CISA loses key employee behind early ransomware warnings


A Cybersecurity and Infrastructure Security Agency program that warns organizations about imminent ransomware attacks has suffered a major setback after its lead staffer left the agency rather than take a forced reassignment.

David Stern, the driving force behind CISA’s Pre-Ransomware Notification Initiative (PRNI) — through which the agency alerts organizations that ransomware actors are preparing to encrypt or steal their data — resigned on Dec. 19, according to four people familiar with the matter. The Department of Homeland Security had ordered Stern to take a job at the Federal Emergency Management Agency in Boston or quit, and Stern chose the latter, three of the people said.

Stern’s departure from CISA, first reported by Cybersecurity Dive, could significantly hamper one of the most impactful programs at an agency already strained by a massive workforce purge, cuts to key services and embarrassing leadership struggles.

Since late 2022, CISA has used tips from the intelligence community, cybersecurity firms and internet infrastructure operators to identify ransomware actors’ preparatory activities on U.S. computer networks and warn their owners that the threat actors are preparing to strike. The agency sent more than 1,200 warnings in 2023 and more than 2,100 warnings in 2024, helping to prevent ransomware attacks on water systems, energy utilities, healthcare organizations, schools and other critical infrastructure operators.

As the lone CISA employee sending those notifications, Stern “was absolutely critical to national security,” said one person familiar with the matter, who, like the others, requested anonymity to speak candidly. “Sharing this urgent information to [CISA’s] CI stakeholders truly solidified our relationships and showed that we cared about them.”

Stern’s work “has saved enterprises many billions in prevented damages,” said a second person.

Ransomware warning program faces uncertainty

The fate of the warning initiative is now unclear. In a statement, CISA Director of Public Affairs Marci McCarthy said the program “has not stopped and continues to operate as a key element in CISA’s efforts to defeat ransomware attacks.” One person familiar with the matter said the agency is preparing several staffers to take over for Stern. But others said the program relied heavily on Stern’s trusted relationships with the organizations that alert CISA to pending ransomware attacks.

“Dave has relationships that won’t be portable to someone new,” said the second person familiar with the matter.

A third person said the ransomware program “depends entirely on tips from the cybersecurity researcher community,” with which Stern “had a fantastic relationship.”

Stern’s ouster has exacerbated growing tensions between CISA and its partners, according to a fourth person familiar with the matter.

“This program mostly relied on information from trust groups run by private-sector entities,” this person said, “and they are reassessing how they want to engage with CISA.”

CISA declined to comment specifically on Stern’s departure. McCarthy said the agency was “focused squarely on executing its statutory mission” and was “delivering timely, actionable cyber threat intelligence, supporting federal, state, and local partners, and defending against both nation-state and criminal cyber threats.”

Other CISA employees are responsible for contacting companies that have been hacked, but the PRNI is the agency’s only operation focused on preventing the encryption and extortion attacks that have crippled small businesses and disrupted lifeline services across the U.S.

“The PRNI work is some of the most impactful work CISA does and has saved U.S. companies billions of dollars by tipping them to ransomware attacks before they happen,” said the second person familiar with the matter. “No other federal agency is doing this work.”

Ousted after key contributions

Stern received his reassignment to FEMA shortly before the government shutdown that began on Oct. 1 and spent months fighting it, according to the second person familiar with the matter. “There was a ton of back and forth and attempts to get it rescinded,” this person said, “but in the end they told him to move to [Massachusetts] or resign and he resigned on Friday.”

Cybersecurity Dive was unable to reach Stern for comment.

In an interview with the SANS Institute in August, Stern said the total number of ransomware notifications had reached 4,300, including warnings to at least 60 foreign governments about looming attacks on their organizations.


