[Senate Hearing 117-429]
[From the U.S. Government Publishing Office]




                                                        S. Hrg. 117-429
                  THREATS TO CRITICAL INFRASTRUCTURE:
              EXAMINING THE COLONIAL PIPELINE CYBERATTACK

=======================================================================



                                HEARING

                               before the

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                     ONE HUNDRED SIXTEENTH CONGRESS


                             FIRST SESSION

                               __________

                              JUNE 8, 2021

                               __________

        Available via the World Wide Web: http://www.govinfo.gov

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs
        
	
	
		[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
	
	
		
		
	
	 	     U.S. GOVERNMENT PUBLISHING OFFICE
	
46-569 			    WASHINGTON : 2022
        
        

        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware           ROB PORTMAN, Ohio
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona              RAND PAUL, Kentucky
JACKY ROSEN, Nevada                  JAMES LANKFORD, Oklahoma
ALEX PADILLA, California             MITT ROMNEY, Utah
JON OSSOFF, Georgia                  RICK SCOTT, Florida
                                     JOSH HAWLEY, Missouri

                   David M. Weinberg, Staff Director
                    Zachary I. Schram, Chief Counsel
         Christopher J. Mulkins, Director of Homeland Security
              Jeffrey Rothblum, Professional Staff Member
                Pamela Thiessen, Minority Staff Director
    Andrew Dockham, Minority Chief Counsel and Deputy Staff Director
            Cara Mumford, Minority Professional Staff Member
           Patrick T. Warren, Minority Investigative Counsel
           William H.W. McKenna, Minority Chief Investigator
                     Laura W. Kilbride, Chief Clerk
                     Thomas J. Spino, Hearing Clerk

                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Peters...............................................     1
    Senator Portman..............................................     2
    Senator Carper...............................................    12
    Senator Johnson..............................................    14
    Senator Hassan...............................................    17
    Senator Lankford.............................................    19
    Senator Rosen................................................    22
    Senator Hawley...............................................    24
    Senator Ossoff...............................................    27
Prepared statements:
    Senator Peters...............................................    33
    Senator Portman..............................................    35

                               WITNESSES
                         Tuesday, June 8, 2021

Joseph Blount, President and Chief Executive Officer, Colonial 
  Pipeline Company
    Testimony....................................................     5
    Prepared statement...........................................    38

                                APPENDIX

Responses to post-hearing questions for the Record:
    Mr. Blount...................................................    43

 
                  THREATS TO CRITICAL INFRASTRUCTURE:



              EXAMINING THE COLONIAL PIPELINE CYBERATTACK

                              ----------                              


                         TUESDAY, JUNE 8, 2021

                                     U.S. Senate,  
                           Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:04 a.m., via 
Webex and in room SD-342, Dirksen Senate Office Building, Hon. 
Gary C. Peters, Chairman of the Committee, presiding.
    Present: Senators Peters, Carper, Hassan, Sinema, Rosen, 
Padilla, Ossoff, Portman, Johnson, Lankford, Romney, Scott, and 
Hawley.

            OPENING STATEMENT OF CHAIRMAN PETERS\1\

    Chairman Peters. The Committee will come to order.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Peters appear in the Appendix 
on page 33.
---------------------------------------------------------------------------
    Mr. Blount, welcome to the Committee, and thank you for 
joining us for this important discussion on the harmful cyber 
attack against your company, Colonial Pipeline, and how we can 
work together to strengthen our coordination and response to 
this very serious cybersecurity incident.
    When Colonial Pipeline was forced to shut down operations 
last month due to a ransomware attack, millions of Americans up 
and down the East Coast had their lives disrupted by gas 
shortages and price increases. In the weeks since your company 
was struck, we have seen a series of other attacks on 
everything from our transportation networks to meatpacking 
centers.
    Just today we learned of additional intrusions into 
Internet platforms. Those private sector strikes follow 
especially damaging attacks on our Federal Government, 
including the extensive SolarWinds hack earlier this year.
    While the objectives of these attacks differ, they all 
demonstrate that bad actors, whether criminal organizations or 
foreign governments, are always looking to exploit the weakest 
link, infiltrate networks, steal information, and disrupt 
American life.
    Mr. Blount, I am glad your company continues to recover 
from this malicious attack and that the Federal Bureau of 
Investigation (FBI) was able to recover millions of dollars in 
ransom paid. But I am alarmed that this breach ever occurred in 
the first place and that communities from Texas to New York 
suffered as a result.
    I appreciate that you have joined us today to provide 
answers to the Committee and the American people on how a group 
of criminals was able to infiltrate your networks, steal nearly 
100 gigabytes (GB) of data in two hours, and then lock your 
systems with ransomware to demand payment. I am also looking 
forward to hearing an update on your progress to recover from 
this serious breach.
    Private entities, especially those that are critical to our 
Nation's infrastructure, are responsible for assessing their 
individual risk and investing in the technology to prevent 
breaches and to ensure that they can continue to provide 
service to customers who rely on them for basic necessities 
like fuel.
    At the same time, the Federal Government must develop a 
comprehensive, all-of-government approach to not only defend 
against cyber attacks, but punish foreign adversaries who 
continue to perpetrate them or harbor criminal organizations 
that target American systems.
    This approach requires bolstering our defenses and using 
the full might of our diplomatic, military, and intelligence 
capabilities.
    We must also ensure private entities like Colonial are 
providing the Federal Government with timely and relevant 
information in the event of a major incident. We need Federal 
agencies charged with cybersecurity like the Department of 
Homeland Security (DHS) and the Cybersecurity and 
Infrastructure Security Agency (CISA)to understand the extent 
of these attacks and how best to support victims.
    Make no mistake. If we do not step up our cybersecurity 
readiness, the consequences will be severe. The ransomware 
attack on Colonial Pipeline affected millions of Americans. The 
next time an incident like this happens, unfortunately, it 
could be even worse.
    As Chairman of this Committee, I am committed to 
prioritizing policies that will help secure our critical 
infrastructure networks, including in the proposed 
infrastructure package Congress is now negotiating.
    Protecting the American people from these sophisticated, 
harmful, and growing attacks will not be easy. We must learn 
from our past mistakes, find out what went wrong, and work 
together to tackle this enormous challenge. Inaction, however, 
is simply not an option.
    With that, I will turn it over to Ranking Member Portman 
for your opening remarks.

            OPENING STATEMENT OF SENATOR PORTMAN\1\

    Senator Portman. Thank you, Mr. Chairman. Mr. Blount, thank 
you for being here today. We are going to get into some tough 
questioning, and, unfortunately, what happened to your company 
is not an isolated incident.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Portman appears in the 
Appendix on page 35.
---------------------------------------------------------------------------
    We have had some good bipartisan work over the years to 
improve cybersecurity on this Committee with you, Senator 
Peters, with you, Senator Johnson, and others. Let us face it, 
there is a lot more to do. What happened with regard to 
Colonial Pipeline is one example. This is about ransomware 
attacks on critical infrastructure, and that is the topic of 
the hearing broadly today. This paralyzes a company by locking 
its computer systems, holding its data and operations hostage 
until ransom paid.
    Interestingly, these ransoms are not on the company itself, 
typically. Increasingly, the hackers also pursue a two-pronged 
ransom approach where they download and threaten to release 
sensitive victim data so individuals, say your customers, may 
also have been subject to ransomware.
    There seems to be a new ransomware attack every week. We 
are going to hear today again about Colonial Pipeline and some 
of the details there, but no entity, public or private, is safe 
from these attacks. Last week, we learned that ransomware shut 
down the world's largest meat processor, JBS, including nine 
beef plants in the United States. Both the Colonial Pipeline 
attack and JBS attacks were attributed to a Russian criminal 
organization, by the way.
    Just this morning, news broke that a constituent outreach 
services platform that nearly 60 offices in the U.S. Congress, 
the House of Representatives, uses was hit with a ransomware 
attack. As I have said before, no one is safe from these 
attacks, including us.
    I hope that we will cover four specific areas here today. 
One is we have to understand that these attacks have real-world 
consequences. On May 7th, Colonial Pipeline learned they 
suffered a ransomware attack impacting their information 
technology (IT), systems by this Russian-based criminal group 
called ``DarkSide.'' Recent news reports indicate that hackers 
accessed the Colonial system through a compromised password of 
a virtual private network (VPN) account. This account did not 
use multifactor authentication (MAF), which is a very basic 
cybersecurity best practice. We will talk more about that and 
why they did not. This easily allowed the hackers to gain 
access.
    Colonial moved quickly to disconnect their operational 
system to prevent hackers from moving laterally and accessing 
those systems. That, of course, although an appropriate 
response to a cyber attack made Colonial's critical pipelines 
unusable, and that was a huge problem. So real-world 
consequences, 45 percent of the East Coast fuel was coming from 
Colonial. With operations shut down, people across the East 
Coast bought fuel in a panic, unsure how long the shortage 
would last. A lot of service stations ran out of fuel 
altogether, so people could not get gas, could not get to work. 
Of course, prices skyrocketed. Again, real-world consequences.
    Second, I hope today we will talk about how this shows the 
difficult decision ransomware victims face. Should they pay the 
ransom or not? The U.S. Government has a position on this. Both 
CISA at the Department of Homeland Security and the FBI 
strongly recommend organizations do not pay ransoms. Why? 
Because paying ransoms rewards ransomware hackers. If no one 
paid ransoms, criminals would have little incentive to engage 
in ransomware attacks. Even if an entity pays, there is no 
guarantee that the hackers will give them the decryption key or 
not strike again, and we will talk more about that, too, in 
terms of this incident.
    However, organizations obviously have to weigh these 
consequences against keeping the operations offline, in this 
case limiting 45 percent of the East Coast fuel supply. 
Colonial Pipeline paid DarkSide a ransom, we are told, of 75 
bitcoins worth over $4 million at the time. Yesterday the good 
news is the Department of Justice (DOJ) announced the recovery 
of 63.7 of those bitcoins, but DOJ will not be able to recover 
those ransom payments in other cases. We will talk more about 
that and how they did it and what that means.
    I appreciate Mr. Blount's transparency in acknowledging 
that his company paid the $4.4 million in ransom. I hope today 
we can explore the reasons for that decision.
    Third, this attack demonstrates the gaps in information 
sharing between these impacted organizations and the Federal 
Government. Last month, Brandon Wales was before us in that 
very seat. He is the Acting Director of CISA. He testified in 
response to one of my questions that he did not think Colonial 
Pipeline would have contacted CISA at all if the FBI did not 
bring it to them. CISA's authorities allow the agency to engage 
on a voluntary basis when requested by an affected 
organization, and CISA has the Federal Government's best 
practices as to how to deal with these cyber attacks, and it 
was set up at the Department of Homeland Security for that 
purpose.
    While I think that CISA being able to engage is the right 
approach, they must have relevant information to be able to 
share it among other critical infrastructure owners and 
operators who may be similarly targeted. We have to get them 
that information, and there is a gap now.
    Finally, we have to recognize these ransomware attacks for 
what they are. It is a serious national security threat. 
Attacks against critical infrastructure are not just attacks on 
companies. They are attacks on our country itself. When 
DarkSide attacked Colonial Pipeline, it was not a company that 
was affected. Americans across the East Coast felt the squeeze 
at fuel pumps when Colonial shut off nearly 50 percent of the 
fuel supply.
    The criminals conducting these attacks often operate with 
at least the tacit acceptance and approval of the foreign 
governments they operate out of. The U.S. Government needs to 
take stronger steps to hold these countries like Russia 
accountable. At the upcoming summit with President Putin and 
President Biden, one would hope that this is going to be at the 
top of the agenda.
    Ransomware attacks will continue to plague U.S. companies 
and critical infrastructure. As the Committee of jurisdiction 
over both cybersecurity and critical infrastructure security, 
we need to reevaluate how we defend against ransomware and 
identify solutions to mitigate the consequences of these 
attacks.
    Thank you, Mr. Chairman.
    Chairman Peters. Thank you, Senator Portman.
    Mr. Blount, it is the practice of the Homeland Security and 
Governmental Affairs Committee (HSGAC) to swear in witnesses, 
so if you will stand and raise your right hand, please. Do you 
swear that the testimony you will give before this Committee 
will be the truth, the whole truth, and nothing but the truth, 
so help you, God?
    Mr. Blount. I do.
    Chairman Peters. Thank you. You may be seated.
    Mr. Joseph Blount is the president and Chief Executive 
Officer (CEO) of Colonial Pipeline. He joined Colonial in 
October 2017 with more than three decades of experience in the 
energy industry. Mr. Blount previously served as CEO of Century 
Midstream LLC, a company which he co-founded. Mr. Blount has 
also spent 10 years with Unocal Corporation and ultimately 
served as president and chief operating officer (COO) of Unocal 
Midstream and Trade.
    Mr. Blount, welcome to the Committee. We look forward to 
your testimony and appreciate your willingness to answer our 
questions. You are recognized for your seven-minute opening 
statement.

 TESTIMONY OF JOSEPH BLOUNT,\1\ PRESIDENT AND CHIEF EXECUTIVE 
                   OFFICER, COLONIAL PIPELINE

    Mr. Blount. Chairman Peters, Ranking Member Portman, and 
Members of the Committee, my name is Joe Blount, and since 2017 
I have served as the president and CEO of Colonial Pipeline 
Company. Thank you for the opportunity to testify before the 
Committee today.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Blount appears in the Appendix on 
page 38.
---------------------------------------------------------------------------
    Since 1962, we have been shipping and transporting refined 
products to the market. Our pipeline system spans over 5,500 
miles and is one of the most complex pieces of energy 
infrastructure in America, if not the world. On any given day, 
we transport more than 100 million gallons of gasoline, diesel, 
jet fuel, and other refined products. Shipping that product 
safely and securely is what we do.
    The product we transport accounts for nearly half the fuel 
consumed on the East Coast, providing energy for more than 50 
million Americans. Americans rely on us to get fuel to the 
pump, but so do cities and local governments. We supply fuel 
for critical operations, such as airports, ambulances, and 
first responders.
    The safety and security of our pipeline system is something 
we take very seriously, and we always operate with the 
interests of our customers, shippers, and country first in 
mind.
    Just 1 month ago, we were the victims of a ransomware 
attack by a cyber criminal group, and that attack encrypted our 
IT systems. Although the investigation is still ongoing, we 
believe the attacker exploited the legacy VPN profile that was 
not intended to be in use.
    DarkSide demanded a financial payment in exchange for a key 
to unlock the impacted systems. We had cyber defenses in place, 
but the unfortunate reality is that those defenses were 
compromised.
    The attack forced us to make difficult choices in real time 
that no company ever wants to face, but I am proud of the way 
our people reacted quickly to isolate and contain the attack so 
that we could get the pipeline back up and running safely. I am 
also very grateful for the immediate and sustained support of 
law enforcement and Federal authorities, including the White 
House. We reached out to Federal authorities within hours of 
the attack, and they have continued to be true allies as we 
have worked to quickly and safely restore our operations. I 
especially want to thank the Department of Justice and the FBI 
for their leadership and the progress they announced earlier 
this week.
    I also want to express my gratitude to the employees at 
Colonial Pipeline and the American people for your actions and 
support as we responded to the attack and dealt with the 
disruption that it caused. We are deeply sorry for the impact 
that this attack had, but we are also heartened by the 
resilience of our country and of our company.
    Finally, I want to address two additional issues that I 
know are on your minds, and I am going to address them the only 
way I know how: directly and honestly.
    First, the ransom payment. I made the decision to pay, and 
I made the decision to keep the information about the payment 
as confidential as possible. It was the hardest decision I have 
made in my 39 years in the energy industry, and I know how 
critical our pipeline is to the country, and I put the 
interests of the country first.
    I kept the information closely held because we were 
concerned about operational safety and security, and we wanted 
to stay focused on getting the pipeline back up and running. I 
believe with all my heart it was the right choice to make, but 
I want to respect those who see this issue differently.
    I also now state publicly that we quietly and quickly 
worked with law enforcement in this matter from the start, 
which may have helped lead to the substantial recovery of funds 
announced by the DOJ this week.
    Second, we are further hardening our cyber defenses. We 
have rebuilt and restored our critical IT systems and are 
continuing to enhance our safeguards. But we are not where I 
want us to be. If our chief information officer (CIO) needs 
resources, she will get them.
    We have also brought in several of the world's leading 
experts to help us fully understand what happened and how we 
can continue, in partnership with you, to add defenses and 
resiliency to our networks. I especially want to thank 
Mandiant, Dragos, and Black Hills on the consultant side, in 
the White House, and all the government agencies who assisted 
us both with the criminal investigation and with the restart of 
the pipeline. We are already working to implement the recent 
guidance and directives on cybersecurity.
    Our forensic work continues, and we will learn more in the 
months ahead. I appreciate your support and look forward to our 
discussion today.
    Chairman Peters. Thank you, Mr. Blount.
    Mr. Blount, Colonial is one of hundreds of victims of 
ransomware attacks against our Nation's critical infrastructure 
this year. Would you think and would you agree with the 
statement that the Federal Government should be doing more to 
help companies like yours prevent cyber attacks?
    Mr. Blount. Thank you for that question, Mr. Chairman. 
First, I would like to state that as a private entity we know 
we have a responsibility as well. We are accountable for our 
defenses and our reaction to attacks like this. But I think if 
we look at the number of incidents that are taking place today 
throughout the world, let alone here in America, private 
industry alone cannot do everything, cannot solve the problem 
totally by themselves. The partnership between private and 
government is very important to fight this ongoing onslaught of 
cyber attacks around the world.
    Chairman Peters. CISA is the main Federal domestic 
cybersecurity agency, and it hosts the Pipeline Sector 
Coordinating Council (SCC) to help bring together the private 
sector and government in that partnership, as you mentioned, to 
identify and address security issues. Do you know if Colonial 
ever participated in these meetings or any other exercise or 
events that were hosted by CISA?
    Mr. Blount. Thank you for that question, Mr. Chairman. I 
know that CISA is a good organization, and I know that we 
maintain a lot of communication and contact with CISA and have 
historically between our CIO and representatives from CISA. 
Actually, I was somewhat disappointed when I heard that they 
felt like if we had not gone in and contacted them the first 
day with the FBI that we would not have contacted them 
separately. If you go back and look at the record and look at 
who we contacted throughout the event, we talked to every 
entity that could possibly help us get through the condition 
that we found ourselves in that day.
    Chairman Peters. Do you know if you participated in any of 
those meetings?
    Mr. Blount. Yes, Senator, we participate in every 
governmental opportunity that we have to do tabletop exercise, 
security screens, and things like that.
    Chairman Peters. You mentioned that you did not contact 
CISA directly. Why did Colonial Pipeline decide to forgo 
contacting or notifying CISA directly? What was the rationale 
for that?
    Mr. Blount. Thank you, Mr. Chairman. We contacted the FBI 
almost immediately that morning once we determined that we were 
under attack. In that conversation with the FBI that morning, 
they frankly said, ``We want to get on a phone call later 
today. We are going to bring CISA into the conversation.'' At 
that point we already knew the contact would be made there. We 
had a lot of governmental entities to respond to that day and 
call directly, and that was the most efficient means. We knew 
they would be in that meeting, and they were indeed in that 
meeting right after noon the day of the 7th.
    Chairman Peters. As you mentioned in your opening comments 
and you have reiterated here in answers to these questions, you 
have been working closely with the FBI, and I know you allowed 
Mandiant, the private security firm, which you also referenced 
in your opening, to share information with CISA, and that is 
happening now.
    Given those actions, I would suspect that you agree that 
you have a responsibility to protect other potential victims 
based on what you have learned. To what extent do you believe 
that responsibility extends?
    Mr. Blount. Thank you for that question, Mr. Chairman. We 
have been very transparent from the start. If you looked at who 
we contacted that day, we started with the FBI. Obviously, they 
included in the follow-up conversation. Then we started 
marching through all the ones that we normally would report to, 
whether it is the Federal Energy Regulatory Commission (FERC), 
Pipeline and Hazardous Materials Safety Administration (PHMSA), 
Department of Energy (DOE), et cetera, et cetera. What we found 
during that day was that we were allowed the conduit through 
DOE to talk to all these organizations on an ongoing basis, but 
through one central briefing.
    We found that the ability to have that conduit, to work on 
the supply side of the equation, and on the restoration side of 
the equation, with any number of governmental entities was 
extremely helpful to us. Then, of course, on the investigative 
side, we had the FBI and CISA working on that.
    For anybody that comes under an attack like this, what you 
cannot re-create is time and space and the ability to respond. 
The ability to have the conduit both on the investigative side 
as well as on the restoration and on the supply side was 
extremely helpful to Colonial Pipeline and our employees. It 
was an all-hands-on-deck situation that morning and throughout 
the event.
    Chairman Peters. Prior to the attack, I know you are not a 
technical expert, but it would have been helpful for you to get 
information about other potential attacks or other companies 
that may have been attacked with similar types of cyber 
incidents?
    Mr. Blount. Yes, Mr. Chairman. For example, we gave a lot 
of indications of compromise to the FBI and CISA during the 
days of the event, and I think what we saw as an industry is 
immediately that material was dispersed out, and in the case of 
the internet protocol (IP) addresses, I believe CISA actually 
posted those. And that was a means for us once again to 
efficiently communicate to our industry partners what was going 
on. In addition to that, go back to the first day when we were 
contacting people, we made initial contact with some of our 
industry trade groups to tell them what we could possibly tell 
them at that point in time. So we have been, once again, very 
open and transparent, hoping that everybody could not only be 
aware of the situation, but think about what they could do to 
help prevent that from occurring in their own company.
    Chairman Peters. That is all very encouraging to hear, and 
for the record, I am working on legislation right now to make 
sure that information is indeed being shared with CISA to get a 
better understanding of what is happening in ransomware, not 
just with your company but across the board.
    Reporting indicates and you have affirmed today that you 
made the decision to pay the ransom of $4.4 million. We are 
certainly happy to see that a portion of that is being 
recovered by the Department of Justice now. My question to you, 
though, is: Prior to making the decision to pay the ransom, had 
you consulted with anyone in the Federal Government on whether 
that would be an appropriate response?
    Mr. Blount. Thank you for that question, Mr. Chairman. It 
was our understanding that the decision was solely ours as a 
private company to make the decision about whether to pay or 
not to pay. Considering the consequences of potentially not 
bringing the pipeline back on as quickly as I possibly could, I 
chose the option to make the ransom payment in order to get all 
the tools necessary and the optionality of those tools to bring 
the pipeline on as quick as we possibly could, safely as well 
as securely.
    Chairman Peters. After you paid the ransom and received the 
key to unlock your systems, did that actually fix all of the 
problems? Where are you today? How long do you think it will 
take for you to be 100 percent?
    Mr. Blount. That is a great question, Mr. Chairman. Thank 
you for asking it. I think what a lot of people do not realize 
about cyber attacks and the repercussions of a cyber attack is 
it takes months and months and months, and in some cases, what 
we have heard from other companies that have been impacted, 
years to restore your systems. Our focus that first week was to 
restore the critical systems that we needed on the IT side in 
order to safely and securely bring our pipeline system back up. 
So that is what we focused on.
    An example would be this week we are bringing back online 
seven finance systems that we have not had since the morning of 
May 7th. Again, the remediation is ongoing, and, again, that is 
why you bring someone like a Mandiant in immediately, one, to 
help investigate the situation, but also to help restore what 
you have lost throughout the process.
    The keys are helpful, and we have used the keys, so they 
have been advantageous to us. But they are not perfect.
    Chairman Peters. I think that is important to remember. You 
get the keys, but you still have a problem for many months and 
a lot of work to do.
    Mr. Blount. Yes, sir, that is correct.
    Chairman Peters. It really illustrates the seriousness of 
what we are dealing with. Thank you for your answers.
    Ranking Member Portman, you are recognized for your 
questions.
    Senator Portman. Thank you, Mr. Chairman.
    Mr. Blount, you are a victim, and we understand that. And 
yet we are trying to provide oversight and even provide some 
new laws potentially to try to deal with this increasing and 
really dramatic issue of cyber attacks, and specifically today 
talking about ransomware. Let us clarify the record. You made 
your ransomware payment to the hackers on the day you 
discovered it. Is that correct?
    Mr. Blount. Ranking Member, thank you for that question. We 
did not. We made the decision that evening to negotiate with--
--
    Senator Portman. So that was the evening of May 7th?
    Mr. Blount. Yes, sir.
    Senator Portman. And so you did not make the payment until 
when?
    Mr. Blount. The payment was made the following day.
    Senator Portman. May 8th.
    Mr. Blount. Yes, sir.
    Senator Portman. And you indicated today that the FBI was 
in discussions with you on May 7th. Is that correct?
    Mr. Blount. Ranking Member Portman, that is correct. Yes, 
sir.
    Senator Portman. What did the FBI tell you? What did they 
advise you to do with regard to paying the ransom?
    Mr. Blount. Ranking Member Portman, I was not involved in 
those conversations with the FBI, but in discussions with my 
team, I do not believe the discussion about the ransom actually 
took place the first day, on May 7th. The focus more was on 
getting to the proper centers of expertise with the FBI. In 
this case, I believe it was the San Francisco office. We 
started with the Atlanta office in our notification. And then 
it was a function of starting--they already started to collect 
data from us, indications of compromise and----
    Senator Portman. So their official position is you should 
not pay ransoms, and yet they did not communicate that to you 
as far as you know?
    Mr. Blount. Ranking Member Portman, of course, I was not in 
that conversation. I cannot confirm or deny that. But I do 
agree that their position is they do not encourage the payment 
of ransom. It is a company decision to make.
    Senator Portman. Yes, and so you knew what their advice was 
going to be even if they did not provide it that day?
    Mr. Blount. Ranking Member Portman, yes, sir, we did.
    Senator Portman. OK. Did you talk to the Treasury 
Department's Office of Foreign Assets Control (OFAC)? This is 
the office that is charged with sanctions, and so if you are a 
sanctioned individual and you make a payment, as you know, 
there are potential violations of law. Did you contact Treasury 
Department's Office of Foreign Assets Control?
    Mr. Blount. Ranking Member Portman, the day that we decided 
to negotiate, we hired experts both on the legal side as well 
as on the negotiation side. We did not have any direct contact 
with DarkSide ourselves. I can assure you that everyone 
involved in that process continually went and fact-checked to 
make sure that this was not an OFAC-listed entity.
    Senator Portman. So you were in touch with OFAC to ensure 
you were not paying the ransom to a sanctioned entity or to a 
sanctioned individual?
    Mr. Blount. Ranking Member Portman, I was not involved in 
those conversations, and so I cannot attest to who actually 
talked to who. But I do know that repeatedly throughout the 
process the fact of whether DarkSide was on the sanctions list 
or not was fact-checked repeatedly.
    Senator Portman. OK. We may have some follow-up questions 
on that just to figure out what the relationship was there. 
Again, this is about looking forward, how do we avoid this 
situation where sanctioned individuals or entities are getting 
a ransom payment, which would be a violation of Federal law.
    The Wall Street Journal says that the decryption tool did 
not really work, so you paid the ransom, they give you the 
decryption tool to be able to undo the harm that they did. That 
is how it normally works. And yet the decryption tool was not 
effective. Is that correct?
    Mr. Blount. Ranking Member Portman, the encryption tool is 
an option that is made available to you, and when you are 
looking at bringing critical structure back up as quickly as 
you possibly can, you want to make every option available to 
you that you can. Mandiant can be the best one to answer about 
how important the encryption tool was restoring the critical 
options we needed within the first couple days.
    Senator Portman. Did the decryption tool work?
    Mr. Blount. It has worked, yes, sir.
    Senator Portman. The Wall Street Journal story was 
inaccurate, it was effective?
    Mr. Blount. Ranking Member Portman, I think that article 
came out pretty early on, so I would say that we know 
subsequently that the de-encryption tool actually does work to 
some degree. As I stated earlier, it is not a perfect tool.
    Senator Portman. OK. It was provided to you by the hackers, 
correct?
    Mr. Blount. Ranking Member Portman, yes, sir, that is 
correct.
    Senator Portman. OK. There are also news reports about how 
this happened. As I said in my opening statement, there was a 
compromised password of a virtual private network account. This 
account apparently did not use multifactor authentication, 
which, again, is kind of a basic cybersecurity hygiene item 
that, companies should have in place, making it harder for 
people to gain access. Prior to the attack, did your company 
require all employees to use multifactor authentication?
    Mr. Blount. Ranking Member Portman, in the case of this 
particular legacy VPN, it did only have single-factor 
authentication. It was a complicated password, so I want to be 
clear on that. It was not a ``Colonial 123'' type password. The 
investigation is ongoing by Mandiant to try to determine how 
that material was compromised. But in our normal operation, we 
use an RSA token allowance in order to create authentication 
difficulties for remote access.
    Senator Portman. Would your advice going forward be that 
multifactor authentication ought to be used?
    Mr. Blount. Ranking Member Portman, that is absolutely the 
correct advice.
    Senator Portman. The Transportation Security Administration 
(TSA) has given the industry a lot of leeway. Critical 
infrastructure and voluntary compliance has been the approach. 
They came out late last month, after your attack, with some new 
directives, and now there is a mandate that reporting cyber 
attacks must happen; they must go to CISA, which is, again, 
this group within the Department of Homeland Security, and then 
it will be shared with TSA. You have a designated cybersecurity 
coordinator within the company, and you have to review your 
current activities against their recommendations on cyber 
risks, identify gaps, and develop remediation measures. Do you 
support that?
    Mr. Blount. Ranking Member Portman, if you look at our 
actions starting on May 7th, we almost to the ``T'' duplicated 
what the new standards are, and we are in full compliance today 
as well.
    Senator Portman. I had mentioned earlier that, we have 
written legislation in this Committee over the years to try to 
deal with cybersecurity. Pretty much every member here today 
has been involved with that. As I said earlier, we obviously 
need to do more. The question is: With regard to critical 
infrastructure in particular, should there be more mandates? 
And now there is, and they have the authority to do this under 
a 2007 law, it appears. Now there is this mandate on reporting 
it, a mandate on having a coordinator. But, still, there is not 
a mandate saying that you have to do certain things in terms of 
best practices or good cyber hygiene. Do you think there should 
be additional requirements from TSA with regard to critical 
infrastructure?
    Mr. Blount. Ranking Member Portman, first I would like to 
thank you for your leadership on these issues in the past, but 
certainly on a go-forward basis, I think anything that can help 
industry have better security practices, standards to follow, 
would be extremely helpful, especially for the smaller 
companies that are in other industries as well as my industry, 
less sophisticated.
    Senator Portman. Thank you, Mr. Chairman.
    Chairman Peters. Thank you, Senator Portman.
    Senator Carper, you are recognized for your questions.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. Thanks, Mr. Chairman.
    Mr. Blount, thank you very much for joining us. The fact 
that you and your employees, your company, and those who have 
been certainly consumers that have been harmed by this, but we 
regret that. But if you had the opportunity to speak to other 
people, your counterparts in businesses around the country, 
maybe give them two or three words of advice to help them with 
this sort of thing, what would you say?
    Mr. Blount. Senator, that is a great question, and if I 
could boil it down to two or three words of advice, as you 
suggested, I would suggest that we certainly take a look at our 
defenses, and even though we felt comfortably historically that 
we are where we felt we needed to be to protect our assets, 
this threat grows every day. The sophistication of this threat 
grows every day. So let us make sure that we are keeping our 
eye on that.
    And then the other side of the equation is if you wind up 
in a situation like we found ourselves on May 7th, have an 
emergency response process that allows you to respond quickly 
and, most importantly, to be extremely transparent and to 
contact the authorities who indeed do have resources that 
potentially could help you through a very difficult process.
    Senator Carper. Thank you. Abraham Lincoln was once asked, 
``What is the role of government?'' And he responded, ``The 
role of government is to do for the people what they cannot do 
for themselves.'' With respect to one of the things--I have 
been on this Committee for about 20 years, and we have spent a 
lot of time trying to figure out what is the role of 
government, especially with respect to cybersecurity, but my 
question is: What do you believe the appropriate role for 
government is, should be, should have been? How do we measure 
up? What did we do well or what could we have done better?
    Mr. Blount. Senator, thank you for that question. 
Obviously, with the threat that we have in this country and 
around the world today, I think the private-public partnership 
is extremely important. We can do things as private industry to 
protect our facilities and assets and be safe cybersecurity-
wise. But there are things around the world that we obviously 
have no ability to participate, and that is pressure on foreign 
governments that harbor criminals and people like this, and 
that is where government comes into play.
    As a company that has been regulated for over 57 years, 
regulation is not foreign to us, and we think regulation can be 
healthy. And so we support anything that helps further protect 
these critical assets that we all rely upon for our daily life.
    Senator Carper. As I am sure you know, there are numerous 
government agencies that are involved in trying to secure 
critical infrastructure, all kinds of infrastructure, 
specifically pipelines. The Transportation Security 
Administration is in charge of Federal programs for pipeline 
security, but most people think of TSA as they are going to the 
airport, going through airport security, but they do a lot of 
other things, for the most part doing them, I think, very well. 
But the TSA works closely with the Department of 
Transportation's Pipeline and Hazardous Materials Safety 
Administration as well as folks at the Department of Energy and 
the Federal Energy Regulatory Commission. That is just a 
handful of government agencies that are working to secure our 
Nation's pipelines, and that type of coordination among 
agencies requires continued collaboration and communication.
    I have a two-part question for you, if I could. First, how 
frequently are you or your counterparts, your team members, how 
frequently are you in contact with these government agencies I 
mentioned above? Second, how has interagency coordination among 
these agencies strengthened or weakened pipeline security?
    Mr. Blount. Thank you for that question, Senator. We are in 
contact quite often with all the agencies that you mentioned. 
Again, as I noted, we are a regulated entity, and we know it is 
important to communicate what is going on across our pipeline 
system and with our operations, with all our governmental 
partners. And then there are a lot of entities within the 
government that do not regulate us, like CISA, up to May 7th, 
that we also have had constant communications going on.
    I know from my CIO's perspective, she does spend a lot of 
time with CISA, she does spend a lot of time with the TSA 
talking about what is going on in cyberspace and defenses and 
things like that. I will go back to May 7th, and what I saw as 
being most helpful for an operator that has been, subject to an 
attack is, again, that was critical for us to be able to have 
that one central conduit in the government, and in this case it 
was DOE, who allowed us to communicate everything that was 
going on at the time through one central conduit, although all 
the parties that you mentioned were sitting at that table--
virtually, of course, because of Coronavirus Disease (COVID)--
hearing material real time that could help them go about doing 
their job or potentially could go about helping the market 
resolve the issue that we saw. So we saw a lot of permitting 
changes allowing truck drivers to drive longer hours or 
allowing trucks to carry more fuel. That was the kind of 
coordination that we go through that central conduit that the 
White House gave us.
    Again, I am not saying one entity over the other. I am 
saying that the combination of all of them through that central 
conduit was extremely valuable to our response, extremely 
valuable to the American public to get as much fuel back into 
the system as we possibly could, and whether that is through 
deviations in regulations or things that allowed us to bring 
our pipeline on much sooner than perhaps it would have been.
    Senator Carper. Good. Maybe one other question. How quickly 
did your company reach out to the FBI?
    Mr. Blount. Senator, great question. We reached out to the 
FBI within hours.
    Senator Carper. What was the response?
    Mr. Blount. The response, Senator, was, ``We want to get 
you back on a phone call. We are going to bring CISA into the 
conversation, and we are going to start going through it.'' I 
think part of that was we called the Atlanta office, and in 
this particular case, they felt it was DarkSide, and the FBI 
has an office specifically dedicated--they call it a ``Center 
of Excellence''--for DarkSide, so their DarkSide experts, which 
are California based.
    Again, as early as we called in the morning--I mean, I know 
the FBI probably responds regardless of the hour of the day. It 
was pretty early in California when we made our call to the 
Atlanta office. But great response on the part of the FBI.
    Senator Carper. Good. How about the response from CISA? 
That will be my last question. How about the response from 
CISA?
    Mr. Blount. Senator, of course, I was not involved in those 
conversations, but what I saw as a result of CISA being 
involved in those conversations was the ability to take some of 
the forensic evidence that the FBI was comfortable seeing 
released to the public wind up in CISA notifications that would 
then help like companies and certainly a lot of pipeline 
companies take a look at IPS addresses and things like that 
that we had shared during that phone call and get that out in 
memo form to other operators. So great sharing of information 
on the part of CISA.
    Senator Carper. Good. Thanks very much for joining us. Good 
luck.
    Mr. Blount. Thank you, sir.
    Chairman Peters. Thank you, Senator Carper.
    Senator Johnson, you are recognized for your questions.

              OPENING STATEMENT OF SENATOR JOHNSON

    Senator Johnson. Thank you, Mr. Chairman.
    I want to start out by again emphasizing and pointing out 
that you were the victim of a crime. You are not the bad guy 
here, and I appreciate my colleagues pretty well acknowledged 
that as well. I think that has been reflected in the line of 
questioning.
    I want to, because a lot of people do Monday morning 
quarterbacking and it is easy for Federal agencies to say, 
``No, do not pay ransoms because it just encourages more.'' But 
I just kind of want you to for the record lay out how much 
worse could it have been had you not made that very difficult 
decision to kind of bite the bullet so that you could get your 
pipelines back up and operational?
    Mr. Blount. Senator, first, thank you for your kind words, 
and thank you for your question as well. That is an unknown we 
probably do not want to know, and it may be an unknown that we 
do not want to play out in a public forum. But if you start to 
look at the fact that it took us from Friday all the way to 
Wednesday afternoon the following, and we already started to 
see pandemonium going on in the markets, people doing unsafe 
things, like filling garbage bags full of gasoline or people 
fist-fighting in line at the fuel pump. The second would be 
what would happen if it had stretched on beyond that amount of 
time, right? What would happen at the airports where we supply 
a lot of jet fuel, let alone what might happen at the gas pump?
    My concern the first day was more to the first responders 
and the ambulances and the things that we count on in 
emergencies beyond our own current energy. That was my concern 
that first day. Again, our focus and our team's focus, 
regardless of what type of threat we see, is to identify the 
threat, contain the threat, remediate, and restore. And that 
goes beyond just an incident like that. That is about anything 
that we see is unsafe, and that is why the call that morning by 
that controller, the supervisor of the control room, to shut 
the pipeline down was so critical.
    Senator Johnson. I think that is an appropriate response, 
and I will leave it to people's imagination, but I want people 
thinking about that as well.
    Mr. Blount. Yes, sir.
    Senator Johnson. Cyberattacks are an ongoing problem. There 
is no easy solution. As you say in your testimony, the 
criminals are on the offense, and they have a huge advantage. 
And it does not take much in terms of vulnerability--no matter 
how strong your IT systems are, your cybersecurity systems are, 
there are vulnerabilities, and they get exploited, and they are 
becoming more and more susceptible to this.
    In terms of government versus private sector, from my 
standpoint I think CISA is very valuable from the standpoint of 
sharing information preemptively, trying to stop some of these 
things. We have heard in testimony that 90 percent of these 
attacks can be prevented just by basic cyber hygiene. It 
certainly sounds like you had pretty sophisticated cyber 
hygiene, although obviously vulnerabilities.
    The Federal Government can hold nation-states accountable 
that are allowing these cyber attackers to operate on their 
foreign soil and then, of course, hold them accountable when 
something happens, but also help in recovery and law 
enforcement.
    I am not convinced that the Federal Government is going to 
be particularly effective at issuing standards and keeping them 
up-to-date. I really look to the private sector being far more 
nimble at that.
    One of the processes I proposed is using a private sector 
model like an International Organization for Standardization 
(ISO) certification. I imagine you go through something like 
that. I did. You have six-month surveillance audits. You tie 
that to the insurance system as well where your rates are based 
on how good you achieve the standards. That is a system that 
will be as nimble as the private sector can be, as up-to-date, 
be able to employ the absolute best cybersecurity experts, 
which is one of the problems with the government. I am not--
again, it is just a problem. Government cannot pay to retain 
the absolute best talent across the board.
    I just kind of want your thoughts on that type of 
framework, public versus private.
    Mr. Blount. Senator, thank you, and I think those are all 
very good thoughts. I think, again, we have an obligation as a 
private entity to make sure that our systems are as capable as 
they possibly can be, and we have a responsibility to continue 
to look at those systems because, as we all know, the threat 
continues to evolve. The sophistication of the players 
continues to evolve. Their ability to compromise systems 
continually evolves. I think in combination with the 
government, together combined we have a much better ability as 
Americans to thwart the threat of cyber attacks, and I think 
that, again, we both have a responsibility. You shared the 
concept of private industry cannot do things to foreign 
governments, cannot put pressure on foreign governments. That 
is extremely important here if we look at where these criminals 
are housed, right? Something needs to be done there.
    Again, I think that private-public partnership is very 
valuable, but we certainly know we have responsibilities and 
accountability as well.
    Senator Johnson. Again, I am concerned about the 
government's, A, capability of establishing the standards, 
then, again, penalizing businesses for being victims of crime, 
if you do not meet their probably in many cases out-of-date 
standards. I would proceed down that line with caution.
    Just real quick, were you a member of an Information 
Sharing and Analysis Center (ISAC), for your industry?
    Mr. Blount. Senator, I do not actually know the answer to 
that. If I can get back to you on----
    Senator Johnson. OK. I would appreciate it.
    Then the final question I have is: In our briefing and news 
reports, it was not just the shutdown, the ransomware. But 
prior to them shutting you down, they extracted all kinds of 
data that apparently they tend to reveal or not reveal. Can you 
describe that if possible? Because I am--``intrigued'' is maybe 
the wrong word, but I thought that was quite interesting. Do 
you have any assurances--did you get that data back? Was that 
part of the ransom deal that that will not be disclosed? And 
can you tell us what kind of data they are talking about, why 
that would even be valuable for them or hurtful for that to be 
disclosed?
    Mr. Blount. Senator, very important question. As part of 
the ransomware note, they tell you that they have encrypted 
information, that they have exfiltrated information, so we knew 
that they had exfiltrated information. We worked very closely 
with the FBI on that, and the FBI is probably the best entity 
to respond to that since they are still, investigating the 
situation and getting closer, apparently, at least we hope, to 
the perpetrators themselves.
    Senator Johnson. Would that be personal information from 
your employees that would be valuable or just trade secrets? I 
mean, you are a public company so the financial information is 
available. I am just kind of wondering what threat that 
represents to your entity or to your employees?
    Mr. Blount. Senator, what we know about that material right 
now is it was exfiltrated off the share drive, so it contains a 
lot of different type of material. The good news is it was 
retrieved very quickly. It was brought back in. Again, I think 
the FBI can talk a little bit more about that than I feel 
comfortable right now because of their investigation.
    Senator Johnson. OK.
    Mr. Blount. But, again, the fact that it was retrieved very 
quickly is helpful. We do not fully understand everything that 
is in it because of where it has been held since it was 
retrieved. But we have people obviously involved in the 
combined process who have been looking very closely at that 
data.
    Senator Johnson. OK. Listen, I appreciate you coming in 
here and being as forthright as you have become, so thank you.
    Mr. Blount. Thank you, Senator.
    Chairman Peters. Thank you, Senator Johnson.
    Senator Hassan, you are recognized for your questions.

              OPENING STATEMENT OF SENATOR HASSAN

    Senator Hassan. Thank you, Chair Peters, and thank you, 
Ranking Member Portman, for this hearing today. Thank you, Mr. 
Blount, for being willing to come before the Committee today.
    Cybersecurity is a collaborative effort, to be sure, and we 
need to work together to strengthen public and private cyber 
defenses.
    Mr. Blount, I was glad to see that U.S. authorities were 
able to deprive hackers of millions of dollars in expected 
ransom. However, I want to better understand your decision to 
pay the ransom, and I understand it was a difficult decision.
    As you have already discussed, the FBI and other Federal 
agencies strongly discourage paying ransom because it 
incentivizes more people to become cyber criminals and to 
develop better ransomware tools.
    When you decided to pay the ransom, did you know how much 
of your network was affected at the time?
    Mr. Blount. Thank you for that question and good morning 
again.
    Senator Hassan. Good morning.
    Mr. Blount. No, we did not, and I think that is what a lot 
of people do not understand in these incidents, these attacks. 
It takes you days, basically, to see into your system that has 
been corrupted as to what you have, what has potentially been 
exfiltrated. In the case of Colonial, we had really good 
backups, is what I have been told by Mandiant. But it still 
took them days to get through those backups. When we look at 
our response time and ability to bring the system back up, it 
was fairly good in reality. My concern was you do not have that 
view at all for days, and when you have a critical asset like 
this, you have to focus on what is the best opportunity of 
options you have in front of you to take avail of, and in that 
case it was to get the encryption tool and to get our 
information back.
    Senator Hassan. OK. I wanted to follow up. You mentioned 
the Federal agencies that you reached out to, but what, if any, 
outside of those agencies, non-Federal entities did you consult 
with? Were there private firms that you consulted with?
    Mr. Blount. Yes, Senator, great question. Obviously, we 
talked to Mandiant.
    Senator Hassan. Yes.
    Mr. Blount. We talked to Mandiant about that. We talked to 
our legal resources that have been involved in any number of 
cyber cases in the United States over the last couple years, 
people that have had real-time experience with these criminals 
as well as the specific science of cyber attacks and 
compromise. So, yes, a lot of conversation went into that 
decision that I made to negotiate.
    Senator Hassan. OK. Did you have a cybersecurity response 
plan in place prior to the attack? If so, did it include any 
guidance about paying a ransom?
    Mr. Blount. Senator, great question. What we have as a 
pipeline operator--and it would not be unique necessarily to us 
at Colonial--is we have an emergency response process.
    Senator Hassan. Right.
    Mr. Blount. Again, I said earlier this morning, see the 
threat, contain the threat, remediate the threat, and restore. 
So in this case, you use the same process, but you use a 
different set of experts. So in this case, we reached out 
immediately to the FBI because it was criminal.
    Senator Hassan. Right.
    Mr. Blount. We immediately reached out to legal resources 
that have dealt with this. We immediately reached out to 
Mandiant.
    Senator Hassan. Right, but my question is: In your 
planning, did you have a plan for cybersecurity response that 
included guidance about ransomware?
    Mr. Blount. Senator, specifically no discussion about 
ransom and action to ransom.
    Senator Hassan. Did your team do tabletop drills, for 
instance, to go through an actual simulated cyber attack before 
this happened?
    Mr. Blount. Senator, yes, we do participate in those with 
various groups, as well as do them on our own at Colonial.
    Senator Hassan. OK. Some private sector companies can focus 
strictly on economics and perform traditional cost-benefit 
analyses without having to consider national security concerns. 
However, owners and operators of critical infrastructure--and I 
appreciate your comments this morning acknowledging that 
Colonial oversees critical infrastructure. That carries a 
heightened obligation and duty to be capable of delivering 
goods and services to citizens in this case all up and down the 
East Coast.
    Mr. Blount, Colonial Pipeline surely performed some number 
of cost-benefit analyses regarding the operation of its 
pipeline to determine how much to spend on pipeline hardware, 
personnel, and even cybersecurity. Did any of your analyses 
incorporate any public responsibility factors, such as the 
impact of a potential cyber attack on consumers or on the U.S. 
economy?
    Mr. Blount. Senator, that is a great question. I would not 
say that we approached it that way. We know our No. 1 goal at 
Colonial is to safely and securely operate that pipeline, 
because we have known for 57 years the importance of that 
pipeline to the well-being of the American citizen. So that has 
always been our focus. Our investment, whether it is in 
pipeline integrity or whether it is in cyberware and IT, is all 
derived around keeping safe and protecting the asset because of 
what its main benefit is to the United States.
    Senator Hassan. OK. I understand that, and I appreciate 
that answer. But, as you have had conversations with other 
Senators this morning, you have mentioned that you did not have 
two-step authentication in place. You have mentioned a legacy 
VPN which, in my understanding, means it was a pretty old VPN. 
I do not think it is acceptable to understand the critical 
nature of your product, but then not really have the 
preparation and the system in place to protect it as if it is 
critical infrastructure. You really do have an obligation to 
U.S. communities that you serve and to consumers and to our 
national security, so I am concerned that it does not seem to 
have been a formal factor in your analysis of how much to 
strengthen your systems.
    Mr. Blount. Senator, we take cybersecurity very seriously. 
I did reference earlier that the VPN was a legacy VPN----
    Senator Hassan. Yes.
    Mr. Blount [continuing]. That we could not see and it did 
not show up in any pen testing, that is unfortunate. But, 
again, the safety and the security of the system is highly 
critical. We have never had our board deny us any funds 
associated with safety and security, whether it is on the IT 
side or the physical side of the pipe. If my CIO wants funds, 
she gets them.
    Senator Hassan. OK. I would just--and this is an issue that 
I think we are seeing across the board on cyber. We need to 
start imagining what can happen and respond accordingly as 
opposed to always be looking at what the last problem was and 
really investing, and for critical infrastructure, I think it 
is absolutely important that we have standards that really make 
sure that companies are investing in the kind of infrastructure 
they need.
    I have another question. I am running out of time, so I 
will submit it for the record.\1\ But I really would like to 
get your thoughts about what kind of public-private information 
sharing needs to happen, between and among whom, and at what 
level, because I think that is another important piece to this 
whole issue.
---------------------------------------------------------------------------
    \1\ The question of Senator Hassan appears in the Appendix on page 
43.
---------------------------------------------------------------------------
    Thank you very much for being here this morning.
    Thank you, Mr. Chair.
    Chairman Peters. Thank you, Senator Hassan, for your 
questions.
    The Chair recognizes Senator Lankford for your questions.

             OPENING STATEMENT OF SENATOR LANKFORD

    Senator Lankford. Thank you, Mr. Chairman.
    Mr. Blount, thanks for being here. There is no CEO in 
America that wants to be sitting in the same chair you are 
sitting in right now, to be able to go through all this. You 
are a month past a major attack. Obviously, there is a lot of 
work that you are going through.
    Can I back up for Colonial? When is the last time that the 
Colonial Pipeline was down and not providing fuel to the East 
Coast?
    Mr. Blount. Senator, that is a great question. That 
pipeline has never been down completely with the exception of--
and I learned that just this week--over the couple hours of 
Y2K, and we can all appreciate going back in time that we were 
all concerned about the clock back then. Periodically from time 
to time we will have a portion of the system down during a 
hurricane event or something like that, but never the entire 
system at one time, and never for, obviously, that duration of 
time.
    Senator Lankford. I think we as Americans get so used to 
going to the gas pump and filling up with refined products. 
Every one of us has landed at Charlotte airport and Jet A has 
been added to our plane as we change planes there. We get so 
used to that, we lost track of some of these things.
    I want to ask a couple of things here. You had to do a 
physical inspection and a cyber inspection of this pipeline or 
just going through the digital portion of it, or physical 
inspection as well?
    Mr. Blount. Great question. So in the early hours of May 
7th, we did not know exactly what we had. We had the 
ransomware. But, again, we are always concerned about the 
security of the pipeline, and you may have read in the press--
and it is a factual statement. We drove over 29,000 miles of 
the pipeline, and, again, remember it is only a 5,500-mile 
pipeline. So we had constant ground surveillance. In addition, 
we also fly the pipeline--it is a PHMSA regulation that we fly 
the pipeline. We fly in excess of that regulation on a normal 
basis, and on top of that even doubled up our efforts during 
this point in time. Again, we did not know that it was just a 
cyber attack. We had to make sure that it was not potentially 
an attack on our physical structure as well.
    Senator Lankford. So that was completed? There was no other 
physical damage that you could identify?
    Mr. Blount. That is correct, Senator. We did not see 
anything. We did keep an eye, obviously, on the pipeline. Just 
so you are aware, we kept the pipeline under pressure, and that 
would allow us to bring the pipeline up much quicker. So we had 
people manually in the field looking at gauges, the old-school 
way of watching pipeline pressures, to make sure that we were 
in compliance with all the regulations, regardless of the 
attack and what happened in the shutdown.
    Senator Lankford. I said to several people that I have 
talked to in the last month, when we saw suddenly gas lines 
appearing and a pipeline go down at this point, that everyone 
learned the importance of pipelines. If I rewind two months 
before that, all the conversation was about, slowing down 
permitting new pipelines, maybe we are not going to do 
pipelines at all, make it harder to be able to do maintenance 
on Federal lands on pipelines. Two months ago, the conversation 
was, well, maybe we need fewer pipelines, and maybe we need to 
make this harder to be able to develop new pipelines--
obviously, Keystone Pipeline was in the news--to say we are 
just not going to do that at all. And so products coming out of 
Canada and out of Montana are just going to have to find trucks 
and trains to be able to get there.
    I am not going to ask you this same question because that 
is not going to be fair to you, but I have told a lot of folks 
what we watched happen with a sudden shutdown of a pipeline is 
the ghost of Christmas Future for the entire country if we do 
not continue to maintain our pipelines, increase capacity of 
pipelines, if we do not continue to expand and have duplication 
of pipelines in spots, to be able to make sure we have 
redundancy for this. Pipelines are essential to America. The 
2.5 million miles of pipelines that we have scattered around 
the country, we lost track of how incredibly important they 
are.
    I am grateful that your company has had such a good 
reputation. This is terrible to be a victim of a ransomware 
attack. There is something that you have that every CEO in 
America would like to hear, and that is, what are the lessons 
learned on cyber issues that you have already identified, 
obviously your team has taken on? The No. 1 has already come 
out, looking for legacy entries into your system that do not 
have two-factor authentication on it. What else has been 
identified that you need to be able to take and pass on to 
others?
    Mr. Blount. Thank you for your question. Again, I think the 
most important thing is to not be complacent about what you 
have because of the pace of change on the outside, from the 
criminal side. And then secondary to that, but equally as 
important, is the ability to have an emergency response process 
in place. If we had not been trained for the last 57 years to 
respond to any threat, whatever that threat is--it is an 
extension cord on the ground that has not been taped down that 
someone might trip over and hurt themselves--if we had not been 
trained like that and our employees had not been trained like 
that, who knows how many days it potentially could have taken 
to bring the asset back online? We know the importance of the 
asset. We are dedicated to the American public as a result of 
all the training and everything that we have done through the 
years to make sure that we have the fuel that we need.
    Senator Lankford. Backing up systems, clearing unused 
accountable, guarding data in other ways. Are there other 
things that you would mention to say these are lessons that are 
going to be important for the future? Obviously, there was a 
gap, a single area, a single vulnerability. Other lessons you 
would mention?
    Mr. Blount. Thank you, Senator. I think from a proactive 
standpoint, you have seen now where we brought Mandiant in to 
investigate as well as to restore and start to harden our 
systems. But we have talked a lot about standards in this room 
today, and so we have also brought Dragos in and Black Hills 
in, and people may ask why, is that overkill? I would say I do 
not think so because what we want to make sure is we get the 
best out of each one of those experts. They all have a specific 
skill. Dragos is very good at operational technology (OT) 
systems. We want to make sure that we have the best hardening 
and the best segmentation we can possibly have on our OT side.
    So I think, again, it is that investment in resources to 
get the best in class, because, again, even the best in class 
is still susceptible. We have heard that from each one of those 
experts.
    Senator Lankford. All right. So this is not a ransomware 
attack. This is actually somebody that is getting into the 
system. Have you been able to determine going through it 
whether they would be able to get your operating system to be 
able to change pressure, to be able to change volume, to be 
able to change flow through the structure that actually came 
through?
    Mr. Blount. Senator, that is a great question. Obviously, 
that factored in largely to my decision and the employees' 
decision to shut the pipeline down that day. We did not know, 
and we probably did not know the answer to that for days. The 
investigation is ongoing. But up to this point, Mandiant has 
not confirmed any evidence that they were in the OT system, and 
typically that is not what DarkSide does.
    Senator Lankford. Right, it is a different animal, but it 
is a vulnerability that sits out there for someone else that 
does mean to be able to do our Nation harm, not just your 
company harm, at this point, and they are not just going out 
for money, but they are actually going out for physical damage. 
Thanks for being here. Thanks for being so frank in your 
testimony.
    Mr. Blount. Thank you, Senator.
    Chairman Peters. Thank you, Senator Lankford.
    Senator Rosen, you are now recognized for your questions.

               OPENING STATEMENT OF SENATOR ROSEN

    Senator Rosen. Thank you, Chairman Peters, Ranking Member 
Portman. This hearing, of course, is so timely, so important. 
Mr. Blount, thank you so much for spending your time with us 
today to bring some clarity to these extremely important issues 
to our Nation, because you know what? It is a challenge for 
business owners across a variety of industries to commit the 
resources necessary and critical to preventing and combating 
cyber threats. It requires a team of dedicated staff with cyber 
expertise and the technologies needed actually to defend 
against an attack.
    Mr. Blount, it would be helpful to understand the resources 
you have at Colonial Pipeline devoted to cybersecurity 
technology personnel and trainings. So can you tell us just a 
bit about your cyber guidelines and best practices your company 
follows? Do you collaborate with Federal agencies like National 
Institute of Standards and Technology (NIST), DOE, and CISA? If 
you do not, why not? And just talk about your plans, either 
current collaboration or collaboration going forward, if you 
plan to do that.
    Mr. Blount. Thank you, Senator, for that very important 
question. We are highly collaborative organization. We are 
highly transparent organization. We spent a lot of time in 
Washington, at least up until COVID, and now we spend a lot of 
time on the phone and in Zoom calls with all our regulators as 
well as other entities like CISA, like the DOE, and other 
people that we feel accountable to for what we do for the 
Nation.
    Again, very communicative, very present in Washington with 
all the Federal agencies that we have access to, and we 
certainly appreciate all the collaboration that we are able to 
do with them. From a Colonial perspective, we have over 100 
people dedicated to IT. Our CIO, when she asks for funds 
related to anything associated with cyber, she gets it. Our 
board is highly supportive of anything that protects the 
pipeline and protects our data. So we have never had any issue 
from the standpoint of getting the funding that we need in 
order to protect the asset and to protect our information and 
protect the American public.
    Senator Rosen. Thank you. I want to kind of build on this a 
little bit because, according to recent news reports, you have 
discussed scheduling a voluntary cybersecurity review with TSA. 
A lot of people have touched on this. But that review never 
took place, and so how often does your company conduct internal 
cybersecurity reviews or self-assessments? Do you do this on a 
regular schedule? And what do you do with the results? Who do 
you share them with, or do you share them?
    Mr. Blount. Senator, thank you for that question. With 
regard to the Validated Architecture Design Review (VADR) 
voluntary program that TSA has, I had also heard in the press 
that we had refused to participate in that, and that was quite 
a shock to me and quite a shock to our CIO. We maintain a lot 
of conversation with the TSA and specifically the Director of 
Security level there. We have participated in any number of 
things with the TSA in the past, including physical screening 
of our facilities. We have actually had the head of TSA in our 
office meeting with me and my management team.
    Senator Rosen. Do you do your own internal reviews? Do you 
share them with others? Do you do those on a regular basis? I 
guess that is also the point of my question as well.
    Mr. Blount. Senator, we do participate in periodic 
penetration tests. We do auditing, outside auditing of our 
cyber procedures and our IT department. And like all audits, 
you expect you are going to find something with the pace of 
change outside from the threat, and you rank the things that 
come back, and then you go about the business of tackling those 
things that are deemed deficient or weak in order to improve 
your defenses. So, yes, we do.
    Senator Rosen. I want to build on that because you have 
repeatedly said during this hearing that you were not part of 
conversations in the wake of the cyber attack, including the 
discussion with the FBI about paying a ransom. In hindsight, if 
you are doing this analysis, you are ranking things, doing all 
this, do you think you should have been part of those 
conversations?
    Mr. Blount. Senator, that is a very good question. This was 
an all-hands-on-deck day and week. My responsibility that week 
was to communicate to my board, make sure that my team was 
communicating where they needed to communicate. I directly 
handled all the discussions at the DOE level, including the 
daily briefings that we did with the DOE. I participated in the 
briefing with the Governor's offices throughout the States that 
were impacted. So while it would be nice to be involved in 
every conversation, the reality of it is I cannot be every 
place at once, but it was well taken care of by any number of 
my management team members, the people that report directly to 
me.
    Senator Rosen. Thank you. I appreciate that.
    I want to talk a little bit about my Cyber Sense Act 
because we know, of course, cyber attacks, that is what has 
happened to you. So last Congress I introduced the Cyber Sense 
Act. It is bipartisan legislation that would create a voluntary 
cyber sense program at the Department of Energy that is going 
to test the cybersecurity of products and technologies intended 
for use in our bulk power system. This bill also directs the 
Energy Secretary to consider incentives to encourage the use of 
analysis and testing results when designing products and 
technologies, although I think the incentive would actually be 
not to be hacked.
    But, Mr. Blount, while the program my bill would establish 
is solely for electric utilities, do you think a similar 
program for pipelines would be helpful for gas companies like 
yours across the board to collaborate and communicate and have 
some sense of what is going on in the industry?
    Mr. Blount. Senator, thank you for that question. I think 
that is a great program for the electric utilities, and I think 
anything that would help our side of the business be more 
secure and less susceptible to any threats is a great idea.
    Senator Rosen. Thank you. I think the last question--I have 
about a minute left--I just want to ask a quick question about 
why Colonial Pipeline did not notify CISA immediately following 
the ransomware attack. Mr. Wales told this Committee ``there is 
benefit when CISA is brought in quickly, because of the 
information we glean, we work to share it in a broader fashion 
to protect other critical infrastructure.''
    So what is your response to Mr. Wales' statement and you 
not sharing your ransomware attack?
    Mr. Blount. I am glad you asked that question, Senator. One 
of the first phone calls we made that morning within hours of 
noticing the compromise was to the FBI office, and during that 
conversation with the FBI, the FBI said, ``We will call you 
back later. We want to bring in our Center of Excellence from 
California into the conversation, and we will call CISA and 
bring them into the conversation.'' So at that point, based 
upon the number of phone calls that we had to make that day to 
any number of governmental entities, we knew that CISA would be 
notified and brought into the conversation. We had a 
conversation with CISA the first day as a result of that 
connection with the FBI. If the FBI had not called them, we 
would have. We called every other governmental agency we were 
required to and then some that day.
    Again, I do not know why he made that statement, but I can 
tell you we would have called him. There is no reason not to. 
We were extremely transparent, and we wanted all the help that 
we could get that morning.
    Senator Rosen. Thank you very much for your testimony 
today. My time has expired, Mr. Chairman.
    Chairman Peters. Thank you, Senator Rosen.
    Senator Hawley, you are recognized for your questions.

              OPENING STATEMENT OF SENATOR HAWLEY

    Senator Hawley. Thank you, Mr. Chairman. Thank you, Mr. 
Blount, for being here.
    I think you mentioned this in your written testimony, but I 
would just like to start here. What percentage approximately of 
all fuel on the East Coast of the United States is transported 
by your company's pipeline?
    Mr. Blount. Thank you for that question, Senator. It is 
approximately 45 percent.
    Senator Hawley. How many gallons of fuel does your 
company's pipeline transport on a daily basis?
    Mr. Blount. Normally we would move approximately 100 
million gallons of fuel a day, Senator.
    Senator Hawley. That is a lot. Is it fair to say that tens 
of millions of Americans do not really have any choice but to 
rely on your pipeline for fuel? You have enormous market power, 
is what I am driving at. Is that a fair statement?
    Mr. Blount. Senator, over time we have evolved as a big 
player in the fuel business, and it is because of our 
reliability record and, quite frankly, we are the cheapest cost 
of transportation for the fuel to those customers.
    Senator Hawley. Yes, I think that the amount of fuel 
running through the pipeline exceeds the fuel consumption of 
Germany. If I am not mistaken, the closure of your pipeline 
facilitated nearly--or led to nearly 16,000 gas stations 
without fuel across the country, which is huge. You are huge, 
and consumers really rely on your, is my point.
    I am curious as to, given this, given your market power, 
given the reliance of consumers, given the sheer number of 
consumers you serve, why didn't you take up the Transportation 
Security Administration's offer to do a comprehensive 
cybersecurity review of the pipeline?
    Mr. Blount. Senator, thank you for asking that question. We 
indeed were in contact with them about setting that up. 
Obviously, COVID got in the way in the early days of that. We 
were getting ready to move at the end of the year into a new 
facility, so I think the conversation was that we want to do 
it, the VADR program is a good program, but we will schedule 
that later on. We do have that scheduled at the end of July.
    Senator Hawley. So it was a COVID issue, basically? Or it 
was a moving issue, you were moving to a new headquarters? I am 
looking at the Washington Post article here that reports that 
the TSA had tried to schedule a voluntary in-depth 
cybersecurity review but that Colonial just could not get it 
done. Any regret not doing that in retrospect?
    Mr. Blount. Senator, anything that you could do is always 
helpful. If we look at that test, it is a great test, but it is 
not dissimilar to a lot of the tests that we already do in our 
system. Again, we have a good working relationship with TSA. I 
am a little surprised by the statement that I heard about 
refusal, actually investigated it on my end from my CIO and 
their contacts on the TSA side. No one really understood why 
the word ``refused'' was used.
    Senator Hawley. So just let me understand your last 
statement. Are you saying you think that the TSA review would 
have been redundant, not particularly helpful? You said it is 
duplicative of things you do on your own end internally.
    Mr. Blount. Senator, I think in this case it probably would 
not have resulted in finding that legacy VPN. Again, they do 
not actually go into the system. It is a questionnaire format 
type thing. I am not saying it would not be valuable. It very 
much could be. I think each one of these tests are slightly 
different, so if there is that one little piece that can make 
the difference in seeing something, that is helpful. Again, 
never any issue with us actually getting to the point of doing 
that. It was a timing issue.
    Senator Hawley. Got you. Who owns Colonial Pipeline?
    Mr. Blount. Colonial Pipeline is owned by several entities.
    Senator Hawley. Including?
    Mr. Blount. Including a division of Shell, Midstream 
actually, Caisse du Quebec, KKR, IFM, and Koch Industries.
    Senator Hawley. Got it. I am asking that because it has 
been reported that over the last decade Colonial has 
distributed--I am looking at the article here from Bloomberg. 
Colonial has distributed almost all of your profits, sometimes 
more, actually, in the form of dividends to your investors. In 
2018, for instance, Colonial Pipeline paid $670 million to its 
owners, which actually exceeded your net income for that year. 
That is a pretty good return. What do you invest in 
cybersecurity every year?
    Mr. Blount. That is a great question, Senator. We invested 
over $200 million over the last five years in our IT systems.
    Senator Hawley. And that is cybersecurity? How about on an 
annual basis for cybersecurity? $670 million distributed in 
dividends in 2018 alone, give me a sense of--you are operating 
not unlike a public utility, right? I mean, we covered the fact 
you serve 45, 50 percent of customers on the East Coast; you 
transport 100 million gallons a day. The attack on you led to 
16,000 gas stations being shut down. So just give me a sense 
of--given the importance of your company, the size of it, the 
reliance, what are you doing in terms of your investment for 
cybersecurity? I know you are paying your investors well.
    Mr. Blount. Yes, Senator, great question. Our dividend 
policy is not much different than any other Midstream company, 
so I want to state that first. Our owners have never denied us 
any opportunity to spend what we need to spend in order to keep 
the pipeline safe and secure.
    Senator Hawley. Which is about what a year?
    Mr. Blount. Take the average, over $200 million in the last 
five years.
    Senator Hawley. OK, I tell you what----
    Mr. Blount. Over $1.5 billion in system integrity every 
five years.
    Senator Hawley. Got it. We will give you this as a question 
for the record so that we can get the actual--I know you do not 
have the number right in front of you, but we will give you the 
question for the record,\1\ and you can give us the exact 
number on an annual basis. I think that would be interesting to 
know.
---------------------------------------------------------------------------
    \1\ The information requested by Senator Hawley appears in the 
Appendix on page 49.
---------------------------------------------------------------------------
    You talk about Federal regulations in your testimony, and 
you say Congress should consider designating an official point 
of contact at a Federal agency to better facilitate 
communications. That is an interesting idea. What rules do you 
think Congress ought to consider requiring of you and your 
company? So your suggestion is what the Federal Government 
should do itself, but given, again, your status, given the 
reliance on you, what do you think Congress ought to require of 
your company and companies like it going forward?
    Mr. Blount. Senator, great question. I think what Congress 
should require is that we have a focus on safety and security 
of this critical asset, and I think we have demonstrated that 
over the last 57 years of responsible ownership and operations.
    Senator Hawley. Let me ask you a little bit about the 
attack in the IT system. I understand that the attack occurred 
or was first detected only in the IT network, not in the OT 
network. Is that right? Do I have that correct?
    Mr. Blount. Senator, that is correct.
    Senator Hawley. OK.
    Mr. Blount. That is what the investigation shows up to this 
point.
    Senator Hawley. Got it. OK. So, to your knowledge, the OT 
network, the operational technology network, would not have 
been compromised by the attack if you had not shut down--you 
shut that down as a precaution, security measure?
    Mr. Blount. Senator, if there was one percent chance that 
that OT system was compromised, it was worth shutting the 
pipeline system down.
    Senator Hawley. Got it. I am just trying to establish that, 
to your knowledge, at this time you think it was concentrated 
in the IT system?
    Mr. Blount. Senator, based upon the investigation by me----
    Senator Hawley. Got it.
    Mr. Blount [continuing]. Up to this point, that would be a 
correct statement.
    Senator Hawley. Yes, OK. This leads me to ask this. The 
pipeline is seven years old, roughly, right? There was a time, 
I assume--and you correct me if I am wrong, but there was a 
time, I assume, where you operated the pipeline without today's 
computer systems. What I am driving toward here is do you have 
the capability to manually operate the pipeline in the future 
in the event of an IT attack like this one? If you do not have 
that capability, should you, do you think, going forward?
    Mr. Blount. Senator, that is a great question. We actually 
did operate small portions of the pipeline manually in order to 
alleviate some of the fuel shortage, and the discussion took 
place with the operations team about the ability to do that 
systemwide. And the response to that was it would be quicker to 
get back up on our feet by correcting the corruption of the 
critical IT systems that we needed in order to get the pipeline 
system up and operate it manually. But I think on a go-forward 
basis, there is no question that we will look at that 
capability, and it is a really interesting question because if 
you look at the aging workforce now, a lot of those people that 
did operate Colonial Pipeline and other infrastructure in 
America historically manually, they are retiring or they are 
gone. Fortunately, we still have that last bit of that 
generation which allowed us to do what we did during this 
particular event. It is a great question.
    Senator Hawley. Very good. Thank you for being here.
    Thank you, Mr. Chairman.
    Chairman Peters. Thank you, Senator Hawley.
    Senator Ossoff, you are recognized for your questions.

              OPENING STATEMENT OF SENATOR OSSOFF

    Senator Ossoff. Thank you, Mr. Chairman. Thank you as well 
to Ranking Member Portman. Mr. Blount, thank you for being here 
today. Thank you for your candid testimony. I want to express 
my appreciation to your team based in Georgia for their 
diligent efforts to restore service swiftly and offer you the 
opportunity before the Committee now to state any lessons 
learned as well as reflections on potential improvements to 
Federal policy that we have not had a chance yet to explore on 
the record.
    I also want to thank you for your team's continual updates 
of my team as you sought to restore service, as you have 
investigated the nature of the threat, and for the conversation 
that you and I have had about the matter as well. But lessons 
learned, recommendations for Congress.
    Mr. Blount. Good morning, Senator.
    Senator Ossoff. Good morning.
    Mr. Blount. Thank you for your kind words, too. Yes, I 
think there are several really important lessons learned. I 
think, the most important lesson learned is to respond 
immediately, right? We have talked about stop-work authority at 
Colonial, the ability to identify the threat, contain the 
threat, remediate the threat, and restart the system. Again, 
that goes toward any type of threat that we see, not just 
particularly a cyber threat. I think that is an important thing 
for any operator to remember, is contain that threat.
    The other side that I would like to share with you that I 
think is extremely important is communication, and there has 
been a lot of conversation in this room about who did you talk 
to and who did you communicate with and at what time did you do 
that. I will stress again I think that what we learned was that 
being transparent and responding quickly and not being afraid 
to come forward was probably one of the most important things 
that we did in this particular case, not foreign to us but 
perhaps foreign to others.
    Finally, I would add I think the ability to communicate 
with the Federal Government through one conduit, regardless of 
who it is, was extremely valuable to us because, again, as I 
looked at this all-hands-on-deck effort that we had to do, the 
ability to communicate everything that we were seeing, whether 
it was the market response or the things that we were trying to 
get done on the IT side to do the restart all the way to the 
investigative side of the equation, extremely helpful for a 
management team already stretched to be able to communicate 
quickly and efficiently, and then allow our government partners 
to do what they could do to help us, which indeed they did. 
They were very helpful in the process.
    Senator Ossoff. Thank you, Mr. Blount. As you and I 
discussed last week, your team, I believe in collaboration with 
Mandiant, is conducting a comprehensive review of the threat, 
the nature of the attack, what might have been done to mitigate 
the risk, the efforts to thwart the attack once it was 
discovered. Is that correct?
    Mr. Blount. Yes, Senator, that is correct.
    Senator Ossoff. What impediment would there be, if any, to 
sharing the results of that review and the conclusions of that 
investigation, including at the technical level with this 
Committee once it is completed?
    Mr. Blount. Senator, I do not think there are any issues 
with that. What we have been trying to do all along the way is 
share the information as we learn it. We have been very 
straightforward about the legacy VPN. Hopefully that will help 
out other operators who have similar type legacy assets.
    We know from working with Mandiant that is not an unusual 
issue for companies. I think we will continue to communicate as 
we go through the process with Mandiant, but our ability and 
desire to sit down with you is ready and available when you 
would like that.
    Senator Ossoff. Great. So we can expect that once that 
review and investigation are complete, you would voluntarily 
share with this Committee the results of Mandiant's 
investigation?
    Mr. Blount. Yes, Senator, we will be very transparent.
    Senator Ossoff. I appreciate that. When you and I spoke 
last week, I believe you stated that you had not refused any 
requests for information from the Department of Homeland 
Security, the FBI, or other Federal entities. You have 
discussed the importance of the free flow of information 
between the target of an attack like this and the Federal 
Government.
    Having now had the experience of your company being 
subjected to an attack such as this and the communication that 
you had to engage in swiftly with Federal entities, what do you 
think can be done to improve and make more efficient and direct 
the flow of information between the victim of a cyber attack 
and Federal law enforcement, Federal cybersecurity authorities? 
I want to drill down a little bit on the following: You and I 
also discussed last week that the criminal enforcement side of 
the investigation and the cybersecurity side of the 
investigation overlap but are also distinct. Have you found any 
difference in the quality of the Federal response, the nature 
of the communication with Federal authorities between the 
criminal prosecutorial investigation and the cybersecurity 
investigation?
    Mr. Blount. Senator, from my perspective, I would say the 
answer is no. Again, as we discussed, we had FBI, CISA, and, of 
course, Mandiant helping in the process. We told Mandiant from 
the very beginning if the FBI had questions or CISA had 
questions, please share information with them. Of course, as 
structured by the White House, we had the ability to 
communicate with everybody else on the restoration side and on 
the supply concern side through the DOE. Again, that worked 
wonderfully for us. Again, our time was stretched during the 
day when we were trying to respond to the situation and get 
things remediated so that we could bring the pipeline back up. 
From my perspective as the CEO, to sit down at least at 5 p.m. 
every day and sometimes more often phone calls would come, but 
at least have the ability to communicate, the restoration side, 
what we were doing to restore the IT systems, share market 
intelligence because we have a unique perspective as Colonial 
as well. That was very helpful.
    So regardless of who that conduit is, the ability to 
communicate on the investigative side with all those parties at 
once and on the restoration and the market side, extremely 
valuable to us. As you can imagine, there is a lot going on as 
you head toward bringing an asset like this back up, and you 
have a lot of people that want to know a lot of things, and you 
do not have all the answers yet. But what I found is by having 
them all in the same room, the expert on this one particular 
area would say, ``They would not know that yet,'' and that 
would alleviate a lot of concern that the less knowledgeable 
person might have, even though they were very strong in what 
their particular discipline or science was.
    Senator Ossoff. Thank you, Mr. Blount. Finally, circling 
back to the ongoing Mandiant investigation, can you commit that 
the product that you share with this Committee of that 
investigation will be the same product that you and your 
executive team and your board review and that it will not be a 
different set of conclusions that are produced for the 
consumption of Congress but it will be the same assessment that 
you receive?
    Mr. Blount. Senator, as I have stated previously, we will 
be very transparent. I think the one thing that we need to be 
careful about as a Nation is how do we share that information. 
Obviously, it would be very difficult in a public forum like 
this because a lot of what we will share about our 
strengthening and hardening of our systems will be critical to 
keeping those strong and defensive against attacks.
    But, yes, we need to talk and figure out what is the best 
way to talk about what happened as well as what best practice 
on a go-forward basis is for an operator like ours that 
operates such sensitive infrastructure.
    Senator Ossoff. So recognizing that some of those 
conclusions, information, and plans may be sensitive and 
confidential, nevertheless the appropriate forum for those 
confidences being provided, we will be able to exchange that 
information freely and review in full the Mandiant report?
    Mr. Blount. Senator, we will gladly cooperate with you.
    Senator Ossoff. Thank you, Mr. Blount.
    I yield back, Mr. Chairman.
    Chairman Peters. Thank you, Senator Ossoff.
    Mr. Blount, I would like to thank you for joining us here 
this morning on this incredibly important matter. We are 
clearly experiencing relentless and unprecedented assaults 
against both our private and public sector information systems, 
and we are getting those assaults by both criminal organization 
as well as foreign adversaries, and this is a grave national 
security concern. Certainly from the questions that were posed 
today by all of my colleagues, I think it is clear that my 
colleagues believe this is something that we need to address 
immediately and in a comprehensive fashion.
    It is clear to me that the cyber attack against Colonial 
highlights the need for increased cooperation and coordination 
between both the Federal Government and our critical 
infrastructure partners. We must ensure that the American 
people are capable of not only defending our critical 
infrastructure partners from attack, but also maintaining a 
secure information system environment to prevent those cyber 
attacks from occurring in the first place.
    The interference that American lives depend on is 
increasingly connected, connected to each other and connected 
to the Internet. This brings a whole new meaning to the phrase 
``You are only as strong as your weakest link,'' and these weak 
links can be hacked accounts, inadequate passwords, or unknown 
vulnerabilities to the system.
    More must be done in this space, and I am committed to 
certainly focusing my attention. I think every Member on this 
Committee agrees that this Committee will focus our collective 
attention and resources on dealing with this problem. 
Cyberattacks used to be merely an inconvenience. We now know 
that they are becoming attacks on our very way of life.
    Once again, thank you for appearing here today. I look 
forward to your continued engagement on this important issue.
    The record for this hearing will remain open for 15 days, 
until June 23rd at 5 p.m., for submission of statements and 
questions for the record.
    With that, this hearing is now adjourned.
    [Whereupon, at 11:33 a.m., the Committee was adjourned.]

                            A P P E N D I X

                              ----------                              

	
	[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

        
        			
        			
        			[all]