[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]


                  CYBER THREATS IN THE PIPELINE: USING LES-
                    SONS FROM THE COLONIAL RANSOMWARE 
                    ATTACK TO DEFEND CRITICAL INFRASTRUC-
                    TURE

=======================================================================


                                 HEARING

                               BEFORE THE

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              JUNE 9, 2021

                               __________

                           Serial No. 117-15

                               __________

       Printed for the use of the Committee on Homeland Security
                                     

[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]

                                    

        Available via the World Wide Web: http://www.govinfo.gov
        
        
                              __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
45-085 PDF                  WASHINGTON : 2021                     
          
--------------------------------------------------------------------------------------

                     COMMITTEE ON HOMELAND SECURITY

               Bennie G. Thompson, Mississippi, Chairman
Sheila Jackson Lee, Texas            John Katko, New York
James R. Langevin, Rhode Island      Michael T. McCaul, Texas
Donald M. Payne, Jr., New Jersey     Clay Higgins, Louisiana
J. Luis Correa, California           Michael Guest, Mississippi
Elissa Slotkin, Michigan             Dan Bishop, North Carolina
Emanuel Cleaver, Missouri            Jefferson Van Drew, New Jersey
Al Green, Texas                      Ralph Norman, South Carolina
Yvette D. Clarke, New York           Mariannette Miller-Meeks, Iowa
Eric Swalwell, California            Diana Harshbarger, Tennessee
Dina Titus, Nevada                   Andrew S. Clyde, Georgia
Bonnie Watson Coleman, New Jersey    Carlos A. Gimenez, Florida
Kathleen M. Rice, New York           Jake LaTurner, Kansas
Val Butler Demings, Florida          Peter Meijer, Michigan
Nanette Diaz Barragan, California    Kat Cammack, Florida
Josh Gottheimer, New Jersey          August Pfluger, Texas
Elaine G. Luria, Virginia            Andrew R. Garbarino, New York
Tom Malinowski, New Jersey
Ritchie Torres, New York
                       Hope Goins, Staff Director
                 Daniel Kroese, Minority Staff Director
                          Natalie Nixon, Clerk
                            
                            
                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Chairman, Committee on 
  Homeland Security:
  Oral Statement.................................................     1
  Prepared Statement.............................................     2
The Honorable John Katko, a Representative in Congress From the 
  State of New York, and Ranking Member, Committee on Homeland 
  Security:
  Oral Statement.................................................     3
  Prepared Statement.............................................     5
The Honorable Sheila Jackson Lee, a Representative in Congress 
  From the State of Texas:
  Prepared Statement.............................................     6

                               Witnesses

Mr. Joseph Blount, President and Chief Executive Officer, 
  Colonial Pipeline:
  Oral Statement.................................................    10
  Prepared Statement.............................................    11
Mr. Charles Carmakal, Senior Vice President and Chief Technology 
  Officer, FireEye Mandiant:
  Oral Statement.................................................    14
  Prepared Statement.............................................    16

 
    CYBER THREATS IN THE PIPELINE: USING LESSONS FROM THE COLONIAL 
          RANSOMWARE ATTACK TO DEFEND CRITICAL INFRASTRUCTURE

                              ----------                              


                        Wednesday, June 9, 2021

                     U.S. House of Representatives,
                            Committee on Homeland Security,
                                                    Washington, DC.
    The committee met, pursuant to notice, at 12 p.m., via 
Webex, Hon. Bennie G. Thompson [Chairman of the committee] 
presiding.
    Present: Representatives Thompson, Jackson Lee, Langevin, 
Payne, Correa, Slotkin, Cleaver, Clarke, Titus, Watson Coleman, 
Rice, Demings, Gottheimer, Torres, Katko, McCaul, Bishop, Van 
Drew, Norman, Miller-Meeks, Harshbarger, Clyde, Meijer, 
Cammack, Pfluger, and Garbarino.
    Chairman Thompson. The Committee on Homeland Security will 
come to order. The committee is meeting today to receive 
testimony on ``Cyber Threats in the Pipeline: Using Lessons 
from the Colonial Ransomware Attack to Defend Critical 
Infrastructure.'' Without objection, the Chair is authorized to 
declare the committee in recess at any point. The gentlelady 
from New Jersey, Mrs. Watson Coleman, shall assume the duties 
of the Chair, should I have technical difficulty. I now 
recognize myself for an opening statement.
    Last month, malicious hackers infiltrated Colonial 
Pipeline's network and infected its IT systems with ransomware. 
For nearly a week, 5,500 miles of pipeline supplying 45 percent 
of the fuel on the East Coast was shut down, and panic buying 
resulted in fuel shortages in the Southeast. Since pipeline 
service was restored, we have learned more about what happened. 
We know hackers exploited an unprotected VPN account that was 
no longer in use to gain access to Colonial Pipeline's network. 
We know Colonial Pipeline paid the ransom demand and the FBI 
has since recovered most of it. We know Colonial Pipeline is 
hardly alone.
    This spring, ransomware attacks hit the world's largest 
meat processor, transportation systems in New York City and 
Martha's Vineyard, and Scripps Health in San Diego. But the 
potential impact of a long-term shutdown of the country's 
biggest pipeline crystalized the devastating consequences of 
ransomware. More importantly, it raised serious questions about 
the cybersecurity practices of critical infrastructure owners 
and operators and whether voluntary cybersecurity standards are 
sufficient to defend ourselves against today's cyber threats.
    I was glad to see the Transportation Security 
Administration issue a security directive to mandate some 
security requirements for the pipeline industry, but more 
requirements may still be needed to drive the policies 
necessary to defend against and mitigate the impacts of future 
ransomware attacks. We need a complete understanding of the 
circumstances surrounding the ransomware attack against 
Colonial and the decisions it made during the incident 
response.
    Today, our goal is to examine the cybersecurity practices 
in place at Colonial prior to the May 2021 ransomware attack, 
and assess whether other critical infrastructure operators 
might be similarly situated and vulnerable. We need to 
understand the degree to which Colonial utilized the full range 
of security resources made available by TSA, Colonial's Sector 
Risk Management Agency, and Cybersecurity Infrastructure 
Agency. I am troubled by reports that Colonial declined 
repeated offers by TSA over the past year to assess its 
security defenses.
    We also need to understand whether Colonial had a 
ransomware incident response and continually of operation 
plan--continuity of operation plan and whether it had been 
practiced and tested. Government officials and cybersecurity 
experts have been warning about the growing threat of 
ransomware for years. We need to know how private-sector 
entities, like Colonial, acted on these warnings. I am 
concerned that too few have robust cyber incident response and 
continuity of operation plans in place.
    Finally, we need to understand the threat actor, how it 
targets victims, what tools it utilizes to infiltrate networks, 
and how we can deter this kind of behavior.
    Before I close, I would like to commend the FBI for its 
work recovering Colonial's ransomware payment and depriving the 
hackers of the financial benefit of their malicious cyber 
activity. I hope the FBI success serves as an incentive for 
future ransomware victims to engage with law enforcement early. 
I hope Colonial will use the recouped money to make necessary 
improvements in its cybersecurity.
    I look forward to a productive discussion, and I thank the 
witnesses for being here today. With that, I recognize the 
Ranking Member, the gentleman from New York, Mr. Katko, for an 
opening statement.
    [The statement of Chairman Thompson follows:]
                Statement of Chairman Bennie G. Thompson
                              June 9, 2021
    Last month, malicious hackers infiltrated Colonial Pipeline's 
network and infected its IT systems with ransomware. For nearly a week, 
5,500 miles of pipeline supplying 45 percent of the fuel on the East 
Coast were shut down, and panic buying resulted in fuel shortages in 
the Southeast. Since pipeline service was restored, we have learned 
more about what happened.
    We know hackers exploited an unprotected VPN account that was no 
longer in use to gain access to Colonial Pipeline's networks. We know 
Colonial Pipeline paid the ransom demand--and the FBI has since 
recovered most of it. And we know Colonial Pipeline is hardly alone--
this spring, ransomware attacks hit the world's largest meat processor, 
transportation systems in New York City and Martha's Vineyard, and 
Scripps Health in San Diego.
    But the potential impact of a long-term shut-down of the country's 
biggest pipeline crystalized the devastating consequences of 
ransomware. More importantly, it raised serious questions about the 
cybersecurity practices of critical infrastructure owners and operators 
and whether voluntary cybersecurity standards are sufficient to defend 
ourselves against today's cyber threats.
    I was glad to see the Transportation Security Administration issue 
a security directive to mandate some security requirements for the 
pipeline industry--but more requirements may still be needed. To drive 
the policies necessary to defend against and mitigate the impacts of 
future ransomware attacks, we need a complete understanding of the 
circumstances surrounding the ransomware attack against Colonial and 
the decisions it made during incident response.
    Today, our goal is to examine the cybersecurity practices in place 
at Colonial prior to the May 2021 ransomware attack, and assess whether 
other critical infrastructure operators might be similarly situated and 
vulnerable. We need to understand the degree to which Colonial utilized 
the full range of security resources made available by TSA--Colonial's 
sector risk management agency--and the Cybersecurity and Infrastructure 
Security Agency (CISA). I am troubled by reports that Colonial declined 
repeated offers by TSA over the past year to assess its security 
defenses. We also need to understand whether Colonial had a ransomware 
incident response and continuity of operations plan and whether it had 
been practiced and tested.
    Government officials and cybersecurity experts have been warning 
about the growing threat of ransomware for years. We need to know how 
private-sector entities like Colonial acted on those warnings. Finally, 
we need to understand the threat actor--how it targets victims, what 
tools it utilizes to infiltrate networks, and how we can deter this 
kind of behavior.
    Before I close, I would like to commend the FBI for its work 
recovering Colonial's ransomware payment and depriving the hackers of 
the financial benefit of their malicious cyber activity. I hope the 
FBI's success serves as an incentive for future ransomware victims to 
engage with law enforcement early. And, I hope Colonial will use the 
recouped money to make necessary improvements to its cybersecurity.

    Mr. Katko. Thank you, Mr. Chairman, and I thank you for 
calling this most timely and important hearing today. I thank 
you for your continued partnership in the joint effort to 
increase American cybersecurity resilience. From the added 
integrity on Federal systems to pipelines, to meat processing, 
to e-transportation assets, the connected systems that underpin 
our way of life are constantly under attack by cyber 
adversaries. It has been getting worse and it must stop. This 
isn't hypothetical or the plot of a Hollywood film. These 
attacks on our critical infrastructure are happening right in 
front of our eyes.
    The next steps we take are of vital importance. They should 
be a mix of short-term tactical and longer-term foundational 
policy shifts. The next step, the Government will need to take 
the lead in certain areas. For other responsibilities, the onus 
will be on industries.
    Throughout all of this, however, we must work together. 
Foundational to the work of this committee must be maximizing 
the role of CISA. We must mature the relationship between CISA 
and the Nation's lead civilian cybersecurity agency with 
centralized capacity and tools, and the Sector Risk Management 
Agencies, who have the sector-specific relationships and 
expertise. Optimizing, not eroding, these relationships between 
CISA and the various SRMAs will be critical going forward. Now 
is not the time to relitigate previous turf battles.
    I am hopeful that the recent TSA security directive is an 
important first step forward in strengthening both TSA and 
CISA's ability to respond to these rapidly evolving cyber 
threats, although there is a valid question of why it took so 
long for TSA to finally leverage this authority. It is vital 
that TSA be relentless in its focuses going forward to secure 
the Nation's 2.7 million miles of pipelines. TSA needs to 
continue to involve industry in the implementation of this 
security directive and future ones.
    As we continue to provide clarity and confidence in Federal 
roles and responsibilities, we also must keep on the full court 
press to provide CISA with the resources it needs to help the 
critical infrastructure community. I recently introduced H.R. 
1833, the DHS Industrial Control Systems Capabilities 
Enhancement Act of 2021, a bill with bipartisan support that is 
designed to protect critical infrastructure from cyber attacks 
and further bolster the deployable and scalable pool of 
resources CISA offers to assess--to assist stakeholders. I am 
pleased that this bill passed out of committee unanimously, and 
I am hopeful for its prompt consideration on the floor of the 
House.
    Make no mistake about it, the Federal Government has some 
significant execution challenges on the horizon where it cannot 
afford to fumble. I recently worked with the Chairman to sound 
the alarm on the implementation time line of continuity of the 
economy planning as mandated by last year's NDAA. This is a 
provision we supported that was designed exactly for moments 
like this. Where is it? We need it now, and we need it the 
most.
    Following the devastating SolarWinds attack in December 
2020, I created a 5-pillar plan to enhance American 
cybersecurity. I am encouraged to see that the software-heavy 
provisions of the administration's new cyber Executive Order 
tread very closely to my suggestions, but, again, we must hold 
the administration's feet to the fire to ensure the aggressive 
but necessary deadlines are met.
    The Federal Government also faces a moment of reckoning 
when it comes to deterrents. While many of the recent hacks 
have come from so-called apolitical organizations, certain 
countries, in particular Russia, are creating safe havens for 
these bad actors. The President is meeting with Putin next 
week. I hope to see the President send a clear message: Turning 
a blind eye to cyber criminals who attacked our critical 
infrastructure is completely unacceptable. He must make it 
abundantly clear what the continued harboring of these groups 
will mean. Ultimately, strength only respects strength, and 
that is what we need to project now.
    As we learned from incidents, from like the Colonial 
Pipeline ransomware attack, I do believe the private sector 
also must look hard in the mirror. While I don't think a 
culture of blaming the victim is ultimately constructive, 
clearly, and I mean clearly, we can all do better to protect 
our critical infrastructure networks.
    I appreciate Colonial Pipeline's identification of places 
where they are now hardening systems in response to the 
devastating ransomware attack in May, but this begs an obvious 
question: If your pipeline provides fuel to 45 percent of the 
East Coast, why are you only hardening your systems after an 
attack has occurred? Why wasn't it done beforehand? Again, I am 
not interested in blaming the victim here, but we must all 
learn from these incidents to prevent future destruction.
    As we painfully witnessed a string of even more ransomware 
attacks since Colonial, it is clear to all of us that we must 
break the ransomware business model once and for all. We cannot 
accept default to accepting extortion. As an industry leader, 
there is certainly heavy pressure to get your own systems up 
and running when facing a frightening cyber attack. But these 
the effects of today only fund some ransomware attacks of 
tomorrow.
    Everything should be on the table here with know your 
customer and cryptocurrency reporting requirements being the 
low-hanging fruit. While it is encouraging that the FBI was 
able to recover the majority of the bitcoin ransom in this 
instant, and I, along with the Chairman, applaud them for that, 
we can't rest on the capability of this happening going 
forward.
    Finally, this string of devastating cyber incidents with 
real-world impacts has reinforced that we need a codified 
process of identifying systematically important critical 
infrastructure. I look forward to working with a wide range of 
stakeholders to get this right. I anticipate that much of 
today's hearing will highlight just how much time is of the 
essence. I am heartened to see that tomorrow the Senate will 
hold confirmation hearings for the CISA and National cyber 
directors. Let us keep our foot on the gas pedal. Let us work 
together. There is no other option.
    I yield back, Mr. Chairman.
    [The statement of Ranking Member Katko follows:]
                 Statement of Ranking Member John Katko
    I thank the Chairman for calling this timely and important 
discussion, and I thank him for his continued partnership in the joint 
effort to increase American cybersecurity resilience. From data 
integrity on Federal systems, to pipelines, to meat processing, to key 
transportation assets--the connected systems that underpin our very way 
of life are under constant attack by cyber adversaries. It's been 
getting worse, and it must stop. This isn't hypothetical or the plot of 
a Hollywood film. These attacks on our critical infrastructure are 
happening right in front of our eyes.
    The next steps we take are of vital importance. They should be a 
mix of short-term tactical and longer-term foundational policy shifts. 
The Government will need to take the lead in certain areas. For other 
responsibilities, the onus will be on industry. Throughout all of this, 
however, we must work together.
    Foundational to the work of this committee must be maximizing the 
role of CISA. We must mature the relationship between CISA--as the 
Nation's lead civilian cybersecurity agency with centralized capacity 
and tools--and the Sector Risk Management Agencies, who have the 
sector-specific relationships and expertise. Optimizing, not eroding, 
these relationships between CISA and the various SRMAs will be critical 
going forward. Now is not the time to relitigate previous turf battles.
    I am hopeful that the recent TSA security directive is an important 
step forward in strengthening both TSA and CISA's ability to respond to 
these rapidly-evolving cyber threats, although there's a valid question 
of why it took so long for TSA to finally leverage this authority. It's 
vital that TSA be relentless in its focus going forward to secure the 
Nation's 2.7 million miles of pipelines. TSA needs to continue to 
involve industry in the implementation of this security directive and 
future ones.
    As we continue to provide clarity and confidence in Federal roles 
and responsibilities, we also must keep on the full court press to 
provide CISA with the resources it needs to help the critical 
infrastructure community. I recently introduced H.R. 1833, the DHS 
Industrial Control Systems Capabilities Enhancement Act of 2021, a bill 
with bipartisan support that is designed to protect critical 
infrastructure from cyber attacks and further bolster the deployable 
and scalable pool of resources CISA offers to assist stakeholders. I am 
pleased that this bill passed out of committee unanimously and look 
forward to its prompt consideration on the floor of the House.
    Make no mistake--the Federal Government has some significant 
execution challenges on the horizon where it cannot afford to fumble. I 
recently worked with the Chairman to sound the alarm on the 
implementation time line of Continuity of the Economy planning as 
mandated by last year's NDAA. This is a provision we supported that was 
designed exactly for moments like this. Where is it now when we need it 
the most?
    Following the devastating SolarWinds hack in December 2020, I 
created a 5-pillar plan to enhance American cybersecurity. I am 
encouraged to see that the software-heavy provisions of the 
administration's new Cyber Executive Order track very closely to my 
suggestions. But again, we must hold the administration's feet to the 
fire to ensure the aggressive, but necessary, deadlines are met.
    The Federal Government also faces a moment of reckoning when it 
comes to deterrence. While many of the recent hacks have come from so-
called ``apolitical'' organizations, certain countries, in particular 
Russia, are creating safe havens for these bad actors. The President 
has a meeting with Putin next week. I hope to see the President send a 
clear message that turning a blind eye to cyber criminals who attack 
our critical infrastructure is completely unacceptable. He must make it 
abundantly clear what the continued harboring of these groups will 
mean. Ultimately, strength only respects strength, and that's what we 
need to project now.
    As we learn from incidents like the Colonial Pipeline ransomware 
attack, I do believe the private sector also must look hard in the 
mirror. While I don't think a culture of blaming the victim is 
ultimately constructive, clearly we can all do better to protect our 
critical networks. I appreciate Colonial Pipeline's identification of 
places where they are now hardening systems in response to the 
devastating ransomware attack in May, but this begs an obvious 
question. If your pipeline provides fuel to 45 percent of the East 
Coast, why are you only hardening systems after an attack? Again, I'm 
not interested in blaming the victim here, but we all must learn from 
these incidents to prevent future destruction.
    As we've painfully witnessed a string of even more ransomware 
attacks since Colonial, it's clear to all of us that we must break the 
ransomware business model once and for all. We cannot default to 
accepting extortion. As an industry leader there is certainly heavy 
pressure to get your own systems up and running when facing a 
frightening cyber attack, but the easy fix of today only funds the 
ransomware attacks of tomorrow. Everything should be on the table here, 
with Know Your Customer and cryptocurrency reporting requirements being 
the low-hanging fruit. While it is encouraging that the FBI was able to 
recover the majority of the Bitcoin ransom in this instance, we can't 
rest on this capability as free pass going forward.
    Finally, this string of devastating cyber incidents with real-world 
impacts has reinforced that we need a codified process of identifying 
Systemically Important Critical Infrastructure. I look forward to 
working with a wide range of stakeholders to get this right.
    I anticipate that much of today's hearing will highlight just how 
much time is of the essence. I'm heartened to see that tomorrow the 
Senate will hold confirmation hearings for the CISA and National cyber 
directors. Let's keep our foot on the gas pedal. There is no other 
option.

    Chairman Thompson. Thank you very much, Mr. Ranking Member. 
Other Members of the committee are reminded that under 
committee rules, opening statements may be submitted for the 
record.
    [The statement of Honorable Sheila Jackson Lee follows:]
               Statement of Honorable Sheila Jackson Lee
                              June 9, 2021
    Chairman Thompson, and Ranking Member Katko thank you for holding 
today's hearing on ``Cyber Threats in the Pipeline: Using Lessons 
Learned from the Colonial Ransomware Attack to Defend Critical 
Infrastructure.''
    I look forward to the questions that will follow the testimony of:
   Mr. Joseph A. Blount, Jr., president & CEO, Colonial 
        Pipeline Company; and
   Mr. Charles Carmakal, senior vice president for strategic 
        services & CTO, FireEye.
    I thank today's witnesses for agreeing to testify before the House 
Homeland Security Committee.
    The private sector has 85 percent of the Nation's critical 
infrastructure and much of it has some connectivity to the internet--
they can no longer go it alone.
    The vulnerabilities in computing technology from the most complex 
systems to the smallest devices are often found in its software.
    This was true in the early 1990's when the first desktop computing 
technology was produced.
    Desktop computing devices were quickly adopted for business and 
Government use.
    The market and regulatory forces that should have forced security 
and safety improvements on computing technology never developed due to 
interference from Congress and the courts that excused or deflected 
culpability for known computing technology errors or omissions in 
product development or manufacturing that left systems open to attack.
    The last defense for computing technology and systems are the 
concrete steps that organization, companies, and agencies can take to 
secure their computing assets; and business continuity measures that 
can be in place to allow meaningful recovery of operations should a 
successful cyber attack occur.
    Business continuity refers to the capability of an organization to 
continue the delivery of products or services at acceptable levels 
following a disruptive incident, and business continuity planning or 
business continuity and resiliency planning is the process of creating 
systems of prevention and recovery to deal with potential threats to 
operations.
    To survive in the current high-risk computing landscape both 
Government and private-sector entities must engage in risk mitigation 
strategies that assess operations from top to bottom to identify 
potential cyber threats and risk vectors.
    This assessment should include both internal and external threats 
that could compromise business continuity.
    Some risks are firmly within an organization's ability to control, 
such as the controls they implement to secure data and systems.
    Continuity planning is also firmly under the control of 
organizations, and to not invest in proven strategies to survive a 
cyber attack, is not only irresponsible on the part of owners--but it 
creates unacceptable risks for their employees, customers, and 
investors.
    I introduced the Cybersecurity Vulnerability Remediation Act was 
introduced and passed the House during the 115th and 116th Congresses 
and has been updated again in the 117th Congress to meet the ever-
evolving nature of cyber threats faced by Federal and private-sector 
information systems and our Nation's critical infrastructure.
    This bill goes significantly further than the first Cybersecurity 
Vulnerability bill that I introduced in the 115th Congress, to address 
the instance of Zero-Day Events that can lead to catastrophic 
cybersecurity failures of information and computing systems.
    The ANS to H.R. 2980 responds to the recent cyber attacks on 
America's private sector and establishes the Federal Government as 
having a major role in fighting cyber attacks that target Government 
agencies and the private-sector critical infrastructure.
    H.R. 2980, the Cybersecurity Vulnerability Remediation Act:
   Changes the Department of Homeland Security (DHS) definition 
        of security vulnerability to include cybersecurity 
        vulnerability,
   Provides the plan to fix known cybersecurity 
        vulnerabilities,
   Gives the Department of Homeland Security the tools to know 
        more about ransomware attacks and ransom payments, and
   Creates greater transparency on how DHS will defend against 
        and mitigate cybersecurity vulnerabilities and lays the road 
        map for preparing the private sector to better prepare for and 
        mitigate cyber attacks.
    The bill requires a report that can include a Classified annex, 
which I strongly recommend to the Secretary of DHS so that it can be 
available should the agency elect to engage private-sector entities in 
a discussion on cyber attacks and breaches targeting critical 
infrastructure.
    This bill is needed because the Nation's dependence on networked 
computing makes us vulnerable to cyber threats.
    In 30 years the world has gone from one divided by oceans to one 
that is interconnected through the internet.
    An interconnected world has brought us closer together, created new 
opportunities for business, and citizen engagement, while at the same 
time given new tools to those who may wish to cause harm using cyber 
attacks.
    In cyber space an attack against one entity or device can devolve 
into an attack against many.
    The work that must be done to secure critical infrastructure from 
cybersecurity vulnerabilities that include oil and gas pipelines; the 
electric grid, water treatment facilities, and other privately-held 
infrastructure must occur with much more order and purposefulness.
    The consolidation of cybersecurity for both the .gov domain and for 
the private sector is now under the jurisdiction of the Committee on 
Homeland Security was is an important step to better coordinating 
domestic cybersecurity.
    This is especially critical to the protection of large complex 
information systems that run on applications and hardware that may be 
decades old, which is the case with some supervisory control and data 
acquisition (SCADA) control system architectures that are pervasive in 
the provision of essential services provided critical infrastructure 
owner and operators.
    H.R. 2890 bolsters the efforts to engage critical infrastructure 
owners and operators in communicating cybersecurity threats; and lays 
the foundation for greater transparency on the real threats posed by 
cyber terrorist to private and Government sector critical 
infrastructure and information systems.
    The legislation allows the Science and Technology Directorate in 
consultation with CISA to establish an incentive-based program that 
allows industry, individuals, academia, and others to compete in 
identifying remediation solutions for cybersecurity vulnerabilities to 
information systems and industrial control systems including 
supervisory control and data acquisition systems.
    This bill when it becomes law would put our Nation's best minds to 
work on closing the vulnerabilities that cyber thieves and terrorists 
to use them to access, disrupt, corrupt or take control of critical 
infrastructure and information systems.
    In addition to these changes, the bill requires a report to 
Congress that may contain a Classified annex.
                 need for the report's classified annex
    Congress needs to know how prevalent and persistent cybersecurity 
threats targeting critical infrastructure and information systems might 
be, especially if those threats result in a payment of ransom.
    As the Chair of the House Judiciary Committee's Subcommittee on 
Crime, Terrorism, and Homeland Security, I can assure you that the best 
way to keep criminals at your door is to give them what they want.
    The initial post event news report said that Colonial Pipeline may 
have paid a ransom to regain control of its pipeline is particularly 
troubling because of what this, if true, might mean for the entire oil 
and gas industry at every level.
    Paying a ransom for ransomware emboldens and encourages cyber bad 
actors and places everyone at greater risk for the financial and 
societal costs of increases in threats as other seek payouts.
    As long as there is silence about cyber attacks like ransomware the 
criminals and terrorists will remain out of reach and continue to feel 
safe in carrying out these attacks often from the soil of our enemies 
or peer competitors.
    A company cannot stand up to Russia or China, but the United States 
can and has done so to protect our National interest.
    I applaud and thank the Biden administration for its quick action 
to respond to the attack against Colonial Pipeline in issuing a new 
Executive Order.
    It is troubling that some news accounts report that Colonial 
Pipeline did not respond to the administration when contacted about the 
attack against its pipeline.
    If true, the cyber terrorist may have been aided in their attack by 
this lack of cooperation and engagement by the target with authorities 
that could provide aid and unbounded access to know how to address the 
crisis created by the attack.
    Today, our Nation is in a cybersecurity crisis.
    My concern regarding the security of information networks began in 
2015 when the Office of Personnel Management's data breach resulted in 
the theft of millions of sensitive personnel records on Federal 
employees.
    What few understood in 2015 was that the attack on the OPM may have 
actually begun in 2013 when cyber criminals breached the computer 
network and stole the operation manuals for the agency's information 
system.
    The on-going attacks against Federal, State, local, territorial, 
and Tribal governments, as well as threats posed to private information 
systems, and critical infrastructure systems makes this bill necessary.
    On May 13, 2021 it was reported that the DC Metropolitan Police 
Department had experienced the worst reported cyber attack against a 
police department in the United States.
    The gang, known as the Babuk group, released thousands of the 
Metropolitan Police Department's sensitive documents on the dark web.
    A review by The Associated Press found hundreds of police officer 
disciplinary files and intelligence reports that include feeds from 
other agencies, including the FBI and Secret Service.
    This type of attack has the potential to undermine trust within the 
ranks regarding the security of personal information in the 
department's information network as well as reduce cooperation of other 
Federal law enforcement agencies with the DC Police Department out of 
cybersecurity concerns.
    These problems are not limited information related to Government 
employees.
    In February 2021, a cyber attack on an Oldsmar, Florida water 
treatment facility involved increasing the levels of sodium hydroxide 
from 100 parts per million to 11,100 parts per million in drinking 
water.
    At low levels sodium hydroxide is used in the treatment of drinking 
water to raise the pH of the water to a level that minimizes the 
corrosion.
    Raising the pH remains one of the most effective methods for 
reducing lead corrosion and minimizing lead levels in drinking water.
    However, the levels of this chemical in the water produced by 
Oldsmar, Florida was increased to levels that would cause harm to 
people if they drank or used it.
    This is just one example of how terrorists can attack critical 
infrastructure and cause threats to health, safety, and life.
    Cyber terrorists and cyber criminals are also motivated to attack 
information networks in exchange for money.
    This was the case with the DC Metropolitan Police Department who 
were threatened if they did not pay the thieves.
    The sources of revenue from cyber attacks has moved from demands of 
payment for thieves not to release information--to the sale of stolen 
information on the dark web and now to a sophisticated denial of 
service attack in the form of ransomware that locks a system using 
encryption until the victim pays.
                               ransomware
    Ransomware is becoming the tool of choice for those seeking a 
payout because it can be carried out against anyone or any entity by 
perpetrators who are far from U.S. shores.
    The ill-gotten gain reaped from ransomware can be used to fuel 
terrorist networks, drug cartels, attacks against the homeland, human 
trafficking, or other efforts to undermine homeland security.
    The Colonial Pipeline incident is just one in a long line of 
successful attacks or infiltrations carried out against domestic 
information systems and critical infrastructure with increasing 
consequences for the life, health, safety, and economic security of our 
citizens.
    There is no way of knowing how many attacks resulted in payouts to 
criminals, who would use the funds to fuel additional attacks that 
target business, Government, or other entities in the United States.
    There are few concrete details on how the cyber attack took place, 
and it is likely that this will not change until Colonial Pipeline and 
the third-party company brought in to investigate have concluded their 
analysis of the incident.
    However, what did occur was a ransomware outbreak, linked to the 
DarkSide group, that struck Colonial Pipeline's networks.
    The initial attack entry point into Colonial Pipeline's network is 
not known, but it may have been an old, unpatched vulnerability in a 
system; an email that got passed its firewall to an employee who opened 
it unknowingly; the use of a legitimate employee's computer access 
credentials that were purchased or obtained by the thieves that were 
leaked previously, or any other number of tactics employed by cyber 
criminals to infiltrate a company's network.
    There would be no need for the Cybersecurity Vulnerability 
Remediation Act if owners and operators were succeeding in meeting the 
cybersecurity needs of critical infrastructure.
    I know that there is more that should and ought to be done to 
address the issue of cyber crime and I will be pursuing this avenue 
under the jurisdiction of the House Judiciary Committee, as the Chair 
of the Subcommittee on Crime, Terrorism, and Homeland Security.
    Thank you.

    Chairman Thompson. Members are also reminded that the 
committee will operate according to the guidelines laid out by 
the Chairman and Ranking Member in our February 3 colloquy 
regarding remote procedures.
    I welcome our witnesses. Our first witness, Mr. Joseph 
Blount, is the president and CEO of Colonial Pipeline. Mr. 
Blount joined Colonial in 2017, with more than 3 decades of 
experience in the energy industry. Our second witness, Mr. 
Charles Carmakal, is senior vice president and chief technology 
officer at FireEye Mandiant. In that role, he oversees a team 
of security professionals that assist organizations in 
responding to security breaches by foreign governments and 
organized criminals. Without objection, the witnesses' full 
statements will be inserted in the record.
    I now ask Mr. Blount to summarize his statement for 5 
minutes.

   STATEMENT OF JOSEPH BLOUNT, PRESIDENT AND CHIEF EXECUTIVE 
                   OFFICER, COLONIAL PIPELINE

    Mr. Blount. Chairman Thompson, Ranking Member Katko, and 
Members of the committee, my name is Joe Blount, and since 
2017, I have served as president and CEO of the Colonial 
Pipeline Company. Thank you for the opportunity to testify 
before the committee today.
    Since 1962, we have been shipping and transporting refined 
products to market. Our pipeline system spans over 5,500 miles. 
It is one of the most complex pieces of energy infrastructure 
in America, if not the world. On any given day, we transport 
more than 100 million gallons of gasoline, diesels, jet fuel, 
and other refined products. Shipping that product safely and 
securely is what we do. The product we transport accounts for 
nearly half of the fuel consumed on the East Coast, providing 
energy for more than 50 million Americans, the Americans who 
rely on us to get the fuel to the pump, but so do cities and 
local governments. We supply fuel for critical operations, such 
as airports, ambulances, and first responders.
    The safety and security of our pipeline system is something 
we take very seriously, and we always operate with the interest 
of our customers, shippers, and the country first in mind. Just 
1 month ago, we were the victims of a ransomware attack by a 
cyber criminal group, and that attack encrypted our IT systems. 
Although the investigation is still on-going, we believe the 
attacker exploited the legacy VPN profile that was not intended 
to be in use. DarkSide demanded a financial payment in exchange 
for a key to unlock the impacted systems. We had cyber defenses 
in place, but the unfortunate reality is those defenses were 
compromised. This attack forced us to make difficult decisions, 
choices in real-time, that no company ever wants to face. But I 
am proud of the way our people reacted quickly to isolate and 
contain the attack, so we could get the pipeline back up and 
running safely.
    I am also very grateful for the immediate and sustained 
support of law enforcement, CISA, and other Federal 
authorities, including the White House. We reached out to 
Federal authorities within hours of the attack, and they have 
continued to be true allies as we worked so quickly and safely 
to restore our operations. I especially want to thank the 
Department of Justice and the FBI for their leadership and the 
progress they announced in this matter earlier this week.
    I also want to express my gratitude to the employees of 
Colonial Pipeline and the American people for your actions and 
support as we responded to the attack and dealt with the 
disruption that it caused. We are deeply sorry for the impact 
that this attack had, but we are also heartened by the 
resilience of our country and of our company.
    Finally, I want to address 2 additional issues that I know 
are on your minds, and I am going to address them in the only 
way I know how to, directly and honestly.
    First, the ransom payment. I made the decision to pay and I 
made the decision to keep the information about the payment as 
confidential as possible. It was the hardest decision I have 
ever made in my 39 years in the energy industry. I know how 
critical our pipeline is to the country, and I put the interest 
of the country first. I kept the information closely held 
because we were concerned about operational security and we 
wanted to stay focused on getting the pipeline back up and 
running. I believe with all my heart that it was the right 
choice to make. I also want to now state publicly that we 
quietly and quickly worked with law enforcement in this matter 
from the start, which may have helped lead to the substantial 
recovery of funds announced by the DOJ this week.
    Second, we are further hardening our cyber defenses. We 
have rebuilt and restored our critical IT systems and are 
continuing to enhance our safeguards, but we are not yet where 
I want us to be. If our CIO needs resources, she will get them. 
We also have brought in several of the world's leading experts 
to help us fully understand what happened and how we can 
continue, in partnership with you, to add defenses and 
resiliency to our networks.
    I especially want to thank Mandiant, Dragos, and Black 
Hills on the consultant side, and the White House and all the 
Government agencies who assisted us, both with the criminal 
investigation and with the restart of the pipeline. We are 
already working to implement the recent guidance and directives 
on cybersecurity. Our forensic work continues and we will learn 
more in the months ahead. I appreciate your support and I look 
forward to our discussion today.
    [The prepared statement of Mr. Blount follows:]
                  Prepared Statement of Joseph Blount
                              June 9, 2021
                            i. introduction
    Chairman Thompson, Ranking Member Katko, and Members of the 
committee: My name is Joe Blount, and since late 2017, I have served as 
the president and chief executive officer of Colonial Pipeline Company. 
Thank you for the opportunity to testify before the committee today.
    The Colonial Pipeline Company was founded in 1962 and is proud of 
its long history of connecting refineries with customers throughout the 
Southern and Eastern United States. Today, we have about 950 employees 
across the United States. Colonial Pipeline is the largest refined 
products pipeline by volume in the country and transports many 
products, such as gasoline, diesel, aviation fuels, and home heating 
oil. Our pipeline system is one of the most complex pieces of 
infrastructure in America, if not the world. On any given day, we may 
transport more than 100 million gallons of product. Shipping that 
product is what we do. We do not own the fuel, the refineries, the 
marketers, or gas stations. Rather, we transport it from 29 refineries 
in the Gulf Coast all the way up to the New York Harbor.
    Colonial Pipeline is cognizant of the important role we play as 
critical infrastructure. We recognize our significance to the economic 
and National security of the United States and know that disruptions in 
our operations can have serious consequences. Our pipeline system spans 
more than 5,500 miles. The product we transport accounts for nearly 
half of the fuel consumed on the East Coast, providing energy for more 
than 50 million Americans. Not only do everyday Americans rely on our 
pipeline operations to get fuel at the pump, but so do cities and local 
governments, to whom we supply fuel for critical operations, such as 
airports, ambulances, and first responders. The safety and security of 
our pipeline system is something we take very seriously, and we operate 
with the interests of our customers, shippers, and country top of mind.
    Just 1 month ago, we were the victims of a ransomware attack by the 
cyber criminal group DarkSide. At this time, we believe the criminal 
attack encrypted our IT systems, and DarkSide demanded a financial 
payment in exchange for a key to unlock those systems. We responded 
swiftly to the attack itself and to the disruption that the attack 
caused. We were in a harrowing situation and had to make difficult 
choices that no company ever wants to face, but I am proud of the fact 
that our people reacted quickly to get the pipeline back up and running 
safely. I am also extraordinarily grateful for the immediate and 
sustained support of Federal law enforcement and Governmental 
authorities, including the White House. We reached out to Federal 
authorities within hours of the attack and since that time we have 
found them to be true allies as we've worked to quickly and safely 
restore and secure our operations. We also look forward to their 
support as the United States enhances its response to the increasing 
challenges private companies must address in light of the proliferation 
of ransomware attacks and the actions of these cyber criminal groups. I 
appreciate your interest in this incident and our response, and I 
welcome the opportunity to discuss it with you. Our hope is that we 
will all learn from what happened and, through sharing, develop even 
more robust tools and intelligence to address this threat moving 
forward.
    I also want to express my gratitude to the employees of Colonial 
Pipeline, our numerous partners, and the American people for their 
actions and support as we responded to the attack and dealt with the 
disruption that it caused. We are deeply sorry for the impact that this 
attack had, but are heartened by the resilience of our country and of 
our company.
         ii. time line of the morning of the ransomware attack
    We identified the ransomware attack just before 5 o'clock AM 
Eastern Daylight Time (EDT) on Friday, May 7, when one of our employees 
identified the ransom note on a system in the IT network. Shortly after 
learning of the attack, the employee notified the Operations Supervisor 
at our Control Center who put in the stop work order to halt operations 
throughout the pipeline. This decision was driven by the imperative to 
isolate and contain the attack to help ensure the malware did not 
spread to the Operational Technology (OT) network, which controls our 
pipeline operations, if it had not already. At approximately 5:55 AM 
EDT, employees began the shutdown process. By 6:10 AM EDT, they 
confirmed that all 5,500 miles of pipelines had been shut down. 
Overall, it took us approximately 15 minutes to close down the conduit, 
which has about 260 delivery points across 13 States and Washington, 
DC.
    On May 7, our employees activated our company-wide incident 
response process and executed the steps they were trained to carry out. 
Shutting down the pipeline was absolutely the right decision, and I 
stand by our employees' decision to do what they were trained to do.
    We have an incident response process that follows the same 
framework used by some Federal agencies. Everyone in the company--from 
me to the operators in the field--has stop work authority if they 
believe that the safety of our systems is at risk, and that is a 
critical part of our incident response process.
    I recognize that the attackers were able to access our systems. 
While that never should have happened, it is a sobering fact that we 
cannot change. That being said, I am proud and grateful to report that 
our response worked: We were able to quickly identify, isolate, and 
respond to the attack and stop the malware from spreading and causing 
even more damage. We then turned to remediating the problem and safely 
restoring service. We retained a leading forensic firm, Mandiant, and 
with their help, within hours, we were able to return some of our local 
lines to manual operation. Within days, we returned all of our lines to 
operation. We are well under way, with the assistance of leading 
outside experts and our own team, with efforts to further strengthen 
our defenses against future attacks.
    iii. communication with federal law enforcement and government 
                              authorities
    We are grateful for the constructive relationship and cooperation 
of our Federal regulators in our efforts to respond to the attack and 
get the pipeline restarted as quickly as possible.
    On the morning of the attack, we proactively reached out to the 
Federal Bureau of Investigation (FBI) to inform them that cyber 
criminals had attacked Colonial Pipeline. We also scheduled a call 
within hours to debrief both the FBI and the Cybersecurity & 
Infrastructure Security Agency (CISA) with information about the 
attack, and we remained in regular communication with law enforcement. 
We proactively shared Indicators of Compromise (IOCs) with law 
enforcement as well as other valuable threat intelligence in an effort 
to help thwart these kinds of attacks in the future, and assist the 
Federal Government with its endeavor to bring the criminals to justice.
    We also have worked closely with the White House and National 
Security Council, the Department of Energy, which was designated as the 
lead Federal agency, as well as with the Department of Homeland 
Security, the Pipeline and Hazardous Materials Safety Administration 
(PHMSA), the Federal Energy Regulatory Commission (FERC), the Energy 
Information Administration, and the Environmental Protection Agency 
(EPA).
    Our cooperation with Federal agencies continues to this day, which 
is why I am grateful for your invitation to be here today and am 
pleased to support your efforts in determining how Government can play 
a role in helping private companies better defend themselves against 
similar threats.
    Our engagement with those Federal authorities helped us achieve 
meaningful milestones in our response process to address the attack and 
restore pipeline operations as quickly as possible. In particular, we 
are appreciative for the cooperative way that Federal agencies worked 
with us. Their focused collaboration made it easier to restart the 
pipelines and improved the speed with which we could transport fuels to 
their destinations.
                        iv. post-attack response
    We take our role in the United States infrastructure system very 
seriously. We recognize the gravity of the disruption that followed the 
shutdown, including panic-buying and shortages on the East Coast, and 
we express our sincerest regret to everyone who was impacted by this 
attack. The interests of our customers, shippers and the country are 
our top priorities and have been guiding our response.
    I want to emphasize that the importance of protecting critical 
infrastructure drove the decision to halt operations of the pipeline to 
help ensure that the malware was not able to spread to our OT network. 
When we learned of the attack, we did not know the point of origination 
of the attack nor the scope of it, so bringing the entire system down 
was the surest way--and the right way--to contain any potential damage.
    After halting operations, we took steps to continue to move product 
manually where we could, while working systematically and methodically 
to scan all of our systems for any potential malware or indicators of 
compromise. Once we knew we could safely restart the pipeline, we 
worked as quickly as possible to get our pipeline back up and running. 
Bringing our pipeline back on-line is not as easy as ``flicking a 
switch on,'' as President Biden correctly stated. It is an 
extraordinarily intricate and complex system, and this process required 
diligence and a Herculean, around-the-clock effort to restore our full 
OT network and begin returning all pipelines to service on Wednesday 
evening, May 12.
    While working through the restart process, we increased air 
surveillance, drove over 29,000 miles while inspecting our pipeline, 
and worked with local law enforcement agencies to secure our physical 
pipeline. Employees manually collected and real-time reported key 
pipeline information along our entire system to ensure the integrity of 
the system while our OT was not visible. We worked tirelessly to 
restore system integrity and bring the pipeline back in service as soon 
as we could do so safely.
    Being extorted by criminals is not a position any company wants to 
be in. As I have stated publicly, I made the decision that Colonial 
Pipeline would pay the ransom to have every tool available to us to 
swiftly get the pipeline back up and running. It was one of the 
toughest decisions I have had to make in my life. At the time, I kept 
this information close hold because we were concerned about operational 
security and minimizing publicity for the threat actor. But I believe 
that restoring critical infrastructure as quickly as possible, in this 
situation, was the right thing to do for the country. We took steps in 
advance of making the ransom payment to follow regulatory guidance and 
we have explained our course of dealings with the attackers to law 
enforcement so that they can pursue enforcement options that may be 
available to them.
v. on-going investigation into how this happened and what we can do to 
                    further strengthen our defenses
    Colonial Pipeline is an accountable organization, and that starts 
with taking proactive steps to prevent an attack like this from 
happening again. To further strengthen our defenses against future 
threats and cybersecurity attacks, we need to get to the bottom of how 
this one occurred. Over the past 4 weeks, we have learned a great deal. 
But forensic investigations, as many of you know, take time. Our 
experts are reviewing massive amounts of evidence and indicators of 
compromise and devoting ample resources to retracing the attackers' 
footsteps so we know, if possible, exactly where they got in, how they 
were able to move within our systems and what they may have been able 
to access. That investigation is on-going, and while we may not have 
all of the answers today to the questions that you have, we are working 
hard to get them.
    Although the investigation is on-going, we believe the attacker 
exploited a legacy virtual private network (VPN) profile that was not 
intended to be in use. We are still trying to determine how the 
attackers gained the needed credentials to exploit it.
    We have worked with our third-party experts to resolve and 
remediate this issue; we have shut down the legacy VPN profile, and we 
have implemented additional layers of protection across our enterprise. 
We also recently engaged Dragos' Rob Lee, one of the world's leading 
industrial and critical infrastructure and OT security specialists to 
work alongside Mandiant and assist with the strengthening of our other 
cyber defenses. We have also retained John Strand from Black Hills 
Information Security, another leader in the cybersecurity space, who 
will provide additional support to strengthen our cybersecurity 
program.
    It will take time to review all the evidence to make sure we get 
the most accurate answers possible, and we will continue to look for 
ways to further enhance our cybersecurity. We're committed to sharing 
lessons learned with the Government and our industry peers. As painful 
as this experience has been for us and those that rely on our pipeline, 
it is also an opportunity to learn more about how these criminals 
operate so that we and others can better protect ourselves moving 
forward. Once we complete our investigation into this event, we plan to 
partner with the Government and law enforcement and share those 
learnings with our peers in the infrastructure space, and more broadly 
across other sectors, so that they too learn from this event.
             vi. federal government response going forward
    I recognize that Congress and Federal agencies have been discussing 
what additional regulations may be appropriate in the wake of this 
ransomware attack. As the leader of Colonial Pipeline, I have been 
focused on restoring our normal operations and further strengthening 
our cyber defenses. One recommendation I have is to designate a single 
point of contact to coordinate the Federal response to these types of 
events. Having a single point of contact was helpful and constructive 
as Colonial Pipeline worked around the clock to respond to the 
ransomware attack and restore operations, and I believe that would be 
valuable in the event of future cyber attacks.
    There are also limits to what any one company can do. Colonial 
Pipeline can--and we will--continue investing in cybersecurity and 
strengthening our systems. But criminal gangs and nation-states are 
always evolving, sharpening their tactics, and working to find new ways 
to infiltrate the systems of American companies and the American 
Government. These attacks will continue to happen, and critical 
infrastructure will continue to be a target. Whichever organization may 
be designated as the single point of contact, Congress must ensure it 
is adequately staffed and resourced to support industry, facilitate 
information sharing, and respond appropriately. We will also need the 
continued support of law enforcement to disrupt cyber crime networks 
and to bring attackers like DarkSide to justice.
                            vii. conclusion
    In closing, I want to reiterate that we were the victims of a 
ransomware attack by criminals. I am proud of the way we were able to 
react and respond. We quickly took measures to secure critical 
infrastructure, to notify the appropriate authorities, and to work to 
safely restore operations. I appreciate Congress' interest in this 
attack and the lessons it may have for Government and industry, and I 
welcome the opportunity to answer your questions.

    Chairman Thompson. Thank you very much. I now ask Mr. 
Carmakal to summarize his statement for 5 minutes.

STATEMENT OF CHARLES CARMAKAL, SENIOR VICE PRESIDENT AND CHIEF 
             TECHNOLOGY OFFICER, FIRE EYE MANDIANT

    Mr. Carmakal. Thank you for this opportunity to share our 
observations and experiences regarding this important topic, as 
well as for your leadership on cybersecurity issues. My name is 
Charles Carmakal and I am a senior vice president and CTO at 
FireEye Mandiant. We commend the committee for holding this 
hearing to further examine the recent ransomware attack against 
Colonial Pipeline. Both Governmental and corporate responses to 
this attack continue to evolve and the committee plays an 
important role in overseeing these efforts.
    As requested, I am going to share our observations of the 
threat actor associated with the ransomware attack against 
Colonial Pipeline and discuss cybersecurity threats to 
organizations in the United States.
    In my role at Mandiant, I oversee a team of incident 
responders that help organizations respond to complex 
cybersecurity incidents. My team and I have had the opportunity 
to help organizations across the globe deal with some of the 
most significant cybersecurity incidents in history. Mandiant 
is on the front lines of the cyber battle, actively responding 
to computer intrusions at some of the largest organizations on 
a global scale. We employ over 1,000 cybersecurity experts in 
over 25 countries, with skills in digital forensics, malware 
analysis, intelligence collections, threat actor attribution, 
and security strategy and transformation.
    Over the last 17 years, we have responded to tens of 
thousands of security incidents. It is unfortunate, but, 
unfortunately, every day we get calls from organizations that 
are dealing with a cybersecurity breach. On the early morning 
of May 7, 2021, Mandiant was engaged to help Colonial Pipeline 
respond to the ransomware incident earlier that day. Prior to 
that date, Mandiant had not provided cybersecurity consulting 
services to Colonial Pipeline. Shortly after being called by 
Colonial Pipeline in the morning, we mobilized a team of 
experienced incident responders to help Colonial Pipeline 
investigate and contain the incident, eradicate the threat 
actor, and further enhance the security posture of the network 
to facilitate a safe restart to the pipeline.
    Additionally, Mandiant is advising Colonial Pipeline on 
ways to become more resilient to cyber attacks. Cyber 
intrusions have become more increasingly disruptive over the 
past decade. Every year, Mandiant publishes an annual security 
report, where we summarize the trends that we have observed in 
the past year. In 2015, Mandiant observed a notable surge in 
disruptive intrusions in which the threat actors deliberately 
destroy data, leak confidential data, taunt business 
executives, and extort victim organizations. We anticipated 
that these intrusions would become more disruptive over time 
given the high impact to victim organizations and the low cost 
to threat actors.
    In late 2019, a hacking group by the name of Maze changed 
the way the threat actors would conduct their intrusions. Prior 
to deploying ransomware, they would steal data from victim 
organizations in a way to conduct multifaceted extortion. They 
launched a website in which they would shame victim 
organizations by amplifying the message that they have hacked 
into those organizations and published tranches of data from 
those victim organizations.
    Last October, the threat to the United States had reached 
an unprecedented level. Hospitals across the United States 
dealt with an acute threat from Eastern European criminals that 
wanted to deliberately disrupt operations. Hospital technology 
systems were taken off-line, and medical professionals and 
administrative staff had to rely on paper-based mechanisms to 
document procedures and medicine.
    The impact of cyber intrusions to human lives had never 
been more dire. The majority of today's intrusions by 
financially motivated threat actors involve multifaceted 
extortion. Threat actors will apply immense pressure to coerce 
victims to pay substantial extortion demands, often in the 7- 
to 8-figure range. Some threat actors will convince news and 
media organizations to write embarrassing stories about the 
victims, they may call or harass employees, and they may also 
conduct security service attacks against those organizations.
    I want to spend a moment talking about the DarkSide threat 
group. DarkSide is a ransomware service that enables a network 
of different groups to conduct cyber intrusions under the name 
DarkSide. Like many financially motivated threat actors, the 
criminals affiliated with the DarkSide service conduct 
multifaceted extortion schemes to coerce victims into paying 
large extortion demands. The exfiltrate victim data, deploy 
DarkSide ransomware encryptors, and threaten to publish the 
stolen data to victim-shaming sites. They have launched a 
global crime spree affecting organizations in more than 15 
countries and multiple industry verticals since initially 
surfacing in August 2020. Following the security incident at 
Colonial Pipeline and the FBI's public attribution to DarkSide, 
the group claimed to have lost access to the infrastructure, 
including their blog, payment, and content distribution network 
servers, and they said they would be closing down their 
service.
    Operational technology and industrial control systems are 
responsible for managing and monitoring the industrial 
equipment, machines, and processes across the world. They 
facilitate the generation and distribution of power, operations 
of manufacturing plants, and transportation of people and 
products.
    To mitigate the risks associated with OT environments, 
organizations often segment their IT environments from their OT 
environments. There have been relatively fewer publicly 
disclosed intrusions of OT environments, but, certainly, the 
impact is incredible.
    On behalf of Mandiant, I thank you for the opportunity to 
testify before the committee. We stand ready to work with you 
to devise effective solutions to deter malicious behavior in 
cyber space and to build better resiliency into our networks.
    [The prepared statement of Mr. Carmakal follows:]
                 Prepared Statement of Charles Carmakal
                              June 9, 2021
                              introduction
    Chairman Thompson, Ranking Member Katko, and Members of the House 
Homeland Security Committee, thank you for the opportunity to share our 
observations and experiences regarding this important topic, as well as 
for your leadership on cybersecurity issues. My name is Charles 
Carmakal and I am a senior vice president and chief technology officer 
at FireEye-Mandiant (``Mandiant'').
    We commend the committee for holding this hearing to further 
examine the recent ransomware attack against Colonial Pipeline. Both 
governmental and corporate responses to the attacks continue to evolve, 
and the committee plays an important role in overseeing these efforts.
    As requested, I am going to share our observations of the threat 
actor associated with the ransomware attack against Colonial Pipeline 
and discuss the cybersecurity threats to organizations in the United 
States.
                               background
    In my role at Mandiant, I oversee a team of security professionals 
that help organizations respond to complex security breaches 
orchestrated by foreign governments and organized criminals. My team 
and I have had the opportunity to help organizations across the globe 
deal with some of the most significant and catastrophic cybersecurity 
incidents in history.
    Mandiant employees are on the front lines of the cyber battle, 
actively responding to computer intrusions at some of the largest 
organizations on a global scale. We employ over 1,000 cybersecurity 
experts in over 25 countries, with skills in digital forensics, malware 
analysis, intelligence collections, threat actor attribution, and 
security strategy and transformation. Over the last 17 years, we have 
responded to tens of thousands of security incidents. It is 
unfortunate, but we receive calls almost every single day from 
organizations that have suffered a cybersecurity breach. For every 
security incident we respond to, our mission is to help our clients 
investigate the attack, contain the incident, eradicate the attackers, 
guide our clients through the recovery of their environments, and help 
them become more resilient to future attacks.
               the cyber intrusion into colonial pipeline
    On the early morning of May 7, 2021, Mandiant was engaged by Hunton 
Andrews Kurth LLP, on behalf of Colonial Pipeline, to help respond to 
the ransomware event that was discovered earlier that day. Prior to 
that date, Mandiant had not provided cybersecurity consulting services 
to Colonial Pipeline. Shortly after being called on the morning of May 
7, we mobilized a team of experienced incident responders and 
information technology and operational technology security experts to 
help Colonial Pipeline investigate and contain the incident, eradicate 
the threat actor, and further enhance the security posture of the 
network to facilitate the safe restart of the pipeline. Additionally, 
Mandiant is advising Colonial Pipeline on ways to become more resilient 
to cyber attacks in the future.
    The earliest evidence of compromise that we have identified to date 
occurred on April 29, 2021. On that date, the threat actor had logged 
into a virtual private network (VPN) appliance using a legacy VPN 
profile and an employee's username and password. The legacy VPN profile 
did not require a one-time passcode to be provided. The legacy VPN 
profile has since been disabled as part of Colonial Pipeline's 
remediation process.
  the evolution of disruptive intrusions: ransomware to multifaceted 
                               extortion
    Cyber intrusions have become increasingly disruptive over the past 
decade. Every year, Mandiant publishes an annual report, M-Trends, 
which covers the cybersecurity trends we observed from our breach 
investigations.\1\ In 2015, Mandiant observed a notable surge in 
disruptive intrusions in which threat actors deliberately destroyed 
critical business systems, leaked confidential data, taunted 
executives, and extorted organizations. We anticipated that intrusions 
would become more disruptive over time given the high impact and low 
cost to threat actors.
---------------------------------------------------------------------------
    \1\ M-Trends, https://www.fireeye.com/current-threats/annual-
threat-report/mtrends.html.
---------------------------------------------------------------------------
    Over the next few years, financially motivated threat actors began 
shifting away from stealing payment card information to deploying 
malicious software that encrypts data on systems, commonly referred to 
as ransomware. Threat actors asked for ransom payments in exchange for 
the software that would enable victim organizations to recover their 
encrypted data.
    In late 2019, a hacking group by the name of Maze changed the way 
threat actors would conduct their intrusions. Prior to deploying 
ransomware across victim environments, they would look for and steal 
sensitive corporate information. They launched a website where they 
would publicly shame the victim organizations that they compromised and 
publish the data that they stole. They would demand money in exchange 
for tools to recover the data that they encrypted, a promise to not 
publish the data they stole, and details of how they compromised the 
organization. Extortion demands were often in the 6- and 7-figure 
ranges, but sometimes went up to 8 figures.
    Last October, the cyber threat in the United States reached an 
unprecedented level. Hospitals across the United States were disrupted 
by a group of eastern European threat actors. Hospital technology 
systems were taken off-line and medical professional and administrative 
staff had to rely on paper and pen to record data. Many hospitals had 
to divert patients and ambulances to emergency departments at other 
hospitals. The impact of cyber intrusions to human lives has never been 
more dire.
    The majority of today's intrusions by financially motivated threat 
actors involve multifaceted extortion. Threat actors will apply immense 
pressure to coerce victims to pay substantial extortion demands--often 
in the 7- to 8-figure range. Some threat actors will convince news and 
media organizations to write embarrassing stories about victims. They 
may call and harass employees. They may notify business partners that 
their data was stolen due to a breach of their partner, creating 
friction in business relationships. They may also conduct denial-of-
service attacks to create further chaos and disruption.
    Ransomware and multifaceted extortion events have reached an 
intolerable level and we must come together as a community to help 
organizations defend their networks.
                       the darkside threat group
    DarkSide is a ransomware service that enables a network of 
different groups to conduct cyber intrusions under the name 
``DarkSide.'' Like many other financially motivated threat actors, the 
criminals affiliated with the DarkSide service conduct multifaceted 
extortion schemes to coerce victims into paying large extortion 
demands. They exfiltrate victim data, deploy DarkSide ransomware 
encryptors, and threaten to publish stolen data to their victim-shaming 
website. Since initially surfacing in August 2020, they have launched a 
global crime spree affecting organizations in more than 15 countries 
and multiple industry verticals.
    DarkSide operates as a ransomware-as-a-service (RaaS) wherein 
profit is shared between its owners and partners, or affiliates, who 
provide access to organizations, steal sensitive victim data, and 
deploy the ransomware encryptors. Mandiant currently tracks multiple 
threat groups that have conducted these intrusions, some of whom have 
also worked on behalf of ransomware services besides DarkSide. These 
groups demonstrate varying levels of technical sophistication 
throughout intrusions.
    Mandiant has identified multiple DarkSide victims through our 
incident response engagements and from reports on the DarkSide victim-
shaming website. Most of the victim organizations were based in the 
United States and span across multiple sectors, including financial 
services, legal, manufacturing, professional services, retail, and 
technology.
    Following the security incident at Colonial Pipeline and the FBI's 
public attribution to DarkSide, Mandiant has observed multiple actors 
cite a May 13, 2021 announcement that appeared to be shared with 
DarkSide RaaS affiliates by the operators of the service. This 
announcement stated that they lost access to their infrastructure, 
including their blog, payment, and content distribution network (CDN) 
servers, and would be closing their service. The post cited law 
enforcement pressure and pressure from the United States for this 
decision. Multiple users on underground forums have since come forward 
claiming to be unpaid DarkSide affiliates, and in some cases privately 
provided evidence to forum administrators who confirmed that their 
claims were legitimate. We have not seen evidence suggesting that the 
operators of the DarkSide service have resumed operations.
   operational technology (ot) and industrial control systems (ics) 
                                security
    Operational Technology (OT) and Industrial Control Systems (ICS) 
are responsible for managing and monitoring the industrial equipment, 
machines, and processes. They facilitate the generation and 
distribution of power, operations of manufacturing plants, and 
transportation of people and products. To mitigate the risks associated 
with OT environments, organizations segment their OT environments from 
IT environments (i.e., the environment that supports email, web 
browsing, and other business processes).
    There have been relatively fewer publicly disclosed intrusions of 
OT environments as compared to IT environments, but the impact can be 
exponentially more significant. Some of the most notable incidents 
include the disruption of power distribution in Ukraine in 2015 and 
2016, the development of malware that could manipulate safety control 
systems that was used against an organization in the Middle East in 
2017, and an attack on a Florida water treatment plant in 2021.
                               conclusion
    On behalf of Mandiant, I thank you for this opportunity to testify 
before the committee. We stand ready to work with you and other 
interested parties to devise effective solutions to deter malicious 
behavior in cyber space and to build better resiliency into our 
networks.

    Chairman Thompson. Yes, I thank the witnesses for their 
testimony. I will remind each Member that he or she will have 5 
minutes to question the witnesses. I now recognize myself for 
questions.
    Mr. Blount, I want to clarify the time line of certain 
events following the ransomware attack. Would you please walk 
the committee through the 24 hours or so after Colonial learned 
of the attack? In that, would you include the approximate time 
you reached out to Mandiant, when you reached out to and met 
with various offices, with the FBI, when you reached out to and 
met with CISA, when you reached out to the Department of 
Energy, when you reached out to TSA, and exactly when did you 
pay the ransom?
    Mr. Blount. Mr. Chairman, I will be glad to answer your 
questions. I may have to ask you to repeat a few of them along 
the way but let me start with what I gathered here.
    The attack, the ransom note, showed up on a system in our 
control room at approximately around 5 a.m. on May 7. The 
controller that saw the ransomware note immediately took it to 
a supervisor and they consulted quickly with our IT group. The 
decision was made right before 6 a.m., as a result of that 
threat and in order to contain that threat, to shut down the 
pipeline system and all the IT associated with that.
    Shortly thereafter, within an hour or so, and I will be 
glad to get the exact time for you because I don't have it, we 
contacted Mandiant to come in and determine exactly what we had 
and to start the investigative process and, obviously, to start 
the restoration process. So, that is the conversation there.
    Shortly thereafter, and still early in the morning, we 
contacted the local office, the Atlanta office, of the FBI. We 
have a relationship there. Told them what we had seen on our 
computer systems and our concern regarding that. The agent in 
charge there agreed that we needed more conversation, and they 
volunteered that they would call CISA and bring them into the 
conversation, which the FBI scheduled for slightly after 12 
noon of that day.
    While all that was going on, we had various employees 
responsible for making contact to any number of other 
Governmental entities. So, again, I can give you a more 
detailed time line, but I will tell you over the course of that 
day, in the early morning hours following, we contacted the 
White House, we contacted the National Security Council, we 
contacted DOE, we contacted PHMSA, we contacted FERC, we 
contacted DHS, and we contacted EIA. In addition to that, to 
help to start sharing what we knew with our industry 
counterparts, we also contacted the API and the AOPL, as well, 
of which we are members, in order to make sure they were aware 
of what was going on and if they had any opportunity to keep a 
closer eye on their systems, in case there was a similar threat 
attack to them as a result of that.
    Chairman Thompson. Thank you. We will send a specific 
request on the time line following, but I appreciate what you 
have done. What time and what day did you pay the ransom?
    Mr. Blount. Mr. Chairman, we had a discussion about the 
ransom in the late, late afternoon of May 7, consulting with 
legal--outside legal representatives who have been involved in 
cyber attacks in the past, and we made the decision that 
afternoon to proceed forward with negotiations with the 
criminal on the possibility of paying the ransom. The actual 
payment of the ransom was not made until sometime on Saturday, 
and, again, it--if you need that exact time, I can get that for 
you, sir, but I don't have that here.
    Chairman Thompson. But it would be helpful. The other 
thing, did you talk to the FBI or any other Government official 
about paying the ransom?
    Mr. Blount. We are having additional discussions with the 
FBI or any other Governmental agency regarding the ransom.
    Chairman Thompson. I did not get the first part of your 
question--your answer.
    Mr. Blount. My apologies, Mr. Chairman. We did not have any 
discussion with the FBI or any other Governmental entity about 
the actual negotiation or the payment of the ransom at that 
time.
    Chairman Thompson. Thank you very much. Now, I understand 
you have received about $2.3 million. In my opening statements, 
I talked about are you committed to investing some, if not all, 
of that money toward hardening your systems, so that something 
like this might not happen again?
    Mr. Blount. Mr. Chairman, I am glad you asked me that 
question, and, you know, I will go back to what I heard from 
Ranking Member Katko, as well. We are always in the process of 
hardening our systems and making investments in IT and 
cybersecurity at Colonial. So, to your request today of putting 
an additional $2.2 million into hardening our systems further 
is not a difficult one to address and agree to. In my opening 
statement, I already explained that we, not only in addition to 
Mandiant, have also brought in Dragos to take a very close look 
at our OT system and further strengthen whatever needs to be 
done there. They are a world-known expert in that, as well as 
to bring in Black Hills to also look at the entire process. We 
are making a substantial investment, and part of the reason for 
that is we have been compromised, we have had criminals within 
our system now, and we need to change a lot of things that we 
already had because they would be familiar with them from 
having been in the system over the course of those days.
    Chairman Thompson. Thank you very much. Mr. Carmakal, just 
2 quick questions. Would an open VPN system with a normal 
security or IT security system have been picked up?
    Mr. Carmakal. Yes, so, let me just provide a little bit of 
context into what is now believed to be the earliest evidence 
of compromise. As we conduct investigations, we try to figure 
out what is the earliest evidence of what the attacker has done 
within the environment. Based on our investigation, the 
earliest evidence was a login to the Colonial Pipeline VPN. We 
do know that an employee's credentials were used. So, a 
username and a password was used to do that. We did not figure 
out exactly how the attacker was able to get access to the 
username, but it is a possibility that the attacker was able to 
leverage credentials that the employee may have used on another 
website that was compromised prior to this date. So, it is 
certainly possible that that is how the attacker got in. 
Whether or not the vulnerability or the misconfiguration--and 
let me, you know, clarify it as a misconfiguration--whether it 
would have been picked up by a vulnerability assessment is hard 
to tell. But I just want to clarify that what actually occurred 
was there was a legacy VPN profile that was in place that 
wasn't believed to be active, and that enabled an attacker to 
leverage both the user and the password to login.
    Chairman Thompson. So, how would one correct that problem?
    Mr. Carmakal. Yes, so, the problem has been corrected at 
this point in time. The legacy VPN profile has been completely 
removed. So, a user, whether an attacker or an employee, would 
not be able to attempt to login to the system without requiring 
multifactor authentication. So, in addition to a password, you 
would need a one-time code in order to be able to login to the 
Colonial Pipeline VPN at this point in time.
    Chairman Thompson. All right. Do, you just said it was a 
common password that allowed the breach to occur?
    Mr. Carmakal. Yes. So, I want to clarify, the password that 
the account was set to was not a common password, it was not a 
easily guessable password. In fact, it was a relatively complex 
password in terms of length, special characters, and case set. 
It wasn't something that somebody would be able to easily guess 
or predict. However, it was a password that had been used on a 
different website at some point in time.
    I just wanted the group and the audience to understand that 
it is actually really common for everyday people to use similar 
passwords or the same exact passwords across different 
websites, across social media accounts, or email accounts or 
financial accounts, and this is a very common problem. So, 
unfortunately, what happened here is a password for an account 
that wasn't believed to be in use anymore had the same password 
as what was used for that employee on a different website that 
had, unfortunately, been compromised.
    Chairman Thompson. I mean, I understand, but, you know, we 
are not talking about ordinary people. We are talking about a 
pipeline that controls 55 percent of the energy resources in 
the Northeast. So, you would expect a more robust system than 
just an ordinary system.
    Mr. Carmakal. Understood.
    Chairman Thompson. Thank you. The Chair recognizes the 
Ranking Member for 5 minutes.
    Mr. Katko. Thank you, Mr. Chairman, and thank you to Mr. 
Blount and Mr. Carmakal for being here today. This is a very, 
very important hearing, and not just for what happened at 
Colonial Pipeline, but what we can do going forward to protect 
our critical infrastructure and our computer systems Nation-
wide. This is an issue that is getting more ubiquitous, 
unfortunately, and we are going to have to deal with it.
    So, Mr. Blount, I appreciate your candor, and I appreciate 
your professionalism in testifying. I am not interested in 
playing doctor, but I do want to clear up something from 
yesterday. You were asked a question, by I believe it was 
Senator Hawley, about the money you spent to secure your 
systems. I think you said over the past decade it was over $200 
million, and I think that includes for your entire IT system 
all together, correct? That is not just for the hardening of 
that system?
    Mr. Blount. Ranking Member Katko, that is a correct 
statement. Yes, sir.
    Mr. Katko. OK. OK. Thank you for that clarification. I 
appreciate it. You talked about hardening the system now, 
right, and, again, and we are not trying to play got you, I 
know you have--you referenced a little bit about the hardening 
of the system before. What are you doing now that you weren't 
doing before to harden your system?
    Mr. Blount. I thought that was a good point you made 
before, because I think a lot of people are hearing about 
hardening of the system right now and they think that that 
means that operators haven't been doing that all along. As we 
all know, these threat actors evolve very quickly. They have 
very sophisticated tools. So, all responsible operators are 
continuing to assess their investment and where they need to go 
next. So, from a Colonial perspective, as I stated previously, 
we have had a bad actor, we have had a criminal inside our 
system. So, we are making a lot of changes in our system with 
the help of Mandiant as they go about restoring our systems, as 
well as mitigating the damage done. Again, with Dragos and 
Black Hills involved, we will be doing a lot of things 
differently that we certainly could share with you probably 
more one-on-one because we don't want to give a road map to the 
outside criminal characters that they could come in and have a 
successful attack again. But we have got a lot of things in 
progress right now, and we will continue to make those 
investments.
    We take cybersecurity as well as physical security 
extremely serious at Colonial, so that is where we are headed. 
We are heading toward a lot more hardening and a lot different 
architecture than we had before, mainly because we have been 
compromised and we need to change the architecture, so that it 
is not as easily known by previous perpetrators.
    Mr. Katko. You know, and I understand that. I appreciate 
your candidness there. My concern in you--you are learning from 
the attack, right? The next question is how do we get other 
critical infrastructure into entities that have not been 
subject to attack yet? I hope they never do, but if they happen 
in a subsequent attack, how do we get them to take those 
similar additional steps that you are now taking out of 
necessity? How do we get them to pay attention to this issue?
    You have competing interests all the time from your 
budgets, but there is no question this is going to cost money, 
but there is no question that the critical infrastructures 
across this country have to do it. I am quite confident that 
they are not all doing it. So, what would you say to them or 
how would you--what would--what do you think we should be doing 
to help them, basically, see the light? You are muted, sir, I 
am sorry.
    Mr. Blount. I knew I would get that wrong at some point. I 
apologize. Thank you.
    Ranking Member, I share your concern. You know, as a large 
operator who has been making investments in this area, I think 
that we need to work together and find a way to work together 
to share those best practices and what makes sense, and perhaps 
what made sense yesterday that no longer makes sense today as 
the threat actor continues to evolve. You know, we participate, 
all of us responsible operators participate, in a lot of 
tabletop exercises, and we have standards that we follow, like 
API security standards for SCADA and things like that. But I 
think we need to continue to communicate, communicate, and 
communicate.
    You know, the one fortunate thing about this unfortunate 
event, it certainly highlighted the risk to all the operators 
in the United States and it certainly has heighted the 
Government's focus on the issue. Again, as private operators, 
we can continue to make the investments and do the things that 
we should do to be accountable and responsible, but there is 
certainly things that the Federal Government can do, like 
approach the host of these bad actors in these foreign 
countries and things like that, and put political pressure on 
them, so that we can stop it before it even starts.
    Mr. Katko. Well, the President certainly has an opportunity 
to do that this week when he meets with President Putin, that 
is for sure. Yesterday, in your hearing you mentioned that the 
free services offered by CISA generally weren't considered to 
be value-adds to what you are already doing. Is there something 
more that CISA could be providing that would further enhance 
your engagement with them? Because we want to make CISA more 
proactive in this area.
    Mr. Blount. Ranking Member Portman, you know, as I look at 
lessons learned along the way, I think one of the things I saw 
pretty early on was the involvement of all the Federal 
agencies, which we greatly appreciated. If I look at it from a 
CISA-alone perspective, some of the things that I saw them 
doing was participating in the FBI calls, learning about, you 
know, indications and compromised evidence that they could sort 
through and then figure out how to share with others in the 
industry on a real-time basis.
    You know, the new mandates that they have right now are 
designed to do the same thing. If you are being attacked or 
being--someone is knocking on that door every day, you know, is 
there a random pattern there or is there an actual pattern of 
threat there that they can share with all the industry? I think 
those are the things that, you know, we should see policies 
around and focus on, on the part of CISA, that would be helpful 
to all operators of critical infrastructure in the United 
States today.
    Mr. Katko. Mr. Chairman, I don't know how much time I have 
left. I just want to check with you real quick.
    Chairman Thompson. One more question.
    Mr. Katko. Pardon me?
    Chairman Thompson. One more question.
    Mr. Katko. Oh, OK. Thank you very much. Dr. Carmakal, I 
wanted to give you an opportunity to comment. What can we do to 
make sure that the other critical infrastructure entities 
across the spectrum take the cybersecurity and the hardening 
actions that they need to take that a lot of them just aren't 
taking?
    Mr. Carmakal. Yes.
    Mr. Katko. So, what can we do other than what Mr. Blount 
has stated?
    Mr. Carmakal. Yes. Thank you for the question. I really 
think what we need to do is share as much information as we 
possibly can about the threat actor, the threats, and really 
what--some of the learnings at Colonial Pipeline, as well as 
other organizations, that are dealing with cyber attacks on a 
day-to-day basis are learning from their investigations and 
their response. So, if we can get information out to other 
organizations more quickly, I think it will help enable them to 
better defend their environments.
    Mr. Katko. Thank you, Mr. Chairman. I yield back.
    Chairman Thompson. Thank you very much. The gentleman 
yields back. The Chair recognizes the gentlelady from Texas for 
5 minutes, Ms. Jackson Lee.
    Ms. Jackson Lee. Mr. Chairman, Mr. Ranking Member, thank 
you so very much for this hearing. Let me express the urgency 
that I feel about this particular crisis that we are in the 
midst of. To both gentlemen, we know that the private sector 
over the years has had 85 percent of the Nation's critical 
infrastructure, including cyber. I would make the point at this 
time, 2021, that because of this major crux of calamity that we 
face, that the private sector can no longer go it alone. Mr. 
Blount, do you agree with that, that the private sector can no 
longer go it alone with respect to its infrastructure that it 
possesses versus the Federal Government?
    Mr. Blount. Thank you, Representative Lee, for your 
question. I think there is no question that these threat actors 
are extremely capable. They are housed in countries other than 
the United States. We are responsible, as operators, for our 
own internal security and our cybersecurity, but we need the 
Government's help to put pressure on the host countries, so 
that we can stop these attacks before they start.
    Ms. Jackson Lee. Thank you. Can you explain, again, why, 
when you were requested to provide information as to whether or 
not you paid ransom, that you hesitated and took, really, a 
considerable length of time to the extent that it was reported 
that the White House was not getting a direct answer regarding 
whether you paid ransom?
    Mr. Blount. Representative Lee, as far as the White House 
goes, they never asked whether we--they never talked about the 
ransom at all, period. Never had a question about it from 
anybody that I talked to. Never had a question about it from 
any of my employees that talked to Federal agencies. So, that 
is the reason why the White House,they weren't--they never 
asked about it.
    Ms. Jackson Lee. Who was the first Governmental entity that 
you reported to that indicated that you paid ransom?
    Mr. Blount. The first entity that we reported to that we 
paid ransom would have been the FBI.
    Ms. Jackson Lee. What was the gap between the time that you 
paid it and the time that you spoke to the FBI? The time.
    Mr. Blount. Representative Lee, I would say that was 
approximately 48 hours. I could give you the more definitive 
number, but that would be my guesstimate.
    Ms. Jackson Lee. Thank you so very much. So, it was 2 
days--there was a 2-day gap between the time you paid it and 
the time you spoke to the FBI.
    Mr. Blount. Representative Lee, I would share with you 
that, obviously, we communicated with the FBI throughout the 
course of the week, shared a lot of evidence with them, and we 
made ourselves as open----
    Ms. Jackson Lee. Thanks.
    Mr. Blount. [continuing]. As we possibly could.
    Ms. Jackson Lee. Thank you very much. Let me, again, 
compliment the FBI for being able to secure dollars. This may 
be your question, I think, Mr. Carmakal. Why wasn't a 
multifactor authentication used on that VPN? I am going to give 
you a series of questions, if you want to take quick notes, 
because my time is running out. Who had a legitimate access to 
that password? Where else was the password used? Was the 
password listed in any of the company's on-line documentation?
    So, it is authentication, legitimate access to that 
password. So, do you want to start with the authentication?
    Mr. Carmakal. Sure.
    Ms. Jackson Lee. If you can be concise and as quickly as 
possible.
    Mr. Carmakal. Yes, thanks, ma'am. In terms of multifactor 
authentication, it was not required for the specific VPN 
profile that was used for this specific account. It is because 
the account and the VPN profile wasn't believed to actually be 
enabled.
    Ms. Jackson Lee. OK. Can I move to----
    Mr. Carmakal. So, it was known at the time. Yes?
    Ms. Jackson Lee. Can I move to the next question?
    Mr. Carmakal. Yes, ma'am.
    Ms. Jackson Lee. Who had a legitimate access to the 
password, sir?
    Mr. Carmakal. One person, as far as we know.
    Ms. Jackson Lee. Is that person vetted, from your 
perspective?
    Mr. Carmakal. Yes, it was an employee's account.
    Ms. Jackson Lee. Where else was the password used?
    Mr. Carmakal. We do not know the exact source of the 
website that it was used, but presumably it was used on at 
least one other website because there are passwords that are 
readily available on the internet, and we did find that it was 
one of the passwords that was stolen from another website. But 
we don't know exactly where it came from.
    Ms. Jackson Lee. Was the password listed in any of the 
company's on-line documentation?
    Mr. Carmakal. Not that I am aware of.
    Ms. Jackson Lee. You started out by saying you can't go it 
alone. We are ready to help you. I introduced H.R. 2980, which 
deals with Cybersecurity Vulnerability Mediation Act. The 
committee was kind enough to pass it out of the committee. 
Hopefully, it will go to the floor.
    But the crux of this is that part of it is a reporting 
feature that really requires companies to the DHS to secure a 
report that indicates what kind of mitigation companies are 
engaged in. Do you think that if a company crosses into the 
public domain, and when I say that Colonial Pipeline impacts, 
as you well know, massive energy streams that literally shut 
down the East Coast, that the Government should come in more 
quickly than it obviously did because it has moved into the 
public domain? Do you believe that that would be an appropriate 
approach in terms of assessing how the Government comes in to 
help those who have been attacked?
    Mr. Carmakal. I think private corporations would welcome 
any support they could get from the Government dealing with 
cybersecurity incidents.
    Ms. Jackson Lee. OK. Thank you, Mr. Chairman.
    Chairman Thompson. The gentlelady's time has expired. Yes, 
ma'am.
    Ms. Jackson Lee. Thank you very much.
    Chairman Thompson. The Chair recognizes the gentleman from 
Texas, Mr. McCaul, for 5 minutes.
    Mr. McCaul. Thank you, Mr. Chairman. Mr. Blount, this was 
the fourth recent attack by either Russia as a nation-state or 
organized----
    Mr. Blount. The what?
    Mr. McCaul [continuing]. Russian Mafia. You know, this is 
the kind of thing that keeps us up at night, a pipeline 
shutting down in the Nation from New York to Houston. The 
problem, as I see, the Chairman and I stood up to CISA, which 
is on the defensive side, but the problem, as I see it, is we 
continue to see hundreds of these attacks, billions of dollars 
in ransomware, and yet there is no consequence to bad behavior. 
They get away with this every day.
    I introduced and marked up on the Foreign Affairs Committee 
the Cyber Diplomacy Act, which sets up an ambassador-at-large 
at the State Department to set up international norms and 
standards. So, Mr. Blount, my question to you is, as the 
President now is going to sit down with Mr. Putin, and 
certainly I hope the President is going to raise these attacks, 
the recent attacks by Russia, either as a nation-state or by 
organized crime. I believe that we need it to start thinking 
about going on the offensive and hitting them back, and there 
should be consequences.
    In a recent statement, you have stated, ultimately, the 
Government needs to focus on the actors themselves. As a 
private company, we don't have a political capability of 
shutting down the host countries that have had these bad actors 
in them. Do you agree with my bill? But, more importantly, that 
we need to start--stop just taking it. We need to respond and 
we need to start hitting them back. Do you agree with that 
assessment?
    Mr. Blount. Representative, I appreciate your leadership in 
this particular issue. That does, very much, address what you 
read in the press statement that I made. We have a 
responsibility, obviously, as operators to continue to 
strengthen our systems and protect our asset base, but we have 
to stop the threat actor themselves. We have to stop the 
criminals, and that is something private industry can't do 
without a partnership with the public sector.
    So, I think your proposal is dead on and we certainly 
support it, and I think every other operator in the United 
States would love to see us stand up and push back and not 
allow this to continue. It is unfortunate you had to take a hit 
on a, you know, critical infrastructure asset to get the focus 
that it is getting now. But I think it is very important and, 
again, I appreciate your leadership on it.
    Mr. McCaul. Thank you, Mr. Blount. Mr. Carmakal, you know, 
FireEye has been a leader in this issue and, you know, we, 
Congressman Langevin and I, introduced a mandatory breach 
notification law. You know, CISA is only as good as the 
information it gets and the private sector has the majority of 
the threat information. I think Colonial Pipeline did a good 
job notifying CISA, but other companies don't. Would you agree 
with the assessment or the tone of this bill that we need to 
start looking at, instead of 50 different States, a Federal 
law, instead of patchwork in 50 States, that would require a 
mandatory breach notification if the identifiers can be taken 
out, that it can be sanitized and scrubbed, like we do with the 
Classified information, so that the producer is not compromised 
in any way. But the threat information is mandatorily shared 
with CISA, so it can better protect the Nation from these 
attacks.
    Mr. Carmakal. Yes, Congressman, I certainly agree that 
right now the data breach disclosure laws are highly complex. 
Every State has their own nuanced requirements, and it would 
certainly be a welcome change to have one standard data breach 
disclosure requirement. It will be much more simple for the 
organizations that are trying to figure out the complexity 
around notification requirements.
    In terms of getting information out to help other 
organizations defend themselves, absolutely. We agree with the 
spirit and the intent of that. We welcome the opportunity for 
CISA to take that information and disseminate it as best as 
they can, but they certainly need victim organizations to come 
forward and provide that, the threat information, to them, so 
they have something to share. I think one of the challenges 
that organizations deal with today is the fear or the 
repercussions and the scrutiny around data breaches. So, if 
there is a way to get information out to the Government, to 
CISA, and to the broader community in a way where it doesn't 
feel like the victim organizations are going to face a penalty, 
I think that would be a welcome change.
    Mr. McCaul. The last question to you, sir, would be, you 
know, we don't allow private companies to hack back, right? 
That is still illegal and it would create a Wild West scenario. 
But what is your opinion of the Federal Government protecting 
itself and responding in kind to nation-state actors when they 
perpetrate these acts of cyber warfare, for lack of a better 
term, because they are destructive and it shut down, you know, 
the energy supply for days on the East Coast? What would be the 
best way to show them that there are consequences to their bad 
actions?
    Mr. Carmakal. Yes, so, I certainly agree that private 
organizations shouldn't hack back, but from a Government 
perspective, and perhaps, you know, certain select private 
organizations that maybe have the capability and the 
operational security to be able to conduct these offensive 
operations, I certainly think there is a way and an opportunity 
to disrupt the aggressive threat actors that continue to cause 
havoc in the United States. So, I do believe that there is an 
opportunity for us to get more aggressive, but we certainly 
need to define what are the rules of engagement.
    Mr. McCaul. OK, thank you, Mr. Chairman. I think the time 
to act is now and that the international norms and standards 
need to be set with our allies and across the globe. With that, 
I yield back.
    Chairman Thompson. Thank you. The gentleman's time has 
expired. The Chair recognizes the gentleman from Rhode Island 
for 5 minutes, Mr. Langevin.
    Mr. Langevin. Thank you, Mr. Chairman. Good afternoon. I 
want to thank Mr. Blount and Mr. Carmakal for your testimony 
here today and helping us to understand this. I have a list of 
questions I want to get through, and if you can be as brief and 
direct as possible, it would be appreciated.
    So, if I could start with Mr. Blount. So, I understand that 
Colonial has cyber insurance. So, do you expect your insurers 
to cover--will cover the $4.4 million ransom payment?
    Mr. Blount. Congressman, thank you for that question. We do 
have cyber insurance. We have had cyber insurance for quite 
some time. We have submitted a claim for that ransom payment, 
and I haven't had that confirmed to me yet, but I suspect that 
it will be covered.
    Mr. Langevin. OK, thank you. Did you have discussions about 
whether your insurers would cover the ransom payment before you 
made the decision to pay?
    Mr. Blount. I think there were consultations going on 
through my CFO at the time, but that wasn't my focus. Again, my 
focus was to get access to that de-encryptor, to have all the 
options that I could get available to me in an effort to try to 
restart that pipeline as quickly and safely as possible. So, 
from my perspective, the insurance wasn't even in the forefront 
of my mind.
    Mr. Langevin. OK, thank you. Mr. Blount, yesterday you 
testified that you recommended to other companies that they be, 
``extremely transparent in their contact with the authorities 
who indeed do have resources that potentially could help move 
through a very difficult process.'' So, in talking with CISA, 
my understanding is that regional representatives offered 
Colonial assistance, including assistance ensuring that the 
incident was contained and validate the integrity of your OT 
network. Allowing CISA to help on your network could also allow 
them to provide better information to other critical 
infrastructure entities. You know, I am not interested in 
litigating the past month of what services were offered when, 
but will you commit today to take CISA up on their offer of 
direct assistance on your network?
    Mr. Blount. Thank you, Representative, for that question. 
Just for clarity, we reached out almost immediately to Mandiant 
that morning to basically do the same thing, which was to come 
in, investigate, and help restore our systems. By the time that 
the conversation with CISA took place, with the FBI, they were 
well engaged and in the process of doing that. I think CISA 
offers great services for companies that perhaps don't have the 
resources we have, to bring in the best in class with regard to 
people like Mandiant, Dragos, and Black Hills. So, I think that 
is a good service. But in this particular case, we were already 
engaged.
    Mr. Langevin. All right, yes, let me stop you there, if I 
could. You know, you have testified that you will--if there was 
a 1 percent chance that OT could be affected, it is worth 
shutting it down. So, you know, in that light, you know, isn't 
it--if there is a 1 percent chance that Mandiant had missed 
something, isn't it worth bringing CISA in? Aren't 2 sets of 
eyes better than one?
    Mr. Blount. Representative, with all due respect, I have 3 
sets of eyes in already with the parties that I have explained 
we have engaged with.
    Mr. Langevin. OK.
    Mr. Blount. So, from my perspective, I don't think having a 
fourth, a fifth, and a sixth gets productive.
    I think that CISA has been very, very helpful in the 
process of sharing information that they have learned through 
us----
    Mr. Langevin. Yes.
    Mr. Blount. [continuing]. Indications and compromise and 
things like that to other operators.
    Mr. Langevin. So, you are not going to take them up on 
their offer of direct assistance on your networks at this time?
    Mr. Blount. Again, Representative, we have 3 world-class 
experts in there right now.
    Mr. Langevin. Yes, OK. Mr. Blount, what outside firms did 
Colonial contact before Mandiant?
    Mr. Blount. Representative, as I said earlier, we contacted 
the FBI and Mandiant.
    Mr. Langevin. Yes.
    Mr. Blount. It was almost simultaneously.
    Mr. Langevin. Did you contact outside legal counsel, 
though, before you had hired Mandiant, and the legal counsel 
hired Mandiant?
    Mr. Blount. We have retained outside legal counsel, and, 
yes, probably did talk to them before Mandiant. I would have to 
give you the time line on that. I am not as familiar with it.
    Mr. Langevin. OK, thank you. Mr. Carmakal had testified 
that Mandiant was retained by an outside legal firm. Are you 
contending that--so, you contacted Mandiant before Hunton 
Andrews Kurth LLP, or was it the other way around? I am just 
curious as to why you did----
    Mr. Blount. Representative, I am sorry, Representative, is 
that question for me? I thought you were addressing Mr. 
Carmakal.
    Mr. Langevin. Yes, no, that was for you. I am sorry. Mr. 
Carmakal had testified that Mandiant was retained by outside 
legal counsel.
    Mr. Blount. That is a correct statement, yes, sir.
    Mr. Langevin. OK, and why did you retain Mandiant's 
services through outside counsel?
    Mr. Blount. Representative, I don't know the answer to 
that. I would have to ask my general counsel why we went down 
that avenue.
    Mr. Langevin. OK. I see my time is expired, but I had a 
bunch of other questions. Hopefully, we can submit those for 
the record. Thank you for your time here today, Mr. Blount. 
Thank you, Mr. Chairman, I yield back.
    Chairman Thompson. Mr. Garbarino for 5 minutes.
    Mr. Garbarino. Thank you very much, Mr. Chairman. Just some 
questions for Mr. Blount. As you may know, the Information 
Sharing and Analysis Centers, or ISACs, can provide member 
owners and operators useful services and insight into the 
current threats facing their sectors. This can include 
information sharing, actionable intelligence, Federal and 
private-sector information, and more. Yesterday, you, in front 
of the Senate, you said you weren't sure if Colonial was a 
member of an ISAC. Have you tracked down that answer yet? Is 
Colonial a member of the Oil and Natural Gas ISAC?
    Mr. Blount. Thank you for asking for that clarification 
because I actually did do that, and, indeed, we are. It is the 
acronym that threw me off. I have heard it through the long 
name, not through the acronym. So, I wanted to be careful 
yesterday that I stated it correctly.
    Mr. Gabarino. OK, so, you are a member. So, can you provide 
in detail your engagement with them? How do you leverage their 
services? What do you provide back to the group?
    Mr. Blount. We are a learning organization and it is in our 
DNA to share. We participate in a lot of industry collaborative 
processes like that. I would have to call upon my CIO to really 
explain in detail exactly what they share with regard to our 
systems and how we approach cyber risk and all those things. 
But, again, we belong to a lot of organizations like that, that 
have--also have a lot of acronyms, and they may differ from 
cyber all the way to pipeline integrity and things like that.
    Mr. Gabarino. OK, so, your CIO is the one who deals 
directly with the Oil and Natural Gas ISAC?
    Mr. Blount. That is correct, Representative, or someone on 
her staff.
    Mr. Gabarino. OK. How often do you--would you say you meet 
with your CIO?
    Mr. Blount. Thank you for that question. I meet with my 
staff every day. We have a staff meeting every day. So, I meet 
with each one of my executives every morning and typically, 
throughout the day, I will have one-on-ones with them. 
Certainly at least twice a month I meet with each one, on one-
on-one, to talk about things in general, so, constant contact. 
It is a small team. It is a very close-knit team.
    Mr. Gabarino. So, you, in the past year, you have met with 
your CIO every day. For how long is that meeting? Is it just a 
morning meeting? Is it just updates? What is discussed when 
you--or, and, you know, you meet every day, but are there more 
in-depth discussions about cyber risk and whatnot, and how many 
times do you have those meetings?
    Mr. Blount. Yes, Representative, the meetings that we have 
in the morning revolve around a lot of topics. So, with the 
entire team, they can last anywhere from 1 hour to upwards of 3 
hours. Then, as I said, I, you know, in the COVID environment, 
I have to kind-of do a virtual walkaround. I don't have the 
ability to knock on doors in the office anymore, but it is not 
unusual for me to talk to any of the executives that work for 
me once or twice a day, in addition to the morning meeting. 
Then, if we have things that we want to talk about in-depth, we 
make appointments and we spend whatever time we need to on 
those critical matters.
    Mr. Gabarino. OK. So, following the breach, how many 
meetings have you had with your CIO specifically about the 
breach and what you are going to do to better protect your--the 
pipeline?
    Mr. Blount. Well, thank you for that question. That is a 
really good question. We, again, we meet every day as a 
management team. My CIO has been very engaged in the 
restoration process with Mandiant, and certainly, if you go 
back to the first week of it, fully engaged 24/7, every day, 
until we got the pipeline system back up. So, there might have 
been a few touch-bases during that week, but for the most part, 
we let her run with the Mandiant team to make sure that we 
brought this critical infrastructure up.
    Since that time, both her time and my time has been used in 
forums like this, which are helpful to get the word out about 
what happened to us, so that it might prevent this from 
happening to other people. I still talk to her every day, but 
the length of those discussions varies, depending upon both our 
schedules. But, again, we are both focused on this particular 
issue and, quite frankly, that is all we have been focused on 
for the last month.
    Mr. Gabarino. I appreciate that. Now, you just answered the 
previous Member's question about, you know, you--when he asked 
about allowing CISA in to help with your systems, it sounded 
like that was not something you were interested in. TSA had 
offered its assistance prior to attack, I believe once last 
year during COVID, then again back in March, and you turned 
them down last year. I don't believe there was an answer yet as 
to allowing them in in March. Do you intend on allowing them to 
come in and do a diagnostic check or at least run a program on 
your system, like they had offered twice before the attack?
    Mr. Blount. Representative, let me address that question. 
The word ``turn down'' I have heard as well. I have also heard 
the word ``refusal''. Neither one of those is the case. We have 
worked with TSA for a long time. They have done a lot of 
physical security audits with us, worked collaboratively with 
them. In fact, they actually filled in for PHMSA last year on a 
virtual audit that took place on one of our facilities.
    With regard to the VADR program, we never denied wanting to 
do it. It is a voluntary program, as you know. It was a 
function of scheduling. We were getting ready and still getting 
ready to move into a new facility as our lease expired, and so, 
I think the conversation, again, between my CIO and the 
director of security over there was a function of when it would 
be best to do it. I do know that that has been scheduled at the 
end of July.
    Mr. Gabarino. Thank you very much. My time has expired. I 
yield back. Thank you, Mr. Blount.
    Chairman Thompson. Thank you very much. The Chair 
recognizes the gentleman from New Jersey, Mr. Payne, for 5 
minutes.
    Mr. Payne. Thank you, Mr. Chairman, and thank you for, once 
again, having this timely hearing. See, Mr. Blount, since March 
2020, your company has been contacted at least 9 times by TSA 
to schedule, you know, the CFSR. On at least 3 occasions, 
including April 16, 2020, this was for a ransomware attack. 
Colonial did not bother to respond to TSA's request for a 
security assessment. To this date, even after the attack, I 
guess we are going over the same--hashing over the same thing. 
Could you just clarify for me why you opt not to participate in 
TSA's CFSR security assessment?
    Mr. Blount. Representative, I would be glad to answer your 
question on that. Again, we think the VADR program is a good 
program. We have a good working relationship with TSA. It has 
been a function of timing, and, again, we have never refused or 
denied the part of wanting to participate in that program as a 
volunteer, and that is why it is scheduled here at the end of 
July.
    Mr. Payne. OK. I understand the typical TSA pipeline 
security assessment involves 3 to 4 TSA employees. Given your 
company's COVID-19 concerns, were any small groups of 
individuals not employed by Colonial Pipeline allowed into your 
facility since the beginning of the pandemic? If so, for what 
purpose?
    Mr. Blount. Representative, you can appreciate that we have 
essential employees in our operation, just like all pipeline 
companies do, just like all utilities do. So, in our Alpharetta 
office, our headquarters in Georgia, we have a rotating shift 
of controllers in a control room, and our concern and all 
operators' concerns that the outbreak of COVID was how do we 
protect these essential workers? They are not people that can 
be replaced by just anybody. They are kind-of like air traffic 
controllers. They are highly trained. They are certified. So, 
we almost immediately, with the breakout of COVID, went to 
remote work for all our employees and all our vendors in order 
to protect those essential workers that work in that office. 
So, there has been no one in that office that I am aware of 
other than some, potentially, critical repair that needed to be 
done on something, and I am not even sure about that, highly 
protected workspace.
    Mr. Payne. Yes. Well, I appreciate that, sir. You know, we 
are, you know, just concerned with respect to what has happened 
to you, to make sure that, you know, TSA is able to help with 
respect to these issues. You know, we just want to know will 
you commit to participating in TSA's CFSR inspection as soon as 
TSA can conduct one or as soon as you can work it out?
    Mr. Blount. Yes. Representative, we have already committed 
to a date. Again, I think it is the last--one of the last days 
in July.
    Mr. Payne. OK. Thank you. Mr. Chairman, with that, I will 
yield back.
    Mr. Blount. Mr. Chairman, could I take a minute to make a 
statement, please?
    Chairman Thompson. The gentleman is recognized.
    Mr. Blount. Thank you, sir. Mr. Chairman, I would like to 
make a clarification on a statement that I made to 
Representative Jackson Lee. We shared information with the FBI 
about the digital wallet on Sunday and discussed the specific 
ransom payment on Wednesday. The Justice Department, in its 
announcement a few days ago, commended us for the quick 
communication with authorities. Thank you, sir.
    Chairman Thompson. Thank you. The Chair recognizes Mr. Van 
Drew for 5 minutes.
    Mr. Van Drew. Hi, Chairman, and thank you, Chairman 
Thompson, for having this meeting. I want to thank you and, of 
course, Member Katko and Members of the committee. You know 
that we have a serious problem on our hands. Hackers, who are 
primarily located in Russia, have developed sophisticated 
methods of infiltrating the Federal Government, State and local 
governments, and private-sector entities in the United States. 
As we saw just about a month ago, with the ransomware attack on 
Colonial Pipeline, America is very vulnerable, frankly, too 
vulnerable to these attacks. They can have crippling 
ramifications, like gas shortages throughout the entire 
country.
    The attack on Colonial demonstrates the need to shore up 
our cyber defenses through initiatives such as public-private 
partnerships and more communication and more accountability in 
both the public and the private sector. It is of extreme 
importance. I find it deeply concerning that Russian hackers, 
through a compromised password on a virtual proxy network, were 
able to essentially shut down a 5,500-mile pipeline that 
supplied roughly 45 percent of the fuel consumed by the East 
Coast of the United States of America.
    Shortly after the attack on Colonial, meatpacker JBS was 
the victim of ransomware attack that caused major disruptions 
in the United States meat supply, and it also expected that the 
perpetration of this attack are Russian-based, as well. The FBI 
Director Christopher Wray recently said that the current levels 
of ransomware attacks can be compared to the challenges 
proposed by the September 11, 2001 attacks, that they could be 
compared to that, and that there are a lot of parallels.
    Obviously, if the FBI director is comparing anything to the 
level of September 11, Congress and the Federal Government need 
to pay attention. I commend the Biden administration for its 
recent Executive Order on improving the Nation's cybersecurity 
and encouraging the administration to work with the Members of 
the committee on practical, effective solutions on protecting 
America and our critical infrastructure.
    So, I have a few questions. Mr. Joseph Blount, I understand 
the Transportation Secretary--I am sorry, the Transportation 
Security Administration contacted Colonial multiple times to 
conduct a Validated Architecture Design Review, VADR, to 
evaluate your company's cyber posture, but you refused to move 
forward with the evaluation. Can you help me and my colleagues 
on the committee understand why you declined?
    Chairman Thompson. The gentleman is muted. Unmute yourself.
    Mr. Blount. Sorry, Mr. Chairman. Representative, I will be 
glad to address that. I have heard that word ``refusal'' over 
the course of the past month. I don't know where it emanates 
from. We have had an on-going discussion with TSA about that 
VADR program. We think the VADR program is a good program. We 
have a historically good working relationship with TSA. We have 
participated in any number of security audits with them 
throughout the years. They have been in our headquarters in 
Alpharetta, Texas. I have met the administrator on multiple 
occasions. It has been simply a function of timing on when to 
do the assessment. There has never been a refusal, and we have 
that planned at the end of July to have that assessment done. 
It is a good program.
    Mr. Van Drew. Thank you. I am glad it is a good program. 
Didn't it seem to you that it could be done in a more timely 
way rather than, you know, this period of time, and we are 
still waiting until the end of July, and here we are in the 
beginning of June?
    Mr. Blount. Representative, I think the issue has been we 
have been getting ready to move into a new facility. Our lease 
has expired. The discussion between my CIO and the director of 
the security group of the TSA has been more around what is the 
best date for them, as well as the best date for us. Again, I 
don't know where the word ``refusal'' comes from. We have never 
refused anything like that with the TSA.
    Mr. Van Drew. You state that categorically, OK, there is no 
time that you absolutely----
    Mr. Blount. I mean, no question about that, Representative, 
no, sir.
    Mr. Van Drew. OK, thank you. You state that you paid the 
ransom demanded by the DarkSide, but also admitted, too, that 
the decryption tool that they provided you did not entirely 
work. What made you decide to pay the ransom? Did you agree 
that paying ransom is, in one important sense, is rewarding bad 
behavior?
    Mr. Blount. Representative, I would love to address that. 
If I go back to May 7, 6 a.m. in morning, when I found out 
about the attack, I automatically started focusing on how do we 
contain the threat, how do we restart our systems now that we 
are taking them down? Like all good operators, I have to avail 
myself of every available option that I have, and the--paying 
the ransom allowed me access not only to the de-encryption 
tool, but also additional services that DarkSide offers those 
to systems they have corrupted. When you are moving 100 million 
gallons of fuel to the American public every day, 50 million 
Americans, and you think you can potentially get there quicker, 
bring that system on quicker, by having that tool, then you 
avail yourself with that tool. A tough decision to make. I did 
not like handing that money over to criminals, but it was a 
decision that I made in order to support the country.
    Mr. Van Drew. OK, and I----
    Chairman Thompson. The gentleman from New Jersey's time has 
expired.
    Mr. Van Drew. All right, I yield.
    Chairman Thompson. The Chair recognizes the gentlelady from 
Michigan, Ms. Slotkin, for 5 minutes.
    Ms. Slotkin. Thank you, Mr. Chairman, and welcome to our 
guests. I appreciate your professionalism in showing up and 
answering what I cannot imagine to be fun questions about what 
I am sure will be a dark day in your professional experience. I 
can't imagine that this is easy.
    After the attack, I wrote a letter to a bunch of the 
pipeline companies that go through the State of Michigan, just 
to ask, you know, what were they doing, what were they 
learning? I am more interested, at this point, in trying to 
understand how we learn from your experience because I can't 
imagine any company in the world wants to go through what you 
are going through.
    If the attack wasn't bad enough, then the hearing, I am 
sure, will prove to them that they should not want this to 
happen to them. But, you know, I am concerned, we have the 
deputy attorney general calling it a clear and present danger. 
Are these cyber attacks? We have a former Secretary of Defense 
saying he is just waiting for our cyber 9/11 to happen. If it 
hasn't happened, then this incident, I think, with your 
company, is the USS Cole attack before 
9/11. It is the warning that we should all see before an attack 
that really debilitates us in a much more profound way.
    So, I guess you have answered lots of questions about what 
you are doing differently. You know, you mentioned a bunch of 
tabletop exercises and things that you did, but, obviously, 
they did not work, right? I guess my question is, are you 
allowing researchers, kind-of the white hat hackers, to try and 
get into your system? Are you using kind-of that approach where 
you are allowing people to try and attack you, not just doing a 
tabletop exercise on what you would do, but actually trying to 
let them into your system? Have you done that before?
    Mr. Blount. Representative, first let me thank you for your 
kind words. I appreciate those. Very nice of you to do that.
    Yes, we participate in penetration tests. We participate in 
audits and that is by design, to try to find weaknesses. If you 
find weaknesses, then determine how you best remedy them. Of 
course, if you consider how fast the criminal element is 
growing and their skills are growing, you have to continually 
stress test your system in order to stay ahead of the curve. It 
is like all technology, it changes constantly. That is why you 
are continually hardening your systems and making those 
investments.
    So I appreciate----
    Ms. Slotkin. You have invited outsiders to do this, not 
just folks inside your own system, but outside organizations, 
outside groups that do this for a living?
    Mr. Blount. Representative, absolutely, because you run the 
risk of being myopic if you were to do it yourself. You have to 
have outside experts. You know, similar to the reason we 
brought Mandiant in to help us restore our systems and to 
determine what happened to us and run an investigation. That is 
the absolute right thing to do and I think all responsible 
operators are doing that.
    Ms. Slotkin. Yes. I think, you know, beyond the pipeline 
companies that go through Michigan and through our Great Lakes, 
you know, the average company doesn't have nearly the resources 
that you have, doesn't have nearly the staff that you have. I 
think a lot of us are looking at, you know, if you can't and 
other companies like you can't protect against these attacks, 
what are the little guys supposed to do who are even less in 
touch with some of the latest and greatest in cybersecurity?
    I have tried to get at this problem by requiring DHS to 
help State and locals figure this out and do more tabletop 
exercises. But if you could give a message to the CEOs of those 
companies and what you wish you would have done differently 
ahead of time, what would that message be?
    Mr. Blount. Well, I think the message is that I would like 
to share, Representative, is we need to be aware of what is 
going on. We have gotten a lot more press about it here in the 
last month as a result of this particular incident, but we 
can't be complacent in our defenses.
    Just as importantly to preventing the attack is we really 
need to work hard, and most operators are capable of doing it, 
and we certainly have demonstrated that, we must respond 
immediately to contain that threat, recognize the threat, 
contain that threat, remediate, and then be able to restore our 
systems. I think a lot of pipeline operators, for the most 
part, know how to do that. It is inherent. We all have those 
emergency response processes.
    Then the other thing that is most important, and we talked 
about it earlier today in this forum, is the willingness to be 
very transparent and come forward extremely quickly. I think we 
have seen in the United States over the course of the last 
month a lot of companies admitting that they were hacked and 
paid ransom 3 or 4 months ago. That is not helping defend any 
of the other companies that are being attacked let alone 
critical infrastructure.
    Ms. Slotkin. I couldn't agree more. Being able to be 
transparent with the public has to be the first step.
    I also just want to associate myself with the comments of a 
peer who talked about the absolute lack of deterrence, the 
absolute lack of punishment and consequences for the people who 
conduct these attacks. Until we get at that, we are going to 
have more CEOs in front of our committee.
    Thank you. With that, I yield back.
    Chairman Thompson. The gentlelady yields back. The Chair 
recognizes Mr. Norman for 5 minutes.
    Mr. Norman. Thank you. Mr. Carmakal, the DarkSide, the 
Russian hackers that caused the Colonial Pipeline attack, 
really seemed to enjoy the approval of the Russian government 
and Putin. Is this one of the roles, I think Congressman McCaul 
asked this, that Government can use to prevent Russia from 
approving this? Do you agree with this? Mr. Carmakal.
    Chairman Thompson. The gentleman needs to unmute himself.
    Mr. Carmakal. Can you hear me now? OK, thank you. So, the 
DarkSide group is----
    Mr. Norman. I can hear you now.
    Mr. Carmakal [continuing]. A network of different operators 
that conduct intrusions on behalf of the DarkSide name. So, 
while there is a requirement to be affiliated with the DarkSide 
Group that you have to speak the Russian language, it doesn't 
mean that every single operator is located within Russia. We 
assess that the majority of the operators are Eastern European 
criminals, and so, you know, we certainly would request the 
U.S. Government to help with encouraging the Russian government 
and other governments that harbor these criminals to try and 
apprehend them and discourage them and stop them from 
conducting these operations.
    Mr. Norman. Would you not think it would make sense, this 
administration has removed the sanctions for the Nord Stream 2 
pipeline, would you not think this would play into putting the 
sanctions back on to have leverage against Russia? Just asking 
them, I don't think that is going to get the job done, but we 
need leverage. Wouldn't that be one of the tools that Mr. Biden 
could suggest when he meets with Putin this week?
    Mr. Carmakal. Congressman, I would certainly defer to the 
Government to make decisions like that. You know, I want to 
focus on cybersecurity and, you know, that would be outside of 
my expertise.
    Mr. Norman. OK. Mr. Blount, yesterday in the hearing you 
said that the decryption tool that you purchased from the 
DarkSide was not a perfect tool. Can you elaborate on that?
    Mr. Blount. Yes, Mr. Representative. I will do that and 
then----
    Mr. Norman. Mr. Blount.
    Mr. Blount. Are we on mute again?
    Chairman Thompson. You are unmuted.
    Mr. Blount. Am I on? Mr. Representative----
    Chairman Thompson. Yes, you are.
    Mr. Blount. Can you hear me now?
    Chairman Thompson. Yes, we can.
    Mr. Blount. Sorry. To respond to your question, Mr. 
Representative, I did make the statement yesterday that the 
tool is not perfect and I heard that is often the case. The 
tool has been used, and Mandiant probably could speak further 
to that. But, again, for me, not knowing in those critical 
hours in the morning what I had and my capability to bring that 
pipeline system back on as soon as possible, I had to run the 
risk that the tool perhaps wasn't perfect, but, indeed, it was 
a tool that was advertised as being able to de-encrypt a 
massive amount of material on my system that had been 
encrypted.
    Mr. Norman. So if you rewound the clock, knowing what you 
know now, Mr. Blount, what is your opinion of the type of 
things Colonial needs to do moving forward to prevent this from 
happening again?
    Mr. Blount. Yes, if I rewound the clock I would say that, 
you know, we need to continue to do what we have been doing, 
which is continue to invest in defense. But, you know, granted, 
we have talked today in this forum today that nobody is immune 
to an attack. We, like any operator, get hit millions of times 
a day by people trying to do the same thing that we saw 
DarkSide do. Fortunately, we have the defenses to stop that.
    Certainly, if we started to pull all these reports that the 
operators have been filing every 12 hours, you are going to see 
that that is not unique to us. That goes on at every operator 
in every State in this country right now. It is a maximum 
amount of volume of attacks that we are dealing with.
    So, again----
    Mr. Norman. I was just going to say I agree with you. You 
have got 4,000 ransomware attacks every day. So, a lot of 
companies, because of their name and don't want it out, how 
would you incentivize other companies to come forward, share 
what they have learned, and work with you to prevent this from 
happening?
    Mr. Blount. I encourage it. I think----
    Mr. Norman. Mr. Blount, can you hear me?
    Mr. Blount. Yes, sir. Mr. Chairman, can you hear me?
    Chairman Thompson. Yes, I can. We are hearing you.
    Mr. Blount. Very good. I encourage all CEOs who have been 
hacked and subject to a cyber attack could be very transparent 
about it. It is the only we are going to learn that these 
attacks continue to change. There is variance to these attacks. 
Any information we can get in a timely basis is helpful to 
everybody in this country to help avoid and help deal with 
after the fact responding to these types of hacks.
    I am sure there is any number of reasons why people are 
hesitant to it, perhaps they are embarrassed, perhaps they have 
a brand name they are trying to protect. But I think in the 
long run transparency and honesty with regard to this 
particular topic is extremely important to all American 
citizens in our effort to try to stop what we are seeing become 
more and more a daily event.
    Chairman Thompson. The gentleman's time has expired. The 
Chair recognizes the gentlelady from New York for 5 minutes.
    Ms. Clarke. I thank you very much, Mr. Chairman, and thank 
the Ranking Member. This is a very important hearing and I am 
so glad that we have the witnesses before us today.
    Mr. Blount, I just wanted to circle back to a question that 
was raised by my colleague, Mr. Langevin. We know that you 
hired Mandiant through our outside counsel. My question to you 
is, did you or your legal team have any discussions about 
retaining Mandiant through counsel in order to place any of the 
findings that you have been able to obtain under attorney-
client privilege?
    Mr. Blount. Representative, I wasn't involved in the hiring 
of Mandiant. We would have to talk to my general counsel about 
why we went about taking that route.
    Ms. Clarke. Very well. Would you get back to us after you 
speak with them? That would be very interesting for us to know.
    Over the past several years, ransomware attacks have become 
more frequent and consequential. Did Colonial Pipeline have a 
ransomware continuity of operations plan to ensure that 
operations could continue in the event of a network disruption?
    Mr. Blount. Representative, thank you for asking that 
question. We have what we call an emergency response process. 
We use it for every threat that we identify throughout our 
pipeline system. So, in this particular case, it was a cyber 
threat, came through our control room in the form of a 
ransomware note. We identified it. We continued it by shutting 
down the pipeline system. Then, obviously, we went on to the 
process of remediating and restoring our operation back into 
service as quickly and safely as we possibly could.
    We also----
    Ms. Clarke. But that was part of your planning. My next 
question is, with that consideration in mind, is ransom part of 
that planning that you do?
    Mr. Blount. Well, thank you for that question. Of course, 
ransom is part of the threat, so the answer to that question 
would be yes. Each threat is unique, right? Not all of them, 
obviously, come from the standpoint of a criminal element. It 
could be something that we see in one of our yards that is not 
a safe event that we want to identify and contain and figure 
out how to remediate. So ransomware is part of our emergency 
response process. It is just another variable that we would 
deal with.
    Ms. Clarke. Very well. Last week, Deputy National Security 
Advisor Anne Neuberger circulated a memo to corporate leaders 
urging them to take immediate action to defend against 
ransomware, mitigating the impacts of an attack. It recommends 
practices like backing up data, patch management, developing 
and testing incident response plans, working with penetration 
testers, and network segmentation, among other things. Before 
this incident, to what degree had Colonial backed up this 
critical data and systems? Did you keep back-ups off-line?
    Mr. Blount. Great question, Representative. In fact, if you 
look how quickly we brought our system back on and our 
response, a good portion of that was the result of the fact 
that we wound up having very quality back-up systems. As I 
understand and as I have learned a lot over the course of the 
last month, that is not always the case, which is why you want 
to make as many options available to you. When you see that 
threat, you contain that threat, and you start to remediate.
    But in our case, we apparently had some very quality back-
up systems that allowed us to bring the pipeline on sooner than 
later.
    Ms. Clarke. So, my next question is, before this incident, 
when was the last time you tested your incident response plan 
and what corrective actions did you take afterward?
    Mr. Blount. The incident response process is part of our 
DNA. We do tabletop exercises. If you talk about it from a 
physical standpoint, we work with local law enforcement in 
regions throughout the United States on an annual basis to 
prepare for emergencies that might take place across our 
pipeline system.
    Ms. Clarke. Also, do you recall when the last time was or 
is that something your CIO would have the answer?
    Mr. Blount. Representative, again, ours is an emergency 
response process, so it might not even have been a cyber issue 
tabletop-type exercise. It could have been any number of 
things, like a pipeline physical attack and things like that. I 
will be glad to share those dates with you. We do it 
continually. Again, it is part of our DNA as a safe 
organization.
    Ms. Clarke. I am sure having experienced this incident 
there will be a closer look at the cybersecurity concerns of 
your organization. Let me just say that I think this is 
certainly a case study for cyber hygiene because it was through 
an unsecure password that the Nation's largest pipeline was 
disrupted. I want that to be a lesson to everyone who is 
listening to this hearing that we must, must do better with our 
cyber hygiene.
    With that, Mr. Chairman, I yield back. I thank you, Mr. 
Blount, for your candor and your participation today.
    Chairman Thompson. The lady's time has expired. The Chair 
recognizes Mrs. Miller-Meeks for 5 minutes.
    Mrs. Miller-Meeks. Thank you, Chair Thompson, and thank 
you, Ranking Member Katko and our witnesses today.
    Cyber attacks are certainly becoming more and more 
commonplace in the ever-evolving digital age. In fact, we have 
had those to our local governments here in Iowa, and I have a 
JBS meat processing plant in my Congressional district, as we 
know, was recently involved. From public schools and local 
libraries to critical infrastructure companies, like Colonial 
Pipeline, no one is immune and all require prevention tools. 
Systemically important companies, such as Colonial, should be 
particular wary of attack, as you indicated that you were, due 
to the unique source of the risk that you represent.
    You mentioned yesterday, Mr. Blount, that ransomware was 
not mentioned in your cyber incident response plan and so I 
have 2 questions. Due to the high risk of attack, have you 
given consideration to the risk of ransomware affecting your 
company? What resiliency do you have in place to digitally 
communicate with the internet of things, devices, and OT, or 
operational technology, industrial controls that would protect 
your enterprise from future attacks knowing that they are 
coming? This is also to help other companies as well.
    Mr. Blount. Well, thank you for your question and let me 
try to address them because I think you had a couple of those--
a couple questions embedded in there. You know, certainly, as 
the investigation goes on and we continue to allow Mandiant to 
do what they have been brought in to do, we see no indications 
of compromise in the OT system. I was asked that question 
earlier as to, well, then why did you shut down the system? The 
response to that would be if you even think there is a 1 
percent chance that that criminal got into your OT system, it 
could potentially take over control of a 5,500-mile pipeline 
moving 100 million gallons a day, then you shut that pipeline 
down.
    That is what we did that morning. We used our stop-work 
authority. That control room employee made the right decision 
and shut the pipeline down. I am very proud of what he did 
there because it helped protect all of us not only as United 
States citizens, but also potentially protecting the 
environment and the communities in which we serve.
    Now, I think you had 1 other question embedded in there.
    Mrs. Miller-Meeks. It was had you given consideration to 
ransomware?
    Mr. Blount. You know, when we look at, you know, our 
response, I am very pleased with our response. When we look at 
our emergency response process, certainly there won't be a 
definitive way to handle ransom in the future because I think 
each case is unique. In this case, obviously, it was the 
concern that we really had no vision into our IT or OT systems 
to understand the degree of corruption and encryption. It 
really took us days, even with the help of a world-class expert 
by Mandiant to get there. So, again, that is why that decision 
was made.
    So, again, I think for operators it is probably better not 
to have a strict policy because you may need that option. There 
are a lot of entities. In some cases, like hospitals, that 
would be their only option potentially, to pay the ransom. 
Again, I am not saying that is a morally right or wrong 
decision, but it may be a decision you have to make like I did 
that day, which was extremely difficult.
    Mrs. Miller-Meeks. So, thank you. Certainly we know I don't 
disagree with Representatives McCaul or Slotkin that, you know, 
we need to punish bad actors. In this case, there could be 
State or country entities involved. Even though the OT system 
was not involved in this instance, we know that OT systems with 
access to the internet and emerging 5G technology bring further 
digital problems and opportunities for bad actors.
    Mr. Carmakal, are there other technologies, i.e., mobile 
high-frequency technologies, that are safer, not on the 
internet, and more cost-effective that perhaps we should be 
recommending to companies that are critical points of our 
infrastructure?
    Mr. Carmakal. This has to do with the interaction between 
the IT environments and the OT environments. So we would, you 
know, continue to encourage organizations to not only segment 
their operational technology environments, but continue to get 
better visibility and to the assets that exist within the 
operational technology environment and mitigate some of the 
risks associated with vulnerabilities that exist out there.
    Mrs. Miller-Meeks. Thank you so much. Certainly, I think 
both of you have emphasized the need to have a single source 
point for reference to interact with the Federal Government, 
some things we need to work on. Is there a regulation that 
either of you think that Congress should enact for companies 
for transparency, for immediate reporting, and, you know, 
before negotiating to pay ransom?
    I am running out of time, so thank you, Chair Thompson, if 
they could answer the question. I will yield back.
    Chairman Thompson. Either one of the witnesses can answer 
the question.
    Mr. Blount. Representative, I would say that I think the 
new TSA standards are a great start on the part of the 
Government. You know, the timely reporting, the 12-hour 
reporting, I think that is extremely valuable.
    Chairman Thompson. The gentlelady's time has expired. The 
gentleman recognizes Mr. Correa for 5 minutes.
    Mr. Correa. Thank you, Mr. Chairman, again for this most 
important hearing. I can't think of any issue that is more 
important to our country and to our Nation throughout society 
than cybersecurity. Gentlemen, thank you for being here today 
with us.
    As I listened to your testimony, Mr. Blount, I am reminded 
of a case I had here in my district about a year ago. Just a 
local tax preparer with about 4,000 clients one day calls me 
and says I have got a problem, Lou. I said, what is it? It 
sounded just like a Colonial Pipeline, you know, the good old 
days, which is small-scale. This guy had his 4,000 customers 
essentially held hostage and he was in trouble. Now we have 
Colonial that shows that this is not random and it is going to 
continue to get worse.
    So, my question is really to Mr. Carmakal. If you can go 
back and envision a situation that we have had [inaudible].
    Chairman Thompson. I believe the gentleman is having some 
technical difficulties. While Mr. Correa is getting corrected, 
Mrs. Harshbarger, we will recognize you for 5 minutes.
    Mrs. Harshbarger. Thank you, Mr. Chairman and Ranking 
Member Katko and the witnesses. Mr. Blount, you know, I feel 
for you being in front of Congress, going in front of the 
Senate, now in front of us. Private companies, a lot of them, 
don't even report that they have been ransomed in a lot of 
ways. I have talked to my companies in my district, the First 
District of Tennessee, and they don't do it because they don't 
want their customer base to feel that they are vulnerable or 
that they can't protect their information, the stock value goes 
down, or the fact that they might be hauled in front of 
Congress. Those things would prohibit a lot of companies from 
even telling us that they have been hacked, basically.
    Let me ask you a simple question. Did you have confidence 
that the Government, if you reported a cyber breach, that the 
Government could help you with that breach before this ever 
happened?
    Mr. Blount. Thank you for that question. That is an 
interesting question. I haven't heard that one in the last few 
days, so thank you.
    Mrs. Harshbarger. Well, that is just a straight-up yes or 
no.
    Mr. Blount. Well, you know, we have a 57-year history----
    Mrs. Harshbarger. Listen, I came from the private sector to 
the public sector, so I understand exactly how you feel right 
now.
    Mr. Blount. Yes, ma'am. Well, we have a 57-year history of 
dealing with the American Government, both on a regulated side 
as well as the other entities that we have relationships with. 
So, never in my mind did I think that, No. 1, I would have to 
make those calls, but when I was making them or my team was 
making them, because it was an all-hands effort that day, we 
knew that if there was things that we needed done that they 
would get done. We saw that and I will just give you one 
example because I don't want to eat up your time.
    We knew that trucks would have to be able to move fuel and 
we knew that drivers have limited number of hours and we know 
currently in our COVID environment there aren't as many truck 
drivers. So, again, reaching out early allowed some regulation 
to be waived, which helped, you know, to some degree, get fuel 
into the market.
    Mrs. Harshbarger. Absolutely. You put in your testimony 
that you would recommend designating a single point of contact 
to coordinate these Federal responses to types of events just 
like this. In other words, you are recommending establishing 
reciprocity across these Federal agencies. Who did you--when 
all this happened within that first 24, 48 hours, what agency 
did you primarily work with?
    Mr. Blount. Just to give you some context, Representative, 
I want to give you a list because you weren't on the call 
earlier, but we contacted within 24 hours the White House, the 
NSC, the DOE, PHMSA, FERC, DHS, CISA with the FBI, EIA.
    Mrs. Harshbarger. Yes, good.
    Mr. Blount. If you think about that, if we had to make 
daily calls or intraday calls with each one of those throughout 
the restoration process, we probably would have come on a whole 
lot later.
    So, we were fortunate in that in this particular case, the 
White House designated the DOE as our conduit for everybody but 
the FBI. The FBI and CISA kind of handled the investigative 
side and then DOE was our conduit to all the other entities 
that I named. That was extremely valuable to us. I am not 
stating that one entity over the other should have that role, 
but I think if you look at the 24/7 effort that my team had to 
make, we needed that ability communicate, in this case through 
DOE, about what was going on in the market, what we were doing 
to restore our IT systems, while we also had the same 
conversations with the FBI, giving them data and evidence and 
things like that that we were finding as Mandiant went about 
doing what they needed to do throughout the course of the 
beginning of the event.
    Mrs. Harshbarger. Fantastic. I see where you recommended, 
too, to be adequately staffed, have adequate resources, and I 
totally agree with every bit of that.
    Mr. Carmakal, you explained in your testimony the 
definition of ``operational technology'' and ``industrial 
control systems''. You state that there are relatively fewer 
disclosed intrusions of OT environments as compared to the IT 
environments. My question is, why do you think that is?
    Mr. Carmakal. Congresswoman, I think one of the reasons for 
that is because there are probably fewer intrusions into 
operational technology environments given the general 
segmentation that exists between IT environments and 
operational technology environments.
    I also think that many of the threat actors out there that 
conduct intrusions, while they might be very skilled from an IT 
intrusion perspective, many of them don't actually know and 
they are not familiar with the operational technology vendors 
and other infrastructure that exists within those environments. 
So, they may not actually even know how to conduct substantial 
intrusions.
    But with that said, although there are fewer publicly 
reported incidents, the incidents that have been reported are 
quite substantial. When you think about a power outage in a 
certain part of a country or potentially the modification of 
software that controls safety control systems at a 
petrochemical facility in the Middle East, obviously the 
consequences are quite substantial.
    Mrs. Harshbarger. OK. Thank you so much and I yield back.
    Chairman Thompson. The gentlelady's time has expired. The 
Chair recognizes again the gentleman from California, Mr. 
Correa. The gentleman needs to unmute.
    Mr. Correa. Can you hear me now?
    Chairman Thompson. We got you now.
    Mr. Correa. Mr. Chairman, thank you very much. Just to 
expose these bad guys when I got cut off. I guess that is the 
way technology works.
    Mr. Carmakal, my question to you, sir, if you had a moment 
to pull back and look at the big picture, what should we be 
doing now to prepare for the next 5 years in terms of defending 
our system? Defense, offense, what is it--what would your top 2 
or 3 things that you would ask us to do on your wish list to 
make sure that we are better prepared for these attacks moving 
forward?
    Mr. Carmakal. Congressman, unfortunately, we are dealing 
with cyber intrusions every single day and what occurred over 
the past few months, it has been happening for the past several 
years. So I think we all need to come together from both a 
Government perspective, commercial organizations, as well as 
the security community to not only help organizations better 
defend themselves, but we would certainly look for help from 
the Government to create some repercussions to the threat 
actors that are conducting these intrusions.
    So we would certainly like to see individuals become 
identified that are conducting intrusions. We would love to see 
arrests to the extent that is possible. We would love to see 
sanctions. We would love to see indictments where it is 
possible. We certainly would like Government support to come in 
more from an offence perspective and help disrupt some of the 
operations that these criminals continue to conduct in.
    So I do believe that we all need to come together and not 
only defend----
    Mr. Correa. Let me ask you, Mr. Carmakal, if I may 
interrupt you in the couple of minutes that I have left.
    Mr. Carmakal. Please.
    Mr. Correa. What about us here? You are talking about the 
offense, but what about us here at home? What can we do to 
better coordinate the private and public sector? We keep 
hearing this issue of, you know, hygiene, cyber hygiene, and 
the fact that not everybody seems to buy into the threats that 
are out there, and people are just not doing the right thing. 
How do we get the private sector to better coordinate with us 
and make sure they do the right thing?
    Mr. Carmakal. Yes. Maybe 2 things. No. 1, I would certainly 
encourage organizations to conduct Red Team Exercises or 
ethical hacks against their environment to test their defenses, 
to test their controls. I think a lot of organizations are 
under the assumption that they have all these security hygiene 
things in place, but unless you actually test your defenses, it 
is sometimes hard to identify when those defenses and those 
controls don't exist.
    We also want to continue to encourage organizations to 
share information about active threats. Again, we talked about 
this before, but we would certainly love for CISA to get more 
information about active intrusions and we would love for them 
to be able to disseminate that information as quickly as they 
can.
    Mr. Correa. Do you think the private sector right now on a 
voluntary basis is doing enough in terms of sharing their 
information with CISA when it comes to intrusions?
    Mr. Carmakal. I think it depends on the organization. Some 
certainly are; others may not be. But, you know, one thing I 
would love to commend Colonial Pipeline on is very shortly 
after their incident we had talked to them about publishing 
information about the DarkSide network and some of the 
indicators of compromise that they use and a description of the 
techniques that they use to not just help the Government, but 
also help other organizations that are trying to defend 
themselves. So, you know, we are trying to do our part as well 
to get information out to help the community to defend 
themselves.
    Mr. Correa. Thank you very much. I also want to thank 
Colonial Pipeline for their work and their cooperation with the 
Federal Government. I just hope there are some lessons learned 
here and that we can apply them and distribute them on a 
National to make sure we are all working, Mr. Carmakal, your 
words, sharing and working together in a coordinated fashion. 
Thank you very much.
    Mr. Chairman, I yield.
    Chairman Thompson. The gentleman yields back. The Chair 
recognizes the gentlelady from Nevada, Ms. Titus, for 5 
minutes.
    Ms. Titus. Thank you, Mr. Chairman. Many of my questions 
have been asked and answered and asked again, but I would like 
to expand on what was just discussed about better coordination 
here between public and private and among the different 
agencies throughout the country.
    We have to realize that this is an international problem. 
Not only is the enemy international, but some of our friends 
are subject to the same kind of attacks. That is especially 
true among our NATO allies. They are probably experiencing some 
similar kinds of things, being hacked from people in Russia. 
So, I wonder what we are doing or what we could be doing to 
better develop best practices or share information with our 
international allies and companies abroad. Anybody?
    Mr. Carmakal. Congresswoman, that is a great point. I 
certainly want to recognize that there are cyber threats that 
occur all over the world. In fact, when you look at, you know, 
the geopolitical climate and you look at certain countries that 
are considered to be hot zones for cyber attacks, Ukraine is 
certainly one of them, the Kingdom of Saudi Arabia is another 
one of them. A lot of time we see intrusion activity occurring 
in that part of the world sometimes before that occur in the 
United States, possibly for--you know, for a number of 
different reasons. I think it certainly helps to share 
information with the community, the broader community, to apply 
some of the learnings that have occurred with respect to some 
of the intrusions in Ukraine and Saudi Arabia.
    For example, I mentioned that there were operational 
technology security incidents in both Ukraine and Saudi Arabia. 
There are learnings that we have all been able to gather from 
that and make--you know, and apply them within the United 
States. Again, we certainly welcome collaboration.
    Ms. Titus. Well, OK. Thank you, Mr. Chairman. I yield back.
    Chairman Thompson. Thank you very much. The gentlelady 
yields back. The Chair recognizes Mr. Clyde for 5 minutes.
    Mr. Clyde. Thank you, Mr. Chairman and Ranking Member 
Katko, for holding this very important hearing.
    You know, Mr. Blount, my district, Georgia 9, certainly 
felt the impact of the pipeline shutdown and I saw many gas 
stations with no fuel. But I certainly commend you and the 
Colonial Pipeline workers for how quickly they worked with both 
private assets and Federal agencies to get the pipeline back up 
and running in as reasonably short time as possible. I know the 
decisions that you made were very difficult, especially the 
decision about the ransom, and that you made them in the best 
interests of your customers and our country in mind, and 
personally, I appreciate that.
    I also commend the Department of Justice and the FBI for 
recovering the $2.3 million in ransom that was paid. By the 
way, Mr. Blount, have they given you that money back yet?
    Mr. Blount. Thank you for your kind words. I don't know the 
answer to that. I suspect we haven't seen those bitcoins back 
yet, but that is the first question I have heard along those 
lines in the last 2 days as well, so thank you.
    Mr. Clyde. Well, I just want to make sure you get it back, 
OK?
    Mr. Blount. Sounds good to me. Thank you, sir.
    Mr. Clyde. All right. In your testimony, you mentioned your 
desire that our Government put pressure on host countries. Now 
having gone through this very difficult experience do you have 
any thoughts on how we could do that and how our President 
could send a strong message to our adversaries?
    Mr. Blount. Well, thank you for that question. You know, 
from our standpoint as a private operator, you know, we don't 
play in the geopolitical scene, of course. The President has a 
lot of capability in that regard and certainly that is what we 
ask that he consider, the Government consider, putting pressure 
on these host countries that are allowing this to happen behind 
their boundaries. But as far as our recommendations, it is 
really not our backyard. We just think it is necessary in order 
to, you know, thwart as many of these attempts and to eliminate 
as many of these criminals as we possibly can so that no one 
does have to make the critical decision that I made on May 7 
and to work 24/7 like my employees did in the great State of 
Georgia to bring that pipeline system back on.
    Mr. Clyde. OK. So, you just want to hear that he is doing 
it?
    Mr. Blount. I have got no problem with hearing that, yes, 
sir.
    Mr. Clyde. All right, great. For Mr. Carmakal, I have a 
couple questions for you. I have always believed that the best 
defense is a good offense, and I am a big proponent of making 
the bad actors pay, especially those who extort others. In all 
of your work, do you have any information that would lead you 
to believe the ransomware attacks on Colonial Pipeline and JBS 
Foods were foreign state-sponsored? If----
    Mr. Carmakal. Sorry. Congressman, we do not have any 
information indicating that the attacks against both those 
organizations were directed by the Russian government.
    Mr. Clyde. Well, not just the Russian government, but any 
other state.
    Mr. Carmakal. Congressman, we do not have any direct 
evidence suggesting that.
    Mr. Clyde. OK, all right. Well, the same question that I 
had for Mr. Blount. How do you think our Government could do a 
better job with putting pressure on host countries, I think, to 
basically root out and eliminate these criminals like DarkSide? 
How could we do that? I think you are on mute, sir.
    Mr. Carmakal. Congressman, I certainly welcome a number of 
things. From a diplomacy perspective and foreign policy 
perspective, I would welcome any support that our President and 
Government can apply to Russia and other neighboring countries 
that host criminals. We certainly don't want that, you know, 
ransomware and destructive attacks to continue.
    We would certainly also welcome more of an offensive 
capability to disrupt some of the criminal operations. We have 
seen successes over the past few weeks and certainly the past 
few months. We would love to see continued support to make it 
more difficult for these criminals to conduct these operations.
    Mr. Clyde. OK. I am sure the people in your company are 
very talented. Would your company have the ability or desire to 
assist the Government if offered the right rules of engagement?
    Mr. Carmakal. Congressman, it is a great question. It is 
something that I would need to talk to my team about.
    Mr. Clyde. OK, all right. Thank you. I have one more and 
this is for Mr. Blount. Between CISA, the FBI, TSA, and other 
agencies, there is a wealth of information and helpful guidance 
that is pushed to all companies across all sectors. Has any of 
that ever made it to your desk or to that of your CIOs? If it 
did, were there any that you found specifically helpful?
    Mr. Blount. During the the event, we found all the 
resources available to us to be extremely helpful. You know, 
those phone calls that we had every day with DOE, everybody on 
those phone calls was expressing support and offering to help 
to the extent that they could. Again, we saw a lot of that. We 
saw, you know, regulatory things waived in order to move fuel 
quicker, move more fuel on the same truck and things like that.
    So, again, as I have said previously, I have got nothing 
but good things to say about the response from the Federal 
Government and all those entities that we dealt with over the 
course of those days and continue to deal with, as you can 
expect.
    Mr. Clyde. OK. Well, thank you very much. With that, Mr. 
Chairman, I yield back.
    Chairman Thompson. The gentleman yields back. The Chair 
recognizes the gentlelady from New Jersey, Mrs. Watson Coleman, 
for 5 minutes.
    Mrs. Watson Coleman. Thank you, Chairman. There has been 
some confusion on the topic of TSA assessments. There are 2 
types of TSA assessments: The Critical Facility Security 
Review, CFSR, which looks at the physical security; and the 
Validated Architectural Design Review, which looks at 
cybersecurity.
    Mr. Blount, you said that Colonial never declined these 
assessments. But according to TSA, Colonial has repeatedly 
postponed participating in a CFSR since March 2020 and has 
repeatedly postponed participating in a VADR assessment since 
October 2020. Delaying these assessments for so long amounts to 
declining them, sir.
    I understand a VADR assessment is now planned for late 
July, but that a CFSR assessment still has not been scheduled. 
Given Colonial's recent track record of stonewalling TSA's 
requests for 2 separate types of pipeline security assessment, 
it raises serious questions about your company's perspective on 
regulation.
    Does Colonial have a policy regarding requests for its 
regulators? Who decides whether Colonial cooperates or does not 
cooperate with a TSA security assessment? To your knowledge, 
did any of those requests that have been declined by your 
company to TSA ever get to your desk?
    Mr. Blount. Thank you for the question because I appreciate 
the opportunity to clarify that. I am not aware that we have 
ever denied TSA or refused the TSA to do any assessments. We 
have had a long-standing, great relationship with TSA. I will 
share with you that my CIO is extremely frustrated with this 
continual question that we have refused. Her contacts at TSA 
don't understand why the word ``refusal'' has been used.
    We have asked for some exceptions as related to COVID-19. 
We are not going to expose our control room personnel to 
outside people prior to the large majority of the United States 
being vaccinated. As far as----
    Mrs. Watson Coleman. Mr. Blount.
    Mr. Blount [continuing]. VADR----
    Mrs. Watson Coleman. I am sorry. Thank you. I understand 
that TSA offered to do one of the assessments virtually and 
even that was declined. So, I am going to say that I think that 
your perspective on your relationship with TSA is one thing. 
Their perspective on the relationship from the information we 
are getting is something other than that. So, do you think 
there is a value in having a written policy that says that 
Colonial will respond to requests coming from a regulator such 
as TSA and that that policy could be forthcoming as early as 
July 1?
    Mr. Blount. Representative, with all due respect, we always 
respond to any regulatory agency where we are responsible to. 
Again, we have had a good working relationship with TSA. Next 
week, when I get back to the office, I will be calling the head 
of TSA to have a discussion regarding this word ``refusal''. It 
is not consistent with the relationship that this company has 
had.
    Mrs. Watson Coleman. Thank you. Let me ask you a totally 
different--I look forward to hearing from you as to the 
advances moving forward with regard to your relationship and 
the mutual understanding between TSA and Colonial. I think TSA 
has a very important role in this space.
    I have a real quick question, I think. You paid $4 million 
for an encryption key and then you said that it was 
insufficient. Can you tell us where the insufficiencies 
existed? What was problematic, how you overcame those 
deficiencies to get things up on-line?
    Mr. Blount. Representative, great question. I am not a 
technical person, so I couldn't explain deficiency as far as 
the tool. I know that all these tools are not perfect, but they 
have--I have been told that Mandiant has used the tool. So, 
whether they have had to manipulate it in order to make it 
perfect, so to speak, that would be a great question for them. 
I don't have the technical expertise to define that further for 
you.
    Mrs. Watson Coleman. Then in the little bit of time I have 
left could I ask Mandiant to respond to that question? Because 
I want to reiterate, you spent $4 million to get it. Other 
folks who have a malware hacking, they need to understand that 
they could go on and pay the ransom and still not get what they 
need to get up and running again.
    So, can I have Mr. Carmakal respond to that for the 
remainder of my time?
    Mr. Carmakal. Congresswoman, the decrypter that was 
provided by the threat actor, it did work. It was effective. 
There were bugs in it, certainly, but it didn't actually--it 
wasn't actually needed to be able to recover systems and data 
within the Colonial Pipeline environment. They leveraged their 
back-up processes and their restoration processes to be able to 
effectively come back on-line. So while the tool did work, it 
just wasn't needed at the time.
    Mrs. Watson Coleman. Thank you. That begs the question 
then, since they already had the capacity to get back up on-
line: (A) Should they have ever paid the ransom; and (B) should 
they have ever cut the supply of resources off to those who 
were waiting for it along the Northeast corridor? Thank you and 
I yield back.
    Chairman Thompson. The gentlelady yields back. The Chair 
recognizes the gentleman from Michigan, Mr. Meijer, for 5 
minutes.
    Mr. Meijer. Thank you, Mr. Chairman. Thank you to those who 
are here today, our experts, Mr. Blount and Mr. Carmakal.
    You know, Mr. Blount, I really appreciate you coming before 
this committee. I know this has obviously been challenging and 
Colonial Pipeline has been the focus just given the wide-spread 
economic impact that has been felt throughout the region. But 
part of our committee's role here is to determine how we can 
make this Federal engagement and critical infrastructure 
stakeholder relationship as efficient and effective as possible 
to prevent and also mitigate any other future attacks.
    So I just wanted to say I appreciate your willingness to 
talk to us on this end. I do not want this to be viewed or felt 
as too much of an inquisition. But we obviously need to make 
sure that we are learning the right lessons from what happened.
    You mentioned in your testimony that you were in contact 
with the FBI and CISA within hours of discovering the attack 
and that you have stayed in contact throughout the process. You 
went through in prior questioning of what that time line was 
like. Just as a brief yes or no from that experience, is it 
clear to you how the U.S. Government shares information 
internally on cybersecurity?
    Mr. Blount. I would say the answer to that, Congressman, is 
no.
    Mr. Meijer. OK. That is certainly an area where I think our 
Federal Government needs to clarify that given the vast array 
of actors on the Governmental side at play here. Then you 
offered the recommendation of creating that single point of 
contact. You know, with the Colonial Pipeline attack we had DOE 
leading the Federal Government's response, we had entities like 
CISA and TSA that had more explicit responsibilities that were 
obviously involved in that, and then obviously the FBI as well. 
So, within the internal processes we obviously need to work to 
streamline as best as we can.
    I guess another yes or no, would you support a mandatory 
reporting requirement to CISA and the FBI in the event of a 
cyber attack on an institution?
    Mr. Blount. Representative, I guess the way I look at that 
is, you know, that is exactly what we did, so that is the right 
choice for Colonial. You know, I would hate to say that I think 
that is the right choice for another party, but for us that 
transparency is extremely important and we would do it again 
just like we did it last time. No issues with that at all.
    Mr. Meijer. Then, again, I think we have seen with the 
naming of former attacks, and I am thinking Solar Winds comes 
to mind, the stigma that is associated can create a set of 
incentives that cause companies to hide that, to not report it 
or to just stay in the shadows, and how that can have a 
compounding effect in terms of being able to identify, deal 
with the risks, and then root it out.
    Mr. Carmakal, we have spoken about this earlier and I want 
to strongly associate myself with the remarks of Mr. McCaul, 
Mrs. Miller-Meeks, and Ms. Slotkin on this front. The 
asymmetric nature of this threat and dealing with asymmetric 
threats as a nation-state, as a superpower is perennially 
challenging.
    I am frustrated to no end that lawmakers and corporate 
executives and others in Government and in the private sector 
in the United States are staying awake at night concerned about 
the cybersecurity threat. Meanwhile, the DarkSides, the 
advanced persistent threat actors overseas, especially those 
who are not officially supported by a nation-state, but 
certainly offered safe harbor or otherwise not being--not 
upholding any sort of rule of law, those actors are not staying 
awake at night. They don't have the same fear that we have.
    I firmly believe that the U.S. Government needs to engage 
in this in a serious way. We need to have those actors 
understand the consequences before we have an incident that 
takes American lives. We certainly saw wide-spread economic 
disruption with the Colonial Pipeline, but the asymmetry here 
is palpable and it is something that we need to work strongly 
to address. We need to be able to put that fear into those who 
seek to attack the United States, but they cannot operate with 
impunity. We will be the ones who knock and that there will be 
consequences.
    So, I know that you have addressed that prior, but I just 
wanted to give you a brief moment to address any further 
thoughts you have on that offensive capability. Thank you.
    Mr. Carmakal. Congressman, I certainly agree that we need 
to make it more difficult for these threat actors to conduct 
their operations. I am really proud of some of the successes 
that we have had over the past few weeks and the past few 
months, and Government coming together with commercial 
organizations to disrupt some of the capabilities of threat 
actors.
    When we look back at what occurred back in October 2020 
with respect to the acute threat to health care organizations, 
a lot of folks came together to help curb the ransomware 
problem that was occurring that was directly impacting health 
care organizations. When you look at the disruption of the 
TrickBot network and the Emotet botnet, you know, there has 
been a number of successes, but I think there is a lot of 
opportunity for us to do more, to go more offensive. But I 
think we need to define what the rules of engagement are and 
what is accepted and what is acceptable.
    Mr. Meijer. Thank you, Mr. Chairman. I yield back.
    Chairman Thompson. Thank you. The Chair recognizes the 
gentleman from Missouri for 5 minutes, Mr. Cleaver.
    Mr. Cleaver. Let me, first of all, thank you, Mr. Chairman, 
for giving me the opportunity to introduce and the committee 
passed the Pipeline Security Act, which codifies TSA's Pipeline 
Security Division and it increases engagements between the 
pipeline operators, TSA, and CISA. As I said, it came out of 
the committee last month.
    But, Mr. Carmakal, based on your experience working with 
critical infrastructure owners and operators who have 
experienced and even suffered from this ransomware or other 
types of cyber attacks, do you have any observation about how 
the Federal Government can improve its response and better 
coordinate its efforts, particularly for private-sector 
critical infrastructure such as pipelines? Give us what you 
think we ought to be doing.
    Mr. Carmakal. Congressman, I certainly think that we need 
to take the learnings from these attacks, these other 
intrusions, and perhaps some of the things that organizations 
thought they were doing well from a security perspective and 
share that with other organizations out there. I think it is a 
missed opportunity if we don't take these learnings from both 
an intrusion perspective and, you know, security control 
failures perspective, and share that with other organizations. 
I certainly welcome other--more Red Team Exercises or 
penetration testing for organizations, again, to test the 
defenses and to maybe test some of their assumptions with 
respect to controls that they believe that they have.
    Mr. Cleaver. Do you feel vulnerable? I mean, do you still 
feel like you are vulnerable?
    Mr. Carmakal. Congressman, unfortunately, we deal with 
cybersecurity incidents every single day. As the days progress, 
I feel more direct impact by some of these intrusions. I do 
feel unless we actually come together and do something, we will 
continue to feel this on a day-to-day basis from a personal 
perspective.
    Mr. Cleaver. Now, the Colonial attack, you know, actually 
has brought cybersecurity to the front of the line in terms of 
international issues and security issues. But this impacts the 
pipeline sector into, you know, trying to figure out, you know, 
what we can--what you can do and other people in your same 
business are trying to figure out what challenges they have and 
what they can do.
    Given FireEye Mandiant's role as a leading cybersecurity 
provider, you surely have a front row seat into the 
vulnerabilities. Does FireEye have other clients in the 
pipeline space? In your experience how would you generally 
describe cybersecurity preparedness in your sector, the 
pipeline sector?
    Mr. Carmakal. Congressman, we have got clients across all 
sectors. I will tell you, the skills and sophistication and 
security maturity of those organizations certainly vary. It is 
sometimes hard to summarize a certain capability for a 
particular sector. What I will say is that any time there is a 
major security incident and it becomes public, organizations 
within the same sector, they try to take learnings from those 
organizations and they try to apply some of the best practices 
and, you know, some of the learnings from those organizations.
    I will certainly say that there are a number of 
organizations that are taking note right now and they are 
trying to do whatever they can to improve their security 
defenses. I think, unfortunately, a lot of our organizations 
are in a similar position.
    Mr. Cleaver. I should have added I am extremely concerned 
about the transportation sector, you know, compared to other 
forms of critical infrastructure. I mean, how would you, you 
know, generally assess the vulnerability of the transportation 
sector?
    Mr. Carmakal. Congressman, I think that there are 
opportunities for transportation sector organizations to 
continue to improve their security posture and apply the 
learnings from this.
    Mr. Cleaver. Yes, OK. I yield, Madam Chair--Mr. Chairman.
    Chairman Thompson. Thank you very much. The Chair 
recognizes the gentleman from Texas for 5 minutes, Mr. Pfluger.
    Mr. Pfluger. Mr. Chairman, thank you, Ranking Member Katko. 
What an opportunity to talk about something that is so 
important. Mr. Blount and Mr. Carmakal, thank you for your 
expertise here. I have got one question for each of you. I will 
start with Mr. Blount.
    The district I represent includes the Permian Basin. We 
produce 40 percent of the country's oil. Energy security is 
National security. I am very worried about making sure that we 
ensure that we protect this industry that keeps our homes, runs 
our businesses, obviously lets our economy continue to 
flourish. So, you know, beyond the ones and the zeroes, Mr. 
Blount, what do you see as another aspect of resiliency? 
Because it is obvious that the Colonial Pipeline is a very 
significant piece of critical infrastructure for our country. I 
hope that we can take these lessons and truly learn them and 
apply them. So what other types of resiliency can we look to in 
this sector, in this industry?
    Mr. Blount. As you know, I have spent 35 years of my career 
in Houston, Texas, and I can tell you that though I haven't 
really had the opportunity to return a lot of phone calls here 
in the last month, that is a major concern on the part of all 
the energy sector right now.
    I think a lot of what we talked about today with regard to 
the private-public partnership is extremely important. I think 
Mandiant added a really valuable equation today, which is the 
security sector has a lot to add in that conversation so it is 
a 3-way partnership.
    We need to find a way to communicate all the learnings that 
we take away from the Colonial incident and combine that with 
the just the amazing amount of other incidents that have 
happened that, No. 1, we aren't aware of, that Mandiant might 
be, and learn from those to create the resiliency we need to 
compete against a very sophisticated criminal element that 
continues to get more sophisticated. That is a great question.
    Mr. Pfluger. Well, thank you for what you do, for what 
Colonial does to provide the energy that the, specifically, 
East Coast needs, such an important piece of our 
infrastructure. I think we all need to look at it and continue 
to diversify in this country when it comes to providing those 
sources of gasoline and natural gas and other fuels to the 
coast lines.
    For Mr. Carmakal, I also represent Angelo State University, 
a minority-serving institution, an Hispanic-serving institution 
in the middle of rural America. It is a cyber center of 
excellence. I am very interested in understanding what we can 
do at the university level to ensure that we are building the 
next generation of cyber experts that can come to your company, 
FireEye, appreciate what you do, and can go throughout the rest 
of the United States, quite frankly, to bolster against the 
threat that we are talking about today. Can you specifically 
talk about at the university level what we should be doing to 
help that effort?
    Mr. Carmakal. There is a need for educating more university 
students and individuals at a much younger level about 
cybersecurity. There is a desperate need for more cybersecurity 
professionals out there. Really, anything that we could do to 
create more cybersecurity curriculum within universities and 
encourage more young individuals to take on careers in 
cybersecurity would certainly help us improve and the defense 
and overall security posture of the Nation.
    At FireEye and Mandiant we do a number of things with 
respect to recruiting talent from universities. We do a lot of 
presentations at universities. We try to inspire young 
professionals and students to become cybersecurity 
professionals once they graduate from college. So, I really do 
appreciate the question.
    Mr. Pfluger. Well, thank you for that. We are going to 
continue to push on this because in rural America we need to 
make sure that our folks understand this is an option for them, 
this is a job that they can do. You know, whether it is 
farming, ranching, or the oil and gas sector, or any other 
sector in the United States, we need people who understand this 
and it needs to start earlier and earlier. I think a whole-of-
Government approach is called for.
    Again, I am going to reiterate in my last 45 seconds here 
that energy security is National security. Our country exports 
more than we import. We are dominant in the world. In countries 
that are buffered up against Russia--Latvia, Lithuania, 
Estonia, the Ukraine, Poland, and others--their leaders wake up 
every single day and they are trying to figure out how to 
deliver energy to their citizens. We in the United States are 
blessed with a bountiful source of energy. The winter storm in 
Texas is another example of just how fragile our infrastructure 
can be.
    So as part of the Homeland Security Committee I think it is 
incumbent upon all of us to look at the cyber aspects of 
defense and to make sure that any other vulnerability is 
considered, that we can continue to provide affordable, 
reliable energy for the country.
    With that, Mr. Chairman, thank you for this and I yield 
back.
    Chairman Thompson. The gentleman yields back. The Chair 
recognizes the gentlelady from Florida, Mrs. Demings, for 5 
minutes.
    Mrs. Demings. Well, thank you so much, Mr. Chairman, and 
thank you as well to our Ranking Member and also to our 
witnesses. Thank you for your testimony today. We certainly 
cannot get to the point where we need to without you and your 
participation.
    You know, this hearing is extremely timely for a lot of 
reasons, but we have known for decades now that the new weapon 
of choice certainly for the criminal element is a cyber attack. 
I think the question is, what are we willing to do about it to 
certainly prevent further attacks in the future?
    Mr. Blount, I want to thank you so much for your candor 
earlier as we were talking about, you know, the time line; the 
Chairman started out with that. I was particularly interested 
in the time line of notification and decision to pay the 
ransom. You very clearly said that, you know, you made that 
decision to pay the ransom and keep it confidential, you know, 
because of operational security concerns. So while we certainly 
appreciate that, I just want to make sure I understand.
    In terms of you notified the FBI, which certainly I am glad 
you did that in a timely manner because you were a victim 
certainly of an attack, but I don't believe you consulted with 
the FBI before you made the decision to pay the ransom. If that 
is correct, since it is an investigation and certainly getting 
direction from law enforcement is so very important, if that is 
correct why didn't you make the decision to consult with the 
FBI, the lead investigatory agency, if you will, in a sense, 
before agreeing to pay the ransom?
    Mr. Blount. Representative, thank you so much for asking 
that particular question. That is true that I made the decision 
to pay the ransom. It is true that we called the FBI 
immediately on May 7 to report what we saw as an intrusion into 
our system. We have been extremely cooperative with the FBI 
throughout the process and including on Sunday, that Sunday, 
sharing with them information about the digital wallet.
    As far as actually going to them and having a conversation 
about we are going to pay the ransom, it is very clearly if you 
go to their website, as you probably know, that they don't 
encourage that. So, unfortunately, the decision winds up on the 
part of the private industry player to make that decision, 
which, of course, I have taken all of the accountability for 
doing that. But, again, extremely cooperative with them.
    Then from an operational security standpoint we needed to 
keep the conversation with the perpetrator going in order to 
preserve that optionality of getting the de-encryption tool and 
anything else we might need in those early days before we even 
understood whether our back-up systems could be de-encrypted on 
our own and actually help us bring that pipeline back on by 
Wednesday, starting Wednesday of that following week.
    Mrs. Demings. Mr. Blount, thank you so much for that. You 
are absolutely correct, the FBI does not encourage that and 
there certainly is a reason for that. It, obviously, has turned 
out better than it could have, but still--I am still just 
trying to understand because I am thinking about, you know, one 
of the questions that was asked earlier is, you know, how are 
you working with other organizations, other corporations to 
make sure that they aren't attacked? You know, lessons learned 
from your attack. I am just a little curious about why you 
chose to not take the recommendation of the FBI in this 
particular case.
    You ultimately made the decision anyway and I think you 
knew you could always do that. But why did you decide not to 
take the recommendation of the FBI in the first place in this 
particular attack?
    Mr. Blount. Thank you, again, for asking that question. The 
FBI never recommended that we not pay. We know that their 
guidelines suggest that they don't encourage you to pay. Again, 
when you are responsible for moving 100 million gallons of fuel 
into the market every day and suddenly that stops, and you 
consider the potential dire consequences that I prefer not to 
get into publicly of not bringing--able to bring that pipeline 
on as quickly and safely as we did, think about what we would 
look like if we had not brought that pipeline on until the 
following weekend. Right? We serve a lot of airports. 
Obviously, we serve a lot of critical services like ambulances 
and things like that with those fuels.
    So, in those early hours of the morning, not knowing how 
quickly we could de-encrypt our own servers and things like 
that on our own, that was an option I had to avail myself of. 
Again, I----
    Mrs. Demings. Mr. Blount, thank you so much. Thank you so 
much for that. I just need to get this last question in and 
then you can answer.
    You know, it has been said, and I am a former law 
enforcement officer, and I have heard it said and kind-of 
witnessed it, that the private sector is not the partners in 
terms of cooperating with investigations involving law 
enforcement in situations like this. What role would you say 
Colonial played in the attack that occurred? How do you learn 
from that moving forward? In other words, what could you have 
done better to prevent this attack?
    Mr. Blount. Again, thank you for that question, 
Congresswoman. I think that, you know, if you look in hindsight 
we responded extremely well to what happened to us. You know, 
we heard the word out of the DOJ this week that we were an 
innocent victim. We continue to invest in IT, in cyber, and 
have and taken that seriously because we do understand the 
importance of our pipeline system when it comes to the American 
security and lifestyle and growth of the country. Right?
    In hindsight, I am extremely pleased with the transparency 
we have exhibited as a corporation, but, of course, it is not a 
surprise to me because that is the way I am and that is the way 
this company has been. We are very straightforward. We are 
going to tell you what is going on. We are going to share 
information along the way and you have seen a lot of press 
releases by me in the last month. Not anything I really like to 
do, but I want to share the information as it becomes 
available, including, you know, the statement we made about the 
VPN and the issue that we had with the VPN. A lot of companies 
wouldn't have admitted to that. Right? They would have just 
moved on, especially private companies.
    But, again, our role here is critical to the Nation and we 
are going to be very clear about what happened to us, so that 
it doesn't happen to someone else in the future.
    Mrs. Demings. Thank you, Mr. Blount. So, Chairman, I yield 
back. Thank you.
    Chairman Thompson. Thank you very much. The Chair 
recognizes the Vice Chair of the full committee, the gentleman 
from New York, Mr. Torres.
    Mr. Torres. Thank you, Mr. Chair. My first question is 
directed toward Mr. Carmakal. How would you rate the 
cybersecurity preparedness of the pipeline sector? Give me a 
letter grade.
    Mr. Carmakal. Congressman, again, sir, it is hard to make 
an assessment right now, but I would say, you know, there are 
certainly opportunities for improvement.
    Mr. Torres. Do you feel like it is satisfactory?
    Mr. Carmakal. I do believe that [inaudible] for the 
security of the sector.
    Mr. Torres. Do you advise your clients to pay a ransom?
    Mr. Carmakal. Look, Congressman, we don't tell our clients 
to pay or not to pay, but we do encourage them to have a very 
robust conversation about whether or not a payment should be 
made. We look at a number of different criteria, such as does 
the threat actor still have access to the environment? Could 
they potentially escalate their attacks? Have they stolen data 
from the organization? What is the actual impact to perhaps 
human lives or environmental conditions? Things like that.
    So, we encourage our clients to have a robust conversation, 
but we don't tell them one way or the other. It is up to them 
to make the decision to do it.
    Mr. Torres. Mr. Blount, what was the overall cost of the 
ransomware attack? By cost I am referring not only to the 
ransomware cost of disrupted service, the loss of revenue----
    Mr. Blount. Representative, we haven't been focused on the 
cost of the incident. We have been focused on the remediation 
of what took place. We were very focused on bringing the 
pipeline back as quickly as we could to help support the 
economy of the United States. Cost doesn't play into this. It 
is the reaction, the containing the threat, remediating, and 
restoring the pipeline system. The cost will play out over the 
next couple of years.
    Mr. Torres. You have no cost estimate?
    Mr. Blount. Excuse me, I didn't hear that. There was some 
interference.
    Mr. Torres. You have no cost estimate at all?
    Mr. Blount. Hasn't been our focus, Representative, no, sir.
    Mr. Torres. The decision to shut down the pipeline, the 
decision to pay the ransom, was that your decision or was it 
made pursuant to a company policy?
    Mr. Blount. Representative, at Colonial we have what is 
called stop work authority. It exists in a lot of companies 
around the world, certainly pipeline companies. Any employee 
that sees a risk and a threat has the ability to shut down the 
pipeline system. That is what occurred that morning. A 
controller saw the threat come in the form of the ransomware, 
communicated it to his supervisor, and the supervisor made a 
call to shut the pipeline down. It was the absolute right move 
to make. If the OT system had been compromised you potentially 
had a foreign actor having access to critical infrastructure. 
Absolutely right decision to make.
    Mr. Torres. So, my question is, if your operational systems 
were compromised, what are the nightmare scenarios that keep 
you up at night?
    Mr. Blount. Representative, that is every operator's worst-
case nightmare is having a third-party criminal element come 
into their system and take over their operation. We have seen 
that in some recent events, some waterworks that I heard, where 
they had the ability to change the chemical content of the 
water and things like that.
    Mr. Torres. I am asking in your opinion what is the 
nightmare scenario that keeps you up at night?
    Mr. Blount. Representative, I can't hear you. There is some 
glitch in the system.
    Mr. Torres. I am asking if your system had been 
compromised, your operational system, what would happen in the 
worst-case scenario that keeps you up at night?
    Mr. Blount. Representative, with all due respect, I don't 
think you want to play that out in the [inaudible] right now. 
Right? I think you could have some very dire consequences.
    Mr. Cleaver. Mr. Chairman? Mr. Chairman, I hate to 
interrupt, but at some point someone has to have a microphone 
on.
    Chairman Thompson. Yes. I think they heard you and perhaps 
they muted themselves.
    Mr. Torres. Should I proceed or----
    Chairman Thompson. Excuse me, Mr. Torres. Excuse me.
    Mr. Torres. Can I--OK, thank you. What sorts of issues 
should TSA consider with respect to [inaudible] you believe 
would help improve critical infrastructure [inaudible]?
    Chairman Thompson. The gentleman--excuse me for just a 
minute. We are really having some interference and I am not 
certain exactly what it is. Let me try one more time, Mr. 
Torres. OK, it might have been the gentleman from New York.
    Mr. Torres, we are going to let you try one more time.
    Mr. Torres. Can you hear me clearly or----
    Chairman Thompson. Much clearer.
    Mr. Torres. OK. Mr. Blount, did Colonial make the ransom 
payment or did an insurance provider do so on your behalf?
    Mr. Blount. A third-party negotiator made that payment.
    Mr. Torres. My understanding is that a company can seek a 
tax deduction for a ransom payment. Does your company intend to 
seek a tax deduction for the ransom payment?
    Mr. Blount. Senator, great question. I have no idea about 
that. I am not aware of that at all.
    Mr. Torres. What sorts of issues should TSA consider 
addressing in follow-on requirements beyond the security 
directive? Are there specific statutory or regulatory reforms 
you believe would help prevent a shutdown of critical 
infrastructure from occurring in the future?
    Mr. Blount. Representative, I think anything any 
Governmental entity can do in the form of communication and 
what they have available and how they can collaborate with 
private industry, including critical infrastructure, would be 
extremely important.
    Mr. Torres. Mr. Chair, if I can ask one more question or--
--
    Chairman Thompson. One more question. The gentleman is 
recognized.
    Mr. Torres. TSA's new security directive does require 
pipeline operators to assess their own compliance with TSA 
guidance and report back to TSA and CISA. However, it does not 
require pipeline operators to submit to inspections conducted 
by TSA itself. Would you support such a requirement? That will 
be my final question.
    Mr. Blount. Great question, Representative. We have 
cooperated with TSA in the past and there is no reason why we 
wouldn't cooperate with them now or in the future.
    Chairman Thompson. The gentleman's time has expired. Let me 
thank the witnesses for their testimony today. There are 2 
items I would like to make sure we get additional clarification 
on.
    Mr. Blount, a number of Members have questioned how much 
the FBI actually knew about the ransom payment. Could you 
indicate whether or not they have any involvement with the 
company on advising them one way or the other on the payment?
    Mr. Blount. Mr. Chairman, I would be glad to clarify that. 
No, they were not involved in that decision nor were they 
consulted about that decision. As far as how much they knew, 
they are the FBI. They could have known a lot more than they 
learned from us, but we did not have those conversations.
    Chairman Thompson. Well, no question about it. All right. 
Thank you very much.
    Second, Mr. Carmakal said that you did not need the 
decryption tool to reopen the pipeline, but you said you paid 
the ransom so you could get the pipeline back on-line. So, 
which is it?
    Mr. Blount. Mr. Chairman, it is actually both. I would 
suggest that Mr. Carmakal chime in on this after I finish.
    When you are there in the early hours of having your system 
and your servers and computers encrypted, you don't know what 
you have in front of you. You don't know how good your back-up 
systems are. What I have learned over the course of the last 
month is a lot of companies have back-up systems that don't 
help them at the end of the day.
    So, again, not knowing what the answer to that was for 
days, whether we could use our back-up systems to restore the 
Colonial Pipeline system back to service or not, we had to 
avail ourselves of any and every option that we had, one of 
which was the de-encryption tool. So, therefore, the ransom 
payment was made in order to get the tool.
    The tool was then brought in-house; Mandiant had the tool. 
While Mandiant was also working with the tool, they were 
working with our back-up systems, which, in this case, allowed 
us to bring the pipeline system back on.
    If our back-up systems had been corrupted and were never 
capable of being used, there was the potential that we would 
have to rebuild the entire system, which could have taken us a 
lot longer to bringing the pipeline back on before Wednesday of 
the following week. Again, critical, critical dire consequences 
could have come out of that.
    So, again, I availed myself of an option that in hindsight 
we didn't necessary need, but we wouldn't have known it for 
days, which would have just delayed our ability to start the 
system back up and bring 100 million gallons of fuel back into 
our country.
    Chairman Thompson. Thank you very much. Mr. Carmakal, is 
there anything you would like to add to that?
    Mr. Carmakal. Mr. Chairman, I agree with Mr. Blount that, 
you know, in the early days there were a lot that was unknown. 
You know, Mr. Blount wanted to have any option available to 
recover and to be able to turn the pipeline back on. So, I do 
believe that there were a number of options and, you know, 
having those options available certainly helped with the more 
expedited recovery of the pipeline.
    Chairman Thompson. Thank you very much. Let me thank the 
witnesses for their testimony and the Members for their 
questions.
    Members of the committee may have additional questions for 
the witnesses and we ask that you respond expeditiously in 
writing to those questions. The Chair reminds Members that the 
committee record will remain open for 10 business days.
    Without objection, the committee stands adjourned.
    [Whereupon, at 2:36 p.m., the committee was adjourned.]

                                 [all]