The head of the Cybersecurity and Infrastructure Security Agency (CISA) said Wednesday that some of the agency’s key ransomware initiatives have sent out more than 2,000 warnings of vulnerabilities over the last year.
CISA Director Jen Easterly said about 7,000 entities across all sectors have signed up for the agency’s Ransomware Vulnerability Warning Pilot (RVWP) – and she expects that number to grow by the end of 2024.
In March 2023, CISA launched the RVWP to reduce the “prevalence of ransomware by using our vulnerability scanning tools to let businesses know if they have vulnerabilities that need to be patched,” Easterly said during the Ransomware Task Force’s annual convening in D.C. on April 24.
“We’ll send out notifications to elements that have signed up for our cyber hygiene scanning … and will let them know you need to patch this vulnerability and it’s got that extra urgency if it’s one that’s been used for ransomware,” Easterly said. “Since we started that, we’ve done that 2,049 times to all sectors.”
“We have 7,000 folks, entities, across the country that are signed up for cyber hygiene,” she continued. “That number will go up I think precipitously in the coming year when we kick off the new program, which is called ReadySetCyber.”
CISA launched the ReadySetCyber initiative in August to collect information and provide tailored technical assistance, services, and resources to critical infrastructure organizations.
Easterly said the new initiative is currently in a piloting phase, but CISA hopes to be able to formally launch it by the end of the year.
“That will help us automate these capabilities so that you can get this information much more rapidly,” she added.
The CISA lead also noted that the agency’s Pre-Ransomware Notification Initiative has sent out about 2,000 warnings.
“Folks who can see malware being laid down on entities, they reach out to us,” Easterly explained. “[We] notify vulnerable entities that are either in early stages of ransomware or early stages of impact, so it’s reducing the impact and lets them know that you’re going to have a bad day if you don’t do X, Y, and Z.”
“I imagine [ransomware] numbers would be much, much higher, frankly, if this community had not come together over the last three years to try and put some of this in place,” Easterly added.
CISA recently published its long-awaited cyber incident reporting rule for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which Easterly said “is one of the most important things that are out there in order for us to understand the breadth and depth of the ransomware ecosystem.”
The 460-page rule is currently open for public comment until June 3. “What you can do is comment on it, help us get it right, and so we can publish it next year,” Easterly said.
Separately, Easterly said CISA will be unveiling the next iteration of its “Secure Our World” campaign at the RSA Conference next month. The three-minute cartoon jingle – reminiscent of the ’70s animated shorts “Schoolhouse Rock!” – will highlight four basic tasks that can prevent 98 percent of cyberattacks: install updates; make better passwords; think before you click; and enable multi-factor authentication.
“We have to make cyber hygiene as common as brushing your teeth and washing your hands and it’s four very basic things to secure our world,” Easterly concluded.