Colonial Pipeline CEO grilled on Capitol Hill after crippling ransomware attack

WASHINGTON, DC — Colonial Pipeline CEO Joseph Blount told lawmakers on Capitol Hill Tuesday it was the “right decision” to halt operations at one of the largest fuel pipelines in the United States after the ransomware attack last month.

Blount faced lawmakers for the first time since a six-day shutdown of the pipeline in May led to panic buying and widespread gas station outages in the Southeast.

The Colonial incident, followed several weeks later by a cyberattack on a major U.S. meat producer, highlighted the grave risk that ransomware can have for businesses and vital services throughout the US, as criminals have increasingly had success targeting large enterprises.

“Shutting down the pipeline was absolutely the right decision, and I stand by our employees’ decision to do what they were trained to do,” Blount said in remarks.

Blount’s public testimony comes a day after the Justice Department announced that U.S. investigators recovered millions of dollars in cryptocurrency paid in ransom to hackers.

Ransomware attacks have grown in both scope and sophistication in the last year, Deputy Attorney General Lisa Monaco said Monday, calling it an “epidemic.”

Blount admitted last month that he authorized a ransom payment of $4.4 million, calling it a “highly controversial decision,” in an interview at the time.

“I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this,” he told The Wall Street Journal.

On Tuesday, Blount defended his decision to authorize the ransom payment, saying that the purchased decryption key worked “to some degree.” He told lawmakers that it wasn’t a “perfect tool,” but he wanted every option available to bring the pipeline back online.

“I would say that we know subsequently that the encryption tool actually does work to some degree as I, as I’ve stated earlier, it’s not a perfect tool,” he said.

The FBI and Department of Homeland Security recommend against paying ransom because of the potential to encourage additional attacks. Payment also does not guarantee that a victim’s files will be recovered.

In the case of Colonial, it appears the company’s notification to the FBI helped investigators track down and seize approximately $2.3 million in Bitcoins that had been paid to the criminal group — a rare outcome for a company that has fallen victim to ransomware.

Blount said Tuesday that he did not personally consult with the FBI about the decision to pay the ransom, but that he understood their official position was to discourage payment.

“I do agree that their position is they don’t encourage the payment of ransom,” Blount said in the hearing. “It is a company decision to make.”

U.S. authorities previously attributed the pipeline attack to DarkSide, a hacking group linked to Russia that emerged last summer offering ransomware as a service to so-called affiliates.

Blount is scheduled to address lawmakers twice this week, where he will likely be questioned about the payment decision, as well as the cyber security standards the pipeline had in place prior to the attack.

He testifies first before the Senate Homeland Security and Governmental Affairs Committee on Tuesday, and again before the House Homeland Security Committee Wednesday.

Over the weekend, Energy Secretary Jennifer Granholm said she would be open to a law that bans the payment of ransom, but she said it’s unclear if Congress or President Joe Biden agree.

“I think that we need to send this strong message that paying a ransomware only exacerbates and accelerates this problem,” she told NBC’s “Meet the Press.”

The hearing also follows Colonial’s revelation that ransomware attackers gained access to the company’s computer networks in April using a compromised password.

The password had been linked to a disused virtual private networking account used for remote access, and the account was not guarded by an extra layer of security known as multi-factor authentication, the cybersecurity firm hired by Colonial confirmed to CNN.

Bloomberg first reported the password vulnerability following interviews with Blount and Charles Carmakal, senior vice president at Mandiant — the forensic division of the cybersecurity firm FireEye.

It is still unclear how the attackers obtained the compromised credential.

US authorities later said that while the attack compromised Colonial’s IT systems, there was no evidence that its operational systems had been affected.

As part of the Biden administration’s effort to grapple with the threat from ransomware, the Transportation Security Administration issued a security directive last month mandating that critical pipeline operators comply with several cybersecurity measures, including reporting cybersecurity incidents to the department within 12 hours and designating a “24/7, always available” cybersecurity coordinator.

The cyberattack on Colonial exposed how ransomware, which is primarily a criminal, profit-driven enterprise, “can rise to the level of posing a national security risk and disrupt national critical functions,” a DHS official said when the directive was announced.

The top lawmakers on the Senate Homeland Committee, Sens. Gary Peters, a Michigan Democrat, and Rob Portman, an Ohio Republican, introduced legislation in April that would establish a cyber response and recovery fund to help companies recover from significant cyber attacks.

“Our nation is increasingly vulnerable to cyberattacks every day, as the Colonial Pipeline ransomware attack showed. Cyberattacks are getting worse and more frequent while the government and critical infrastructure are more dependent on information technology,” Portman said in a statement last month.