Colonial Pipeline CEO testifies after ransomware attack

By Meg Wagner, Melissa Macaya, Melissa Mahtani, Mike Hayes and Veronica Rocha, CNN

Updated 4:25 p.m. ET, June 8, 2021
4:24 p.m. ET, June 8, 2021

Here's what we learned from the Colonial Pipeline CEO's testimony today

Colonial Pipeline's CEO Joseph Blount speaks to the media following a Senate hearing on June 8. Graeme Jennings/Pool/AFP/Getty Images

Colonial Pipeline's CEO Joseph Blount just wrapped up testimony before the Senate regarding a recent ransomware attack that prompted the shutdown of the key East Coast pipeline.

In case you missed it, here were the key moments from the hearing:

  • Blount made the decision to pay the hackers: Blount said during his opening remarks "I made the decision to pay" the ransomware hackers that shut down the pipeline last month. He said it was "the hardest decision" he's ever made in his career, adding, "I believe with all my heart it was the right choice to make."
  • Blount said Colonial contacted the FBI "within hours" of the attack: He said that his company reached out to the FBI "within hours" of the ransomware attack. Asked during questioning by Sen. Tom Carper, a Democrat from Delaware, about his contact with the FBI in the early hours of the May 7 attack, Blount said that Colonial first contacted the Atlanta office of the FBI. "They felt it was DarkSide," Blount said, referring to the criminal hacking group that officials said carried out the attack.
  • He pushed back on DHS criticism about communications: Blount told lawmakers Tuesday he was "disappointed" to hear the Department of Homeland Security cybersecurity agency raised concerns about communications between the company and the federal agency. Last month, DHS Cybersecurity and Infrastructure Security Agency acting director Brandon Wales testified that his agency was brought in by the FBI, not Colonial. Wales said that there’s a "benefit when CISA is brought in quickly" because the agency can share it in a broader fashion to protect other critical infrastructure.
  • Ransom payment was not part of Colonial's cybersecurity response planning: Blount said that they made the decision to pay the hackers without knowing the full scope of the infiltration of Colonial's systems. Blount said the decision was made that it was a priority "to get the encryption tool" from the hackers "and get our information back." Sen. Maggie Hassan asked Blount if Colonial in their cybersecurity response planning had a plan related to ransom. "Specifically no, no discussion on ransom," Blount said.
  • Blount says the decryption key worked but was not perfect: Blount defended his decision to authorize ransom payment to hackers last month, saying that the purchased decryption key worked "to some degree." He told lawmakers that it wasn't a "perfect tool," but he wanted every option available to bring the pipeline back online. 

12:23 p.m. ET, June 8, 2021

How the Biden administration is responding to the rise in cyberattacks

From CNN's Evan Perez, Zachary Cohen and Alex Marquardt

In recent weeks, cybercriminals have increasingly targeted organizations that play critical roles across broad swaths of the US economy. The fallout from those attacks shows how hackers are now causing chaos for everyday Americans at an unprecedented pace and scale.

Energy Secretary Jennifer Granholm on Sunday warned that "very malign actors" had the US in their sights after attacks on a pipeline, government agencies, a Florida water system, schools, health care institutions and, even last week, the meat industry and a ferry service to millionaire's playground Martha's Vineyard.

"Even as we speak, there are thousands of attacks on all aspects of the energy sector and the private sector generally ... it's happening all the time," Granholm told CNN's Jake Tapper on "State of the Union."

The Justice Department signaled last week that it plans to coordinate its anti-ransomware efforts with the same protocols as it does for terrorism, following a slew of cyberattacks that have disrupted key infrastructure sectors ranging from gasoline distribution to meatpacking.

Deputy Attorney General Lisa Monaco issued an internal memo directing US prosecutors to report all ransomware investigations they may be working on, in a move designed to better coordinate the US government's tracking of online criminals.

The memo cites ransomware — malicious software that seizes control of a computer until the victim pays a fee — as an urgent threat to the nation's interests.

"We must enhance and centralize our internal tracking of investigations and prosecutions of ransomware groups and the infrastructure and networks that allow these threats to persist," Monaco wrote.

The tracking effort is expansive, covering not only the DOJ's pursuit of ransomware criminals themselves but also the cryptocurrency tools they use to receive payments, automated computer networks that spread ransomware and online marketplaces used to advertise or sell malicious software. The DOJ directive requires US attorneys' offices to file internal reports on every new ransomware incident they hear about.

Some more actions: As part of the Biden administration's effort to grapple with the threat from ransomware, the Transportation Security Administration also issued a security directive last month mandating that critical pipeline operators comply with several cybersecurity measures, including reporting cybersecurity incidents to the department within 12 hours and designating a "24/7, always available" cybersecurity coordinator.

The cyberattack on the Colonial Pipeline exposed how ransomware, which is primarily a criminal, profit-driven enterprise, "can rise to the level of posing a national security risk and disrupt national critical functions," a DHS official said when the directive was announced.

The top lawmakers on the Senate Homeland Committee, Sens. Gary Peters, a Michigan Democrat, and Rob Portman, an Ohio Republican, introduced legislation in April that would establish a cyber response and recovery fund to help companies recover from significant cyber attacks.

CNN's Geneva Sands contributed reporting to this post.

12:13 p.m. ET, June 8, 2021

GOP senator presses Colonial CEO on how much company spends on cybersecurity

Pool

Missouri GOP Sen. Josh Hawley pressed Colonial Pipeline CEO Joseph Blount on the amount of money that the company has spent in recent years on its cybersecurity versus what it has paid out to its investors.

When asked what the company has invested in cybersecurity, Blount said "we invest over $200 million dollars over the last five years in our IT systems." He said he didn't have the annual numbers in front of him but told Hawley to "take the average" of that number to approximate what they spent each year.

Hawley noted that, in contrast, according to recent reports the company paid as much as $670 million in dividends to its investors in 2018.

11:33 a.m. ET, June 8, 2021

Decryption tool from hackers worked but not perfect, says Colonial Pipeline CEO 

From CNN's Geneva Sands and Christian Sierra

Graeme Jennings/Pool/AFP/Getty Images

Colonial Pipeline CEO Joseph Blount defended his decision to authorize ransom payment to hackers last month, saying that the purchased decryption key worked "to some degree."

He told lawmakers that it wasn't a "perfect tool," but he wanted every option available to bring the pipeline back online. 

"I would say that we know subsequently that the encryption tool actually does work to some degree as I, as I've stated earlier, it's not a perfect tool," he said.

The FBI and Department of Homeland Security recommend against paying ransom because of the potential to encourage additional attacks. Payment also does not guarantee that a victim's files will be recovered.

Earlier in the hearing Blount said, "I believe with all my heart it was the right choice to make" to pay the ransom, but "I want to respect those who see this issue differently."

11:29 a.m. ET, June 8, 2021

Colonial Pipeline CEO pushes back on criticisms about contacts with DHS cybersecurity agency

Colonial Pipeline CEO Joseph Blount pushed back on criticisms about his contacts with DHS's Cybersecurity and Infrastructure Security Agency (CISA) in the early hours after the company became aware of the ransomware attack.

Last month, DHS Cybersecurity and Infrastructure Security Agency acting director Brandon Wales testified that his agency was brought in by the FBI, not Colonial. Wales told Republican Sen. Rob Portman of Ohio at the previous hearing he did not think that Colonial would have contacted CISA directly, if not for the FBI reaching out. 

When pressed, Wales said that there’s a "benefit when CISA is brought in quickly" because the agency can share it in a broader fashion to protect other critical infrastructure. 

Asked about these comments from the CISA acting director today by Sen. Jacky Rosen, Blount said that after the company contacted the FBI they told Colonial "we will call CISA and bring them into the conversation." 

"We knew that CISA would be notified," Blount said, adding, "We had a conversation with CISA the first day."

He said that if the FBI had not indicated that they were contacting them, "We would have called" CISA.

"We wanted all the help we could get," he said.

11:10 a.m. ET, June 8, 2021

Colonial Pipeline CEO says paying ransom was not part of company's cybersecurity response planning

Graeme Jennings/Pool/AFP/Getty Images

Colonial Pipeline CEO Joseph Blount said that at the time he decided to pay the hackers millions of dollars in ransom the company did not know how much of its network had been affected by the hack.

In response to a question by Sen. Maggie Hassan, a Democrat from New Hampshire, about what the company knew about the extent of the hack initially, Blount said that it "takes days to know how much" of the company's systems "has been infiltrated."

On the decision to pay the hackers without having the full view of the damage, Blount said the decision was made that it was a priority "to get the encryption tool" from the hackers "and get our information back."

In a follow-up question, Hassan asked Blount if Colonial in their cybersecurity response planning had a plan related to ransom.

"Specifically no, no discussion on ransom," Blount said.

10:57 a.m. ET, June 8, 2021

Colonial CEO "disappointed" in DHS cybersecurity agency comments 

From CNN's Geneva Sands

Colonial Pipeline CEO Joseph Blount told lawmakers Tuesday he was "disappointed" to hear the Department of Homeland Security cybersecurity agency raised concerns about communications between the company and the federal agency. 

Last month, DHS Cybersecurity and Infrastructure Security Agency acting director Brandon Wales testified that his agency was brought in by the FBI, not Colonial. Wales told Republican Sen. Rob Portman of Ohio at the previous hearing he did not think that Colonial would have contacted CISA directly, if not for the FBI reaching out. 

When pressed, Wales said that there’s a "benefit when CISA is brought in quickly" because the agency can share it in a broader fashion to protect other critical infrastructure. 

On Tuesday, Blount said his company has historically maintained communication with CISA.

"I was somewhat disappointed when I heard that they felt like if we hadn't gone in and contacted them the first day with the FBI that we would not have contacted them separately," Blount said. 

11:09 a.m. ET, June 8, 2021

Colonial Pipeline CEO: We reached out to the FBI "within hours" of the attack

Storage tanks are seen at a Colonial Pipeline facility in New Jersey on May 12. Mark Kauzlarich/Bloomberg/Getty Images

Colonial Pipeline CEO Joseph Blount said that his company reached out to the FBI "within hours" of the ransomware attack.

Asked during questioning by Sen. Tom Carper, a Democrat from Delaware, about his contact with the FBI in the early hours of the May 7 attack, Blount said that Colonial first contacted the Atlanta office of the FBI. "They felt it was DarkSide," Blount said, referring to the criminal hacking group that officials said carried out the attack.

From there, Blount said that Colonial was put in touch with the FBI's "DarkSide experts" who are California-based.

Some more context: Ahead of today's Senate hearing with Colonial Pipeline's CEO, US investigators announced they recovered millions in cryptocurrency they say was paid in ransom to hackers whose attack prompted the shutdown of the key East Coast pipeline last month, the Justice Department said Monday.

The announcement confirmed CNN's earlier reporting about the FBI-led operation, which was carried out with cooperation from Colonial Pipeline, the company that fell victim to the ransomware attack in question.

Specifically, the Justice Department said it seized approximately $2.3 million in Bitcoins paid to individuals in a criminal hacking group known as DarkSide. The FBI said it has been investigating DarkSide, which is said to share its malware tools with other criminal hackers, for over a year.

CNN's Evan Perez, Zachary Cohen and Alex Marquardt contributed reporting to this post. 

10:37 a.m. ET, June 8, 2021

Colonial Pipeline CEO: "I made the decision to pay" the ransomware hackers

Pool

Colonial Pipeline CEO Joseph Blount said during his opening remarks "I made the decision to pay" the ransomware hackers that shut down the pipeline last month.

He said it was "the hardest decision" he's ever made in his career, adding, "I believe with all my heart it was the right choice to make."

Blount said that his company worked with law enforcement "from the start" including the Department of Justice and FBI, which "may have led to the recovery this week" of millions paid to the hackers.

Blount's public testimony comes a day after the DOJ announced that US investigators recovered millions of dollars in cryptocurrency paid in ransom to hackers.

The company discovered the cyberattack on May 7 just before 5:00 a.m. when an employee found a ransom note on its IT network. The employee notified a supervisor who ordered the shutdown of the pipeline.

"Shutting down the pipeline was absolutely the right decision, and I stand by our employees’ decision to do what they were trained to do," Blount said in prepared remarks.  

He said the decision was driven by the "imperative to isolate and contain the attack" to help ensure the malware on the IT network did not spread to the operational network, which controls the pipelines. 

More on the ransomware attack: The process to shut down 5,500 miles of pipelines took about 15 minutes and was complete by 6:10 a.m., according to Blount. In prepared remarks, he recognized the "gravity of the disruption that followed the shutdown, including panic-buying and shortages on the East Coast," and apologized to everyone impacted by this attack.

Colonial, which has around 950 employees, began returning all pipelines to service on Wednesday evening, May 12. As part of the restart process, the company increased air surveillance and drove over 29,000 miles for inspections of the pipeline to ensure physical security. 

Last month after intense speculation, Blount publicly admitted he made the decision to pay the ransom to the hackers as the company tried to get its services up and running again. 

CNN's Geneva Sands contributed reporting to this post.