Rethinking Cybersecurity Policies for Critical U.S. Transportation Infrastructure


June 11, 2021 | Caroline Marete

Cyberattacks pose an increasing threat to critical transportation infrastructure in the United States. A recent, high-profile ransomware attack on the Georgia-based energy company Colonial Pipeline shut down systems that supply about 45 percent of the fuel consumed on the U.S. East Coast. Not only did the attack send gas prices soaring, but Colonial Pipeline President and CEO Joseph Blount also elected to pay a ransom totaling $4.4 million. While the FBI was able to recover most of that payment, the incident highlights the vulnerability of transportation infrastructure and the leverage that hackers have over its owners. These were the subjects of two hearings this week on Capitol Hill.

On Tuesday, June 8, the Senate Committee on Homeland Security and Governmental Affairs held the hearing “Threats to Critical Infrastructure: Examining the Colonial Pipeline Cyber Attack”. One witness was present. The witness testimony can be found here:

  • Joseph Blount, President and CEO, Colonial Pipeline Company

A second hearing, held on Wednesday, June 9 by the House Committee on Homeland Security, “Cyber Threats in the Pipeline: Using Lessons from the Colonial Ransomware Attack to Defend Critical Infrastructure,” had two witnesses. No written testimonies were available.

  • Joseph Blount, President and CEO, Colonial Pipeline Company
  • Charles Carmakal, SVP & CTO, FireEye Mandiant

The Senate hearing was opened by committee chairman Gary Peters (D-MI) and Sen. Rob Portman (R-OH), the ranking minority member of the committee. In their opening statements, both leaders acknowledged the increase in cases of cyberattacks directed at U.S. companies. These sentiments were echoed by several members of the committee throughout the hearing. Since the beginning of the COVID-19 pandemic, companies in different sectors including health care, meat processing and energy have become victims of ransomware attacks. In a press briefing on June 7, FBI Deputy Director Paul Abbate said the FBI had identified more than 90 victims of ransomware attacks across sectors perpetrated by Darkside, the hacking group believed to be responsible for the attack on Colonial Pipeline.

The House hearing opened on the same note. Chairman Bennie G. Thompson (D-MS) and Rep. John Katko (R-NY), the ranking minority member of the committee, emphasized that the events at Colonial Pipeline are not unique to the company. As such, most committee members highlighted the importance of using the lessons learned from Colonial Pipeline to “harden” cybersecurity in other U.S. companies. Several committee members sought the views of the witnesses on the involvement of government in strengthening cybersecurity policies in public and private sectors. The resounding response was that government involvement is needed to develop sound cybersecurity policies and best practices. Panel members also suggested that establishing diplomatic ties with countries that play host to cyber criminals is essential in fighting them.

During both hearings, Blount was faced with the question of why he chose to pay ransom to the attackers against the FBI's advisory. Paying ransom is highly discouraged by the FBI as it may encourage attackers’ behavior. Blount defended himself by saying that he believed this was the right decision at the time and that it was made in the interest of the country and the millions of Americans who depend on Colonial Pipeline products for critical everyday operations. Blount is not the only CEO who chose to pay ransom in a cyberattack crisis. The CEO of JBS, a meat packing company that supplies about one-fifth of the U.S. meat supply, admitted that he paid $11 million to cyber criminals to regain access to the company's systems after an attack. Blount was applauded for being honest and forthcoming about his decision to pay ransom to cyber attackers, because many cyberattacks go unreported, making it more difficult to fight cyber criminals.

While several committee members and the witnesses acknowledged that the responsibility of securing company systems falls on private companies, there was a general consensus that the government must be involved in developing policies that will support public and private companies in matters of cybersecurity. Notably, two recently introduced bills were mentioned: John Katko (R-NY), ranking member of the House Committee on Homeland Security, mentioned HR 1833, the “DHS Industrial Control Systems Capabilities Enhancement Act of 2021,” and committee member Sharon Jackson Lee (D-TX) mentioned HR 2980, the “Cybersecurity Vulnerability Remediation Act.”

The debate on cybersecurity policies and best practices for U.S. infrastructure is far from over. Transportation and other infrastructure that support the national economy remain vulnerable and it is increasingly difficult to predict when or where or who the next victim will be. Since the attack on Colonial Pipeline in May, several organizations including the NYC Metropolitan Transportation Authority and Steamship Authority have revealed that they were victims of cyberattacks. Matters of cybersecurity for key U.S. transportation infrastructure should be treated with urgency because of their outsized role in the national economy.
