Lawmakers say Colonial Pipeline’s refusal to discuss ransom undermines US efforts

The shutdown of Colonial Pipeline has renewed a debate over whether organizations held hostage by hackers should pay them off.
House Homeland Security Committee Chairman Bennie Thompson (D-MS) questions witnesses during a hearing on 'worldwide threats to the homeland' in the Rayburn House Office Building on Capitol Hill September 17, 2020 in Washington, DC. (Photo by Chip Somodevilla/Getty Images)

U.S. lawmakers are demanding to know whether Colonial Pipeline paid a ransom to hackers who forced the company to shut down operations for days.

Following a Monday briefing with Colonial Pipeline, the heads of the House Homeland Security and Oversight and Reform committees said the company’s refusal to share information on any ransom payment hindered their ability to craft legislation to address the ransomware problem. Bloomberg News reported that Colonial Pipeline, which says it supplies 45% of the fuel consumed on the East Coast, paid cybercriminals nearly $5 million to recover their computer systems.

“We’re disappointed that the company refused to share any specific information regarding the reported payment of ransom during today’s briefing,” Democratic Reps. Bennie Thompson of Mississippi and Carolyn Maloney of New York said in a statement. “In order for Congress to legislate effectively on ransomware, we need this information.”

When contacted by CyberScoop on Tuesday, a Colonial Pipeline spokesperson did not address Thompson and Maloney’s criticism, or any questions about a ransom.

“We were pleased to have the opportunity to brief committee staff, who have an important duty to conduct oversight on matters of public concern,” the Colonial Pipeline spokesperson said. “We will continue to cooperate with Congress as the investigation of this cyber-attack on our company continues. At this point, our focus remains on safely delivering refined products as quickly as possible to markets we serve.”

On Monday, more than a week after disclosing the ransomware attack, Colonial Pipeline said it was once again transporting gasoline, diesel and jet fuel at normal levels.

The shutdown of Colonial Pipeline, which delivers more than 100 million gallons of fuel daily to customers from Texas to New York, has renewed a debate over whether organizations held hostage by hackers should pay them off.

Some observers argue that paying a ransom is a private decision based on the specific needs of an organization to restore networks. However, many cybersecurity experts worry that exorbitant ransom payments have helped fuel a ransomware outbreak that has left no sector untouched. In 2020, ransomware payments from victims increased by 311% to reach nearly $350 million in cryptocurrency, according to Chainalysis, a company that tracks cryptocurrency and cybercrime.

The FBI has blamed DarkSide, a strain of ransomware linked to Russian-speaking hackers, for the ransomware attack on Colonial Pipeline IT networks. Elliptic, a company that traces blockchain payments, said Friday it had identified a bitcoin wallet, or account for moving cryptocurrency, that the DarkSide syndicate has used. The Elliptic analysis found a May 8 payment of 75 bitcoin, or about $4.3 million at the time, from Colonial Pipeline to the DarkSide wallet.

All told, DarkSide has received $17 million in ransoms since March, according to Elliptic.

The FBI has long advised organizations not to pay hackers a ransom, but the bureau has in recent years sought more data from insurers on ransom payments to try to understand the scale of the problem.

“The failure to report the payment of ransom limits the government’s ability to investigate this and other incidents, advance policies to combat it, and to uphold its public safety responsibilities,” said Megan Stifel, executive director for Americas at the nonprofit Global Cyber Alliance.

A public-private Ransomware Task Force of which Stifel was co-chair recommended updating breach notification laws to require companies to disclose ransom payments “to increase the understanding of the scope and scale of the crime.”

The task force also suggested that victim organizations report ransom demands to a non-regulatory federal organization before any payment. The goal is to “improve the breadth of U.S. government relevant data and improve the ability to counter these attacks, but also put a pause in the decision to pay,” said Philip Reiner, the task force’s executive director, and the CEO of the Institute for Security and Technology.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.