Yesterday CISA announced
the creation of the Ransomware Vulnerability Warning Pilot (RVWP). This pilot program
was authorized under §105 (135 STAT 1035) of the Cyber Incident Reporting for
Critical Infrastructure Act of 2022 (CIRCIA) in Division Y of PL
117-103. Under this pilot, CISA will identify critical infrastructure organizations
that have known vulnerabilities that have been exploited by ransomware
attackers and notify those organizations of the identified vulnerabilities.
CISA has prepared a fact
sheet about this pilot program.
Commentary
Even for covered critical infrastructure organizations that
participate in CISA Cyber Hygiene Services, this will not stop all ransomware
attacks. This program is focused on known vulnerabilities in software and
hardware that allow elevation of privilege and lateral movement within an
organization. Focused attacks on personnel with already elevated privilege will
not be affected. And well-funded (successful) ransomware organizations and nation-state
adversaries supporting such organizations have the wherewithal to conduct research
to find or to buy newly discovered vulnerabilities that CISA does not yet know
it needs to search for under this program.
Oh, and let’s not forget that the vulnerable organization
identified by CISA still has to have the resources (time, money, personnel and
expertise) necessary to go back and correct the vulnerabilities identified by
CISA. CISA is only identifying ‘known vulnerabilities’ that the organizations
should have already been correcting anyway. There has to be some underlying
reason that the organization has not already corrected the vulnerability that
CISA has identified. This program will not correct those issues.
Do not get me wrong. This is a reasonably good program with
which I hope CISA has some success. But it will not solve the ransomware
problem.
For more details about this new CISA program, including more
detailed commentary, see my article at CFSN Detailed Analysis – https://patrickcoyle.substack.com/p/cisa-announces-ransomware-vulnerability
– subscription required.