WASHINGTON — Amid an ongoing disruption to the delivery of fuel to the East Coast due to a cyberattack on a major U.S. pipeline, a top cybersecurity official said Thursday the U.S. government is looking at how to prevent companies and individuals from paying the hackers.
“The U.S. government is looking at what can be done. ... There are active discussions in the federal government about what more we can do to disrupt that business model,” said Brandon Wales, the acting director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, during a digital webinar hosted by George Washington University.
Colonial Pipeline, the company that runs the pipeline that delivers fuel to 45 percent of the East Coast, was hit by a ransomware attack last week and reportedly handed over $5 million in ransom to regain access to its business networks, though Wales and other U.S. government officials have so far denied any knowledge of such a payment.
The FBI’s official advice is not to pay ransom, because it keeps the criminals in business and makes it more likely they’ll launch similar attacks in the future, and it’s not a guarantee the victim will get the data back. According to Bloomberg News, the decryption tool that Colonial Pipeline paid for on Friday worked so slowly that the company turned to its own digital backups first, with assistance from cybersecurity company Mandiant.
Colonial did not respond to a request for comment from Yahoo News.
Companies and individuals face a challenging, ultimately personal decision about whether to pay hackers who use ransomware, as there are few legal requirements about how to handle the situation, beyond a recent U.S. Treasury advisory about potential liability when paying ransoms to sanctioned individuals or entities.
“We recognize companies are in very challenging circumstances,” Wales acknowledged on Thursday. “But the long-term implications for our country are profound.”
Ransomware, a form of malware that allows hackers to infiltrate networks, encrypt private files and demand payment in exchange for unlocking them, is becoming an increasingly profitable criminal enterprise. Such attacks have increased by more than 300 percent in the last year, earning hundreds of millions of dollars for the hackers, according to Department of Homeland Security statistics.
As criminals are increasingly turning to ransomware to make money, the FBI’s advice to not pay may fall on deaf ears when the stakes are high or the victim doesn’t have other options.
“Having ransomware hit you is never fun. It’s designed as a form of extortion,” said Sam Curry, the chief security officer at cybersecurity firm Cybereason. “The whole purpose is to put pressure on people. If you’re a business, your whole lifeblood is to stay up and running.”
Additionally, there are no strict requirements for companies to notify federal law enforcement or Homeland Security when they become victims of ransomware or other digital attacks, and many companies may prefer to handle the damage quietly and move on, to escape further victimization, liability or public embarrassment. “As with any crime, it’s hard to know if victims aren’t reporting,” said Curry.
According to Wales, the Homeland Security official, Colonial Pipeline shared some details of how the attackers infiltrated its business networks with the government on Wednesday night, which will allow the agencies to publish those details to allow other critical infrastructure companies to protect their networks. The FBI and Homeland Security expected to publish the details as early as Thursday, Wales said.
However, the information shared “doesn’t tell the whole story,” Wales explained, and there was some delay in getting access to those details, as the attack happened late last week. Being able to access information about how the attackers infiltrated Colonial’s networks “could prevent the actual ransom from being executed” if the attackers have penetrated other companies’ networks.
There are a range of potential options to try to help address the scourge of ransomware, though probably no “silver bullets,” Curry said.
The best option, he suggested, is to build in better defenses before the ransomware hits. “Preparing in peacetime is critical,” he said.
President Biden signed a sweeping new cybersecurity executive order on Wednesday evening targeted at raising the level of digital defenses across the federal government and its contractors. Among other measures, the order puts in place tight deadlines for various new cybersecurity mandates, including multifactor authentication, encryption and endpoint detection.
Wales expressed confidence in the Biden administration’s commitment to making sure federal agencies follow through on those requirements. “There is far more focus in the current White House in terms of achieving, getting positive outcomes out of this,” he said.
But ransomware, including in the Colonial Pipeline incident, is often aimed at private sector companies, which the government has far less control over. Wales said the solution would require the input of countries around the world, including those that are home to the attackers.
The developers of the ransomware that hit Colonial Pipeline are likely in or near Russia, Biden said on Thursday after being briefed by the FBI.
Rep. Jim Langevin, a Democrat from Rhode Island and a prominent voice in efforts to improve cybersecurity standards, said he was impressed with the speed of the administration’s response to address the situation during a phone interview with Yahoo News. He was briefed on the administration’s response to the ransomware attack on Colonial on Wednesday evening.
However, even in light of the administration’s quick move to convene an interagency task force, ease restrictions to move fuel and work with Colonial, Langevin said he felt that more needed to be done to prevent cyberattacks on critical infrastructure, including to mitigate the damaging effects of ransomware payments.
He said he was concerned the administration did not define the Colonial Pipeline attack as a “significant” cyber incident, a term of art to describe a breach with a certain level of urgency and impact. Langevin said he believed that decision was the result of the incident deriving from routine criminal activity, rather than being the work of a nation-state.
“There is no doubt this was a serious attack on our critical infrastructure,” he told Yahoo News. “It’s the type of attack I’ve feared the most for quite some time now.”
Besides calling for the Senate to confirm the national cyber director — a single person in charge of major incident response — within the federal government, Langevin said he is seeking an additional $400 million to fund the Cybersecurity and Infrastructure Security Agency and suggested that additional legislation may be necessary to plug holes that weren’t addressed in Biden’s new executive order.
Ransomware payments, Langevin said, are “tough,” and best approached on a “case-by-case basis.” He said the Biden administration did not brief lawmakers on whether Colonial Pipeline paid a ransom, but the issue goes beyond a single incident.
“We need to make sure there are no safe havens for criminals,” he said.
While he said there are “no indications” the Russian government is behind the Colonial incident, “any country that has criminal organizations within it that are carrying out these kinds of attacks, the countries should be working with us.”
“Sanctions should be on the table to deal with this,” Langevin said.
Read more from Yahoo News: