It didn’t take Joe Blount much time to make that decision, either. In an interview aired on NPR’s All Things Considered last night, the Colonial Pipeline CEO revealed that he paid the ransomware hackers their demanded $4.4 million in cryptocurrency within the first day. Blount insists that while he didn’t want to reward “these contemptible criminals,” he had larger interests to consider — like the health and welfare of the country:
[It was] obviously, probably the hardest decision I’ve ever made in my career. I’ve been around this asset for a long time: I’ve been an employee of Colonial Pipeline for three and a half years, but I’ve been in the industry for almost 39 now. So once we identified the risk and contained the risk by shutting the pipeline system down and immediately called in cyber experts to help us with identifying further what had been done to our system, one of the things that came up, ultimately, was the ransom and whether to pay the ransom or not.
The conversation went like this: Do you pay the ransom or not? And of course, the initial thought is: You don’t want to pay the ransom. You don’t want to encourage [hackers], you don’t want to pay these contemptible criminals. But our job and our duty is to the American public. So when you know that you have 100 million gallons of gasoline and diesel fuels and jet fuels that are going to go across the Southeastern and Eastern seaboard of the United States, it’s a very critical decision to make. And if owning that de-encryption tool gets you there quicker, then it’s the decision that had to be made. And I did make that decision that day. It was the right decision to make for the country.
One cannot easily dismiss this argument. In the short time that hackers controlled Colonial’s operation, they created massive disruptions and shortages across a wide swath of the Southeast. In fact, those disruptions and shortages outlasted the hostaging of Colonial’s systems by several days. Had Colonial taken the principled path of refusing to pay the Danegeld, those disruptions would have lasted weeks or months. In that equation, Blount has a point — $4.4 million looks pretty cheap, even without the obvious implications for safety created by the seizure of their internal computer systems.
Unfortunately, that choice has consequences of its own. The hackers now have a boon in resources that they can use to extend their attacks to other companies. Now that they have had success in extorting a key part of American infrastructure, where that kind of failure is unthinkable, we’re going to see a lot more of those attacks. Blount says that the answer to this threat is government action in partnership with the private sector, as well as recognizing this as a hostile threat to national security.
On the last point, the White House now agrees. NBC’s Today reports that the Biden administration is mulling over covert intel operations to target the ransomware hackers by giving them a taste of their own medicine:
On the heels of several high-profile cyberattacks, the White House is now moving to treat ransomware attacks as a national security threat, and reportedly contemplating their own cyber offensive against hackers inside Russia. @Miguelnbc reports. pic.twitter.com/1xDtLT93KI
— TODAY (@TODAYshow) June 4, 2021
The only way to end this problem is to remove the incentives for it. That requires action from law enforcement (domestic) and intelligence (foreign) resources, but it also requires businesses to prepare better for this threat. That’s especially true of key players in infrastructure like utilities and food distribution. It would be better if those victimized by these hackers didn’t pay the ransom, which only increases incentives while providing fresh resources for more hacking.
Blount appears to agree with that in the broad strokes, seemingly discounting government responsibility for Colonial’s situation:
On the government’s role when private companies face cyberattacks and ransom
At the end of the day, it’s a decision that has to be made by the company. … I think that obviously private industry has a responsibility here. Pipelines do invest in cyberware and security. It’s a natural extension of what we’ve done historically, which is focus on the physical security of our asset. So it really pretty much needs to become a private-public partnership.
Indeed. But we do have to recognize, after the Colonial and JBS threats, that this is more than just crime. It’s an attack on our national security, food supply, and way of life. Time to step up for an effective counterattack.