Yahoo Finance Colonial Pipeline CEO on paying ransom after hack: ‘Hardest decision I made’
Joseph Blount, the CEO of Colonial Pipeline, testified before Congress on Tuesday to answer questions regarding a ransomware attack on his company that cut off 45% of the fuel supply to the East Coast last month, leading to panic buying and gas shortages in a number of states.
“We believe the attacker exploited a legacy VPN profile that was not intended to be in use,” Blount said in his testimony before the Senate Homeland Security Committee. “We had cyberdefenses in place, but the unfortunate reality is that those defenses were compromised.”
Blount, who answered questions for roughly an hour and a half, was open about his company’s vulnerabilities in the lead-up to the attack that cost the company $4.4 million in ransom. He explained why he chose to pay the cybercriminal organization behind the attack, DarkSide, despite established recommendations by the FBI and Department of Homeland Security to avoid paying such ransoms.
“I made the decision to pay, and I made the decision to keep the information about the payment as confidential as possible,” Blount told senators. "It was the hardest decision I made in my 39 years in the energy industry, and I know how critical our pipeline is to the country, and I put the interest of the country first.”
Ransomware attacks occur when hackers access a victim’s network and encrypt important files that can only be unlocked by the hackers’ keys. The hackers, meanwhile, say they will provide the keys in exchange for a ransom.
But Colonial Pipeline suffered a two-stage ransomware attack: Hackers first encrypted important files and then threatened to release them online. While backing up files online can help mitigate some of the damage, it can often take weeks or months to fully recover from such attacks.
'Private industry alone can't do everything'
On Monday, Department of Justice officials said they recovered $2.3 million of the ransom Colonial Pipeline paid to DarkSide. The recovery is the first by the DOJ’s new ransomware task force launched in response to the spike in ransomware attacks in recent years.
During Tuesday’s Homeland Security Committee hearing, senators questioned how Blount views the role of the private and public sectors with regards to cybersecurity, and how exactly the breach occurred in the first place.
While Blount said that DarkSide exploited an older VPN profile, cybersecurity firm FireEye (FEYE) says a lack of multi-factor authentication for the VPN made the attack easier. Multi-factor authentication requires users to provide a secondary passcode in addition to their password when signing into an online account. It’s a standard cybersecurity practice that everyday users are advised to use with their own accounts.
Senator Josh Hawley (R-MO), meanwhile, questioned how much Colonial Pipeline spends on its cybersecurity capabilities
“Given the importance of your company, the size of it, the reliance, what are you doing in terms of your investment in cybersecurity?” Hawley asked.
Blount responded by saying Colonial Pipeline spent $200 million on internet technology over the last five years, but couldn’t provide the exact amount spent on cybersecurity in particular. Blount also revealed that while Colonial Pipeline had plans in place to respond to cyberattacks, it did not have plans on how to deal with ransomware attacks specifically.
Some cybersecurity experts have called on the federal government to establish cybersecurity requirements for critical infrastructure companies like Colonial.
Herbert Lin, senior research scholar at Stanford University’s Center for International Security and Cooperation, previously told Yahoo Finance that without proper regulations, private infrastructure firms have little incentive to secure their own networks.
While Blount stopped short of calling for regulations, he did say that the federal government and private companies need to fight back against the kind of attacks that hit Colonial.
“If we look at the number of incidents that are taking place today, throughout the world, let alone in America, private industry alone can’t do everything, can’t solve the problem totally by themselves,” Blount told the senators. “So the partnership between private and government is very important to fight this ongoing [onslaught] of cyberattacks around the world.”
Got a tip? Email Daniel Howley at dhowley@yahoofinance.com over via encrypted mail at danielphowley@protonmail.com, and follow him on Twitter at @DanielHowley.
More from Dan:
Apple defends App Store in new study that says developers made $643B last year
The best gadgets to enjoy your summer now that you're vaccinated
Follow Yahoo Finance on Twitter, Facebook, Instagram, Flipboard, SmartNews, LinkedIn, YouTube, and reddit.
