WASHINGTON — The CEO of Colonial Pipeline, during his first appearance before lawmakers, took full responsibility for the decision to pay a multimillion-dollar ransom to criminal hackers who penetrated the company’s networks in May.
“I made the decision to pay,” Joseph Blount told members of the Senate Homeland Security Committee during a hearing on Tuesday morning. “I put the interests of our country first.”
Blount, who became president and CEO of the major U.S. pipeline in 2017, explained to the committee why he chose to make a payment of $4.4 million for a decryption tool to try and bring the company’s networks back online as quickly as possible, knowing that the pipeline is a “critical asset” that millions of Americans “rely on daily,” he said.
On the morning of May 7, he said, the company quickly responded to the attack by calling the Atlanta field office of the FBI “within hours.” The FBI scheduled a call just before noon on the East Coast to bring in investigators in California from the bureau’s “center of excellence” on the DarkSide ransomware group — a ransomware-as-a-service business that sells access to its malicious tool in exchange for a cut of the profits from successful digital extortion campaigns.
At the time, however, Colonial did not know just how much information the attackers had stolen or how far into the networks they had penetrated, Blount said. The company preemptively shut down its IT systems to prevent further compromise.
The FBI on the morning of the attack was focused on gathering information about what happened, Blount said. The bureau’s official guidance is not to pay ransoms because they encourage future cybercrime. Blount said he was aware of that guidance but did not discuss it with the FBI that day, concluding after discussions with lawyers and outside experts that “it was our understanding that the decision was solely ours as a private company to make the decision about whether to pay or not.” The lawyers “fact-checked” whether DarkSide was a sanctioned entity to make sure a payment wouldn’t be in violation of federal law, he said.
While Blount also hired the private cybersecurity company Mandiant to help investigate the breach and restore access to the company’s backups, there was no guarantee it would be successful, and he wanted access to “every option” available to get the systems back up and running. He understood the importance of restoring the flow of more than 100 million gallons of fuel that the company distributes every day to 45 percent of the East Coast, from gas stations to first responders and airlines, he said.
Watching panic rise across the country as people filled plastic bags with gasoline and “fistfights” broke out at fueling stations, Blount said, he wanted to act as quickly as possible. “We already started to see pandemonium going on at the markets,” he said.
Blount ultimately tasked third-party negotiators with paying the criminal hackers on the morning of May 8, one day after he learned of the network attack, he disclosed. The encryption tool worked “to some degree,” he said, but it was not a “perfect tool,” making Mandiant’s restoration of the company’s backups even more important.
While Colonial began restoring the pipeline within six days of the attack, the FBI is still investigating what happened, and the company is still gradually bringing its systems online. This week it brought back seven financial systems “we haven’t had since the morning of May 7,” Blount said.
On Monday afternoon, the Department of Justice announced that the FBI was able to recover the majority — $2.3 million — of the ransomware payment by tracing the funds back to the criminals’ cryptocurrency wallet. While it’s unclear how the FBI got access to the wallet, court documents outlining the seizure note that the FBI had access to the owner’s private keys.
As ransomware becomes a bigger problem for companies from small businesses to critical infrastructure firms, both the private sector and the federal government will need to continue to find ways to defend against and respond to attacks, including tackling the problem of ransomware payments.
Blount told senators that his company, like many in the pipeline sector, has a broader emergency response plan, but that did not previously include a “discussion about ransom.” Going forward, it’s likely both private companies and the government will need to factor in the crime of ransomware while doing defensive planning and conducting tabletop exercises simulating potential attacks.
Increased regulation or reporting requirements for companies has been one suggested avenue, though Sen. James Lankford, R-Okla., noted during the hearing that he was not confident the U.S. government would be agile enough to develop those standards and continually maintain them.
Regardless, Blount said he hopes other companies learn from Colonial’s experience and that the government and private sector develop ways to improve defenses.
“The most important lesson learned is to respond immediately,” Blount said, adding that Colonial had learned the value of communication. “I think that what we learned was that being transparent ... was probably one of the most important things that we did.”
Read more from Yahoo News: