TECHNOLOGY COMMITTEE; AND FOR RELATED PURPOSES.

Senate Bill 2530 amends Miss. Code Ann. § 25-53-201 to require the Mississippi Department of Information Technology Services to compile and record incidences of demand for payment as a result of ransomware attacks made against state agencies and other governing authorities and provide a report of same to various members of the Mississippi Legislature. Thereafter by November 1, 2022, the Mississippi Department of Information Technology Services must make a further yearly summary report of such incidences to the same members of the Mississippi Legislature.

It is certain that malicious cyber-attacks and other vulnerabilities such as ransomware are continually evolving and escalating. Enhanced cybersecurity mitigation strategies and solutions are therefore needed not only to protect and defend, but to prepare and equip, the state, its agencies and other governing authorities. I applaud and share the intent of Senate Bill 2530 and both its concern to prepare and protect state agencies and other governing authorities and their associated information systems as well as the need to expand and enhance coordinated oversight over such cybersecurity events and threats.

The risk of publication or disclosure of the reports and related work on such potential vulnerabilities, even from inadvertent dissemination, can lead to further threats and exploitation of such vulnerabilities. For such work to continue, its confidentiality and protection are essential. Accordingly, it is essential to ensure that the security and confidentiality of the entire ransomware reporting contemplated by Senate Bill 2530, including ransomware and all other related cyber vulnerabilities submitted by agency reporting as well as the subsequent reports compiled and submitted by the Mississippi Department of Information Technology Services, be clearly and statutorily protected as a matter of law under provisions such as Miss. Code Ann. § 25-61-11.2 and § 25-53-201(f).

Additionally, while collecting and reporting such events established in Senate Bill 2530 is an important step, cybersecurity is broader than statewide concerns. It is national and frequently international in scope, requiring additional coordination from other offices and stakeholders, such as the Mississippi Office of Homeland Security and the coordinated federal as well as other state resources they can bring to ensure wider cooperation and more effective assessment and implementation of cybersecurity measures.

Despite important goals and intent proposed by Senate Bill 2530, for the reasons above, I am compelled at this time to veto the bill. I encourage all stakeholders to come together to revisit this important issue of state-wide importance prior to the 2023 Legislative session and reach consensus on a unified approach that addresses these concerns with all resources and stakeholders engaged and with all appropriate security and confidentiality measures clearly established.

Respectfully submitted,

TATE REEVES

GOVERNOR