At a House Homeland Security Committee hearing Wednesday afternoon, Colonial Pipeline CEO Joseph Blount touted a sweeping vision of corporate transparency in the face of cybercrime, as representatives questioned how transparent he was with the FBI and Department of Homeland Security before and after Colonial fell victim to a devastating ransomware attack.
The hearing touched on the internal and external debates that face most executives during a crippling cyberattack: How fast should a company act, and what decisions should be made internally versus in consultation with external advisers or the federal government.
“I encourage all CEOs who have been hacked and subject to a cyber attack to be very transparent about it,” he said, noting that Colonial had taken less than twenty-four hours to begin incident response, contain malware by shutting down the pipeline and escalate the issue through the FBI to the White House. “It’s the only way we’re going to learn that these attacks continue to change, [that] there’s variants of these attacks. Any information we can get on a timely basis is helpful to everybody in this country.”
Meanwhile, representatives pressed him on a perceived failure to arrange a voluntary cybersecurity audit from the Transportation Security Administration before Colonial was attacked, why the company didn’t coordinate paying ransom with the FBI and why the company made other strategic decisions as the pipeline, the major provider of gasoline to the East Coast, was forced to shut down in early May.
It also gave Blount and a representative from Mandiant, the primary firm running the response and recovery to the attack, a chance to clarify key points about how the DarkSide ransomware event played out. For example, it had been reported that the decryption program that cost Colonial a $4.4 million ransom didn’t work. That turned out to be false. Mandiant Chief Technology Officer Charles Carmakal testified that the program may have had bugs, but was perfectly functional. While Mandiant opted to forgo using the program, it was only because working from backups was quicker.
Rep. Bonnie Watson Coleman, D-N.J., needled the company for paying a ransom if it was working from backups.
“That begs the question, if they already had the capacity to get back online, why they ever paid the ransom?” she asked, rhetorically, as her time expired.
Colonial’s experience is actually not exceptional. The law firm BakerHostetler calculated in a recent report that 20% of its clients who restored systems from backups after a ransomware attack in 2020 also paid a ransom.
Blount answered Watson Coleman elsewhere in his testimony.
“When you are there in the early hours of having your servers and computers encrypted, you don’t know what you have in front of you, how good your backup systems are. And what I’ve learned over the course of last month is a lot of companies have backup systems that don’t help them at the end of the day,” he said. “So again, not knowing what the answer to that was for days, whether we could use our backup systems to restore the Colonial Pipeline system back to service or not, we had to avail ourselves of any in every option we had, one of which was the DM friction tool.”
He noted that even with Mandiant’s assistance, it took days to figure out exactly the extent of the breach.
Also not extraordinary is for companies to, like Colonial, use a negotiator to receive a working decryption program. In fact, BakerHostetler says 99% of its clients used a negotiator, and 98% of its clients received a working decryption tool.
Blount was pressed by several members of Congress about reports Colonial had refused a voluntary cybersecurity audit from the TSA several times over the past year. He said that the company did not refuse the offer. Instead, he said, they needed to schedule around COVID-19 concerns and the company moving to a new location. Colonial has scheduled an audit for July, though it is unclear whether or not that scheduling happened before or after the ransom.
Earlier this week, at a press conference to announce that law enforcement was able to recover the majority of the ransom, the FBI and Department of Justice praised Colonial for quickly notifying them of the attack and cooperating with the investigation. Law enforcement was able to recover 63.7 bitcoin out of the 75 bitcoin Colonial paid. In the past month, however, the value of bitcoin plummeted. The recovered funds are now only worth about half of the dollars of ransom paid despite being nearly 90% of the bitcoin.
Blount emphasized that working with government and informing the public was good business and good corporate citizenship.
“I’m sure there’s any number of reasons why people are hesitant” to be transparent about being breached, he said. “Perhaps they’re embarrassed. Perhaps they have a brand name they’re trying to protect. But I think in the long run, transparency and honesty with regard to this particular topic is extremely important to all American citizens in our effort to try to stop what we’re seeing become more and more a daily event.”
Blount said that the company had disclosed the ransomware wallet address to the FBI two days into the attack, but did not discuss whether or not to pay ransom with the FBI. He said the company was aware that the FBI was against payment in all cases, but believed as critical infrastructure, the pipeline needed to weigh all options.
“I did not like handing that money over to criminals, but it was a decision that I made in order to support the country,” he said.
He later said the company had not tracked how much money it lost through the ransomware attack.
“We have not been focused on the cost of the incident,” he said. “We’ve been focused on the remediation of what took place. We were very focused on bringing the pipeline back as quickly as we could to support the economy in the United States.”
Carmakal cleared up some nuances in the cause of the breach, previously reported as an employee’s VPN account with a password used across multiple sites. It was a vestigial account thought to have been closed before the attack, he said. The account has since been closed. He said that while the password has been seen in password lists circulating hacker communities, it was not clear what breach specifically led to the password leaking.
In his opening remarks, Chair Bennie Thompson, D-Miss., said he hoped that Colonial would use some of the recovered ransom to strengthen cybersecurity.
“Your request today, putting an additional $2.2 million into hardening our systems further is not a difficult one to address and agree to,” he said.