CISA Will Use New Authority Over Internet Service Providers to Fight Ransomware, Official Says


Acting CISA Director Brandon Wales praised the government’s coordination absent a national cyber director.

In about two months, the Cybersecurity and Infrastructure Security Agency plans to activate its newly minted power to force internet service providers to supply the identity of their customers, so officials can warn those customers about vulnerabilities in their systems.

“It's an important new authority, one that the agency has been pushing for for a couple of years, and we're actually getting ready to bring it live, as we've finished up some of our procedures and training, in the next 60 days or so,” said Brandon Wales, CISA’s acting director.

Wales spoke with Auburn University’s Frank Cilluffo during an event on the ransomware threat Monday. Cilluffo, who is a member of the congressionally mandated Cyberspace Solarium Commission as well as the Homeland Security Department’s Advisory Council, asked how the operational technology of industrial control systems, in particular, is faring under rolling waves of ransomware attacks targeting state and local critical infrastructure.

The risk ransomware presents to industrial control systems is increasing, Wales said, noting that another water facility was recently targeted. In this case, the facility was used for monitoring, not treatment, so the impacts were minimal, he said, but he used the example to describe the vulnerability of the sector.

“We've now seen ransomware targeting OT systems, targeting control networks, which, a few years ago we had never seen that, really, you know before,” he said. “Now it is, it is more common. We had an incident in the past week, where we had a water facility that had its OT network compromised.”

In the last National Defense Authorization Act, Congress gave CISA the authority to subpoena ISPs to hand over the contact information of entities where the agency observes an opening for exploitation.

“We're not gonna be regulating that company,” Wales said. “But we want to be able to talk directly to the owner and say you know you've got a vulnerable system, it's out on the internet, and we found it today but tomorrow, a malicious actor could have found that, exploited it, and your system could have been down, or worse.”   

The new ability fits with plans Anne Neuberger, deputy national security adviser for cyber and emerging technology, recently announced that center on the need for greater visibility across public and private networks to protect industrial control systems.  

Asked about how the lack of a national cyber director—another component of the NDAA—has affected his work, Wales praised Neuberger’s coordination of federal efforts.

“I think we've been, we've been very lucky to have a supporter of this agency and an extremely capable, knowledgeable, cyber professional with Anne Neuberger at the White House,” he said.