
    New CISA cybersecurity measures to fight ransomware raise privacy concerns

    By Lauren Taylor,

    18 days ago


    Ransomware attacks are causing significant damage to organizations of all sizes, exploiting unknown vulnerabilities. To combat this, the Cybersecurity and Infrastructure Security Agency (CISA), a division of the Department of Homeland Security, has initiated the Ransomware Vulnerability Warning Pilot. This program notifies organizations about potential ransomware threats, potentially preventing millions in damages.

    For example, UnitedHealth Group suffered a ransomware attack earlier this year, resulting in nationwide health care service outages and costing the company $872 million. The attackers allegedly stole 6 terabytes of patient data and demanded a $22 million ransom.

    "We've normalized the fact that we have shifted the burden of cybersecurity onto individuals and small businesses, which are least prepared to bear that burden," CISA Director Jen Easterly said. "We've normalized this crazy misalignment of incentives where technology companies have prioritized speed to market and driving down cost and cool features over security."

    By addressing these vulnerabilities, organizations can significantly reduce their risk of becoming victims of cyber extortion and avoid the severe financial consequences that follow.

    The pilot program, which currently includes 7,000 organizations, is expected to be fully operational by the end of 2024. It works by CISA identifying vulnerabilities and alerting organizations, providing them with necessary information to patch their systems and prevent attacks.

    However, privacy advocates are concerned about one of the tools used in the program — the administrative subpoena. A 2022 review of CISA’s procedures showed that the agency can issue subpoenas to organizations or individuals to gather information on internet-based systems without a court order, as these subpoenas do not require judicial review, and opting out is not possible.

    These subpoenas can be issued secretly, without the knowledge or consent of those targeted. CISA can retain personally identifiable information for six months if it relates to a suspected cybersecurity incident.

    CISA ensures that personally identifiable information is promptly deleted in accordance with established procedures. Despite this, the lack of judicial oversight and the secretive nature of these subpoenas have raised concerns about potential privacy violations and abuses of power.

    CISA also offers its own cybersecurity tools and has started a process for organizations to submit their own free tools and services for both the public and private sectors.

    The post New CISA cybersecurity measures to fight ransomware raise privacy concerns appeared first on Straight Arrow News.
