WASHINGTON — The CEO of Colonial Pipeline, which underwent a ransomware attack in early May that led to massive shutdowns of gas stations across the Southeast, said during a U.S. Senate hearing on Tuesday that it was his decision to pay a ransom to restore the company’s operations.
“It was one of the toughest decisions I have had to make in my life,” Joseph A. Blount Jr. said in his opening statement. “But I believe that restoring critical infrastructure as quickly as possible, in this situation, was the right thing to do for the country.”
Georgia-based Colonial Pipeline paid the $4.4 million ransom to hackers, part of a cybercriminal group called DarkSide, so that Colonial could obtain a key to unlock its pipelines.
Senate Homeland Security & Governmental Affairs Committee Chairman Gary Peters said in his opening statement that the “federal government must develop a comprehensive, all-of-government approach to not only defend against cyberattacks, but punish foreign adversaries who continue to perpetuate them or harbor criminal organizations that target American systems.”
Peters, a Michigan Democrat, then asked Blount how the federal government could help companies defend themselves from cyberattacks.
Blount said that the federal government should designate a point of contact to help private companies that are experiencing cyberattacks.
Blount testified before the committee about his company’s coordination with the Cybersecurity and Infrastructure Security Agency, also known as CISA, and what role the federal government should play in helping protect private companies from cyberattacks.
Blount said that Colonial Pipeline did not reach out to CISA, but first asked for assistance from the FBI on May 7, the day of the attack, and that the FBI coordinated a meeting that included CISA.
CISA is a standalone federal agency that operates under Department of Homeland Security oversight. It works with various agencies and private partners to evaluate cybersecurity threats and vulnerabilities and provides assessments to help safeguard those networks.
“Private industry alone can’t do everything on their own,” Blount, who was the only witness, said during his testimony.
The attack against Colonial Pipeline sparked new calls to beef up protection of the nation’s energy infrastructure.
The six-day shutdown caused widespread gas shortages in the Southeast and led to panic buying of gas.
The top Republican on the committee, Sen. Rob Portman of Ohio, questioned Blount’s decision to pay the ransom and asked if he consulted with the FBI before he did.
“I know their position is that they don’t encourage you to pay ransoms,” Blount said, adding that even after the ransom was paid, it would still take the company months to return to the fully functional operations it had before the attack.
The Department of Justice announced on Tuesday that it had seized $2.3 million in cryptocurrency, representing a significant portion of the ransom payment. Colonial had paid about 75 bitcoins, DOJ said.
Portman also pressed Blount as to how the company was hacked, and asked if Colonial Pipeline had a system for multifactor authentication, rather than a single password.
“There’s also news reports as to how this all happened,” Portman said. “There was a compromising password of a virtual private network, or VPN, account and this account apparently did not use multifactor authentication, which is kinda just a basic cyber security hygiene item that, you know, companies should have in place.”
Blount said that the VPN had only single-factor authentication, but that “it was a complicated password, so I want to be clear on that.”
He added that the company’s investigation into how the password was compromised is still ongoing.
Sen. Ron Johnson, a Wisconsin Republican, asked how much worse it would have been for the company if it had not paid the ransom.
“That’s an unknown that we don’t want to know,” Blount said. “It took us from Friday to Wednesday the following (week) and we already saw pandemonium.”
Sen. Maggie Hassan, a New Hampshire Democrat, asked how often Colonial Pipeline prepares for possible cyberattacks and if the company has a guidance plan for a ransomware attack.
Blount said that while Colonial Pipeline has participated in drills ahead of a possible attack, the company does not have guidance on what to do in case of a ransomware attack.
“This is an issue that I think we’re seeing across the board on cyber, we need to start imagining what can happen and respond accordingly as opposed to always looking at what the last problem was,” Hassan said.
Blount will also testify Wednesday before the House Homeland Security Committee about the ransomware attack on Colonial Pipeline.