Colonial Pipeline President and CEO Joseph Blount was grilled by lawmakers Tuesday on his decision to pay hackers in a ransomware attack that forced a temporary shutdown of operations — and led to gas shortages in parts of the country.
During a sometimes-tense Senate Homeland Security and Governmental Affairs Committee hearing, Blount indicated that the company did not consult with the FBI and other agencies before it paid the equivalent of $4.4 million in bitcoin to regain control of its systems.
“It was our understanding that the decision was solely ours as a private company to make the decision about whether to pay or not to pay,” Blount said in response to a question from Sen. Gary Peters (D-Mich.), the panel’s chairman.
“Considering the consequences of potentially not bringing the pipeline back on as quickly as I possibly could, I chose the option to make the ransom payment,” he said.
Blount apologized for the impact of the attack but stressed that he had no regrets.
“I believe with all my heart it was the right choice to make,” Blount testified.
Colonial provides 45 percent of the East Coast’s fuel. Shortages were seen in several states for more than a week following the shutdown.
Blount’s testimony came a day after Justice Department officials announced that they had recovered the majority of the ransom paid by Colonial to the DarkSide ransomware group.
Senators on both sides of the aisle criticized Blount, pointing out that the FBI and other agencies recommend against paying a ransom as it can encourage criminals to carry out future attacks and the funds could be used for criminal activities.
“I am glad your company was able to recover from this malicious attack and that the FBI was able to recover millions of dollars in ransom paid, but I am alarmed that this breach ever occurred in the first place, and that communities from Texas to New York suffered as a result,” Peters said.
Committee ranking member Rob Portman (R-Ohio) asked Blount whether the DarkSide hackers were on the Treasury Department’s sanctions list. Blount insisted that legal representatives had repeatedly checked the list before paying a ransom.
“This is about looking forward, how do we avoid the situation where sanctioned individuals or entities are getting a ransomware payment, which is a violation of federal law,” Portman warned.
This criticism was compounded by new details on Colonial’s security revealed Tuesday. Blount testified that multifactor authentication was not used to secure the account suspected to have been exploited by hackers to gain access to company systems and that there was no plan in place to respond specifically to a ransomware attack.
“My concern is how unprepared Colonial Pipeline was,” Sen. Maggie Hassan (D-N.H.) told reporters following the hearing. “I have small school districts in New Hampshire that are more prepared than Colonial Pipeline appeared to be, and that’s really concerning.”
“When critical infrastructure is run by a private entity there need to be some rules and some frameworks to make sure that the interests of the American people are served,” she added.
Blount stressed that Colonial had learned from the attack and was pouring resources into cybersecurity, including periodic system penetration tests and security audits.
“The safety and security of the system is highly critical. We have never had our board deny us any funds associated with safety and security, whether it’s with the IT or the physical side of the pipe,” he testified. “If my CIO wants funds, she gets it.”
Blount received a number of tough questions from Democrats, while his reception from Republicans was mixed. Some GOP senators emphasized that Colonial was a target, while others pressed him for information on cybersecurity.
“I want to start out by again emphasizing … that you were the victim of a crime. You’re not the bad guy here,” said Sen. Ron Johnson (R-Wis.).
Meanwhile, Sen. Josh Hawley (R-Mo.) sought to contrast the company’s dividends given to investors with its spending on cybersecurity.
In response to his question on how much the company was spending on cybersecurity, Blount said it had spent more than $200 million on its IT systems over the last five years, although it’s not clear how much of that spending was specifically for cybersecurity.
“What are you doing in terms of your investment for cybersecurity? I know you’re paying your investors well,” Hawley said.
During the line of questioning, Blount said that the company’s owners include Koch Industries and a division of Shell.
After the pipeline’s shutdown, a peak of more than 16,000 gas stations were without gas, according to tracking website GasBuddy, and there were points where more than half of gas stations were out of fuel in several Southern states.
Analysts largely linked the outages to panic-buying and hoarding that followed reports of the shutdown, rather than the shutdown itself.
The attack on Colonial came amid a growing number of cyberattacks that have hit hospitals, health care groups and schools.
Ransomware attacks have become a particular concern, and over the past month targets have included food processor JBS USA and a major ferry operator in Massachusetts.
The Biden administration has taken notice, with the Justice Department standing up a ransomware task force in April to address the incidents and the Department of Homeland Security making ransomware a priority issue.
President Biden is set to address the issue with Russian President Vladimir Putin later this month at an in-person summit, as both the attacks on Colonial and JBS were linked by the FBI to criminal groups based in Russia. The nation was also sanctioned by Biden for the government’s alleged involvement in carrying out the SolarWinds hack last year, which compromised nine federal agencies.
Capitol Hill is continuing to zero in on concerns with ransomware, with Blount set to testify again Wednesday on the Colonial ransomware attack before the House Homeland Security Committee.
Peters told reporters Tuesday that his committee is working on “comprehensive legislation” to address ransomware attacks and other cyber threats. He stressed at the hearing the need to get a handle on the threat and to prevent disruption to daily life.
“I think every member on this committee agrees that this committee will focus our collective attention and resources on dealing with this problem,” Peters testified. “Cyberattacks used to be merely an inconvenience. We now know they are becoming attacks on our very way of life.”