Colonial Pipeline didn’t tell CISA about ransomware incident, highlighting questions about information sharing
Colonial Pipeline didn’t notify the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency of its ransomware incident, and CISA still didn’t have technical details about the attack as of Tuesday morning, the agency’s top official told senators.
In testimony before the Homeland Security and Governmental Affairs Committee, acting director Brandon Wales also said he didn’t think Colonial would have reached out to CISA if the FBI hadn’t alerted his agency.
That exchange — and others over the course of a hearing that touched on several major recent security incidents — served as yet another reminder that despite the constant drumbeat for improved cybersecurity information sharing between industry and government, it still doesn’t happen fully in even some of the most dire circumstances.
“This is potentially the most substantial and damaging attack on U.S. critical infrastructure ever,” said Ohio Sen. Rob Portman, the top Republican on the panel, in questioning Wales about the Colonial Pipeline ransomware disruption. Colonial normally distributes 100 million gallons of gas and other products daily, but temporarily shut down operations, prompting the Biden administration to declare an emergency and triggering the Environmental Protection Agency to issue its own emergency waiver.
The relationship between the FBI and CISA, at least, ensured that the DHS cyber agency was looped in at all.
“We received information fairly quickly in concert with the FBI,” Wales testified. “Right now we are waiting for additional technical information for what happened at Colonial.”
Wales told Portman he wasn’t particularly alarmed by the lack of technical details from the operator of the U.S.’s largest pipeline system.
“That is not surprising given that they’ve only been working on incident response since over the weekend and it’s fairly early,” he said. And, “We have had historically good relationships with Colonial as well as the cybersecurity firms that are working on their behalf.”
While Wales didn’t directly answer a question about whether he was concerned that Colonial wouldn’t have reached out to CISA on its own, he did say, “there is benefit when CISA is brought in quickly because the information we glean, we work to share it in a broader fashion to protect other critical infrastructure.”
The pipeline attack wasn’t the only case of deficient information sharing on senators’ minds. The hearing’s ostensible purpose was to examine the SolarWinds supply chain hack that affected nine federal agencies, among others.
Panel Chairman Gary Peters, D-Mich., challenged witnesses from the departments of Commerce and Health and Human Services over what he considered inadequate notifications that they were affected by the SolarWinds breach. Lawmakers received little information from those two agencies about how they were affected, Peters said, hampering their ability to do their jobs.
“While I understand that early on you may not have known all the details of the intrusion, a notification that says quote, something happened, end of quote, without any additional details or context quite frankly prevents Congress from conducting effective oversight,” he said.
Janet Vogel, chief information security officer at HHS, said her department was able to quickly assess how much damage the breach had done, and measure it against reporting requirements.
“As we looked at the impact against the criteria, we felt we had not lost any data,” she said. “We had also firewalled everything appropriately that there wouldn’t be follow-up activity, so we also determined right away we did not believe this was a major incident.”
Ryan Higgins, CISO for the Commerce Department, said his agency saw enough to trigger a notification requirement. “Given the moment, you’re not going to have all the information you need, but enough information to share that with CISA and others,” he said.