New CISA cybersecurity measures to fight ransomware raise privacy concerns

[LAUREN TAYLOR]

RANSOMWARE ATTACKS WREAK HAVOC ON ORGANIZATIONS OF ALL SIZES, LEAVING A TRAIL OF DEVASTATION IN THEIR WAKE. THE CULPRIT? MALICIOUS CYBER ATTACKERS EXPLOITING VULNERABILITIES THAT BUSINESSES AND ORGANIZATIONS ARE UNAWARE OF.

TO COUNTER THIS, THE CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY, PART OF THE DEPARTMENT OF HOMELAND SECURITY, HAS LAUNCHED THE RANSOMWARE VULNERABILITY WARNING PILOT. THIS PROGRAM ALERTS ORGANIZATIONS TO POTENTIAL RANSOMWARE THREATS, POTENTIALLY SAVING MILLIONS IN DAMAGES.

TAKE UNITEDHEALTH GROUP, FOR EXAMPLE, WHICH WAS HIT BY A RANSOMWARE ATTACK EARLIER THIS YEAR, CAUSING NATIONWIDE OUTAGES FOR HEALTHCARE SERVICES. THE ATTACK COST THE COMPANY $872 MILLION IN DAMAGES. HACKERS ALLEGEDLY STOLE 6 TERABYTES OF PATIENT DATA, AND THE RANSOMWARE GROUP CLAIMED A $22 MILLION RANSOM FROM UNITEDHEALTH.

JEN EASTERLY
DIRECTOR | CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

“We’ve normalized the fact that we have shifted the burden of cybersecurity onto individuals and small businesses, which are least prepared to bear that burden. We’ve normalized this crazy misalignment of incentives where technology companies have prioritized speed to market and driving down cost and cool features over security.”

[LAUREN TAYLOR]

BY PATCHING THESE WEAKNESSES, ORGANIZATIONS CAN DRASTICALLY REDUCE THEIR RISK OF FALLING PREY TO THESE CYBER EXTORTIONISTS AND AVOID THE COSTLY CONSEQUENCES THAT FOLLOW.

THE RANSOMWARE VULNERABILITY WARNING PILOT PROGRAM, CURRENTLY IN ITS PILOT PHASE WITH 7,000 ORGANIZATIONS PARTICIPATING, AIMS TO BE FULLY OPERATIONAL BY THE END OF 2024.

HERE’S HOW IT WORKS: CISA IDENTIFIES VULNERABILITIES AND ALERTS PARTICIPATING ORGANIZATIONS, PROVIDING THEM WITH THE NECESSARY INFORMATION TO PATCH THEIR SYSTEMS AND PREVENT ATTACKS.

HOWEVER, PRIVACY ADVOCATES HAVE RAISED CONCERNS ABOUT CISA’S IMPLEMENTATION OF ONE OF THE PROGRAM’S TOOLS – THE ADMINISTRATIVE SUBPOENA.

A 2022 REVIEW OF CISA’S PROCEDURES SHOWED THAT THE AGENCY CAN SUBPOENA ORGANIZATIONS OR INDIVIDUALS TO PROVIDE INFORMATION ON INTERNET-BASED SYSTEMS WITHOUT A COURT ORDER, AS THESE SUBPOENAS DO NOT REQUIRE JUDICIAL REVIEW. OPTING OUT OR DECLINING IS NOT POSSIBLE.

ADDITIONALLY, THE SUBPOENAS CAN BE ISSUED IN SECRET, WITHOUT THE KNOWLEDGE OR CONSENT OF THE INDIVIDUAL OR ORGANIZATION BEING TARGETED. IF CISA FINDS ANY SUSPECTED CYBERSECURITY INCIDENT, IT CAN HOLD ONTO THE PERSONALLY IDENTIFIABLE INFORMATION IT COLLECTS FOR SIX MONTHS.

CISA SAYS ITS EMPLOYEES PROMPTLY DELETE PERSONALLY IDENTIFIABLE INFORMATION IN LINE WITH ESTABLISHED PROCEDURES. HOWEVER, THE ABSENCE OF JUDICIAL OVERSIGHT AND THE SECRETIVE NATURE OF THESE SUBPOENAS HAVE SPARKED WORRIES ABOUT POTENTIAL PRIVACY VIOLATIONS AND ABUSE OF POWER.

CISA OFFERS ITS OWN CYBERSECURITY TOOLS AND HAS STARTED A PROCESS FOR ORGANIZATIONS TO SUBMIT THEIR OWN FREE TOOLS AND SERVICES FOR THE PUBLIC AND PRIVATE SECTORS.