Portman Presses President and CEO of Colonial Pipeline on Gaps in Cybersecurity Practices

WASHINGTON, DC – This morning, U.S. Senator Rob Portman (R-OH), Ranking Member of the Senate Homeland Security and Governmental Affairs Committee (HSGAC), pressed the President and CEO of Colonial Pipeline, Joseph Blount, on gaps in the company's cybersecurity practices. In his questioning, Portman highlighted the importance of strong cyber hygiene, including the need for multi-factor authentication, which Colonial Pipeline did not have in place for all accounts prior to the ransomware attack. Portman also questioned Mr. Blount about the need for further cyber mandates from the federal government to better protect private and public entities from future cyberattacks.

Last month, the bipartisan Cyber Response and Recovery Act, introduced by Senator Portman and HSGAC Chairman Senator Gary Peters (D-MI), was unanimously approved by the full Committee. The legislation will help improve the federal response to cyber breaches, like the recent attack against Colonial Pipeline. The bill establishes a Cyber Response and Recovery Fund for the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) to provide direct support to public or private entities as they respond to and recover from significant cyberattacks and breaches, following a declaration of a significant incident by the Secretary of Homeland Security.

A transcript of the questioning can be found below and a video can be found here.

Portman: “Thank you, Mr. Chairman. So, Mr. Blount, you’re a victim, and we understand that. And yet, we’re trying to provide oversight and even provide some new laws, potentially, to try and deal with this increasing, and really dramatic issue of cyberattacks and specifically today talking about ransomware. Let’s just clarify for the record, you made your ransomware payment to the hackers on the day you discovered it, is that correct?” 

Joseph Blount, President and CEO of Colonial Pipeline: “Ranking Member, thank you for that question. We did not. We made the decision that evening to negotiate.” 

Portman: “So that was the evening of May 7?” 

Mr. Blount: “Yes, sir.” 

Portman: “And so you didn’t make the payment until when?” 

Mr. Blount: “The payment was made the following day.” 

Portman: “May 8?” 

Mr. Blount: “Yes, sir.” 

Portman: “And you indicated today that the FBI was in discussions with you on May 7, is that correct?” 

Mr. Blount: “Ranking Member Portman, that is correct, yes, sir.” 

Portman: “And what did the FBI tell you? What did they advise you to do with regard to paying the ransom?” 

Mr. Blount: “Ranking Member Portman, I believe I was not involved in those conversations with the FBI, but in discussions with my team, I don’t believe that a discussion about the ransom actually took place the first day, on May 7. The focus was more on getting to the proper centers of expertise with the FBI. In this case, I believe it was the San Francisco office. We started with the Atlanta office in our notification, and then it was a function of they already started to collect data from us. Indications of compromise, and things like that.” 

Portman: “So, their official position is you shouldn’t pay ransoms, and yet they didn’t communicate that to you as far as you know?” 

Mr. Blount: “Ranking Member Portman, of course, I was not in that conversation. I can’t confirm or deny that but I do agree that their position is that they do not encourage the payment of ransom, it is a company decision to make.” 

Portman: “Yes, so you knew what their advice was going to be even if they didn’t provide it that day?” 

Mr. Blount: “Ranking Member Portman, yes, sir. We did.” 

Portman: “Okay. Did you talk to the Treasury Department’s Office of Foreign Assets Control? This is the office that’s in charge of sanctions and so if you’re a sanctioned individual and you make a payment, as you know the potential violations of law, did you contact the Treasury Department’s Office of Foreign Assets Control?” 

Mr. Blount: “Ranking Member Portman, the day that we decided to negotiate, we hired experts both on the legal side as well as on the negotiations side. We didn’t have any direct contact with DarkSide ourselves. And I can assure you that everyone involved in that process continually went and back-checked to make sure that this was not an OFAC-listed entity.”

Portman: “So, you were in touch with OFAC to ensure you weren’t paying the ransom to a sanctioned entity or a sanctioned individual?” 

Mr. Blount: “Ranking Member Portman, I was not involved in those conversations and so I cannot attest to who actually talked to who, but I do know that repeatedly throughout the process the fact of whether DarkSide was on the sanctions list or not was fact-checked repeatedly.” 

Portman: “Okay, we may have some follow-up questions on that just to figure out what the relationship was there, and again, this is about looking forward. How do we avoid this situation where sanctioned individuals or entities are getting a ransom payment, which would be a violation of federal law? The Wall Street Journal says that the decryption tool didn’t really work, so you pay the ransom, they give you the decryption tool to be able to undo the harm that they did, that’s how it normally works. And yet, the decryption tool was not effective, is that correct?”

Mr. Blount: “Ranking Member Portman, the encryption tool is an option that is made available to you so when you’re looking at bringing critical structure back up as quickly as you possibly can, you want to make every option available to you that you can. Mandiant could be the best one to answer about how important the encryption tool was restoring the critical options we needed within the first couple of days.” 

Portman: “Yes, but did the encryption tool work?” 

Mr. Blount: “It has worked, yes sir.” 

Portman: “So, the Wall Street Journal story was inaccurate? It was effective?” 

Mr. Blount: “Ranking Member Portman, I think that article came out pretty early on so I would say that we know subsequently that the encryption tool actually does work to some degree. As I stated earlier, it’s not a perfect tool.” 

Portman: “Okay. It was provided to you by the hackers, correct?” 

Mr. Blount: “Ranking Member Portman, yes, sir. That is correct.” 

Portman: “Okay, so there are also news reports about how this happened. As I said in my opening statement, there was a compromised password of a virtual private network, or VPN, account. This account apparently did not use multi-factor authentication, which again is kind of just a basic cybersecurity hygiene item that companies should have in place, making it harder for people to gain access. Prior to the attack, did your company require all employees to use multi-factor authentication?” 

Mr. Blount: “Ranking Member Portman, in the case of this particular legacy VPN, it did only have single-factor authentication. It was a complicated password so I want to be clear on that. It wasn’t a Colonial123 type of password. The investigation is ongoing by Mandiant to try to determine how that material was compromised. But in our normal operation, we use an RSA token allowance in order to create authentication difficulties for remote access.” 

Portman: “So, would your advice, going forward be that multi-factor authentication ought to be used?” 

Mr. Blount: “Ranking Member Portman, that’s absolutely the correct advice.” 

Portman: “So, TSA has given industry a lot of leeway. Critical infrastructure and voluntary compliance have been the approach. They came out late last month after your attack with some new directives and now there’s a mandate that reporting cyberattacks must happen, they must go to CISA – which again, is this group within the Department of Homeland Security – and then it will be shared with TSA. You have a designated cybersecurity coordinator within the company and you have to review your current activities against their recommendations on cyber risks, identify gaps, and develop remediation measures. Do you support that?” 

Mr. Blount: “Ranking Member Portman, if you look at our actions starting on May 7, we almost to the ‘T’ duplicated what the new standards are and we are at full compliance today as well.”

Portman: “So, I mentioned earlier that we have written legislation in this Committee over the years to try to deal with cybersecurity. Pretty much every member here today has been involved in that. And as I said earlier, we obviously need to do more. The question is, with regard to critical infrastructure in particular, should there be more mandates? And now there is and they have the authority to do this under a 2007 law it appears. Now there is the mandate on reporting it, a mandate on having a coordinator but still, there is not a mandate saying that you have to do certain things in terms of best practices or good cyber hygiene. Do you think there should be additional requirements from TSA with regard to critical infrastructure?” 

Mr. Blount: “Ranking Member Portman, first I would like to thank you for your leadership on these issues in the past, but certainly, on a go-forward basis, I think anything that can help industry have better security practices, standards to follow, would be extremely helpful. Especially for the smaller companies that are in other industries as well as my industry. Less sophisticated.” 

Portman: “Thank you, Mr. Chairman.”