Maloney grills Colonial Pipeline on decision to pay ransom to hackers

House Oversight and Reform Committee Chairwoman Carolyn Maloney (D-N.Y.) on Thursday grilled Colonial Pipeline and insurance group CNA Financial Corporation for their recent decisions to pay hackers in order to regain access to their networks following ransomware attacks. 

Maloney requested documents from both companies on the payments. Colonial chose last month to pay hackers, likely Russian, the equivalent of $4.4 million in Bitcoin to restart its pipeline, which provides around 45 percent of the East Coast’s fuel.

Bloomberg also reported last month that CNA, one of the largest insurance providers in the nation, paid hackers $40 million in late March after being hit by a ransomware attack.

Maloney wrote to the leaders of both companies Thursday that she was “troubled” by the choice to pay the hackers, and that more information on the decisions was needed. 

“I am extremely concerned that the decision to pay international criminal actors sets a dangerous precedent that will put an even bigger target on the back of critical infrastructure going forward,” Maloney wrote in separate letters to Colonial Pipeline CEO Joseph Blount and CNA CEO Dino Robusto.

The FBI officially recommends that companies not pay ransoms, as doing so can encourage cybercriminals to target other groups, and there is no guarantee systems will be decrypted.

If companies choose not to pay, it can take far longer and cost far more to recover from an attack.

“Our guidance continues to be from the FBI that companies should not pay ransom because it incentivizes these attacks on other companies,” White House press secretary Jen Psaki told reporters Thursday of the Biden administration’s view on ransomware payments. 

Blount told The Wall Street Journal last month in confirming his company’s choice to pay the ransom that “it was the right thing to do for the country,” though he noted that he “wasn’t comfortable seeing money go out the door to people like this.”

Maloney cited these comments in her letter to Blount requesting more information on the ransomware payment decision, noting the company had declined to provide the committee with details on that decision last month. 

“Congress needs detailed information about the ransom payment that Colonial Pipeline made to international criminal actors to legislate effectively on ransomware and cybersecurity in the United States,” Maloney wrote. 

The letters were sent as ransomware attacks remained in the spotlight, with major beef producer JBS USA forced to shut down all U.S. production facilities earlier this week due to a ransomware attack.

Additionally, the Steamship Authority of Massachusetts, the largest ferry service to Martha’s Vineyard and Nantucket, announced Wednesday that its services had been impacted by a ransomware attack, and The New York Times reported this week that the New York subway system had been targeted by Chinese hackers in April. 

In light of the increasing attacks, Reuters reported Thursday that the Justice Department is planning to elevate ransomware attack investigations to the same priority level as terrorist attacks. The agency previously established a ransomware task force in April, and the Department of Homeland Security has also made addressing ransomware attacks a priority.

Capitol Hill will continue oversight of the issue as well, with Blount scheduled to testify on the Colonial Pipeline attack before both the Senate Homeland Security and Governmental Affairs Committee and House Homeland Security Committee next week.