Colonial Pipeline CEO Joseph Blount’s admission Tuesday that he paid a $4.4 million ransom against the FBI’s wishes illustrates one of the most insurmountable cybersecurity problems in protecting the nation’s critical infrastructure from future attacks, experts say.
“Here’s the point: We cannot stop U.S. companies from paying ransom,” lamented one Justice Department lawyer involved in cybercrime and security issues.
Blount, in his much-anticipated testimony before the Senate Homeland Security and Governmental Affairs Committee, said that Colonial Pipeline knew the FBI officially advises companies not to pay ransom money in cases like the one that shut down the nation’s largest fuel pipeline artery for five days last month. He also said that he knew full well that the FBI can’t tell him or any other private sector CEO what to do when it comes to negotiating with digital extortionists.
And while he called the ransom paid to the DarkSide criminal hacking organization “the hardest decision I’ve made in my 39 years in the energy industry,” Blount suggested to senators that he would do it again.
Blount wasn’t asked too many probing questions about the ransom payment or about some reported cybersecurity lapses by Colonial Pipeline in the run-up to the attack. And he avoided, for the most part, the kind of grilling that some other CEOs have received on Capitol Hill after serious security breaches and other lapses affecting the so-called critical infrastructure that keeps America and its economy running.
And while Colonial Pipeline is just one of many companies that have paid ransoms to hackers who have taken control of their systems, it has become a focal point for the issue given the gas shortages, chaos and widespread panic the incident caused.
The FBI’s “official position is you shouldn’t pay ransom,” Sen. Rob Portman, the committee’s ranking Republican, told Blount as the CEO was describing how Colonial Pipeline began working with specialized FBI cybersecurity agents within hours of the May 7 attack. “And yet they didn’t communicate that to you, as far as you know?”
Blount responded that he wasn’t involved in those discussions, so “I can’t confirm or deny that. But I do agree that their position is they don’t encourage the payment of ransom. It is a company decision to make.”
“And so you knew what the advice was going to be that the agents provided that day,” Portman said.
Replied Blount: “Yes, sir, we did.”
Earlier, Blount said he kept the information closely held because of concerns about operational safety and security. “And we wanted to stay focused on getting the pipeline back up and running,” he said. “I believe with all my heart it was the right choice to make. But I want to respect those who see this issue differently.”
Robert Anderson, the former Executive Assistant FBI director overseeing all cybersecurity issues, said Blount’s testimony underscores the dilemma facing the U.S. government and the private sector when it comes to dealing with the current epidemic of ransomware attacks. That’s especially the case when it comes to the 16 U.S. critical infrastructure sectors – like Colonial Pipeline – whose assets, systems, and networks are considered vital to U.S. national security.
“In the government, it’s like, let’s catch the bad guys, which is all good. But being out here for the last six years and running cyber companies, I totally get how he feels,” said Anderson, who now heads Texas-based Cyber Defense Labs. “When you’re a CEO, you’re worried about, you know, is my company going to go bankrupt? Can I pay these 10,000 people that are working for me? Is my stock price going to drop?”
Even though the FBI has recovered much of the ransom by accessing Bitcoin wallets, Anderson and other former government cybersecurity officials said the case shows how little either side can accomplish without working together.
“Nowadays, I think we need to really start having meaningful communications and a plan between the government and private sectors on how we’re going to tackle this,” Anderson said. “There’s just no way that private corporate America, or the government, or the United States law enforcement and intelligence organizations can do this on their own.”
On Tuesday, Portman and some other senators said they are working on a series of legislative proposals aimed at addressing the rampant spread of ransomware attacks in the United States. One possible solution is forcing private companies to enact more stringent cybersecurity safeguards, such as multifactor authentication, so employees’ email accounts can’t be hacked so easily.
But the subject of whether or not Washington should consider banning companies from paying ransoms never came up – most likely because government lawyers acknowledge it would interfere with the independence of the private sector.
Currently, it is illegal for companies to pay ransoms to a select few hacker entities and individuals that have been sanctioned by the Department of Treasury. Blount said Colonial lawyers checked to make sure DarkSide wasn’t on that list before they began negotiations.
Retired Col. Gary Corn, the former staff judge advocate, or general counsel, to U.S. Cyber Command, said the issue is “very similar to what was going on with the problem of piracy. Companies were paying ransoms in those situations. And the more you paid ransom, the more you’re making it a lucrative market for the criminals.”
“It’s just a Gordian Knot of a problem – for the companies and for the FBI,” said Corn, who directs the Technology, Law, & Security Program at the American University Washington College of Law. “I don’t dispute what the FBI is trying to get him to do or not to. But if (companies) don’t pay the ransom, and the business goes under, is the FBI or the government going to underwrite that risk?”