Colonial Pipeline CEO Joseph Blount’s admission this week that he paid a $4.4 million ransom against the FBI’s wishes illustrates one of the most insurmountable cybersecurity problems in protecting the nation’s critical infrastructure from future attacks, experts say.
“Here’s the point: We cannot stop U.S. companies from paying ransom,” lamented one Justice Department lawyer involved in cybercrime and security issues.
Blount, in his much-anticipated testimony Tuesday before the Senate Homeland Security and Governmental Affairs Committee, said that Colonial Pipeline knew the FBI officially advises companies not to pay ransom money in cases like the one that shut down the nation’s largest fuel pipeline artery for five days last month. He also said that he knew full well that the FBI can’t tell him or any other private sector CEO what to do when it comes to negotiating with digital extortionists.
And while he called the ransom paid to the DarkSide criminal hacking organization “the hardest decision I’ve made in my 39 years in the energy industry,” Blount suggested to senators that he would do it again.
On Thursday, the world’s largest meat processing company also confirmed that it paid the equivalent of $11 million to another group of Russian hackers that broke into its computer systems late last month, shutting down part of another sector of what is considered critical U.S. infrastructure.
“This was a very difficult decision to make for our company and for me personally,” said Andre Nogueira, the CEO of JBS USA, a subsidiary of Brazil-based JBS SA. “However, we felt this decision had to be made to prevent any potential risk for our customers.”
“It is our policy, it is our guidance, from the FBI, that companies should not pay the ransom for a number of reasons,” Christopher Wray said in testimony before the House Judiciary Committee. He said paying ransoms not only encourages additional cyber-attacks, but doesn’t guarantee that victims get their data back.
But if companies work closely with FBI cybersecurity agents, “There are a whole bunch of things we can do to prevent this activity from occurring, whether they pay the ransom or not, if they communicate and coordinate with law enforcement right out of the gate,” Wray said. “That’s the most important part.”
The JBS attack targeted servers supporting its operations in North America and Australia, and disrupted production for several days. The company said the vast majority of its facilities were operational at the time it made the payment, but that it decided to pay in order to avoid any unforeseen issues and ensure no data was exfiltrated, according to the Associated Press.
In a June 2 statement, the FBI attributed the JBS attack to REvil, a private Russian-speaking ransomware-as-a-service gang that has made some of the largest digital extortion demands on record in recent months. The FBI said it will work to bring REvil – which stands for Ransomware Evil and is also known as Sodinokibi – to justice and urged anyone who is the victim of a cyberattack to contact the bureau immediately.
“Our private sector partnerships are essential to responding quickly when a cyber intrusion occurs and providing support to victims affected by our cyber adversaries,” the FBI said. “A cyberattack on one is an attack on us all.”
But the public disclosures by leaders of JBS and Colonial Pipeline illustrate how the FBI’s private sector partnerships can only go so far – and often clash with corporate ransomware victims that must also weigh paying the money to get their operations back online and to protect their data.
During his Senate appearance, Blount wasn’t asked too many probing questions about the ransom payment or about some reported cybersecurity lapses by Colonial Pipeline in the run-up to the attack. And he avoided, for the most part, the kind of grilling that some other CEOs have received on Capitol Hill after serious security breaches and other lapses affecting the so-called critical infrastructure that keeps America and its economy running.
And while Colonial Pipeline is just one of many companies that have paid ransoms to hackers who have taken control of their systems, it has become a focal point for the issue given the gas shortages, chaos and widespread panic the incident caused.
The FBI’s “official position is you shouldn't pay ransom,” Sen. Rob Portman, the committee’s ranking Republican, told Blount as the CEO was describing how Colonial Pipeline began working with specialized FBI cybersecurity agents within hours of the May 7 attack. “And yet they didn't communicate that to you, as far as you know?”
Blount responded that he wasn’t involved in those discussions, so “I can't confirm or deny that. But I do agree that their position is they don't encourage the payment of ransom. It is a company decision to make.”
“And so you knew what the advice was going to be that the agents provided that day,” Portman said.
Replied Blount: “Yes, sir, we did.”
Earlier, Blount said he kept the information closely held because of concerns about operational safety and security. “And we wanted to stay focused on getting the pipeline back up and running,” he said. “I believe with all my heart it was the right choice to make. But I want to respect those who see this issue differently.”
Robert Anderson, the former Executive Assistant FBI director overseeing all cybersecurity issues, said Blount’s testimony underscores the dilemma facing the U.S. government and the private sector when it comes to dealing with the current epidemic of ransomware attacks. That’s especially the case when it comes to the 16 U.S. critical infrastructure sectors – like Colonial Pipeline – whose assets, systems, and networks are considered vital to U.S. national security.
“In the government, it’s like, let's catch the bad guys, which is all good. But being out here for the last six years and running cyber companies, I totally get how he feels,” said Anderson, who now heads Texas-based Cyber Defense Labs. “When you're a CEO, you're worried about, you know, is my company going to go bankrupt? Can I pay these 10,000 people that are working for me? Is my stock price going to drop?”
Even though the FBI has recovered much of the ransom by accessing Bitcoin wallets, Anderson and other former government cybersecurity officials said the case shows how little either side can accomplish without working together.
“Nowadays, I think we need to really start having meaningful communications and a plan between the government and private sectors on how we're going to tackle this,” Anderson said. “There’s just no way that private corporate America, or the government, or the United States law enforcement and intelligence organizations can do this on their own.”
On Tuesday, Portman and some other senators said they are working on a series of legislative proposals aimed at addressing the rampant spread of ransomware attacks in the United States. One possible solution is forcing private companies to enact more stringent cybersecurity safeguards, such as multifactor authentication, so that employees’ email accounts can’t be hacked so easily.
But the subject of whether or not Washington should consider banning companies from paying ransoms never came up – most likely because government lawyers acknowledge it would interfere with the independence of the private sector.
Currently, it is illegal for companies to pay ransoms to a select few hacker entities and individuals that have been sanctioned by the Department of Treasury. Blount said Colonial lawyers checked to make sure DarkSide wasn’t on that list before they began negotiations.
Retired Col. Gary Corn, the former staff judge advocate, or general counsel, to U.S. Cyber Command, said the issue is “very similar to what was going on with the problem of piracy. Companies were paying ransoms in those situations. And the more you paid ransom, the more you're making it a lucrative market for the criminals.”
“It's just a Gordian Knot of a problem – for the companies and for the FBI,” said Corn, who directs the Technology, Law, & Security Program at the American University Washington College of Law. “I don't dispute what the FBI is trying to get him to do or not to do. But if (companies) don't pay the ransom, and the business goes under, is the FBI or the government going to underwrite that risk?”
This article originally appeared on USA TODAY: JBS, Colonial Pipeline paid $15 million in ransom, fueling FBI worries