CISA Prepares to Use New Subpoena PowerActing Director Describes Latest Steps in Battle Against Ransomware
The Cybersecurity and Infrastructure Security Agency will soon use its new subpoena powers authorized under the 2021 National Defense Authorization Act to help in the battle against ransomware attacks and other cyberthreats, says Brandon Wales, the acting agency director.
Speaking at a Monday event, Wales said the agency is preparing to begin using its new authority to issue administrative subpoenas to internet service providers that would compel them to turn over certain subscriber information that would help better identify potential attacks as well as targeted organizations.
Issuing administrative subpoenas to ISPs will enable CISA to share more information with organizations that might be targeted by attackers or to identify networks that are currently under attack, Wales said.
"In the past, we could not see further than their ISP in terms of who the actual owner of that control system was," Wales said during the event at Auburn University's McCrary Institute. "With new admin subpoena authority, we will be able to identify vulnerable control systems that are internet-facing. And if we can't reach that owner any other way, we will have the ability to serve that administrative subpoena on the ISP and be able to make contact with the company."
CISA is conducting a 60-day review of its new authorities under the defense legislation - including the ISP subpoena power - before they go into effect, Wales said.
CISA and its parent organization, the Department of Homeland Security, are looking to address the issue of ransomware attacks that have targeted government agencies as well as schools, healthcare organizations and others over the last year.
In 2020, the FBI's Internet Crime Complaint Center reported that agents had received more than 2,400 ransomware complaints, with total reported losses exceeding $29 million (see: Internet-Enabled Crime: 2020 US Losses Exceed $4.2 Billion).
"Over the long term, we want to see what we can do to evolve our national-level capabilities to block emerging types of ransomware, and we're looking at ways in which we can foster the market for more scalable protective innovations," Wales said. "Because frankly, we have not cracked the code, and the ransomware problem continues to grow and we need new, innovative thinking on this. If the business model remains viable, and if criminal actors can continue to profit from ransomware, we are unlikely to see a significant reduction in the activity from these ransomware operators."
Wales noted that DHS is attempting to address ransomware attacks that target state and local government by providing an additional $25 million in grants for these organizations to improve their cybersecurity preparedness programs (see: DHS to Provide $25 Million More for Cybersecurity Grants).
CISA is also investigating how operational technology networks - especially those connected to the public-facing internet - might also be susceptible to ransomware and other attacks. The recently thwarted attack against a Florida water treatment facility has raised additional concerns, he pointed out.
"We're seeing more vulnerable operational technology deployed on the open internet. And the other issue is cybercriminals are becoming more savvy, and they know who to target and who has money," Wales said. "They're going after those systems that these types of industries are using."
Wales also addressed how CISA and other federal agencies are responding to the recent attacks that have targeted four unpatched vulnerabilities in on-premises Microsoft Exchange servers (see: Microsoft Exchange Flaw: Attacks Surge After Code Published).
On Monday, Microsoft's Security Response team reported that 92% of all Exchange IP addresses have now been patched or mitigated against these vulnerabilities.
Our work continues, but we are seeing strong momentum for on-premises Exchange Server updates:— Security Response (@msftsecresponse) March 22, 2021
• 92% of worldwide Exchange IPs are now patched or mitigated.
• 43% improvement worldwide in the last week. pic.twitter.com/YhgpnMdlOX
Wales noted that organizations running vulnerable versions of Exchange need to go beyond basic security maintenance to ensure that attackers have not gained a foothold in their networks.
"We are still concerned that there are still too many unpatched servers and there are too many servers that are patched with underlying compromises," Wales said. "And those system owners need to take aggressive action to remediate - and if they're not capable of doing so … try to bring in someone capable of helping remediate."