Portman: We Need to Reevaluate How We Defend Against Ransomware

WASHINGTON, DC – This morning, U.S. Senator Rob Portman (R-OH), Ranking Member of the Senate Homeland Security and Governmental Affairs Committee (HSGAC), delivered opening remarks at a hearing to examine the Colonial Pipeline ransomware attack and the ongoing cyber threats to critical infrastructure. In his remarks, Portman highlighted four topics: that these attacks have real-world consequences; determining if ransomware victims should pay the ransom; identifying the gaps in information sharing between impacted organizations and the federal government, and; recognizing these ransomware attacks as a serious national security threat. 

A transcript of his remarks can be found below and a video can be found here

“Thank you, Mr. Chairman, and Mr. Blount, thank you for being here today. We’re going to get into some tough questioning, and unfortunately what happened to your company is not an isolated incident. We’ve had some good bipartisan work over the years to improve cybersecurity on this Committee – with you, Senator Peters, with you, Senator Johnson, and others – and yet, let’s face it, there’s a lot more to do. And what happened with regard to Colonial Pipeline is one example. 

“This is about ransomware attacks on critical infrastructure, and that’s the topic of the hearing broadly today. This paralyzes a company by locking its computer systems and holding its data and operations hostage until a ransom is paid. Interestingly, these ransoms are not just on the company itself, typically. Increasingly, the hackers also pursue a two-pronged ransom approach where they download and threaten to release sensitive victim data. So individuals, say your customers, may also have been subject to ransomware. 

“There seems to be a new ransomware attack every week. We’re going to hear today again, about Colonel Pipeline and some of the details there. But no entity – public or private – is safe from these attacks. 

“Last week, we learned that ransomware shut down the world’s largest meat processor, JBS, including nine beef plants in the United States. Both the Colonial Pipeline attack and the JBS attacks were attributed to a Russian criminal organization, by the way.  

“Just this morning, news broke that a constituent outreach services platform that nearly 60 offices in the United States Congress, the House of Representatives uses was hit with a ransomware attack. As I said before, no one is safe from these attacks, including us. 

“I hope that we will cover four specific areas here today. One is, we’ve got to understand that these attacks have real-world consequences. On May 7, Colonial Pipeline learned they suffered a ransomware attack impacting their information technology, or IT, systems by this Russian-based criminal group called DarkSide. Recent news reports indicate that hackers accessed Colonial’s systems through a compromised password of a Virtual Private Network account. This account did not use multifactor authentication, which is a very basic cybersecurity best practice – we’ll talk more about that, why they didn’t – and this easily allowed the hackers to gain access. Colonial moved quickly to disconnect their operational systems to prevent hackers from moving laterally and accessing those systems. That of course, although an appropriate response to a cyberattack, made Colonial’s critical pipelines unusable. That was a huge problem, so real-world consequences. 45 percent of the East Coast’s fuel was coming from Colonial. With operations shut down, people across the East Coast bought fuel in a panic, unsure how long the shortage would last. A lot of service stations ran out of fuel altogether, so people couldn’t get gas, couldn’t get to work. And of course, prices skyrocketed. Again, real-world consequences. 

“Second, I hope today we’ll talk how this shows the difficult decision ransomware victims face: should they pay the ransom or not? The U.S. government has a position on this. Both CISA at the Department of Homeland Security and the FBI strongly recommend organizations do not pay ransoms. Why? Because paying ransoms rewards ransomware hackers – if no one paid ransoms, criminals would have little incentive to engage in ransomware attacks. And even if an entity pays, there is no guarantee that the hackers will give them the decryption key or not strike again. And we’ll talk more about that too in terms of this incident. However, organizations obviously have to weigh these consequences against keeping the operations offline – in this case, limiting 45 percent of the East Coast’s fuel supply. Colonial Pipeline paid DarkSide a ransom, we’re told, of 75 bitcoins – worth over $4 million at the time. Yesterday, the good news is, the Department of Justice announced the recovery of 63.7 of those bitcoins, but DOJ won’t be able to recover those ransom payments in other cases. So we’ll talk more about that, and how they did it, and what that means. I appreciate Mr. Blount’s transparency in acknowledging that his company paid the $4.4 million ransom. I hope today we can explore the reasons for that decision. 

“Third, this attack demonstrates the gaps in information sharing between these impacted organizations and the federal government. Last month, Brandon Wales was before us in that very seat. He’s the Acting Director of CISA. He testified in response to one of my questions that he didn’t think Colonial Pipeline would have contacted CISA at all if the FBI didn’t bring it to them. CISA’s authorities allow the agency to engage on a voluntary basis, when requested by an affected organization. And CISA has the federal government’s best practices as how to deal with these cyberattacks and it was set up at the Department of Homeland Security for those purposes. While I think that CISA being able to engage is the right approach, they must have relevant information to be able to share it among other critical infrastructure owners and operators who may be similarly targeted. So we’ve got to get them that information, there’s a gap now. 

“Finally, we’ve got to recognize these ransomware attacks for what they are: it’s a serious national security threat. Attacks against critical infrastructure are not just attacks on companies; they are attacks on our country itself. When DarkSide attacked Colonial Pipeline, it wasn’t just the company that was affected. Americans across the East Coast felt the squeeze at fuel pumps when Colonial shut off nearly 50 percent of the fuel supply. The criminals conducting these attacks often operate with at least the tacit acceptance and approval of the foreign countries they operate out of. The U.S. government needs to take stronger steps to hold those countries, like Russia, accountable. At the upcoming summit, President Putin and President Biden, one would hope that this is going to be at the top of the agenda. 

“Ransomware attacks will continue to plague U.S. companies and critical infrastructure. As the committee of jurisdiction over both cybersecurity and critical infrastructure security, we need to reevaluate how we defend against ransomware, and identify solutions to mitigate the consequences of these attacks.”