Lawmakers repeatedly challenged Colonial Pipeline CEO Joseph Blount on Wednesday about the steps it took to work with the government after a May ransomware attack, often suggesting the company fell short.
A long string of House Homeland Security Committee members questioned Blount about his assertion that Colonial had not, as reported, refused voluntary Transportation Security Administration cybersecurity reviews. Instead, the company delayed them due to COVID-19 restrictions and a physical move to a new building, he said.
“Delaying these assessments for so long amounts to declining them, sir,” said Rep. Bonnie Watson Coleman, D-N.J., citing communications that began in March of 2020. “It raises serious questions,” she said, while noting that her information says that Colonial turned down even a virtual assessment offer before the ransomware attack that led to fuel delivery slowdowns last month.
Colonial has now scheduled a TSA review for late July, Blount said.
Blount’s answers about government coordination failed to appease many lawmakers, though. Even the normally mild-mannered Rep. Jim Langevin, D-R.I., said after the hearing that Blount had made a “dangerous decision” to refuse aid from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
Blount said CISA’s services were better suited for smaller companies, and Colonial already has “three sets of eyes” on its systems between companies Mandiant, Dragos and Black Hills Information Security — setting off Langevin.
“I am outraged that Mr. Blount today doubled down on his refusal to allow CISA to provide direct assistance in restoring his company’s systems,” Langevin’s statement reads. “Mr. Blount’s intransigence is all the more ridiculous because he has admitted that some of Colonial’s systems still remain damaged and offline.”
The tensions on display in the second day of congressional hearings into the Colonial Pipeline ransomware attack weren’t limited to the company’s communication with federal agencies. For some lawmakers, it served up deeper doubts about whether the government should remain “hands-off” in general toward private sector-owned critical infrastructure if companies will not protect it better themselves.
Colonial’s response “raised serious questions about the cybersecurity practices of critical infrastructure owners and operators and whether voluntary cybersecurity standards are sufficient to defend ourselves against today’s cyber threats,” said Chairman Bennie Thompson, D-Miss.
Nor did those concerns reside purely on one side of the aisle, with moderate New York Republican John Katko, the top ranking GOP member of the committee, suggesting the private sector isn’t getting the job done by itself.
“As we learn from incidents like the Colonial Pipeline ransomware attack, I do believe the private sector also must look hard in the mirror,” Katko said. “I appreciate Colonial Pipeline’s identification of places where they are now hardening systems in response to the devastating ransomware attack in May, but this begs an obvious question. If your pipeline provides fuel to 45% of the East Coast, why are you only hardening systems after an attack?”
That’s not a characterization Blount agreed with, as he contended that his company had previously prioritized cybersecurity, too. And he said it would continue to do so. Asked if he would make security upgrades using the $2.3 million in cryptocurrency payment the Justice Department announced it had recovered from the DarkSide attackers who hit Colonial, Blount answered that the idea was “not a difficult one to address and agree to.”
The circumstances of Colonial’s $4.4 million bitcoin payment also preoccupied committee members. Blount said that his company had cyber insurance and had put in a claim for the ransom payment, which he said he suspected insurers would cover. A third party negotiator, whom he did not name, made the payment, he said.
According to Blount’s timeline, after the company suffered the attack beginning May 7, it paid the ransom the next day and then notified the FBI about the attackers’ digital wallet on May 9. Colonial discussed the payment with the FBI on May 12. The White House didn’t ask about the payment, Blount said. He said he wasn’t sure if there was any tax deduction related to the ransom.