September 30, 2024
Colonial CEO Welcomes Federal Cyber Assistance
U.S. Senate
Colonial Pipeline CEO Joseph Blount faced tough questions about the cyberattack against his company in a hearing of the Senate Homeland Security committee.

Last month’s cyberattack against Colonial Pipeline is a warning sign that “private industry alone can’t … solve the [cybersecurity] problem totally,” company CEO Joseph Blount told lawmakers at a hearing of the U.S. Senate’s Homeland Security and Governmental Affairs Committee on Tuesday.

Blount was on the defensive for most of the hearing, as he parried members’ questions about the hack that led the company to shut down its entire network, which carries almost half the supply of gasoline, diesel, and other fuel products to the U.S. East Coast. The FBI has linked the ransomware attack with DarkSide, a cybercrime group believed to be based in Eastern Europe that develops ransomware tools and provides them to affiliates to perform the actual hacking and deployment. (See Glick Calls for Pipeline Cyber Standards After Colonial Attack.)

Several members, including committee Chair Gary Peters (D-Mich.) and ranking member Rob Portman (R-Ohio), asked Blount about his decision to pay the 75 bitcoin (then about $4.4 million) ransom that the attackers demanded for the release of the data they had encrypted, which he confirmed in an interview with the Wall Street Journal last month. (See Colonial Hack Sparks Competing Recommendations at FERC.)

At least part of the ransom has since been recovered. The Justice Department confirmed Monday that the FBI had raided an online wallet belonging to DarkSide and seized more than 63 bitcoins with a current market value around $2.3 million.

Ransom Decision Tough but Necessary

In his written testimony Tuesday, Blount acknowledged the recovery of the funds and said that authorizing the payment was “one of the toughest decisions I have had to make in my life,” but said it was “the right thing to do for the country” in order to avert a prolonged shutdown.

Whether it was the right decision or not, paying off the attackers is contrary to the official recommendation of the FBI, as multiple lawmakers pointed out in their questioning. Portman noted that according to the timeline of the attack that Blount presented, Colonial had notified the FBI within hours of discovering the breach on May 7. Portman asked whether the FBI had made that recommendation clear to the company before it paid the ransom on May 8.

“I was not in that conversation; I can’t confirm or deny that,” Blount replied. “But I do agree that their position is they don’t encourage the payment of ransom. It is a company’s decision to make.” He confirmed that the company had verified with the Treasury Department’s Office of Foreign Assets Control that DarkSide was not on the list of sanctioned individuals or entities with which U.S. companies are forbidden from doing business.

Portman went on to ask about the effectiveness of the decryption tool that Colonial received in return for the ransom payment, observing that media reports claimed that the tool was so slow as to be unusable and that Colonial relied on its backups to restore the affected systems.

“So you paid the ransom, they gave you the decryption tool to be able to undo the harm that they did — that’s how it normally works — and yet the decryption tool was not effective. Is that correct?” Portman asked.

“The decryption tool is an option that’s made available to you. When you’re looking at bringing critical infrastructure back up as quickly as you possibly can, you want to make every option available to you that you can,” Blount said, adding that the tool “has worked.” However, when asked by Portman whether the reports were inaccurate, he qualified his statement by saying the tool worked “to some degree.” Later in the hearing he referred to the story obliquely with a mention of Colonial’s “really good backups.”

Colonial’s Federal Cooperation Questioned

The federal government’s response to the hack was another major topic of interest at Tuesday’s hearing, with Blount praising the Department of Energy for providing a “single point of contact” for the company so it would not have to juggle responses to multiple federal agencies during the crisis.

However, Blount returned to the defense when Peters asked about Colonial’s relationship with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). Testifying before the committee last month, CISA’s acting director Brandon Wales said that the company had not contacted his agency directly to inform it of the attack; instead, it called the FBI, which brought in CISA separately.

Questioned by Peters on this apparent oversight, Blount said he sees CISA as a “good organization” and that Colonial regularly communicates with the agency and participates in its events and exercises. He stressed that the company had not meant to leave CISA in the dark, but felt it unnecessary to reach out directly because the FBI — which, he noted, they had contacted “almost immediately” after discovering the attack — had already indicated it planned to bring in the agency in a later call.

Portman observed that at the time of the attack, informing CISA was voluntary; since then, he noted, the Transportation Security Administration (TSA) — which regulates pipelines — has issued a new security directive mandating that pipeline operators and owners report any potential cybersecurity incidents to CISA. Blount responded that the company is now “fully compliant” with the new regulation.

Senator Josh Hawley (R-Mo.) pressed Blount further on Colonial’s cooperation with the federal government, asking why the company had failed to take up the TSA’s offer of a comprehensive cybersecurity review of the pipeline three times before the attack, as reported in the Washington Post. Blount said that the company had tried to schedule the review but it had to be delayed due to the COVID-19 pandemic and Colonial’s recent office move.

“We have a good working relationship with TSA,” Blount said, adding that he was “a little surprised” by the report and that neither Colonial’s chief information officer nor “their contacts on TSA’s side” knew why their scheduling difficulty had been described as a refusal. He also suggested that the specific review TSA planned probably wouldn’t have detected the vulnerability that the hackers used anyway.
