Any minute now, the House Homeland Security Committee will host a critical infrastructure cybersecurity hearing with Joseph Blount, president and CEO of Colonial Pipeline.

Chair Bennie Thompson calls the system of (largely) voluntary cybersecurity guidelines in critical infrastructure into question.
Thompson: I hope Colonial will use the recouped money to make necessary improvements in its cybersecurity.
Katko: "There's a valid question to why it took so long for TSA to finally leverage this authority."

TSA used emergency authority to issue its recent pipeline order. I'm not certain they can do that without an emergency.
Katko mentions the difficulty the international community has with Russia, which is believed to decline to investigate, or extradite suspects in, cybercrime targeting foreign nations.
Blount: "This attack forces us to make difficult decisions, choices in real-time that no company ever wants to face."

He thanks law enforcement, Justice, and his employees, and apologizes for the impact.
Blount: Paying ransom as quietly as possible was his call, which he says was for the good of the country.
Charles Carmakal from Mandiant is now delivering his opening statement.
Carmakal: "The majority of today's intrusions by financially motivated threat actors involve multifaceted extortion. Threat actors will apply immense pressure to coerce victims to pay substantial extortion demands often in the seven to eight-figure range."
Thompson asks Blount to clarify timeline.

Ransomware note showed up May 7. By 6 am, shutdown decision was made.

"Short time after" (still that morning) contacted Mandiant. Contacted FBI same morning.

CISA contacted by noon.
Made decision to negotiate (and pay) the ransom that afternoon. Payment sometime on Saturday. Did not talk to FBI about paying the ransom.
Blount: "Your request today, putting an additional $2.2 million into hardening our systems further is not a difficult one to address and agree to."

$2.2 million is the amount recovered by the FBI. It represents 63.7 out of the 75 bitcoin paid in ransom.
Carmakal: "There was a legacy VPN profile that was in place, that wasn't believed to be active. And that enabled an attacker to leverage both the user and the password to log in."
The password was not common, but was reused on other sites.
Worth noting on the $2.2 million above.
Katko: What are you doing now that you weren't before?

Blount's answer is below; he also says he can be more specific one on one.
Blount wants more information sharing from CISA.
Carmakal wants more information sharing in general.
Rep Jackson-Lee: "I would make the point, at this time in 2021, that because of this major crux of calamity that we face, that the private sector can no longer go it alone. It's a bluff. Do you agree with that, that the private sector can no longer go alone?"
Blount agrees as far as helping handle Russian harboring.
Blount says White House wasn't notified about ransom because they didn't ask.

Estimates Colonial notified FBI 48 hours after paying the ransom.
Carmakal can't identify which breach led to the password leak, but the password was in circulated password lists.
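Two checks follow from the Carmakal testimony above: finding VPN profiles nobody has used in a long time (the "legacy profile" that wasn't believed to be active), and testing a password against a breach corpus without sending the password anywhere, using the k-anonymity range query that Have I Been Pwned's Pwned Passwords API exposes. This is an added example, not code from Colonial, Mandiant or the hearing. The profile inventory, its field names, the breach corpus and the 90-day staleness threshold are all constructed assumptions.

```python
"""Stale VPN profile review plus an offline k-anonymity breached-password check.

Added example, not code from Colonial, Mandiant or the hearing. The inventory,
the breach corpus and the 90-day threshold are constructed assumptions.
"""
import hashlib
from datetime import date, timedelta

STALE_DAYS = 90  # assumed policy: a profile unused this long is a removal candidate
AS_OF = date(2021, 5, 7)  # constructed "today" for the review

# Constructed inventory: (username, last successful login or None if never seen).
VPN_PROFILES = [
    ("alice", date(2021, 5, 6)),
    ("contractor-2019", date(2020, 11, 2)),
    ("svc-legacy", None),
    ("bob", date(2021, 5, 7)),
]

# Constructed breach corpus, kept as plaintext only so the example can hash it
# offline. Counts are made up; a real corpus arrives as SHA-1 hashes plus counts.
LEAKED_PASSWORDS = {
    "password": 3861493,
    "123456": 23597311,
    "Summer2020!": 412,
    "P@ssw0rd": 83411,
}


def stale_profiles(profiles, today, stale_days=STALE_DAYS):
    """Usernames whose last login is older than stale_days, or that never logged in."""
    cutoff = today - timedelta(days=stale_days)
    return [user for user, last in profiles if last is None or last < cutoff]


def review_profiles(profiles, today):
    """Human-readable findings for the stale-profile check."""
    return [f"{user}: no login in {STALE_DAYS} days, disable or delete"
            for user in stale_profiles(profiles, today)]


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent
    and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_range_index(leaked):
    """Index 'SUFFIX:COUNT' lines by prefix, the shape of a /range/{prefix} response."""
    index = {}
    for pw, count in leaked.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        index.setdefault(prefix, []).append(f"{suffix}:{count}")
    return index


RANGE_INDEX = build_range_index(LEAKED_PASSWORDS)


def fetch_range(prefix):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Only the 5-character prefix crosses this boundary, so the server cannot
    tell which hash under that prefix the client actually holds.
    """
    return RANGE_INDEX.get(prefix, [])


def breach_count(password, fetch=fetch_range):
    """How many times the password appears in the corpus; 0 if unseen."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for finding in review_profiles(VPN_PROFILES, AS_OF):
        print(finding)
    for candidate in ("Summer2020!", "correct horse battery staple"):
        print(f"{candidate!r} seen {breach_count(candidate)} times in the corpus")
```

The breach check belongs at password set or change time, where the plaintext is briefly available; it cannot be run over stored hashes. The stale-profile check belongs in a recurring access review of every remote-access system, including the ones that predate the current one.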
McCaul: "This is a fourth recent attack by either Russia - Russia as a nation-state or the Russian mafia."

It's not just four. Most ransomware isn't national news.
Given the affiliate model of Russian ransomware gangs, we don't know what country the hacker behind the actual breach is from.
McCaul touts his bill for mandatory incident reporting to CISA.
McCaul: We don't allow private companies to hack back, right? That's illegal. It would create a wild west scenario. But what is your opinion of the federal government, protecting itself and responding in kind to nation-state actors?
Carmakal: There are opportunities to be more aggressive.
Blount: Did not consider insurance when deciding to pay ransom.
Blount won't commit to allowing CISA into systems because Mandiant, Dragos and Black Hills are already engaged.

"We have three sets of eyes already engaged."
Langevin asks why Mandiant was retained through outside counsel.

Blount doesn't know.

My understanding is that's actually pretty common. It protects the output as a legal product.
Blount says they are part of the Oil and Gas ISAC, which he didn't know offhand yesterday.
"We belong to a lot of organizations with a lot of different acronyms."
Blount says he meets with CIO daily for morning meetings.
Blount says concerns he "denied" TSA inspection are overblown - says it was more a matter of scheduling because they were moving to a new facility.

A TSA cyber audit is scheduled for July.
Blount corrects an earlier answer:
"We shared information with the FBI about the digital wallet on Sunday and discussed this ransom payment. On Wednesday, the Justice Department in its announcement a few days ago commended us for the quick communication with authorities."
Three Reps in a row have focused their questions on the TSA scheduling. Same answers each time.
As always, I'm using a hasty autotranscription program throughout my tweeting.

Typos will abound.
We have a mention of "Cyber 9/11" and a bonus "Cyber U.S.S. Cole."
Blount says Colonial uses outside auditors, and that that's a good practice.

He's right!
Carmakal, CTO of Mandiant, opts not to comment on sanctioning the Nord Stream Pipeline.
Blount says CEOs should be transparent on cyber incidents.
Blount notes that he was able to restore quickly because Colonial had working, quality backups.
It wasn't asked, but you may be wondering why someone would pay ransom if they had backups.

In fact, the law firm BakerHostetler says 20% of their clients who restore from backups also pay ransom.
Ransomware now involves several extortion vectors - it isn't just the encryption. Restoring from backup can be complicated if you don't already know when the initial attack took place. You could be restoring to a point hackers had access.
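The restore-point problem described above, as an added example that is not anything a witness described: the snapshot that is safe to restore is the newest one taken before the earliest evidence of attacker activity (which is usually well before the ransom note), minus a margin for clock skew and for evidence not found yet. Snapshot times, the indicator timeline and the one-day margin are constructed assumptions.

```python
"""Pick a backup restore point from an incident timeline.

Added example, not Colonial's process or anything from the hearing. Snapshot
times, indicators and the one-day margin are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed nightly snapshot times for one system, oldest first.
SNAPSHOTS = [
    datetime(2021, 4, 20, 2, 0),
    datetime(2021, 4, 27, 2, 0),
    datetime(2021, 5, 1, 2, 0),
    datetime(2021, 5, 4, 2, 0),
    datetime(2021, 5, 6, 2, 0),
]

# Constructed timeline from the investigation. The ransom note is the last
# event, not the first; the earliest indicator drives the restore decision.
INDICATORS = {
    "ransom note written": datetime(2021, 5, 7, 5, 0),
    "staging archive created": datetime(2021, 5, 3, 22, 40),
    "VPN login from unfamiliar network": datetime(2021, 4, 29, 3, 12),
}

MARGIN = timedelta(days=1)  # assumed allowance for clock skew and undiscovered activity


def earliest_compromise(indicators):
    """Timestamp of the earliest known attacker action, or None with no timeline."""
    return min(indicators.values()) if indicators else None


def choose_restore_point(snapshots, indicators, margin=MARGIN):
    """Return (restore_snapshot, tainted_snapshots).

    With no timeline, nothing is trusted: the restore point is None and every
    snapshot is tainted. Otherwise the restore point is the newest snapshot
    older than (earliest indicator - margin); everything from that cutoff on
    may already contain the attacker's access.
    """
    first = earliest_compromise(indicators)
    if first is None:
        return None, sorted(snapshots)
    cutoff = first - margin
    clean = [s for s in snapshots if s < cutoff]
    tainted = sorted(s for s in snapshots if s >= cutoff)
    return (max(clean) if clean else None), tainted


def data_loss_window(restore_point, discovered_at):
    """Work lost by restoring: time from the restore point to discovery, or None."""
    if restore_point is None:
        return None
    return discovered_at - restore_point


if __name__ == "__main__":
    restore, tainted = choose_restore_point(SNAPSHOTS, INDICATORS)
    print("restore from:", restore)
    print("do not trust:", [t.isoformat() for t in tainted])
    print("data loss window:", data_loss_window(restore, INDICATORS["ransom note written"]))
```

The point of the margin is that a timeline built in the first day of an incident is rarely complete; if the investigation later finds an earlier indicator, rerun the selection rather than assume the first answer still holds.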
And, having said all that, Blount just explained that and more.
Blount on why Colonial paid the ransom, why that needs to be an option and why you'd do that even having backups.
Blount: Reaching out early, rather than keeping quiet, allowed Biden to relax trucking regulations faster.
Carmakal: What's happened the last few months, it's been happening the last several years.
The tone of this hearing has been fairly non-confrontational so far.

Several of the avenues that looked like they would veer into being contentious - particularly the TSA scheduling - were cut short with Blount's answers.
Rep. Clyde: "I've always believed the best defense is a good offense."

Asks if there's any evidence of state sponsorship.

(Carmakal says no)

Thread by Joe Uchill (@JoeUchill).