The Washington Post
Democracy Dies in Darkness

The Cybersecurity 202: Officials call for greater TSA accountability after Colonial Pipeline cyberattack

with Aaron Schaffer

Correction: An earlier version of this newsletter incorrectly spelled Bryson Bort's name. This version has been corrected.

Concerns about the security of America's pipelines have roiled Washington since a major pipeline providing 45 percent of the East Coast's fuel was taken offline Friday after a cyberattack. The incident has highlighted the vulnerabilities in America's aging infrastructure, a problem officials and experts say has been worsened by a lack of cybersecurity regulations.

“It is time to establish mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector,” Federal Energy Regulatory Commission Chairman Richard Glick said in a statement Monday. “Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors. Mandatory pipeline security standards are necessary to protect the infrastructure on which we all depend.”

FERC sets cybersecurity standards for the electricity industry. Security of the nation's pipelines, however, is overseen by the Transportation Security Administration, which lacks the same kinds of strict cybersecurity regulations for industry. Government watchdogs have dinged the agency in the past for weaknesses with its pipeline security program.

The administration is still weighing potential policy responses to the situation, Homeland Security Secretary Alejandro Mayorkas said yesterday.

“So, our conversations within the administration are ongoing and have been underway with respect to what measures we need to take both administratively and, of course, in a companion effort, the legislature to see how we can raise the cyber hygiene across the country,” Mayorkas said.

Colonial Pipeline took its systems offline Friday after cybercriminals encrypted its servers and data and demanded a ransom. The company is expected to restart operations by the end of the week, Energy Secretary Jennifer Granholm said yesterday. Granholm called the attack “a reminder that we need to take a hard look at how we need to harden our necessary infrastructure, and that includes cyber threats.”

Lawmakers will want to hear from TSA leadership about what steps it's taking to secure America's pipelines.

“We need more accountability from TSA for the nation's pipelines,” Rep. Jim Langevin (D-R.I.) said in an interview. He said the agency needs a more robust plan for responding to and preparing for incidents such as the Colonial Pipeline attack. He suggested evaluating whether TSA is best positioned to oversee oil and gas pipelines.

Rep. John Katko (R-N.Y.), ranking member of the House Homeland Security Committee, is requesting that the Cybersecurity and Infrastructure Security Agency provide a briefing on its joint Pipeline Cybersecurity Initiative with TSA and the Energy Department. In a letter to acting CISA director Brandon Wales, Katko asked for details on how many cybersecurity assessments have been conducted under the initiative and whether the agency plans to extend the program beyond natural gas pipelines to fuel pipelines like Colonial.

Congress has already responded to the concerns with plans for hearings.

Granholm will testify next week about the pipeline attack in front of the House Energy and Commerce energy subcommittee. She's expected to face questions about the department's vacant top cybersecurity role, which lawmakers say is critical to a response.

The House Homeland cybersecurity subcommittee will also hold hearings on the attack and the government's response, Chairwoman Rep. Yvette D. Clarke (D-N.Y.) announced on Twitter.

Details about the attack are still emerging

Wales updated lawmakers yesterday on CISA's efforts to address the situation. He said CISA continues to work with the interagency task force assembled by the White House, but it is still waiting on some technical information from Colonial to make further assessments about the extent of the damage. There is no indication the ransomware reached the operational technology controlling the pipeline, according to an alert from the agency yesterday.

Katko and other lawmakers have also requested a briefing from that task force on the national security implications of the attack. Mayorkas, Granholm and Transportation Secretary Pete Buttigieg are expected to brief a bipartisan group of lawmakers today, Ryan Nobles at CNN reported.

The keys

The number of victims of the Darkside strain of ransomware has risen in recent months, FireEye said.

The creators of Darkside, which was used to hit Colonial Pipeline, and their affiliates have hit victims in 15 countries and across multiple industries, the cybersecurity firm said. Each of the groups using the ransomware employed varying levels of sophistication in their campaigns, with one employing a previously unknown vulnerability also known as a “zero-day.”

The new information on the group came as U.S. authorities, including CISA and the FBI, issued a joint advisory to critical infrastructure entities warning them about ransomware. The advisory warns that critical infrastructure should “adopt a heightened state of awareness” and should take steps to limit the likelihood of a successful attack.

Hackers released the personal information of 22 D.C. police officers.

A ransomware group that last month hacked the police department said its $100,000 counteroffer to a $4 million demand was “unacceptable,” NBC News’s Kevin Collier reports. And the group, which calls itself Babuk, threatened to release “all the data” if the police department didn’t “raise the price,” the Associated Press’s Alan Suderman reports.

The released files, which included information on current and former officers, contained personal information such as social security numbers, psychological assessments and the results of polygraph tests. 

Two officers whose information was published said the police department didn’t tell them their information was accessed by the hackers. Five officers previously had their information published. The department did not respond to a request for comment.

Thousands of fake Twitter accounts amplified Chinese diplomats.

More than 26,000 accounts retweeted Chinese diplomats or state media 200,000 times before being suspended, the Associated Press’s Erika Kinetz reports.

Twitter said many of the fake accounts, some of which were suspended, faced consequences and that the company is investigating whether they were part of a Chinese influence operation. “We will continue to investigate and action accounts that violate our platform manipulation policy, including accounts associated with these networks,” a Twitter representative said.

China’s Foreign Ministry dismissed the accusations in a statement. “There is no so-called misleading propaganda, nor exporting a model of online public opinion guidance,” the ministry said. “We hope that the relevant parties will abandon their discriminatory attitude, take off their tinted glasses, and take a peaceful, objective, and rational approach in the spirit of openness and inclusiveness.”

Industry report

  • A Proofpoint survey of more than 1,000 chief information security officers around the world found that 75 percent of those from the United States said human error was their organization’s biggest cyber vulnerability.


  • Tammy Kupperman Thorp, who worked as a journalist at CNN and NBC News, will lead the CIA’s Office of Public Affairs.
  • HP is launching HP Wolf Security, a portfolio of secure-by-design hardware and security software and services.

Chat room

The first sentence of this CNN story on the Colonial Pipeline attack was quite something. Motherboard’s Lorenzo Franceschi-Bicchierai:

The author of the article, Zach Wolf, responded:

SCYTHE founder and CEO Bryson Bort:

Reuters’s Joseph Menn:


  • Lt. Gen. Vincent Stewart, the former director of the Defense Intelligence Agency and former deputy commander of U.S. Cyber Command, speaks at an event hosted by the Intelligence and National Security Alliance today at 4:30 p.m.
  • Morgan Adamski, who leads the National Security Agency’s Cybersecurity Collaboration Center, speaks at the GovConWire Defense Cybersecurity Forum today at 2 p.m.
  • Sen. Thom Tillis (R-N.C.), former Google CEO Eric Schmidt and Gilman Louie, who ran the CIA’s In-Q-Tel venture capital fund, discuss artificial intelligence at a Center for Strategic and International Studies event on Thursday at 3 p.m.
  • Gen. Paul Nakasone, the commander of U.S. Cyber Command and director of the National Security Agency, testifies before a House Armed Services Committee panel along with deputy assistant secretary of defense for cyber policy Mieke Eoyang on Friday at 11 a.m.
  • Steve Luczynski, who leads CISA’s coronavirus task force, speaks at 4:15 p.m. on May 17, the first day of the RSA Conference.
  • Deputy national security adviser for cyber and emerging technologies Anne Neuberger speaks at the RSA Conference at 11:45 a.m. on May 18.
  • SolarWinds president and CEO Sudhakar Ramakrishna speaks at the RSA Conference at 11:50 a.m. on May 19.

Secure log off