Full Report
A Cybersecurity and Infrastructure Security Agency program that warns organizations about imminent ransomware attacks has suffered a major setback after its lead staffer left the agency rather than take a forced reassignment. David Stern, the driving force behind CISA’s Pre-Ransomware Notification Initiative (PRNI) — through which the agency alerts organizations that ransomware actors are preparing to encrypt or steal their data — resigned on Dec. 19, according to four people familiar with the matter. The Department of Homeland Security had ordered Stern to take a job at the Federal Emergency Management Agency in Boston or quit, and Stern chose the latter, three of the people said.
Analysis Summary
# Incident Report: Disruption of CISA Pre-Ransomware Notification Initiative (PRNI) Leadership
## Executive Summary
The CISA Pre-Ransomware Notification Initiative (PRNI), a program designed to warn organizations of imminent ransomware attacks based on preparatory activities, has experienced a major operational setback due to the resignation of its lead staffer, David Stern, on December 19th. The resignation came after the Department of Homeland Security (DHS) ordered Stern to either transfer to FEMA in Boston or resign; he chose to resign. The incident threatens the continuity of a program that is credited with preventing billions in damages and that relies heavily on the departed staffer's established relationships with the threat intelligence community.
## Incident Details
- **Discovery Date:** Not explicitly stated; the departure was reported on or around the publication date (Dec. 23, 2025).
- **Incident Date:** December 19, 2025 (Date of David Stern's resignation).
- **Affected Organization:** Cybersecurity and Infrastructure Security Agency (CISA), specifically the Pre-Ransomware Notification Initiative (PRNI).
- **Sector:** Government / Critical Infrastructure Protection.
- **Geography:** Primarily US-based operations (DHS/CISA headquarters actions).
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-dating December 19, 2025.
- **Vector:** Internal/Administrative action (Forced reassignment order from DHS).
- **Details:** The Department of Homeland Security (DHS) ordered CISA staffer David Stern to move to a role at the Federal Emergency Management Agency (FEMA) in Boston or resign from his position.
### Lateral Movement
- *Not Applicable. This is an internal personnel/programmatic incident, not a network compromise.*
### Data Exfiltration/Impact
- **What was stolen or damaged:** The immediate impact is the potential crippling of the PRNI program due to the loss of its central figure and his trusted community relationships. The program itself is currently facing uncertainty.
### Detection & Response
- **How it was discovered:** The departure was confirmed through sources familiar with the matter and subsequently reported by Cybersecurity Dive.
- **Response actions taken:** CISA publicly stated the program "continues to operate." Internally, the agency is reportedly preparing several staffers to take over the notification duties.
## Attack Methodology
This incident does not involve a traditional cyber attack by external threat actors. The methodology is administrative/personnel disruption:
- **Initial Access:** DHS executive mandate leading to a mandatory transfer or termination.
- **Persistence:** N/A (The departure *is* the event).
- **Privilege Escalation:** N/A
- **Defense Evasion:** N/A
- **Credential Access:** N/A
- **Discovery:** N/A
- **Lateral Movement:** N/A
- **Collection:** N/A
- **Exfiltration:** N/A
- **Impact:** Programmatic disruption and loss of institutional knowledge/trusted relationships necessary for intelligence gathering.
## Impact Assessment
- **Financial:** The PRNI program is estimated to have helped prevent **$9 billion in economic damages** since late 2022. The future potential loss is significant.
- **Data Breach:** No external data breach is indicated. The impact is on the agency's ability to *prevent* data breaches and operational shutdowns caused by ransomware.
- **Operational:** The operational capability of the PRNI is immediately hampered due to the loss of the sole staffer managing notifications and the critical relationships required to receive actionable tips.
- **Reputational:** The departure exacerbates pre-existing tensions between CISA and its external intelligence and security partners.
## Indicators of Compromise
*No traditional IOCs (IPs, hashes, domains) apply to this administrative event.*
- **Behavioral indicators:** Disruption of key national security warning programs; loss of vital stakeholder relationships.
## Response Actions
- **Containment measures:** None applicable to personnel action.
- **Eradication steps:** None applicable.
- **Recovery actions:** CISA is reportedly preparing several staffers to assume Stern's duties. Efforts are underway to maintain the flow of ransomware notifications.
## Lessons Learned
- **Key takeaways:** The success of highly critical, relationship-dependent government initiatives can be dangerously concentrated in a single individual. The PRNI program's reliance on David Stern's personal relationships with the threat intelligence community and stakeholders made it extremely vulnerable to single points of personnel failure.
- **What could have been done better:** Developing comprehensive succession plans and distributing core operational knowledge across multiple personnel streams to ensure program resilience against administrative changes.
## Recommendations
- **Prevention measures for similar incidents:** Immediately begin cross-training CISA personnel on relationship management with intelligence community partners currently feeding data to the PRNI. Formalize mechanisms for tip collection and notification distribution to reduce reliance on any single employee's personal rapport.