Tuesday, March 14, 2023

Review - CISA Announces Ransomware Vulnerability Warning System

Yesterday CISA announced the creation of the Ransomware Vulnerability Warning Pilot (RVWP). This pilot program was authorized under §105 (135 STAT 1035) of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) in Division Y of PL 117-103. Under this pilot, CISA will identify critical infrastructure organizations that have known vulnerabilities which ransomware attackers have exploited, and will notify those organizations of the identified vulnerabilities. CISA has prepared a fact sheet about this pilot program.


Even for covered critical infrastructure organizations that participate in CISA Cyber Hygiene Services, this will not stop all ransomware attacks. This program is focused on known vulnerabilities in software and hardware that allow elevation of privilege and lateral movement within an organization. Targeted attacks on personnel who already hold elevated privileges will not be affected by it. And well-funded (successful) ransomware organizations, and the nation-state adversaries supporting such organizations, have the wherewithal to conduct research to find, or to buy, newly discovered vulnerabilities that CISA does not yet know to search for under this program.

Oh, and let’s not forget that the vulnerable organization identified by CISA still has to have the resources (time, money, personnel and expertise) necessary to go back and correct the vulnerabilities CISA has identified. CISA is only identifying ‘known vulnerabilities’ that the organizations should already have been correcting anyway. There has to be some underlying reason that the organization has not already corrected the vulnerability CISA has identified, and this program will not correct those underlying issues.

Do not get me wrong. This is a reasonably good program, and I hope CISA has some success with it. But it will not solve the ransomware problem.


For more details about this new CISA program, including more detailed commentary, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cisa-announces-ransomware-vulnerability - subscription required.


