Skip to main content
Tech

New CISA cybersecurity measures to fight ransomware raise privacy concerns


Ransomware attacks are causing significant damage to organizations of all sizes, exploiting unknown vulnerabilities. To combat this, the Cybersecurity and Infrastructure Security Agency (CISA), a division of the Department of Homeland Security, has initiated the Ransomware Vulnerability Warning Pilot. This program notifies organizations about potential ransomware threats, potentially preventing millions in damages.

QR code for SAN app download

Download the SAN app today to stay up-to-date with Unbiased. Straight Facts™.

Point phone camera here

For example, UnitedHealth Group, suffered a ransomware attack earlier this year, resulting in nationwide health care service outages and costing the company $872 million. The attackers allegedly stole 6 terabytes of patient data and demanded a $22 million ransom.

“We’ve normalized the fact that we have shifted the burden of cybersecurity onto individuals and small businesses, which are least prepared to bear that burden,” CISA Director Jen Easterly said. “We’ve normalized this crazy misalignment of incentives where technology companies have prioritized speed to market and driving down cost and cool features over security.”

By addressing these vulnerabilities, organizations can significantly reduce their risk of becoming victims of cyber extortion and avoid the severe financial consequences that follow.

The pilot program, which currently includes 7,000 organizations, is expected to be fully operational by the end of 2024. It works by CISA identifying vulnerabilities and alerting organizations, providing them with necessary information to patch their systems and prevent attacks.

However, privacy advocates are concerned about one of the tools used in the program — the administrative subpoena. A 2022 review of CISA’s procedures showed that the agency can issue subpoenas to organizations or individuals to gather information on internet-based systems without a court order, as these subpoenas do not require judicial review, and opting out is not possible.

These subpoenas can be issued secretly, without the knowledge or consent of those targeted. CISA can retain personally identifiable information for six months if it relates to a suspected cybersecurity incident.

CISA ensures that personally identifiable information is promptly deleted in accordance with established procedures. Despite this, the lack of judicial oversight and the secretive nature of these subpoenas have raised concerns about potential privacy violations and abuses of power.

CISA also offers its own cybersecurity tools and has started a process for organizations to submit their own free tools and services for both the public and private sectors.

Tags: , , , , ,

[LAUREN TAYLOR]

RANSOMWARE ATTACKS WREAK HAVOC ON ORGANIZATIONS OF ALL SIZES, LEAVING A TRAIL OF DEVASTATION IN THEIR WAKE. THE CULPRIT? MALICIOUS CYBER ATTACKERS EXPLOITING VULNERABILITIES, BUSINESSES AND ORGANIZATIONS ARE UNAWARE OF.

TO COUNTER THIS, THE CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY, PART OF THE DEPARTMENT OF HOMELAND SECURITY, HAS LAUNCHED THE RANSOMWARE VULNERABILITY WARNING PILOT. THIS PROGRAM ALERTS ORGANIZATIONS TO POTENTIAL RANSOMWARE THREATS, POTENTIALLY SAVING MILLIONS IN DAMAGES.

TAKE UNITEDHEALTH GROUP, FOR EXAMPLE, WHICH WAS HIT BY A RANSOMWARE ATTACK EARLIER THIS YEAR, CAUSING NATIONWIDE OUTAGES FOR HEALTHCARE SERVICES. THE ATTACK COST THE COMPANY $872 MILLION IN DAMAGES. HACKERS ALLEGEDLY STOLE 6 TERABYTES OF PATIENT DATA, AND THE RANSOMWARE GROUP CLAIMED A $22 MILLION RANSOM FROM UNITEDHEALTH.

JEN EASTERLY
DIRECTOR | CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

“We’ve normalized the fact that we have shifted the burden of cyber security onto individuals and small businesses, which are least prepared to bear that burden. We’ve normalized this crazy mal alignment of incentives where technology companies have prioritized speed to market and driving down cost and cool features over security.”

[LAUREN TAYLOR]

BY PATCHING THESE WEAKNESSES, ORGANIZATIONS CAN DRASTICALLY REDUCE THEIR RISK OF FALLING PREY TO THESE CYBER EXTORTIONISTS AND AVOID THE COSTLY CONSEQUENCES THAT FOLLOW.

THE RANSOMWARE VULNERABILITY WARNING PILOT PROGRAM, CURRENTLY IN ITS PILOT PHASE WITH 7,000 ORGANIZATIONS PARTICIPATING, AIMS TO BE FULLY OPERATIONAL BY THE END OF 2024.

HERE’S HOW IT WORKS: CISA IDENTIFIES VULNERABILITIES AND ALERTS PARTICIPATING ORGANIZATIONS, PROVIDING THEM WITH THE NECESSARY INFORMATION TO PATCH THEIR SYSTEMS AND PREVENT ATTACKS.

HOWEVER, PRIVACY ADVOCATES HAVE RAISED CONCERNS ABOUT CISA’S IMPLEMENTATION OF ONE OF THEIR PROGRAM’S TOOLS – THE ADMINISTRATIVE SUBPOENA.

A 2022 REVIEW OF CISA’S PROCEDURES SHOWED THAT THE AGENCY CAN SUBPOENA ORGANIZATIONS OR INDIVIDUALS TO PROVIDE INFORMATION ON INTERNET-BASED SYSTEMS WITHOUT A COURT ORDER — THESE SUBPOENAS DO NOT REQUIRE JUDICIAL REVIEW. AND OPTING OUT OR DECLINING IS NOT POSSIBLE.

ADDITIONALLY, THE SUBPOENAS CAN BE ISSUED IN SECRET, WITHOUT THE KNOWLEDGE OR CONSENT OF THE INDIVIDUAL OR ORGANIZATION BEING TARGETED. CISA CAN HOLD ONTO PERSONALLY IDENTIFIABLE INFORMATION THEY FIND FOR SIX MONTHS IF THEY FIND ANY SUSPECTED CYBER SECURITY INCIDENT.

CISA ENSURES THAT EMPLOYEES PROMPTLY DELETE PERSONALLY IDENTIFIABLE INFORMATION IN LINE WITH ESTABLISHED PROCEDURES. HOWEVER, THE ABSENCE OF JUDICIAL OVERSIGHT AND THE SECRETIVE NATURE OF THESE SUBPOENAS HAVE SPARKED WORRIES ABOUT POTENTIAL PRIVACY VIOLATIONS AND ABUSE OF POWER.

CISA OFFERS THEIR OWN CYBER SECURITY TOOLS AND STARTED A PROCESS FOR ORGANIZATIONS TO SUBMIT THEIR OWN FREE TOOLS AND SERVICES FOR THE PUBLIC AND PRIVATE SECTOR.