Oversight, Homeland Security Committees 'Extremely Concerned' After Pipeline Attack

Committee chairs said they were "disappointed" the operator of the nation's largest gas pipeline refused to give details about its ransomware attack.

The House Oversight and Homeland Security committees said Monday that they remain “extremely concerned” following a briefing with Colonial Pipeline, a major fossil fuel company that fell victim to a ransomware attack that caused a gas shortage in several states.

In a joint statement, House Oversight Chair Carolyn Maloney (D-N.Y.) and House Homeland Security Chair Bennie Thompson (D-Miss.) said it was “deeply troubling that cyber criminals were able to use a ransomware attack to disrupt gas supply on the East Coast and reportedly extort millions of dollars.”

Georgia-based Colonial Pipeline, the operator of the nation’s largest fossil fuel pipeline, suffered a ransomware attack ― a type of cyberattack in which hackers encrypt important data and demand a ransom to give it back — perpetrated by the cybercriminal group DarkSide. The dayslong attack affected the 5,500-mile pipeline’s markets from Texas through the Southeast and up to New Jersey.

The attack caused a shutdown of the pipeline, which delivers about 45% of the gasoline consumed on the East Coast. This led to gas shortages partly because consumers were panic-buying fuel. Colonial announced on Wednesday that it had restarted the pipeline and said Saturday that the company has resumed “normal operations.”

Multiple outlets confirmed that Colonial paid DarkSide a ransom of nearly $5 million in cryptocurrency for the software encryption key required to reconfigure its data network. The company paid the ransom, 75 bitcoin, a day after the attackers locked up its corporate network, according to Tom Robinson, co-founder of the cryptocurrency-tracking firm Elliptic.

President Joe Biden signed an executive order last week tightening cybersecurity, but it only applies to government entities and companies that contract with the government. Private companies like Colonial are not required to report cyberattacks to any government entity ― and the company chose to keep officials in the dark about much of its handling of the attack.

“We’re disappointed that the company refused to share any specific information regarding the reported payment of random during today’s briefing. In order for Congress to legislate effectively on ransomware, we need this information,” Maloney and Thompson’s joint statement read.

“This attack not only highlights glaring vulnerabilities in our critical infrastructure, it also exposes a marketplace in which it may be easier for a company to pay off a criminal than put resources toward preventing and defending against attacks.”

In a statement to HuffPost, Colonial Pipeline said Tuesday that the company was “pleased to have the opportunity to brief” lawmakers.

“We will continue to cooperate with Congress as the investigation of this cyber-attack on our company continues,” Colonial said. “At this point, our focus remains on safely delivering refined products as quickly as possible to the markets we serve.”

For private companies to be held accountable, Congress must require them to report cybersecurity incidents, said Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency.

Over a dozen lawmakers led by Rep. Emanuel Cleaver (D-Mo.) on Friday reintroduced the Pipeline Security Act, a bill that would support the Homeland Security Department’s efforts to secure pipelines and related facilities from cyberattacks, terrorist attacks and other attempts at targeting pipeline infrastructure.

The bill would require the Transportation Security Administration, the main federal entity responsible for pipeline protection, to annually report to Congress about the activities of its Pipeline Security Section, a division of the TSA that carries out the federal government’s pipeline security efforts.

Lawmakers initially drafted the legislation soon after learning about last year’s huge SolarWinds breach, in which suspected Russian hackers tapped into nine federal agencies and about 100 companies by targeting the cyber company’s software. But the Colonial attack has added urgency to the matter, especially since the company likely paid the ransom against expert advice.

“The recent ransomware attack against Colonial Pipeline Company further highlights the threats facing our nation’s critical infrastructure and the potential cascading impacts cyber attacks can have on our economy. With attacks of this nature on the rise, it’s more important than ever to strengthen our cyber resilience,” Homeland Security Ranking Member John Katko (R-N.Y.) said in a statement.

“Right now, we need to focus on building existing capabilities and resources while ensuring federal roles and responsibilities are clear,” he continued. “I’ll continue working in a bipartisan manner to make sure our country is better prepared to mitigate future attacks on our critical infrastructure.”