WASHINGTON — Colonial Pipeline Chief Executive Joseph Blount took a defensive stance Tuesday during a Senate hearing amid questioning about his company’s handling of a devastating ransomware attack that shut off fuel access to much of the Eastern Seaboard last month.
In his first remarks to Congress since the breach, he cast his company as a victim of forces beyond its control, noting that “being extorted by criminals is not a position any company wants to be in.” He defended the decision to shut off pipeline access, as well as his controversial decision to pay the ransom — 75 bitcoin, or roughly $4.3 million — to a Russian criminal group known as DarkSide.
Hackers were able to gain access to the company’s network through an account that was not protected with multifactor authentication, a basic tenet of corporate cybersecurity. Instead, the account was protected only by a single password.
“It was a complicated password … I want to be clear on that … it was not a ‘colonial123’ type password,” Blount said. He later added that the company is now compliant with new cybersecurity regulations “almost to a T.”
In prepared remarks obtained by The Washington Post, Blount apologized for the shutdown’s effect on customers and called for the public and private sectors to “develop even more robust tools and intelligence” to prevent future ransomware attacks.
“We are deeply sorry for the impact that this attack had, but are heartened by the resilience of our country and of our company,” Blount said in remarks prepared for delivery to the Senate Committee on Homeland Security and Governmental Affairs.
The hearing delved into the company’s preparedness and response, and cast a spotlight on the broader cybersecurity posture of U.S. energy infrastructure. Though companies like Colonial play key roles within the nation’s economic infrastructure, they are largely left on their own with respect to cybersecurity.
The scale of the cyberattack has forced action from the highest levels of government. President Joe Biden plans to raise it during his meeting with Group of Seven nations, known as G-7, in Britain later this month, a senior official said Monday. The Biden administration hopes it can spur the bloc to come up with a robust action plan to prevent and respond to future ransomware attacks.
On Monday, federal officials announced that more than $2 million of the Colonial ransom had been recouped, the first such recovery by a new Justice Department ransomware task force.
Biden also intends to press the issue directly with Russian President Vladimir Putin, whose government has long sponsored cyberattacks on U.S. companies.
Blount said he recognized that there are discussions about what additional regulations may be appropriate in the wake of the attack. He offered little insight on whether any federal rules could have prevented such an incident, although he recommended the establishment of a single point of contact to help coordinate the federal response to future attacks.
Blount said there are also limits to what any single company can do to prevent these sorts of attacks. “Colonial Pipeline can — and we will — continue investing in cybersecurity and strengthening our systems,” he said. “But criminal gangs and nation states are always evolving, sharpening their tactics, and working to find new ways to infiltrate the systems of American companies and the American government. These attacks will continue to happen, and critical infrastructure will continue to be a target.”
Blount said he decided to pay the ransom hackers demanded to “have every tool available to us to swiftly get the pipeline back up and running.” He added that it was one of the toughest decisions he had ever had to make in his life.
“I believe that restoring critical infrastructure as quickly as possible, in this situation, was the right thing to do for the country,” Blount said in prepared remarks.
Blount said in Tuesday’s hearing that his company asked the Treasury Department whether the hacking group was a sanctioned entity before it paid the ransom. Paying a sanctioned entity would have been a violation of federal law.
The House will take up the issue in a hearing scheduled for Wednesday.