The Cybersecurity and Infrastructure Security Agency (CISA) recently announced its vulnerability warning program has issued over 2,000 alerts since its inception. The agency’s director, Jen Easterly, delivered remarks recently at the Institute for Security and Technology, sharing that these alerts have gone to organizations running software with vulnerabilities actively being exploited by ransomware gangs.
The program is currently in the pilot phase. It is mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). It aims to reduce the number of ransomware attacks by getting the owners and operators of vulnerable systems to patch them before they can be infiltrated.
“The warning pilot is focused on reducing the prevalence of ransomware by using our vulnerability scanning tools to let businesses know if they have vulnerabilities that need to be patched,” Easterly stated during the IST event.
For managed service providers (MSPs), the pilot ransomware program offers another tool they can use to protect clients from harm. However, many experts say the program hasn’t received the publicity and visibility it deserves. With this being the case, SmarterMSP.com is providing more information about it this week.
Key provisions of the pilot
CIRCIA’s pilot ransomware warning program is the Ransomware Vulnerability Warning Pilot (RVWP), and it includes several key provisions:
- Proactive approach: RVWP focuses on preventing ransomware attacks before they happen. “It is always better and cheaper and less destructive to prevent a problem rather than clean up one,” explains Adam Colup, an independent cybersecurity specialist in Detroit.
- Identify vulnerabilities: CISA uses existing data sources and tools to identify critical infrastructure entities that have internet-accessible vulnerabilities commonly exploited by ransomware attackers. “For MSPs and other staff-strapped enterprises, having vulnerability reporting is a priceless asset,” Colup says.
- Targeted warnings: Organizations enrolled in the program are notified about these vulnerabilities. This allows them to patch or otherwise address the weaknesses before attackers can use them in a ransomware attack. Colup states, “A company also can no longer claim to be unaware of an existing vulnerability, and MSPs that manage a company’s security need to have a protocol in place for alerting all stakeholders of the warnings.”
- Free participation: Enrollment in the RVWP is free and voluntary, but it’s highly beneficial for critical infrastructure organizations.
Colup shares other reasons to enroll clients in the RVWP, which was established in response to CIRCIA’s provisions. He says CISA leverages its existing Cyber Hygiene Vulnerability Scanning service for some aspects of the program. “The program is still in its pilot phase, but it has already shown success in helping organizations avoid ransomware incidents.”
Key components of CIRCIA: Beyond the RVWP pilot program
The RVWP is just one part of the broader package adopted under CIRCIA in 2022, and implementation is only now getting under way. MSPs have many different regulations and mandates to follow, and many of them take time to implement, so it is easy to lose track. Here are some other parts of CIRCIA that MSPs should be monitoring:
Mandatory reporting: CIRCIA requires critical infrastructure owners and operators to report certain cyber incidents to CISA within 72 hours of suspecting a breach. Colup says, “This is a critical part of the package because if the incident is reported, then there is a chance for a larger program to be contained before others are victimized.”
Focus on “substantial” incidents: The law defines what constitutes a “covered cyber incident,” focusing on those with significant potential harm. CISA provides examples to help with identification.
Ransomware payments included: The reporting requirement extends to ransom payments made in response to cyberattacks. “Some companies may think twice before opening their checkbook if they think they might receive bad publicity or even penalties for paying up,” Colup shares.
Improved threat analysis: Collecting data on cyber incidents is key. CISA aims to identify trends, develop better defenses, and warn other organizations about potential threats.
Voluntary reporting option: Mandatory reporting applies to critical infrastructure. CIRCIA allows other entities to share information about cyber incidents with CISA voluntarily. “Even a voluntary reporting mechanism is better than none; the more information that gets shared and centralized, the more awareness is raised, and sometimes awareness is the best and cheapest cybersecurity,” Colup explains.
The RVWP pilot program demonstrates promising results in mitigating ransomware incidents. However, it is just one aspect of the comprehensive CIRCIA framework. With its various mandates, such as mandatory reporting, a focus on substantial incidents (including ransomware payments), improved threat analysis, and voluntary reporting options, MSPs must remain vigilant to comply with the evolving cybersecurity landscape.