Blount defended his choice to avoid involving federal agencies in decisions about paying ransom or repairing systems in the aftermath of the attack, but voiced support for new incident reporting requirements and legislators' proposals that the federal government take more aggressive action to deter would-be attackers.
Lawmakers in turn used the hearing to identify why Colonial paid a ransom, the extent to which the firm could have prevented the intrusion and how new laws and government action might better head off another event of such sweeping impact.
WHY COLONIAL PAID
Ransomware payments are a hot-button issue, with opinions often split between those who say the funds reward cyber criminals and incentivize repeated attacks and others who say the importance of maintaining certain systems justifies the trade-off.
Several lawmakers homed in on the factors that led Blount to decide to pay and to avoid engaging federal representatives in the decision.
Colonial paid DarkSide $4.4 million for its decryption tool — a move that ultimately proved unnecessary when Colonial discovered it could restore its system using backups, explained Charles Carmakal, senior vice president and CTO of the Mandiant division of cybersecurity firm FireEye.
The FBI is known to discourage paying ransom, so the firm opted not to consult with it or any other government entity on the matter, Blount said. Colonial did inform the FBI on May 9 about the digital wallet, he said.
While Blount said he chose to pay ransom due to the importance of restoring critical infrastructure rapidly, Reps. James Langevin (D-RI) and Ritchie Torres (D-NY) asked about additional factors that could have made it an easier choice.
Langevin confirmed that Colonial’s cyber insurance will likely cover the ransom payment, while Torres asked whether Blount expected to seek a tax deduction on the ransom payment — a possibility Blount said he was not aware of.
The federal government has yet to officially clarify whether ransomware payments are tax deductible, but there are reasons to believe they could be counted as business expenses in certain scenarios, according to a February 2021 blog post by Elizabeth D. Mosley and Mark F. Sommer of law firm Frost Brown Todd. However, having insurance coverage would likely disqualify firms from the deduction, and paying ransom with cryptocurrency could introduce tax obligations, they noted.
PREVENTING ATTACKS?
House members sought to understand what went wrong and how private firms can tighten defenses, while Blount suggested that Colonial's strategy was successful.
“In hindsight, we responded extremely well to what happened to us,” Blount said, when asked how his company could have better prevented the attack. He cited his company’s voluntary decision to share details about the incident with government agencies. Policy issued in the wake of the attack now obligates information sharing.
Still, Rep. Bonnie Watson Coleman (D-NJ) expressed concern about Colonial’s defenses and whether private companies are taking advantage of government-provided cybersecurity resources. She questioned Blount over reports that the firm had at multiple points last year postponed participation in security assessments that the Transportation Security Administration (TSA) offers to pipeline operators.
“Delaying these assessments for so long amounts to declining them,” Watson Coleman said.
TSA’s Critical Facility Security Review (CFSR) examines pipelines’ critical facilities and provides security recommendations, while the Validated Architecture Design Review (VADR) assesses cybersecurity and has been available in virtual format at least since July 2020. Both are voluntary programs.
Blount said his company held off on CFSR because offices have been closed during the pandemic and delayed VADR because Colonial’s ongoing move to a new facility created scheduling challenges. Colonial plans to participate in VADR during July 2021.
Colonial's systems appear to have been penetrated when attackers obtained VPN login credentials of a former employee, whose account the firm had believed was inactive. The employee’s account apparently relied on the same password that the person had used for a different website. Attackers likely obtained the password when the latter website was compromised, said Carmakal. Colonial engaged Carmakal's firm shortly after discovering the ransomware attack.
Carmakal said it's unknown how criminals obtained the username to go with the password and that multifactor authentication wasn't required on the account because Colonial believed it was deactivated.
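The intrusion path described above combines three account conditions a defender can audit for: an account still enabled after its owner left, no MFA on it, and no recent legitimate use. The script below is an added example, not tooling from Colonial, Mandiant or the hearing; the account inventory and HR status are constructed sample data, and the 90-day staleness threshold is an assumed policy value.

```python
"""Audit a VPN account inventory for dormant-but-enabled accounts without MFA.
All records below are constructed sample data, not from any real company."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class VpnAccount:
    username: str
    enabled: bool            # account can still authenticate to the VPN
    mfa_enrolled: bool       # second factor enforced on this account
    last_login: Optional[date]  # None = never logged in via VPN
    employed: bool           # current employee per HR offboarding feed (constructed)


def audit(accounts: List[VpnAccount], today: date, stale_days: int = 90) -> Dict[str, List[str]]:
    """Return username -> findings, most severe first. Disabled accounts are skipped
    because they cannot be used for login; everything else is checked against
    HR status, MFA enrolment and last use."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue
        issues = []
        if not acct.employed:
            issues.append("enabled-but-offboarded")   # should have been disabled at departure
        if not acct.mfa_enrolled:
            issues.append("no-mfa")                   # a leaked password alone is enough
        if acct.last_login is None or (today - acct.last_login).days > stale_days:
            issues.append("stale")                    # nobody legitimate is using it
        if issues:
            findings[acct.username] = issues
    return findings


# Constructed inventory: one departed user's account left enabled without MFA,
# one healthy active user, one never-used service account, one properly disabled account.
SAMPLE = [
    VpnAccount("jdoe", True, False, date(2020, 11, 3), employed=False),
    VpnAccount("asmith", True, True, date(2021, 5, 6), employed=True),
    VpnAccount("svc_legacy", True, False, None, employed=True),
    VpnAccount("rgone", False, False, date(2019, 1, 1), employed=False),
]
TODAY = date(2021, 5, 7)  # constructed audit date


def run_sample_audit() -> Dict[str, List[str]]:
    return audit(SAMPLE, TODAY)


if __name__ == "__main__":
    for user, issues in run_sample_audit().items():
        print(f"{user}: {', '.join(issues)}")
```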
GOVERNMENT ROLE?
The pipeline company is currently working with Mandiant, Dragos and Black Hills Information Security to improve cybersecurity and replace much of the existing IT system.
“We’re heading toward a lot more hardening and a lot different architecture than we had before, mainly because we’ve been compromised and have to change the architecture so it’s not as easily known by previous perpetrators,” Blount said.
Blount pushed back at the suggestion that Colonial accept direct assistance on the network from the Cybersecurity and Infrastructure Security Agency (CISA), saying that the company doesn't need additional insight beyond that of the three firms it has selected.
“I have three sets of eyes [on the problem] … From my perspective, I don’t think having a fourth or fifth or sixth gets productive,” Blount said.
Instead, he said CISA is better as a resource for companies without the money to hire high-quality private support.
Despite disinterest in engaging CISA in this way, Blount spoke positively of various forms of government support, including CISA’s ability to relay warnings throughout an industry.
He also said that collaboration with government agencies following the attack provided useful benefits, like waivers of rules that cap the amount of gasoline vehicles can carry on roads and highways, and the FBI’s later recovery of most of the ransom funds.
Some lawmakers also called for bringing greater repercussions against perpetrators and suggested the federal government should take bolder action against countries that harbor ransomware actors.
“I think we need to start going on offense and hitting them back,” Rep. Michael McCaul (R-TX) said, while acknowledging international agreements must be established about what such action could look like.
Recent developments have seen the FBI recover the majority of the ransom, delivering some disruption to the attackers.
The FBI recovered bitcoins equal to 85 percent of the ransom payment. This amount appears to be the portion collected by the ransomware affiliate — the criminal group that infected Colonial’s system and handled negotiations — while the remaining 15 percent would have gone to the malware developer DarkSide, according to a blog post from Tom Robinson, co-founder and chief scientist of Elliptic.
According to an affidavit, the FBI used the affiliate’s private key to obtain access to the wallet. How the FBI pulled off this feat is unclear.