Colonial Pipeline CEO to Testify at Congressional HearingHouse Committee to Probe Ransomware Attack That Led to Pipeline Shutdown
After revealing Colonial Pipeline Co. paid attackers $4.4 million after a ransomware attack, CEO Joseph Blount has been scheduled to testify at a House Homeland Security Committee hearing June 9.
Meanwhile, the House Science, Space, and Technology Committee has requested a full briefing about the attack from the U.S. Department of Energy.
Blount told The Wall Street Journal on Wednesday that he had authorized the ransom payment to obtain a decryptor key from the DarkSide criminal operation in hopes of speeding up the company's recovery efforts following the May 7 attack, which led to the shutdown of the firm's 5,500-mile pipeline that delivers gasoline and other petroleum products throughout the eastern U.S. (see: Colonial Pipeline CEO Confirms $4.4 Million Ransom Payment).
"It was the right thing to do for the country," Blount told the newspaper.
The CEO said the decryptor did not work as well as the company had hoped, so it still had to rely on backups to manually restart its operations.
In announcing the hearing, Rep. Bennie Thompson, D-Miss., the House Homeland Security Committee's chairman, and John Katko, R-N.Y., it's ranking member, said Congress needs to learn more about the ransomware attack at Colonial Pipeline, why the company paid a ransom and how this could affect the security of U.S. critical infrastructure.
"As we do our work to investigate what happened at Colonial Pipeline, we must not make the mistake of taking a siloed approach to addressing cybersecurity vulnerabilities in critical infrastructure," Thompson says. "The reality is cyberattacks against critical infrastructure will have cross-sector impacts. Federal policy should be rooted in that reality, as it has been since September 11, 2001."
A spokesperson for the committee's Republican minority notes: "We hope to gain a clear understanding of vulnerabilities within Colonial’s systems as well as its decision-making process leading up to and following the attack. To mitigate attacks like this in the future, the government and industry must collaborate with clearly identified roles and responsibilities, and Ranking Member Katko will continue to work in a bipartisan manner to advance policy solutions and improve our cyber resilience."
The attack on Colonial Pipeline has spurred Republican and Democratic lawmakers to introduce several bills to address cybersecurity issues not only within the oil and gas industry but also for other parts of the nation's critical infrastructure, such as the U.S. electrical grid (see: 2 Bills Introduced in Wake of Colonial Pipeline Attack).
Colonial Pipeline's decision to pay a ransom has raised fresh questions about when it's appropriate to pay cybercriminals to recover access to encrypted data or avoid the leaking of stolen information.
For years, the FBI has advised ransomware victims not to pay ransoms because that might encourage copycat behavior. Plus, the decryptor keys that the gangs provide do not always work - as Colonial Pipeline discovered (see: Ransomware Gangs 'Playing Games' With Victims and Public).
Payment of ransoms can also violate the U.S. Treasury Department's Office of Foreign Assets Control regulations.
At the June 9 hearing, members of Congress will quiz the Colonial Pipeline CEO about why the company decided to the pay the ransom shortly after it discovered the attack.
"The company's CEO said his decision to pay the ransom 'was the right thing to do for the country.' But rather than make this problem go away, Colonial's hasty decision sets a dangerous precedent and puts an even bigger target on the back of critical infrastructure by showing that criminals can extort companies into paying millions of dollars in the desperate hopes of quickly restoring services," says Rep. Carolyn Maloney, D-N.Y., the chairwoman of the House Oversight and Reform Committee.
Katko has also come out against paying ransom. Commenting on the Colonial Pipeline incident, he said: "I think this is a major shot across the bow to tell us as a country to wake up to the fact that cybersecurity is a preeminent threat to our national security right now."
Rep. Jim Langevin, D-R.I., who serves on the Homeland Security Committee, wrote on Twitter that Congress needs more information about the Colonial Pipeline attack and company's response.
Paying cyber criminals $4.4 million, while freezing out the @FBI and @CISAgov, is not “good for the country.”— Jim Langevin (@JimLangevin) May 19, 2021
I’ll have some questions about Blount’s judgement when he appears before @HomelandDems in a couple weeks.https://t.co/9P3VjFaakr
Making a Choice
Following the attack on Colonial Pipeline, however, Anne Neuberger, the deputy national security adviser for cyber and emerging technology, noted that the decision to pay a ransom rests with the victimized organization (see: FBI: DarkSide Ransomware Used in Colonial Pipeline Attack).
Phil Reitinger, a former director of the National Cyber Security Center within the Department of Homeland Security, notes that it's difficult to criticize businesses for paying ransoms because they have to consider many factors, including the survival of the firm and the safety of employees.
Lawmakers should devise clear-cut rules about whether companies can pay ransoms to attackers and under what circumstances, Reitinger says.
"There are reasonable public policy reasons to consider banning payment of ransom," says Reitinger, who is now president and CEO of the Global Cyber Alliance. "However, if the government wants to do that, it needs to make the rule explicit and own the consequences."
He adds: "Government also needs to consider whether a single nation banning ransom payments is likely to be effective on the global internet. My view at present is that any steps in this regard should be based on reporting payments rather than banning them. Government may be slowly coming to this conclusion, based on the recent comments from the National Security Council."
Chris Pierson, CEO and founder of the security company BlackCloak, notes that paying a ransom is much more than just a cybersecurity decision.
"Colonial and others in their unenviable situation are between a rock and a hard place," he says. "The decision to pay or not pay is not a cybersecurity matter, but rather a business decision with input from legal, business lines, cybersecurity and IT, and the board. The factors that need to be weighed include duties to their customers, shareholders, employees - because they could go out of business - and also the legal authorities in the countries they operate in."
Security vendors, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency are continuing to investigate the Colonial Pipeline attack.
The Russian-speaking DarkSide ransomware gang, which authorities have blamed for the attack, said on May 13 that it had shut down its ransomware-as-a service operation (see: DarkSide Ransomware Gang Says It Has Shut Down).