The Washington Post

The Cybersecurity 202: Biden says the Russian government was not involved with Colonial Pipeline hack

with Aaron Schaffer

The issue of whether the U.S. government is doing enough to tackle international cybercriminals moved to center stage this week after the high-profile attack on a major East Coast energy supplier.

Even though Colonial Pipeline has restarted operations, there are still lingering questions about the group that executed the attack and how to prevent future assaults on critical infrastructure.

In a news conference yesterday, Biden emphasized the U.S. government's belief that the cybercriminals behind the pipeline company attack are based in Russia – which has become a safe harbor for such groups – but do not work directly for the Russian government. U.S. intelligence and researchers have also noted extensive ties between some criminal hacking groups in Russia and Russia's intelligence services.

“We have been in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks,” Biden said. “We're also going to pursue a measure to disrupt their ability to operate.”

Russia has denied any involvement in the cyber attack.

Biden reiterated calls from the U.S. government for stronger international cooperation to take down international cybercriminals and said he intended to bring up the topic with Russian President Vladimir Putin when the two are expected to meet in June.

“We are working to try to get to the place where we have sort of an international standard that governments knowing that criminal activities are happening from their territory, that we all — we all move on those — those criminal enterprises,” said Biden. “I expect that’s one of the topics I’ll be talking about with — with President Putin.”

Biden did not rule out any retaliatory cyberattacks to shut down the hackers of the pipeline company. The White House is “not quite there yet,” spokeswoman Jen Psaki said in clarifying the president's remarks. 

The Justice Department has in recent months worked with the private sector and international law enforcement to take out infrastructure used by ransomware groups. 

Biden declined to comment on reports that Colonial Pipeline paid its hackers to regain access to its systems.

The company reportedly paid the cybercriminal group DarkSide nearly $5 million in ransom to get its systems online. In exchange for the payment, the hackers gave Colonial Pipeline a key to decrypt the files locked up in the attack. The tool was reportedly so slow, however, that the company continued to use its own backup files to get its systems online, Bloomberg News reported.

The payment was first reported by Bloomberg News and subsequently confirmed by other outlets. The Washington Post has not confirmed the payment. 

The FBI has as a general policy discouraged victims from paying ransom in cyberattacks deploying ransomware. Doing so is “causing more ransomware incidents to happen,” acting Cybersecurity and Infrastructure Security Agency director Brandon Wales told reporters yesterday.

“It continues to be the position of the federal government, the FBI, that it is not in the interests of the private sector for companies to pay ransom because it incentivizes these actions,” Psaki said yesterday.

Much of the nation's critical infrastructure is owned by private companies such as Colonial, limiting how much the White House can do on its own.

“Private entities are in charge of their own cybersecurity, and we need — and we have to — we know — we know what they need,” Biden said. “They need greater private-sector investment in cybersecurity.”

The Biden administration launched a private-public partnership last month focused on strengthening critical industries including gas and oil pipelines. Biden on Wednesday signed an executive order tightening security standards for software sold to the federal government. While the standards do not apply to private companies more broadly, officials hope they will push the industry toward better practices.

Biden called on Congress to step up its work in protecting critical infrastructure, starting with confirming Chris Inglis as national cyber director and Jen Easterly to be CISA director.

Lawmakers have recently grappled with how to best deter and prevent ransomware attacks.

Some experts suggest outlawing all ransomware payments. That idea hasn't picked up much traction on Capitol Hill, however, where at a recent hearing experts urged lawmakers to take a more nuanced approach. That includes making more resources available to victims to discourage payments that might be seen as a cheaper alternative to rebuilding entire computer systems.

Even the White House has acknowledged making a decision about whether to pay a ransom can be complicated for victims, especially those who need to urgently get their networks back online.

“We recognize that companies are often in a difficult position if their data is encrypted and they do not have backups and cannot recover the data,” deputy national security adviser for cyber and emerging technology Anne Neuberger said earlier this week.

The Department of Homeland Security, Justice Department and White House have all launched initiatives to combat ransomware.

Meanwhile, DarkSide's threat to critical industries in North America may just be getting started.

DarkSide also reportedly hit the North American division of chemical distributor Brenntag with a ransomware attack, according to BleepingComputer. The company reportedly paid hackers a ransom close to $4.4 million two days ago. Brenntag confirmed to BleepingComputer it suffered a “limited information security incident.” Brenntag could not be reached for a comment on whether the attack involved ransomware or whether the company had reported the attack to U.S. law enforcement.

The group is “showing no sign that they’re stopping what they’re doing,” Wales said before the Brenntag attack was reported. CISA was unable to provide comment by the time of publication.

Chat room

DarkSide's apparent failure to give Colonial Pipeline a quick way to decrypt its data turned it into a laughingstock. IBM's Denilson Nastacio:

Forbes's Thomas Brewster questioned the shutdown of the pipeline:

Motherboard's Joseph Cox noted that it undermines DarkSide's credibility and leverage:

The keys

Biden’s cybersecurity executive order received some industry pushback.

Consumer Technology Association President and CEO Gary Shapiro criticized the order, noting that although well-intentioned, it “misses the mark in promoting thoughtful cybersecurity policies.” Shapiro’s statement took particular issue with the mandatory labeling and certification elements of the order, which he said would “only slow response to cyberattacks and hurt U.S. leadership and competitiveness.”

Other industry groups, such as BSA | The Software Alliance, have cheered the order. “We’re impressed by the breadth and boldness of this executive order, which takes an important step toward ensuring that the software the government procures is developed and deployed in line with security best practices,” Aaron Cooper, the group’s vice president for global policy, said in a statement.

Reception from lawmakers, however, has been overwhelmingly positive, including support from Republicans. Rep. John Katko (N.Y.), the top Republican on the House Homeland Security Committee, and Rep. Andrew R. Garbarino (N.Y.), the top Republican on that committee’s cyber panel, said in a statement that the order is a “natural continuation, and necessary follow through, that should be commended,” though they warned that it was “incredibly important” that the Biden administration diligently track the progress of the order’s implementation.

Hackers leaked a cache of purported D.C. police documents after the police department didn’t pay a ransom.

The leaked files include information about investigations related to the Jan. 6 riot at the Capitol and documents on gang activity, Peter Hermann and Dalton Bennett report. The documents were apparently released after negotiations between a ransomware group, Babuk, and the police department broke down.

“We publish the full data of the police department,” the group wrote in a post. It added that District authorities made a counteroffer “but the amount turned out to be too small,” noting, “There is no way back you had very many chances” (sic).

District officials have declined to comment on negotiations with the group and they have not confirmed the documents’ authenticity.

A cybersecurity firm said it was affected by a breach of another company’s software.

Rapid7 said in a statement that a “small subset” of internal source code was accessed by hackers, along with “some internal credentials” and customer data. It’s the latest company to say it was affected by a breach of Codecov, which provides tools that help test computer code and reported a hack last month.

Last week, cloud communication company Twilio said some of its code had been copied by hackers and that a “small number of email addresses” were stolen.

Rapid7 said a “small subset of customers who may be impacted” by the incident have been notified. The company said in an SEC filing this month that as of March 31, it had more than 8,900 customers, including government agencies, across 140 countries.

Hill happenings

Pentagon surveilling Americans without a warrant, senator reveals (Motherboard)

Global cyberspace

The United States is “not hopelessly behind China” in the race for 5G technology, a report said.

America’s cyber workforce, chip design expertise, and advocacy for clean networks and parts are distinct advantages, while the country lags in R&D funding and domestic production of 5G technology and lacks enough skilled software engineers, Booz Allen Hamilton said in a new report. “The U.S. must adapt policies to fill those gaps and position the country to dominate and thrive in the 5G era,” the report says. “The U.S.’s successes in developing a modern informatized nation over the past half century can be repeated.”

Irish health service hit by ‘very sophisticated’ ransomware attack (Reuters)

  • The CMMC Accreditation Body named Melanie Kyle Gingrich, the former director for products at Monster Worldwide, as its vice president for training and development. The body also announced that Unisys executive Mathew Newfield and Unison executive Clifton H. Poole have been appointed to its board.
  • Rear Admiral Heidi K. Berg has been assigned to be U.S. Cyber Command’s director for plans and policy. She previously worked as director of intelligence for U.S. Africa Command.

  • Gen. Paul Nakasone, the commander of U.S. Cyber Command and director of the National Security Agency, testifies before a House Armed Services Committee panel along with deputy assistant secretary of defense for cyber policy Mieke Eoyang today at 11 a.m.
  • Steve Luczynski, who leads CISA’s coronavirus task force, speaks at 4:15 p.m. on May 17, the first day of the RSA Conference.
  • The Homeland Security and Governmental Affairs Committee holds a hearing on the Department of Homeland Security’s intelligence and analysis office on May 18 at 10 a.m.
  • Deputy national security adviser for cyber and emerging technologies Anne Neuberger speaks at the RSA Conference at 11:45 a.m. on May 18.
  • The Senate Armed Services Committee’s cyber panel holds a hearing on the cybersecurity of the industrial base on May 18 at 2:30 p.m. 
  • SolarWinds president and CEO Sudhakar Ramakrishna speaks at the RSA Conference at 11:50 a.m. on May 19.
  • The House Armed Services Committee’s cyber subcommittee holds a hearing on President Biden’s budget request for Defense Department technology programs on May 20 at 11 a.m.
  • Col. Jeff Erickson, the director of the Army Cyber Institute, speaks at an event hosted by the Information Systems Security Association Northern Virginia Chapter on May 20 at 6 p.m.

Secure log off