The top executive for the biggest fuel pipeline operator in the United States told lawmakers he felt like he had no choice but to pay off hackers after a ransomware attack shut down operations along the East Coast.
Testifying Tuesday before the Senate Homeland Security and Governmental Affairs Committee, Colonial Pipeline Chief Executive Joseph Blount took responsibility for agreeing to pay the Russian-based DarkSide Network approximately $5 million to minimize potentially disastrous delays to fuel delivery.
"I know how critical our pipeline is to the country, and I put the interests of the country first," Blount said.
"It was the hardest decision I've made in my 39 years in the energy industry," he added. "We wanted to stay focused on getting the pipeline back up and running. I believe with all my heart it was the right choice to make."
The May 7 DarkSide ransomware attack on Colonial Pipeline spawned fuel shortages and panic-buying across parts of the U.S., pushing prices higher as drivers hunted for gas stations that had not run out of fuel.
U.S. law enforcement, including cyber experts at the Federal Bureau of Investigation (FBI), routinely warn companies against paying ransoms to hackers. But Blount said that even though the company was in contact with the FBI, he felt paying DarkSide was the most prudent option.
"It was our understanding that the decision was solely ours as a private company," he told lawmakers. "Considering the consequences of potentially not bringing the pipeline back on as quickly as I possibly could, I chose the ransom."
Blount said Colonial did not deal with DarkSide directly and instead hired legal experts and negotiators to act as intermediaries. The payment was delivered May 8 to the ransomware network in the form of the bitcoin cryptocurrency.
In return, DarkSide provided Colonial with a decryption key that helped the company regain access to its systems and eventually resume operations, Blount said, noting that some systems are just now coming back online.
Blount's testimony comes just a day after the U.S. Justice Department and the FBI announced that they managed to track the ransom and recover the majority of the bitcoin, which was valued at about $2.3 million.
U.S. Deputy Attorney General Lisa Monaco on Monday described the development as significant, boasting that law enforcement had "turned the tables" on the ransomware network.
Former government officials, though, worry that while the development slashed the hackers' profits, it could put the government and the private sector on a slippery slope.
"I think it's a bad public policy outcome," Chris Krebs, former director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), told a virtual forum hosted by Aspen Digital on Tuesday.
"I would really hesitate trying to make this sort of engagement mainstream," he said. "It's not the FBI's job to go out there and claw back money from criminals once they've taken it."
Other experts worry that companies, organizations and governments, like Colonial Pipeline, are putting themselves at a disadvantage.
"With ransomware, the misconception is that there's two options: pay criminals or don't pay criminals," said Raj Samani, co-founder of No More Ransom, an organization that distributes decryption keys for free.
"Many of the decryptors that are developed by the ransomware groups are actually rubbish," said Samani, who is also the chief scientist at McAfee, a U.S.-based cybersecurity company. "So, even if you pay a fee, you may not get your data back."
In the case of the Colonial Pipeline ransomware attack, the decryption key did allow the company to start getting some systems up and running.
"It's not a perfect tool," Blount told lawmakers Tuesday, adding that the company is working to further harden its cyber defenses.
Blount said DarkSide was able to access Colonial's systems through a virtual private network (VPN) that was no longer in use and was protected only by a single password.
CISA recommends using what is known as multifactor authentication, which requires users to enter a password and then complete a second step, such as responding to a text message, before they can access critical systems.