Pelosi says firms should not pay ransoms to hackers

Speaker Nancy Pelosi (D-Calif.) warned Thursday that private firms should reject hackers’ demands for ransoms, just hours after reports emerged that a major energy company had paid almost $5 million to help restore service following a crippling ransomware attack.

Pelosi emphasized that she had no window into the internal management deliberations of the Colonial Pipeline Company, a private firm that runs a massive, 5,500-mile network of petroleum pipelines from the Gulf Coast to the major population centers on the East Coast.

But when asked if firms should pay out such ransoms, she didn’t hesitate.

“No,” Pelosi told reporters in the Capitol. “The point is that we don’t want people to think that there’s money in it for them to threaten the security of a critical infrastructure in our country.”

Launched last Friday, the cyberattack on Colonial Pipeline forced the company to shut down its entire network of pipelines to prevent the malware from creeping deeper into the system. The shutdown sparked a panic among Southeastern consumers, whose fear of an imminent fuel shortage, or a spike in prices, created long gas lines at stations across the region.

In response, President Biden issued an executive order on Wednesday designed to force private companies to install tougher cybersecurity protections as a condition of doing business with the federal government.

In the days since the attack, Colonial had declined to say whether it had paid, or intended to pay, the ransom. But Bloomberg News reported Thursday morning that the firm had paid roughly $5 million in cryptocurrency last Friday, the day of the initial attack.

Pelosi on Thursday praised Biden’s move as a first step, but suggested Congress has a role to play in shoring up the nation’s vital infrastructure against future attacks.

“This cannot be open season for hackers who can make money off of a threat, even if they don’t go as far as crippling the entity that — as with Colonial, they did not. So it has to be subject to review,” she said.

“I don’t know what the conversations were with the management of Colonial, but I do think that there is a governance role in how we protect our people and our economy from these hackers.”