The White House said Monday there are no issues with fuel supply as officials worked urgently to ascertain the scope and fallout of a ransomware attack on the Colonial Pipeline, which supplies much of the eastern United States with its gasoline – an incident that laid bare vulnerabilities in the country’s aging energy infrastructure.
President Joe Biden and senior White House officials said the administration was working closely with Colonial Pipeline to mitigate the effects of the ransomware attack and subsequent shutdown of the pipeline.
But both the President and officials leading the response repeatedly acknowledged their roles were limited because Colonial Pipeline is a private company, even though it controls the fuel supply to most of the East Coast.
“My administration takes this very seriously. We have efforts under way with the FBI and Department of Justice to disrupt and prosecute ransomware criminals,” Biden said during remarks on the economy from the White House East Room.
“My administration is also committed to safeguarding our critical infrastructure, much of which is privately owned and managed, like Colonial,” the President continued. “Private entities are making their own determination on cybersecurity.”
Over the weekend, the White House stood up an emergency working group to contend with potential energy supply issues and loosened rules on petroleum shipping on highways. Officials said Monday they were preparing for “multiple contingencies” should fuel supply be impacted by the shutdown of the pipeline, a precautionary decision meant to ensure its systems were not compromised. Colonial Pipeline said Monday evening that one of its fuel lines has restored service under manual control.
Still, the broader issue of security gaps in the nation’s critical systems – components of which are decades old and are privately owned – remains a serious question for the White House, which is finalizing an executive order meant to better respond to cyberattacks.
The order was written and circulated primarily as a response to the earlier SolarWinds attack, which allowed Russian hackers to access systems across federal government agencies. Yet the draft order applies only to federal contractors, meaning it would not have applied to Colonial Pipeline, the latest company to be targeted.
“This weekend’s events put the spotlight on the fact that our nation’s critical infrastructure is largely owned and operated by private sector companies,” said Elizabeth Sherwood-Randall, the White House homeland security adviser. “When those companies are attacked, they serve as the first line of defense and we depend on the effectiveness of their defenses.”
Anne Neuberger, the top official responsible for cybersecurity on the National Security Council, said Colonial Pipeline had not asked for “cyber-support” from the federal government but that federal officials were ready and “standing by” to provide assistance if asked.
“We remain available to meet their cybersecurity needs,” she said.
On Capitol Hill, lawmakers were seeking additional information about the incident. The House Intelligence Committee requested briefings from both law enforcement and the US intelligence community and “expect to receive further information in the coming days,” according to a committee official.
Biden, who was briefed on the matter over the weekend while at the presidential retreat Camp David, has instructed officials to act urgently to mitigate any supply problems, according to an official familiar with the matter. He has also tasked officials with prioritizing cyber matters, believing cracks in the nation’s cyber defense systems must be repaired quickly.
The FBI said Monday that Darkside ransomware, a criminal group originating from Russia, is responsible for the cyberattack. Neuberger said the intelligence community was working to assess any possible ties to foreign state actors.
Administration officials could not say whether Colonial Pipeline had paid any ransom to the group – a step the US government officially discourages – though Neuberger said she recognized “victims of cyberattacks often face a very difficult situation” in weighing whether to cede to attackers’ demands.
Biden said he had not seen evidence that Moscow was directly behind the ransomware attack.
“So far there is no evidence from our intelligence people that Russia is involved, although there is evidence that the actor’s ransomware is in Russia. They have some responsibility to deal with this,” Biden said.
The Russian government denied any involvement in the attack, the Kremlin’s spokesman told CNN on Monday evening.
“Russia is not and was not involved in any cyber attacks,” Dmitry Peskov told CNN.
Pressed on how the US can protect its critical infrastructure against hacking by state actors if even criminal syndicates can breach those systems, Biden said: “We can do both, and we will.”
A major attack
The Colonial Pipeline system spans more than 5,500 miles and transports about 45% of all fuel consumed on the East Coast. It transports 2.5 million barrels per day of gasoline, diesel, jet fuel and home heating oil.
The company that operates it said last week it was the victim of a cybersecurity attack that involved ransomware. In an update on Monday, the company said “segments of our pipeline are being brought back online in a stepwise fashion.”
“Restoring our network to normal operations is a process that requires the diligent remediation of our systems, and this takes time,” the company’s statement read.
Darkside, the alleged perpetrator of the Colonial Pipeline cyberattack, said on the dark web that their motivation was apolitical and financial only, according to a cyber counterintelligence firm.
“I can confirm that (the posting) came from the DarkSide victim data leak site on the dark web,” Randy Pargman, vice president of Threat Hunting & Counterintelligence at Binary Defense, told CNN, adding that his firm has verified it.
A spokesperson for FireEye Mandiant, the cybersecurity firm retained by Colonial Pipeline, told CNN: “We have seen the purported statement from the group,” but declined to comment further on its authenticity.
The US has officially blamed the earlier SolarWinds attack on the Russian Foreign Intelligence Service. Biden, who is finalizing plans to meet Russian President Vladimir Putin next month in Europe, has raised cyber issues with Putin in phone calls over the course of the last several months.
Biden mentioned his meeting with Putin on Monday even as he downplayed Russia’s official role in the pipeline hack.
Chris Krebs, who until last November was director of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, called the distinction between a Russian state actor and a crime network operating inside Russia “increasingly irrelevant.”
“Ransomware crews have been operating out of Russia for years, with great effect on our schools, on our state and local government agencies, on our health care facilities,” he said. “They have effectively the tacit approval of the Russian government, and it has to end.”
Private-sector companies worked with US agencies to take a key server offline as recently as Saturday, disrupting cyberattacks against the pipeline and other ransomware victims, according to two sources familiar with the matter.
The move to intervene, which allowed Colonial to recover some of its stolen data, was taken in response to the Darkside attack against the fuel pipeline company, one source told CNN, confirming the action first reported by Bloomberg.
Federal agencies and private companies that control the US-based servers were able to cut off key infrastructure used by the hackers to store stolen data – before that information could be relayed back to Russia, both sources said.
“This is exactly the playbook for how it’s supposed to happen in cases like this,” one source said.
‘Among the greatest threats’
Biden has spoken of cyber issues in dire terms, including in December when he accused then-President Donald Trump of ignoring vulnerabilities that led to the SolarWinds breach.
“Cyber-threats are among the greatest threats to our global security in the 21st century,” he said then. “And I believe we have to treat them with the same seriousness of purpose that we have treated threats of other unconventional weapons.”
A draft cybersecurity order being finalized by the Biden administration would seek to better respond to and defend against major cyberattacks that have occurred with greater frequency in recent years.
The order, which remains in the draft stage, has been in the works for months. It would spell out new requirements for companies that do business with the government; Colonial Pipeline, the company targeted by this week’s hack, is a private company, leaving it outside the scope of the proposed executive order.
Still, officials said the hope among those involved in the order’s drafting is the new requirements would trickle into non-contractors who compete with other companies for business.
The order would lay out new parameters for investigations into cyber breaches and would create a specific investigatory board to investigate the aftermath of attacks, including looking into code and data logs to determine the root causes of successful cyber breaches.
The order includes new standards for software development, including processes for building multifactor authentication into new products and separating out where the software is being developed from internet servers to protect access. It would also limit those who can access federal systems and require companies to be more transparent about cyberattacks, including a provision that companies must notify the federal government quickly if they suspect they’ve been hacked.
It would lay out consequences for companies that fail to adhere to the new standards, including a ban on sale to government agencies.
‘It is upon us’
Ahead of the Colonial Pipeline incident, Homeland Security Secretary Alejandro Mayorkas warned last week of the threat from ransomware, pointing to the “staggering” financial losses and acceleration of attacks over the past year.
“The threat is not tomorrow’s threat, but it is upon us,” he said at a US Chamber of Commerce event.
Mayorkas has been outspoken on the threat from ransomware in recent weeks, calling it an “existential threat” to businesses at Wednesday’s event. More than $350 million in victim funds were paid as a result of ransomware in the past year, and the rate of ransomware attacks increased over the prior year by more than 300%, he said.
“In order to address ransomware, one must be educated and informed with respect to not only how to detect the threat, but also how to respond to it and how to remediate from it should, unfortunately, our efforts to prevent the attack from occurring in the first instance, do not succeed,” he said.
Mayorkas also said the department is exploring developing a grant program that can reach enterprises that otherwise are outside of existing grant programs, “to really raise the bar of cybersecurity throughout the country.”
CNN’s Natasha Bertrand, Josh Campbell, Zachary Cohen and Geneva Sands contributed to this report.