CISA loses key employee behind early ransomware warnings | Cybersecurity Dive

The future of a program that has helped prevent an estimated $9 billion in economic damages is now unclear.

A Cybersecurity and Infrastructure Security Agency program that warns organizations about imminent ransomware attacks has suffered a major setback after its lead staffer left the agency rather than take a forced reassignment.

David Stern, the driving force behind CISA's Pre-Ransomware Notification Initiative (PRNI), through which the agency alerts organizations that ransomware actors are preparing to encrypt or steal their data, resigned on Dec. 19, according to four people familiar with the matter. The Department of Homeland Security had ordered Stern to take a job at the Federal Emergency Management Agency in Boston or quit, and Stern chose the latter, three of the people said.

Stern's departure from CISA, first reported by Cybersecurity Dive, could significantly hamper one of the most impactful programs at an agency already strained by a massive workforce purge, cuts to key services and embarrassing leadership struggles.

Since late 2022, CISA has used tips from the intelligence community, cybersecurity firms and internet infrastructure operators to identify ransomware actors' preparatory activities on U.S. computer networks and warn their owners that the threat actors are preparing to strike. The agency sent more than 1,200 warnings in 2023 and more than 2,100 warnings in 2024, helping to prevent ransomware attacks on water systems, energy utilities, healthcare organizations, schools and other critical infrastructure operators.

As the lone CISA employee sending those notifications, Stern was absolutely critical to national security, said one person familiar with the matter, who, like the others, requested anonymity to speak candidly. "Sharing this urgent information to CISA's CI stakeholders truly solidified our relationships and showed that we cared about them."

"Stern's work has saved enterprises many billions in prevented damages," said a second person.

The fate of the warning initiative is now unclear. In a statement, CISA Director of Public Affairs Marci McCarthy said the program has not stopped and continues to operate as a key element in CISA's efforts to defeat ransomware attacks. One person familiar with the matter said the agency is preparing several staffers to take over for Stern. But others said the program relied heavily on Stern's trusted relationships with the organizations that alert CISA to pending ransomware attacks.

"Dave has relationships that won't be portable to someone new," said the second person familiar with the matter.

A third person said the ransomware program depends entirely on tips from the cybersecurity researcher community, with which Stern had a fantastic relationship.

Stern's ouster has exacerbated growing tensions between CISA and its partners, according to a fourth person familiar with the matter.

"This program mostly relied on information from trust groups run by private-sector entities," this person said, "and they are reassessing how they want to engage with CISA."

CISA declined to comment specifically on Stern's departure. McCarthy said the agency was focused squarely on executing its statutory mission and was delivering timely, actionable cyber threat intelligence, supporting federal, state and local partners, and defending against both nation-state and criminal cyber threats.

Other CISA employees are responsible for contacting companies that have been hacked, but the PRNI is the agency's only operation focused on preventing the encryption and extortion attacks that have crippled small businesses and disrupted lifeline services across the U.S.

"The PRNI work is some of the most impactful work CISA does and has saved U.S. companies billions of dollars by tipping them to ransomware attacks before they happen," said the second person familiar with the matter. "No other federal agency is doing this work."

Stern received his reassignment to FEMA shortly before the government shutdown that began on Oct. 1 and spent months fighting it, according to the second person familiar with the matter. "There was a ton of back and forth and attempts to get it rescinded," this person said, "but in the end they told him to move to Massachusetts or resign, and he resigned on Friday."

Cybersecurity Dive was unable to reach Stern for comment.

In an interview with the SANS Institute in August, Stern said the total number of ransomware notifications had reached 4,300, including warnings to at least 60 foreign governments about looming attacks on their organizations.

CISA estimates that its notifications have saved victims more than $9 billion in potential economic damage, Stern said, a figure that includes operational disruptions, incident-response costs and litigation.

"We hope to continue to make the ransomware business model as unsustainable as possible, working with our partners," Stern said in August. "We hope that we're making a dent and we're making an impact."