The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: Congress is tiring of the ‘don’t blame hacked companies’ line

with Aaron Schaffer

Colonial Pipeline CEO Joseph Blount will today face his second round of congressional grilling from lawmakers who are clearly frustrated with the private sector’s slow pace in getting its cybersecurity up to snuff.

Blount’s company, which suffered a devastating ransomware attack last month, has vowed to close any remaining gaps in its cyber protections. 

But even business-friendly lawmakers are wearying of such commitments to cybersecurity that come after a major attack

The Colonial attack disrupted U.S. gas supplies and prompted panic buying in the southeastern United States. The company paid hackers from the DarkSide ransomware gang $4.4 million to unlock their computers, much of which was later recouped by the Justice Department

“I do believe the private sector … must look hard in the mirror,” Rep. John Katko (N.Y.), the top Republican on the House Homeland Security Committee, plans to say during this morning’s hearing with Blount, according to an opening statement shared with me in advance. 

The comments reflect a slow shift in Congress and in Washington from typically sympathizing with hacked companies as the victims to largely blaming those companies for insufficiently protecting themselves

“While I don’t think a culture of blaming the victim is ultimately constructive, clearly we can all do better to protect our critical networks,” Katko plans to say. The company’s commitment to improve its cybersecurity “begs an obvious question,” he will say. “If your pipeline provides fuel to 45 percent of the east coast, why are you only hardening systems AFTER an attack?”

The frustration with hacked companies has grown precipitously in recent years. 

Cyberattacks have become far more damaging during that time — to the point of routinely threatening U.S. national and economic security. 

Yet hackers have typically accomplished those breaches by exploiting the same bush-league security weaknesses, such as companies using shared and simple passwords and not requiring multi-factor authentication — a system where users provide another identifying factor such as a fingerprint or SMS code in addition to a password.

“Government officials and cybersecurity experts have been warning about the growing threat of ransomware for years and it is critical we know if the private sector has acted on those warnings,” House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) will say this morning. “I am concerned that too few have robust cyber incident response and continuity of operations plans in place.”

In Colonial's case, hackers exploited a virtual private network system to remotely access its networks. 

That system didn’t have multi-factor authentication, but did require “a complicated password,” Blount told members of the Senate Homeland Security Committee yesterday, Aaron Gregg reports.

“It was a complicated password, so I want to be clear on that. It was not a ‘colonial123’- type password,” he said. 

While Colonial is still working to get its systems back online following the breach, it is also rushing to implement new cybersecurity requirements the Transportation Security Agency imposed on pipeline companies in the breaches’ wake, Blount said. 

“If you look at our actions starting on May 7, we almost to the T duplicated what the new standards are and we are in full compliance today,” he said.

Senators yesterday ranged from frustrated to outraged by the Colonial attack and Blount’s testimony. 

On the outraged side was Sen. Maggie Hassan (D-N.H.) who slammed Blount’s admission the company did not have a specific plan in place for being hit with ransomware despite preparing more generally for a possible cyberattack. 

I’ve talked with small school districts in my state of New Hampshire that are better prepared for cyberattacks than Colonial Pipeline was,” Hassan said after the hearing. “Colonial Pipeline operates critical infrastructure that families and our economy rely on. It is unacceptable that it was so unprepared for a cyberattack, and it is a wake-up call that more must be done to secure our critical infrastructure.”

Committee Chairman Sen. Gary Peters (D-Mich.) was more measured. 

“Mr. Blount, I am glad your company continues to recover from this malicious attack and that the FBI was able to recover millions of dollars in ransom paid, but I am alarmed that this breach ever occurred in the first place and that communities from Texas to New York suffered as a result,” he said. 

Sen. Ron Johnson (R-Wis.) was the least critical.

“You were the victim of a crime. You're not the bad guy here, and I appreciate my colleagues who pretty well acknowledge that,” he said. 

Johnson also praised Colonial’s decision to pay the hackers' ransom demand — something many of his colleagues were more dubious about

“A lot of people can do Monday morning quarterbacking and it's easy for federal agencies to say ‘no, don't pay ransoms cause it just encourages more,’ but I just kind of want you to, for the record, lay out how much worse could it have been had you not made that very difficult decision,” he said. 

Blount said he was aware the FBI discourages paying ransomware hackers but he decided the risk of allowing his pipeline to remain shut down outweighed other concerns. 

“It was the hardest decision I made in my 39 years in the energy industry and I know how critical our pipeline is to the country and I put the interests of the country first,” he said. 

Frustration with companies’ poor cybersecurity protections has been growing steadily among cybersecurity experts. 

They’re increasingly advocating for government to impose minimum cybersecurity standards on companies that are vital to U.S. security. 

Rob Knake, a former top White House cybersecurity official, was arguing against treating hacked companies solely as victims as early as 2017 when the major credit ratings agency Equifax suffered a mammoth breach. He called letting such companies off the hook for security weaknesses “morally repugnant” and “bad policy.”

“No one should blame individual victims of crimes,” Knake wrote. “However, when companies like Equifax try to drum up sympathy by portraying themselves as the victim, we should all be extremely suspect. No one in corporate America should be surprised any longer that connecting their systems to the internet puts the data they hold at risk. All companies should recognize that protecting the data they hold is their responsibility.”

The House hearing with Blount starts at noon. Watch it here.

Correction: A previous version of this article misstated Sen. Ron Johnson's party affiliation. 

Chat room

Another day of congressional cybersecurity hearings means it was another day of bickering over how to correctly pronounce the acronym for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, or CISA. The agency’s former director, Chris Krebs:

Cybersecurity reporter Kim Zetter:

Aspen Institute Digital Executive Director Vivian Schiller:

The keys

Meat supplier JBS chose not to boost its cyber defenses before it was hit by a ransomware attack, former employees said.

Executives rejected recommendations to increase cybersecurity spending at the company after an internal audit in 2017 and 2018, Bloomberg News’s Ryan Gallagher and Alyza Sebenius report. The company did not prioritize cybersecurity as a corporate issue, the former employees said.

JBS disputed the claims. 

“Relying on former, disgruntled employees as sources and positioning dated information as fact is not relevant to this week’s events,” JBS USA spokeswoman Nikki Richardson said. 

Richardson did not respond to questions about whether the company paid a ransom to the hackers.

China-linked hackers were behind a campaign targeting Russia’s government, according to a cybersecurity firm.

Early speculation theorized that a Western government such as the United States was behind the attack. That argument was buoyed because it came soon after the Biden administration blamed Russia for the SolarWinds cyberattack. Yet strong evidence suggests that China-linked hackers were in fact behind the attack, SentinelOne’s Juan Andres Guerrero-Saade writes

The malware used in the attack was a variant of software used by a China-linked group, Guerrero-Saade said. That software linked the campaign to a hacking group that has historically targeted organizations in Russia and Asia.

Nearly 60 congressional offices are caught up in a ransomware attack against an email vendor.

The attack on iConstituent has left the lawmakers’ offices unable to access some constituent information for weeks, Punchbowl News’s John Bresnahan, Anna Palmer and Jake Sherman report. IConstituent is used by state and local governments in addition to Capitol Hill offices.

House data does not appear to be affected, according to Catherine Szpindor, the House’s chief administrative officer. Her office is working to make sure that Capitol Hill networks and data aren’t affected, she said. IConstituent did not respond to a request for comment.

Hill happenings

The Senate passed a sprawling bill to boost U.S. tech and counter China.

The chamber, which is often racked by partisan division, found rare agreement in the bill, which invests more than $50 billion in semiconductors. Read more from Tony Romm here

Industry report

Fastly blames software bug for major global internet outage (Reuters)

Secretive Israeli cyber firm selling spy-tech to Saudi Arabia (Haaretz)


  • The Middle East Institute hosts its annual cyber conference today.
  • Quinn Carman, the director of operations of the NSA’s Red Team, speaks at the Silicon Valley Cyber Security Summit today at 10:50 a.m.  
  • The Senate Intelligence Committee holds a confirmation hearing for Christine Abizaid, President Biden’s pick to lead the National Counterterrorism Center, and Robin Ashton, who he nominated to be the CIA’s inspector general, today at 2:30 p.m.
  • Colonial Pipeline CEO Joseph Blount testifies before the House Homeland Security Committee today at noon. 
  • FBI director Christopher A. Wray testifies before the House Judiciary Committee on Thursday at 10 a.m.
  • The Senate Homeland Security and Governmental Affairs Committee holds a confirmation for Jen Easterly and Chris Inglis, Biden’s picks for director of the Cybersecurity and Infrastructure Security Agency and national cyber director, on Thursday at 10:15 a.m.
  • Rep. John Katko (R-N.Y.), the top Republican on the House Homeland Security Committee, discusses cybersecurity at an American Enterprise Institute event on Friday at 10 a.m.
  • Gen. Paul Nakasone, the director of the National Security Agency and commander of U.S. Cyber Command, testifies before a House Armed Services Committee panel alongside the director of the Defense Intelligence Agency, Lt. Gen. Scott Berrier, and Undersecretary of Defense for Intelligence & Security Ronald Moultrie on Friday at 11 a.m.
  • Dustin Moody, the head of the National Institute for Standards and Technology’s cryptographic technology group, discusses the future of cybersecurity and quantum technology at a Center for Strategic and International Studies event on June 15 at 3 p.m.

Secure log off