CISA expects upcoming industry rules to show ‘scope and scale’ of ransomware problem
LAS VEGAS — Ransomware experts have spent much of 2023 debating whether the attacks are increasing or decreasing. Multiple reports have provided conflicting data, while positive developments have been overshadowed by headline-grabbing attacks on major cities like Dallas and Oakland.
But Cybersecurity and Infrastructure Security Agency Director Jen Easterly expressed hope this weekend that the upcoming incident reporting rules for critical infrastructure would finally provide some certainty about whether government efforts were making a dent in the pernicious ransomware problem.
At the DEF CON cybersecurity conference on Saturday, Easterly said that powers created under the Cyber Incident Reporting for Critical Infrastructure Act — which CISA officials refer to by its acronym CIRCIA — will give the agency invaluable data on ransomware trends that they have long begged for.
The watershed legislation will force critical infrastructure organizations to report significant cyber incidents. CISA is currently in the final stages of writing the specifics of the rules and a “notice of rulemaking” will come out next year, Easterly said. The rules eventually will be implemented next year, she added.
“You read so much about ransomware going up, ransomware going down. My general belief is we just don't know. We just don't have a really good handle on the scope and scale of the ecosystem of cyber incidents because frankly, it's not mandatory to report across the board,” she said.
“For the first time we will actually be able to understand what the scope is of incidents, whether all the work that we've been doing across the federal government, across industry, across state and local, across the globe, is actually leading to reduced risk,” Easterly said. “Because at the end of the day, that's what we're trying to do. We're not trying to create punishments. We're really trying to work with industry in a collaborative, consultative way to ensure that we can help them reduce risk.”
A personal angle
Easterly noted that she believes the law would never have been passed by Congress without the Colonial Pipeline ransomware attack, which paralyzed 55% of the oil and gas supply on the East Coast for several days in 2021.
Easterly said the issue of ransomware has taken on a personal tinge for her in recent years with dozens of ransomware attacks on the healthcare industry.
Easterly mentioned the recent attack on Prospect Medical Holdings as an example of the kind of incidents that frightened her because of her 90-year-old mother, who is in and out of the hospital.
The CISA director noted that the attacks on Prospect Medical Holdings forced several hospitals to divert ambulances and cancel appointments for days.
The agency has made it a point to focus on several priority “target-rich, cyber-poor” sectors in recent months, including rural hospitals, K-12 schools and water facilities, she said, adding that as the 2024 election season comes, CISA also plans to focus on local election offices.
CISA now provides timely threat intelligence — as it did with the Prospect Medical attack — and sits at the center of U.S. civilian cyberdefense, managing sector risk management agencies to ensure that they “have the information, the resources, the capabilities, the best practices that we all need to be able to reduce risk to the critical infrastructure that Americans rely on every hour of every day,” she said.
CIRCIA and more
Easterly was asked whether she had the regulation-backed tools she needs to get her job done. She said she doesn't want CISA to become a regulator and would prefer to focus on providing technical expertise.
She noted that dozens of the Cyberspace Solarium Commission recommendations that have made it into law provide her with the kind of tools her predecessor, Chris Krebs, long begged for.
“Chris Krebs may have wanted the ability to hunt persistently on federal networks, the ability to work directly with our sector risk management agencies to actually put measures in place to keep sectors safe. The authority we have to stand up the Joint Cyber Defense Collaborative,” she said.
“And with CIRCIA, I feel like we're in a very positive place with respect to our authorities. CISA doesn't want to be a regulator. We've worked very closely with regulators. But at the end of the day, the magic of CISA is our ability — through our technical expertise and our trusted partnerships — to be able to work across industry in a way that, frankly, is a little bit harder with regulators.”
One way officials have been able to provide tangible assistance to organizations across the country and internationally is through CISA’s Pre-Ransomware Notification Initiative.
Easterly explained that in more than 600 instances, the agency has been able to warn hospitals, schools and more that malware is embedded into their systems before the full-blown ransomware attack is launched.
The initiative takes tips and information from researchers, industry experts and more that generally come five to 48 hours before attacks are typically launched, she said. Through CISA’s field offices in every state, they have been able to provide help to those in need of it most.
More than anything, the success of the effort was an indication that researchers, many of them at events like DEF CON, trusted the agency enough to provide it with this level of notification, she said.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.