Colonial Pipeline CEO Joseph Blount defended his decision to shut down his company’s operations and to pay a ransom last month to criminals who locked up its IT systems, telling lawmakers Tuesday his priority was to restore service as quickly as possible.
The company did not have a dedicated ransomware response plan despite spending an average of $40 million annually on cybersecurity, Blount acknowledged, and Colonial paid the ransom without a complete understanding of how deeply the hackers had compromised the company’s systems.
Even with its data backups, it would have taken days to determine the extent of the damage, Blount told lawmakers. That timeframe, in the face of worsening disruption to the US fuel supply, contributed to Colonial’s decision to pay the ransom, Blount said.
“And when you have a critical asset like this,” he said, “you’ve got to focus on what is the best opportunity of options you have in front of you to take avail of, and in that case, it was to get the encryption tool, and to get our information back.”
Blount faced Senate lawmakers for the first time since a six-day shutdown of the pipeline in May led to panic buying and widespread gas station outages in the Southeast. He testifies before a House committee on Wednesday.
The Colonial incident, followed several weeks later by a cyberattack on a major US meat producer, highlighted the crippling impact that ransomware can have for businesses and vital services throughout the US, as criminals have increasingly had success targeting large enterprises.
“Shutting down the pipeline was absolutely the right decision, and I stand by our employees’ decision to do what they were trained to do,” Blount wrote in his prepared remarks.
Blount’s public testimony comes a day after the Justice Department announced that US investigators recovered millions of dollars in cryptocurrency allegedly paid in ransom to hackers in the criminal group known as DarkSide.
Ransomware attacks have grown in both scope and sophistication in the last year, Deputy Attorney General Lisa Monaco said Monday, calling it an “epidemic.”
Blount admitted last month that he authorized a ransom payment of $4.4 million, calling it a “highly controversial decision,” in an interview at the time.
“I believe with all my heart it was the right choice to make, but I want to respect those who see this issue differently,” he said during testimony Tuesday.
DarkSide demanded a financial payment in exchange for a key to unlock the impacted systems, Blount said Tuesday.
According to Blount, the decryption key worked “to some degree,” but wasn’t a perfect tool.
The FBI and Department of Homeland Security recommend against paying ransom because of the potential to encourage additional attacks. Payment also does not guarantee that a victim’s files will be recovered.
In a bid to limit the financial rewards associated with ransomware, the Treasury Department has warned businesses that making a ransom payment to an entity subject to US sanctions may be considered a federal violation.
But those rules do not apply to paying non-sanctioned recipients, and Blount said Colonial went to great lengths to ensure that paying off DarkSide would not be illegal.
“I do know that repeatedly throughout the process, the fact of whether DarkSide was on the sanctions list or not was fact-checked repeatedly,” Blount told lawmakers.
That Colonial took great pains to ensure it could pay its attackers without violating US sanctions highlights the difficulty facing US authorities in changing the calculus of victims and reducing the financial pressure they feel to give in to hackers’ demands.
In the case of Colonial, it appears the company’s notification to the FBI helped investigators track down and seize approximately $2.3 million in Bitcoin that had been paid to the criminal group – a rare outcome for a company that has fallen victim to ransomware.
Blount said Tuesday that he did not personally consult with the FBI about the decision to pay the ransom, but that he understood their official position was to discourage payment.
“I do agree that their position is they don’t encourage the payment of ransom,” Blount said in the hearing. “It is a company decision to make.”
US authorities previously attributed the pipeline attack to DarkSide, a hacking group linked to Russia that emerged last summer offering ransomware as a service to so-called affiliates.
Blount is scheduled to address lawmakers twice this week
He testified first before the Senate Homeland Security and Governmental Affairs Committee on Tuesday, and is set to appear before the House Homeland Security Committee Wednesday.
Over the weekend, Energy Secretary Jennifer Granholm said she would be open to a law that bans the payment of ransom, but she said it’s unclear if Congress or President Joe Biden agree.
“I think that we need to send this strong message that paying a ransomware only exacerbates and accelerates this problem,” she told NBC’s “Meet the Press.”
The hearing also follows Colonial’s revelation that ransomware attackers gained access to the company’s computer networks in April using a compromised password.
The password had been linked to a disused virtual private networking account used for remote access, and the account was not guarded by an extra layer of security known as multi-factor authentication, Mandiant, the cybersecurity firm hired by Colonial confirmed to CNN.
On Tuesday, Blount acknowledged the password had been associated with a “legacy” VPN platform and that the company’s current setup does require multi-factor authentication using RSA tokens. The compromised password that enabled the hackers’ initial access, he added, was not a weak password.
“It was a complicated password,” he said, “so I want to be clear on that. It was not a ‘Colonial123’-type password.”
CNN previously reported that passwords were a particular vulnerability, a source familiar with the company’s cyber defenses said.
It is still unclear how the attackers obtained the compromised credential.
US authorities later said that while the attack compromised Colonial’s IT systems, there was no evidence that its operational systems had been affected.
As part of the Biden administration’s effort to grapple with the threat from ransomware, the Transportation Security Administration issued a security directive last month mandating that critical pipeline operators comply with several cybersecurity measures, including reporting cybersecurity incidents to the department within 12 hours and designating a “24/7, always available” cybersecurity coordinator.
The cyberattack on Colonial exposed how ransomware, which is primarily a criminal, profit-driven enterprise, “can rise to the level of posing a national security risk and disrupt national critical functions,” a DHS official said when the directive was announced.
The top lawmakers on the Senate Homeland Committee, Sens. Gary Peters, a Michigan Democrat, and Rob Portman, an Ohio Republican, introduced legislation in April that would establish a cyber response and recovery fund to help companies recover from significant cyber attacks.
“Our nation is increasingly vulnerable to cyberattacks every day, as the Colonial Pipeline ransomware attack showed. Cyberattacks are getting worse and more frequent while the government and critical infrastructure are more dependent on information technology,” Portman said in a statement last month.
The most important lesson Colonial took from its experience was the value of acting swiftly to identify and contain the malicious software, Blount said. That meant proactively informing law enforcement and communicating openly with authorities about what had happened.
“What we learned was, being transparent and responding quickly and not being afraid to come forward is probably one of the most important things that we did in this particular case,” Blount said.
This story and headline have been updated with additional developments Tuesday.
CNN’s Michael Conte, Christian Sierra, Briana Andrews, Evan Perez, Zachary Cohen and Alex Marquardt contributed to this story.