On May 7, 2021, Colonial Pipeline experienced a ransomware cyberattack on its corporate network. This attack, attributed to the DarkSide hacking group, led the company to temporarily halt the operation of its pipeline network—causing fuel shortages throughout the East Coast. Although highly publicized, the Colonial Pipeline cyberattack is not unique. In fact, the event was just one in a growing pattern of ransomware attacks against major U.S. companies and critical infrastructure. In light of these events, the issue of cyberattacks—particularly those involving ransomware—has become a key area of concern for federal lawmakers.
On June 8th and 9th, the Senate Committee on Homeland Security and Governmental Affairs and the House Homeland Security Committee heard testimony from Joseph Blount, President and CEO of Colonial Pipeline, about the company’s cybersecurity practices and its response to the DarkSide cyberattack. The House also questioned Charles Carmakal, Senior Vice President for Strategic Services and CTO of the cybersecurity firm FireEye, about the firm’s role in assisting Colonial Pipeline’s incident response.
Some key takeaways from these hearings include the fact that members of Congress expect companies will have plans in place anticipating possible ransomware attacks; companies should consult with the FBI on ransom payments; and companies should participate in government cybersecurity initiatives that are relevant to their business. These and other points are discussed below:
- Lawmakers on both sides of the aisle are keenly aware of the growing risk of cyberattacks on critical infrastructure. In both the Senate and the House Committee hearings, committee members proposed a litany of legislative strategies to respond to this risk. Some legislators were inclined to directly regulate cybersecurity practices—particularly for critical infrastructure companies—while others were focused on greater disclosure requirements or mandatory participation in cybersecurity training.
- At the forefront of many legislators’ minds was Colonial Pipeline’s decision to pay the ransom demanded by the cybercriminals. In both hearings, Republican and Democratic lawmakers alike were critical of Colonial Pipeline’s ransom payment, and the fact that the company did not consult the FBI about that decision. Moreover, multiple legislators inquired into the company’s emergency response plan, showing concern over the fact that the company did not have a specific strategy in place for responding to ransomware attacks.
- On the point of ransom payments, many lawmakers voiced concerns about companies paying ransoms and stated that companies should not pay ransom to cybercriminals. Members cited two primary reasons for this position. First, paying ransom provides the financial incentive for future ransomware attacks. Second, there is no guarantee that a company that does pay ransom will in fact receive a working decryption key to regain control over the affected data. For the Colonial Pipeline attack, both witnesses stated that the decryption key was functional, though imperfect, and explained that the company was ultimately able to restore its systems using data backups.
- Regardless of the specific policy objectives of the committee members, a key point of agreement between the legislators and the witnesses was the importance of sharing cybersecurity information between and among private entities and the federal government. In particular, members stressed the relationship between private companies and federal entities, such as the TSA (given its recent security directive for the pipeline industry), the Department of Energy, the Department of Homeland Security, and the Cybersecurity and Infrastructure Security Agency (“CISA”).
- Finally, many lawmakers made a point to stress the national security issues raised by the recent uptick in cyberattacks. These legislators argued that the federal government must take strong action against foreign nations that engage in cyberattacks or shelter cybercriminals. They suggested a combination of diplomatic efforts, stronger enforcement measures, and greater offensive capacity to disrupt cybercriminal networks.