President Joe Biden and senior White House officials said the administration was working closely with Colonial Pipeline to mitigate the effects of the ransomware attack and subsequent shutdown of the pipeline.
But both the President and officials leading the response repeatedly acknowledged their roles were limited because Colonial Pipeline is a private company, even though it controls the fuel supply to most of the East Coast.
“My administration is also committed to safeguarding our critical infrastructure, much of which is privately owned and managed like Colonial. Private entities are making their own determination on cybersecurity,” Biden said during remarks on the economy from the White House East Room.
The White House has already stood up an emergency working group to contend with potential energy supply issues and loosened rules on petroleum shipping on highways. Officials said Monday they were preparing for “multiple contingencies” should fuel supply be impacted by the shutdown of the pipeline, a precautionary decision meant to ensure its systems were not compromised.
Still, the broader issue of security gaps in the nation’s critical systems — components of which are decades old and are privately owned — remains a serious question for the White House, which is finalizing an executive order meant to better respond to cyberattacks.
“This weekend’s events put the spotlight on the fact that our nation’s critical infrastructure is largely owned and operated by private sector companies,” said Elizabeth Sherwood-Randall, the White House homeland security adviser. “When those companies are attacked, they serve as the first line of defense and we depend on the effectiveness of their defenses.”
Anne Neuberger, the top official responsible for cybersecurity on the National Security Council, said Colonial Pipeline had not asked for “cyber-support” from the federal government but that federal officials were ready and “standing by” to provide assistance if asked.
“We remain available to meet their cybersecurity needs,” she said.
On Capitol Hill, lawmakers were seeking additional information about the incident. The House Intelligence Committee requested briefings from both law enforcement and the US intelligence community and “expect to receive further information in the coming days,” according to a committee official.
Biden, who was briefed on the matter over the weekend while at the presidential retreat Camp David, has instructed officials to act urgently to mitigate any supply problems, according to an official familiar with the matter. He has also tasked officials with prioritizing cyber matters, believing cracks in the nation’s cyber defense systems must be repaired quickly.
The FBI said Monday that Darkside ransomware, a criminal group originating from Russia, is responsible for the cyberattack. And Neuberger said the intelligence community was working to assess any possible ties to foreign actors.
“The FBI confirms that the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks. We continue to work with the company and our government partners on the investigation,” the FBI said in a statement.
Biden said Monday he had not seen evidence that Moscow is directly behind the ransomware attack.
“So far there is no evidence from our intelligence people that Russia is involved, although there is evidence that the actor’s ransomware is in Russia. They have some responsibility to deal with this,” Biden said.
Pressed on how the US can protect its critical infrastructure against hacking by state actors if even criminal syndicates can breach those systems, Biden said: “We can do both, and we will.”
A major attack
The Colonial Pipeline system spans more than 5,500 miles and transports about 45% of all fuel consumed on the East Coast. It transports 2.5 million barrels per day of gasoline, diesel, jet fuel and home heating oil.
The company that operates it said last week it was the victim of a cybersecurity attack that involved ransomware. In an update on Monday, the company said “segments of our pipeline are being brought back online in a stepwise fashion.”
“Restoring our network to normal operations is a process that requires the diligent remediation of our systems, and this takes time,” the company’s statement read.
Darkside, the alleged perpetrator of the Colonial Pipeline cyberattack, said on the dark web that their motivation was apolitical and financial only, according to a cyber counterintelligence firm.
“I can confirm that (the posting) came from the DarkSide victim data leak site on the dark web,” Randy Pargman, vice president of Threat Hunting & Counterintelligence at Binary Defense, told CNN, adding that his firm has verified it.
A spokesperson for FireEye Mandiant, the cybersecurity firm retained by Colonial Pipeline, told CNN: “We have seen the purported statement from the group,” but declined to comment further on its authenticity.
Biden has spoken of cyber issues in dire terms, including in December when he accused then-President Donald Trump of ignoring vulnerabilities that led to the SolarWinds breach.
“Cyber-threats are among the greatest threats to our global security in the 21st century,” he said then. “And I believe we have to treat them with the same seriousness of purpose that we have treated threats of other unconventional weapons.”
A draft cybersecurity order being finalized by the Biden administration would seek to better respond to and defend against major cyberattacks that have occurred with greater frequency in recent years.
The order, which remains in the draft stage, has been in the works for months. It would spell out new requirements for companies that do business with the government; Colonial Pipeline, the company targeted by this week’s hack, is a private company, leaving it outside the scope of the proposed executive order.
Still, officials said the hope among those involved in the order’s drafting is the new requirements would trickle into non-contractors who compete with other companies for business.
The order would lay out new parameters for investigations into cyber breaches and would create a specific investigatory board to investigate the aftermath of attacks, including looking into code and data logs to determine the root causes of successful cyber breaches.
The order includes new standards for software development, including processes for including multifactor authentication into new products and separating out where the software is being developed from internet servers to protect access. It would also limit those who can access federal systems and require companies to be more transparent about cyberattacks, including a provision that companies must notify the federal government quickly if they suspect they’ve been hacked.
It would lay out consequences for companies that fail to adhere to the new standards, including a ban on sale to government agencies.
‘It is upon us’
Ahead of the Colonial Pipeline incident, Homeland Security Secretary Alejandro Mayorkas warned last week of the threat from ransomware, pointing to the “staggering” financial losses and acceleration of attacks over the past year.
“The threat is not tomorrow’s threat, but it is upon us,” he said at a US Chamber of Commerce event.
Mayorkas has been outspoken on the threat from ransomware in recent weeks, calling it an “existential threat” to businesses at Wednesday’s event. More than $350 million in victim funds were paid as a result of ransomware in the past year, and the rate of ransomware attacks increased over the prior year by more than 300%, he said.
“In order to address ransomware, one must be educated and informed with respect to not only how to detect the threat, but also how to respond to it and how to remediate from it should, unfortunately, our efforts to prevent the attack from occurring in the first instance, do not succeed,” he said.
Mayorkas also said the department is exploring developing a grant program that can reach enterprises that otherwise are outside of existing grant programs, “to really raise the bar of cybersecurity throughout the country.”
CNN’s Natasha Bertrand and Josh Campbell contributed to this report.