Ransomware vulnerability warning pilot yielding valuable lessons, CISA official says
The program aims to improve information sharing on cyber vulnerabilities across all levels of government, focusing on resource-poor organizations such as state, local, tribal and territorial agencies.
An interagency pilot project aiming to bolster national cybersecurity has been a critical force in expanding proactive information sharing about ransomware vulnerabilities across the public and private sectors, according to an official from the Cybersecurity and Infrastructure Security Agency.
Gabriel Davis, risk operations federal lead within the vulnerability subdivision of CISA's cybersecurity arm, said at FCW's 2023 Cyber Summit Wednesday that the ransomware vulnerability warning pilot launched in March has already served as a valuable learning process.
“The number one indicator of whether or not a vulnerability is going to be exploited is whether it’s been exploited before,” said Davis during a keynote discussion on protecting critical infrastructure. “Gone are the days where we passively vulnerability scan at the perimeter and hope everything is OK – the threat actors are moving too fast.”
Congress required the establishment of the ransomware vulnerability warning pilot under the Cyber Incident Reporting for Critical Infrastructure Act to help cope with a rise in cyberattacks targeting resource-poor environments like hospitals, schools and water systems. CISA has spearheaded the pilot, along with the Joint Ransomware Task Force, which CIRCIA also established and which the FBI co-chairs.
The program is “designed to be shared amongst a large group of government agencies and the private sector” to address known vulnerabilities that can potentially impact critical infrastructure owners and operators across the country, Davis said.
The pilot kicked off with an initial round of warning notifications related to the ProxyNotShell vulnerability, Davis said, which targeted Microsoft Exchange servers and left more than 60,000 of those servers susceptible to attacks. The exploited flaws were reported late last year and impacted both on-premises and hybrid Microsoft Exchange server networks.
Davis added that his team is prioritizing their efforts in resource-poor organizations, including state, local, tribal and territorial governments “that don’t have multimillion dollar budgets that can defend themselves effectively.”
“We know where the troubles are,” he said. “We’re seeing more and more information sharing, and again, that community defense approach is the only way we’re going to get through this.”
As the pilot continues, Davis said his team will be reviewing historic data to measure progress in proactively mitigating threats associated with ransomware attacks and known vulnerabilities.
CISA has launched a number of similar interagency partnerships, including the Joint Cyber Defense Collaborative, an information-sharing public-private collaborative that leverages expanded authorities under the fiscal 2021 National Defense Authorization Act.
“It’s all about the relationships,” Davis added, noting the importance of building partnerships across the federal government and the private sector. “It’s about letting those organizations know this is what we see, this is what we’re encountering, we understand that you’re resource constrained – let us help you.”