CISA's Pre-Ransomware Warning Program Loses Its Only Operator
David Stern, the sole employee running CISA's ransomware early warning initiative, resigned December 19 after being ordered to relocate. The program had sent 2,100+ alerts in 2024.
CISA's Pre-Ransomware Notification Initiative—a program that warns organizations about imminent ransomware attacks before encryption begins—has lost the sole employee responsible for operating it. David Stern resigned on December 19 after the Department of Homeland Security ordered him to relocate to a FEMA position in Boston or quit.
TL;DR
- What happened: David Stern, the only CISA employee running the pre-ransomware warning program, resigned rather than accept forced reassignment
- Who's affected: Water systems, energy utilities, healthcare organizations, schools, and other critical infrastructure that relied on early warnings
- Severity: High—program that saved an estimated $9 billion in potential damages now lacks its operator
- Action required: Organizations should strengthen internal ransomware detection capabilities
What Is the Pre-Ransomware Notification Initiative?
The PRNI program identifies ransomware attacks in their early stages—after initial compromise but before encryption—and alerts victim organizations in time to evict attackers. CISA receives intelligence from various sources: FBI, private sector partners, international allies, and its own threat hunting operations.
When analysts spotted signs of an imminent attack, Stern would contact the target organization directly to warn it. The window between initial access and data encryption can be days or even weeks. Early notification lets defenders kick out intruders before damage occurs.
CISA sent more than 1,200 warnings in 2023 and exceeded 2,100 in 2024. Recipients included water treatment facilities, power utilities, hospitals, school districts, and other critical infrastructure operators—organizations often lacking sophisticated security operations of their own.
Impact of Stern's Departure
Stern had been with CISA for over a decade, spending recent years focused on ransomware early warning. As the sole operator of the notification program, his departure creates an immediate gap.
The agency estimates PRNI has prevented more than $9 billion in potential economic damage. That figure accounts for operational disruptions, incident response costs, recovery expenses, and litigation avoided by organizations that received timely warnings.
No announcement has been made about a replacement or how the program will continue. CISA is already operating under budget constraints and workforce reductions that have affected other agency functions.
Why This Happened
According to reports, DHS ordered Stern to accept reassignment to FEMA in Boston or resign. Such forced relocations have become a method for pushing out federal employees without formal termination proceedings.
Stern chose resignation over relocation.
The decision removes institutional knowledge built over years of operating the program. Understanding attacker patterns, maintaining relationships with sector-specific organizations, and navigating notification processes all take time to develop.
Broader Context
CISA has faced a difficult 2024 and 2025. Budget disputes, workforce cuts, leadership changes, and political pressure have strained the agency's ability to deliver on its mission. The PRNI program represented one of CISA's most tangible success stories—a direct, measurable impact on ransomware's toll on American organizations.
Other countries have established similar programs. The UK's National Cyber Security Centre operates early warning services, as do counterparts in Australia and several European nations. These programs recognize that government visibility into threat intelligence, combined with rapid notification, can prevent attacks that individual organizations couldn't anticipate.
What Organizations Should Do Now
With PRNI's future uncertain, organizations—particularly those in critical infrastructure sectors—should assume they won't receive external warning of incoming ransomware attacks.
- Improve internal detection for common ransomware precursors: Cobalt Strike beacons, unusual RDP activity, bulk file access, and Active Directory reconnaissance.
- Maintain offline backups and test them regularly by performing actual restores.
- Segment networks to limit lateral movement when initial compromise occurs.
- Exercise incident response plans so teams can respond quickly without external prompting.
- Engage threat intelligence services if budget allows—commercial alternatives exist for organizations that can afford them.
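An added example, not from the original article or from CISA: a minimal detector for two of the precursors named in the first item above (unusual RDP activity and bulk file access), run over constructed Windows Security events. The record field names, the per-account baseline of known RDP sources, and the thresholds are assumptions; event IDs 4624 (logon) and 4663 (object access) are the standard Windows ones.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # RemoteInteractive logon type in event 4624

def detect_precursors(events, known_rdp_sources, bulk_threshold=5,
                      window=timedelta(seconds=60)):
    """Return (timestamp, rule, user, detail) alerts for two precursor patterns."""
    alerts = []
    recent = defaultdict(deque)  # user -> (time, path) pairs still inside the window
    bulk_alerted = set()         # users already flagged, so one burst gives one alert
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["id"] == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE:
            # RDP logon from a source never seen before for this account
            if ev["src"] not in known_rdp_sources.get(user, set()):
                alerts.append((ev["ts"], "rdp_new_source", user, ev["src"]))
        elif ev["id"] == 4663:   # needs object-access auditing enabled on the share
            q = recent[user]
            q.append((ts, ev["path"]))
            while q and ts - q[0][0] > window:
                q.popleft()      # drop accesses that fell out of the window
            distinct = {path for _, path in q}
            if len(distinct) >= bulk_threshold and user not in bulk_alerted:
                bulk_alerted.add(user)
                alerts.append((ev["ts"], "bulk_file_access", user, len(distinct)))
    return alerts

def _file_events(user, start, count, step):
    """Build constructed 4663 records, one distinct file per step."""
    t0 = datetime.fromisoformat(start)
    return [{"ts": (t0 + i * step).isoformat(), "id": 4663, "user": user,
             "path": f"D:/finance/doc{i}.xlsx"} for i in range(count)]

# Constructed sample data (hypothetical accounts, addresses and paths).
KNOWN_RDP_SOURCES = {"alice": {"10.0.5.20"}, "svc_backup": set()}
SAMPLE_EVENTS = [
    {"ts": "2025-01-06T09:01:00", "id": 4624, "logon_type": 10,
     "user": "alice", "src": "10.0.5.20"},       # usual workstation, no alert
    {"ts": "2025-01-06T02:10:00", "id": 4624, "logon_type": 10,
     "user": "svc_backup", "src": "10.0.9.77"},  # service account over RDP, new source
] + _file_events("svc_backup", "2025-01-06T02:14:00", 6, timedelta(seconds=5)) \
  + _file_events("alice", "2025-01-06T09:05:00", 3, timedelta(minutes=10))

if __name__ == "__main__":
    for alert in detect_precursors(SAMPLE_EVENTS, KNOWN_RDP_SOURCES):
        print(alert)
```

In production the baseline would be learned from historical logons rather than hard-coded, and the file-access threshold tuned per share to keep false positives manageable.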
Frequently Asked Questions
Will the PRNI program continue?
Unknown. CISA hasn't announced plans for continuation or replacement of Stern's role. The program may continue at reduced capacity, be absorbed into other functions, or pause until new staff are trained.
Who should I contact if I receive ransomware indicators?
Report incidents to CISA's 24/7 hotline (1-844-Say-CISA) or through cisa.gov/report. The FBI's IC3 (ic3.gov) also accepts cybercrime reports. These reporting channels remain active regardless of PRNI's status.
Did PRNI ever notify my organization?
If you received a PRNI warning, you would know—the program involves direct outreach via phone or email to designated security contacts. Organizations that haven't been contacted weren't identified as imminent targets in CISA's intelligence.