
Colonial Pipeline may use recovered ransomware attack funds to boost cybersecurity

Colonial Pipeline may use the funds recovered from the cyber criminals behind last month’s ransomware attack to increase cybersecurity, Joseph Blount, the company’s president and CEO, said Wednesday.

“We are always in the process of hardening our systems and making investments in IT and cybersecurity at Colonial, so your request today, and putting an additional $2.2 million into hardening our systems further, is not a difficult one to address and agree to,” Blount testified in response to a question from House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) on whether the ransom funds would be used to shore up security.

“We are making a substantial investment, and part of that reason is we have been compromised. We’ve had criminals in our system, and we need to change a lot of the things we already had because they would be familiar with them from having been in the system over the course of those days,” Blount noted.

His testimony came days after the Justice Department announced that it had recovered around $2.3 million in bitcoin from the cyber criminals who launched a crippling ransomware attack last month against Colonial. The funds made up the majority of the $4.4 million in bitcoin that Colonial chose to pay hackers in order to decrypt its networks. 

The attack forced the company, which provides 45 percent of the East Coast’s fuel supply, to shut down the full pipeline for days, leading to gasoline shortages in several states. 

“I hope the FBI’s success serves as an incentive for future ransomware victims to engage with law enforcement early,” Thompson said at the hearing. “I hope Colonial will use the recouped money to make necessary improvements to its cybersecurity.”

Blount personally made the decision to pay the cyber criminals behind the attack, linked by the FBI to a Russia-based group, and reiterated Wednesday that the decision was “the right choice to make” in order to get the pipeline up and running again quickly.

But under questioning from Rep. Jim Langevin (D-R.I.), Blount confirmed that the company had cyber insurance and that the original $4.4 million in bitcoin paid out to the hackers would likely be covered. 

“We’ve had cyber insurance for quite some time. We have submitted a claim for that ransom payment, and I haven’t had that confirmed to me yet, but I suspect that it will be covered,” Blount said, insisting that during the response to the attack “the insurance wasn’t even in the forefront of my mind.”

Blount’s comments came during the second of two hearings on Capitol Hill this week centered on the ransomware attack on Colonial, with lawmakers hammering him on the company’s decision to pay the ransom and its communication with various federal agencies. 

Blount testified at both the House hearing and a previous hearing before the Senate Homeland Security and Governmental Affairs Committee that his company was taking steps to increase cybersecurity, including by ensuring that more cybersecurity funds were available if needed.

But in the wake of a year of increasingly dire cyber incidents — such as the separate SolarWinds hack that compromised nine federal agencies and ransomware attacks on hospitals — some lawmakers criticized Colonial Pipeline for not doing more earlier. 

“I appreciate Colonial Pipeline’s identification of places where they are now hardening systems in response to the devastating ransomware attack in May, but this begs an obvious question,” House Homeland Security Committee ranking member John Katko (R-N.Y.) testified Wednesday. “If your pipeline provides fuel to 45 percent of the East Coast, why are you only hardening systems after an attack?”

“I’m not interested in blaming the victim here, but we all must learn from these incidents to prevent future destruction,” he said. 

Langevin blasted Blount following the hearing for refusing an offer from the Cybersecurity and Infrastructure Security Agency (CISA) to examine Colonial’s system following the attack, with Blount testifying that “world-class experts” hired by Colonial, such as those from FireEye, were examining the system.

“In light of the damage caused to Colonial Pipeline, Mr. Blount’s sustained rejection of CISA assistance is the height of irresponsibility,” Langevin said in a statement. “Mr. Blount’s testimony raises significant questions about whether private companies that operate systemically important critical infrastructure like pipelines should be permitted to freeze out federal agencies like CISA.”

The concerns in the House came the day after Blount was grilled in the Senate about his company’s response to the attack.

Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.) told reporters following the hearing that his committee was drafting legislation to tackle ransomware and increasing cyberattacks. 

“Cyberattacks used to be merely an inconvenience,” Peters said. “We now know they are becoming attacks on our very way of life.”