White House, CISA react to pipeline ransomware attack

The FBI on Monday attributed the cyberattack against Colonial Pipeline to ransomware group Darkside. The attack, which was announced on Friday, led to the shutdown of fuel pipelines serving the East Coast of the United States as a precautionary measure.

At a White House briefing on Monday, officials provided details on the government response. Deputy National Security Advisor Anne Neuberger described Darkside as "ransomware as a service" operation in which the malware developers share proceeds from attacks with partners. Neuberger didn't say whether the government believes the breach may have progressed from Colonial's IT to operational technology that controls the pipelines, citing the ongoing criminal investigation but said that such spread was a "concern," and said that's why, "quickly and effectively negating the spread of the ransomware is always the first area of priority."

Neuberger added the FBI released a flash alert to industry with indicators of compromise and mitigation measures. Additionally, the Cybersecurity and Infrastructure Security Agency is preparing its own release information to critical infrastructure providers about the ransomware attack that shutdown a key natural gas pipeline for the East Coast on Friday, according to Homeland Security Advisor Elizabeth Sherwood-Randall, who joined Neuberger at the press briefing.

Sherwood said the administration on Friday convened an interagency team including DOE, CISA, the Defense Department, Treasury Department, and Transportation Department's Pipeline Safety and Hazardous Materials Safety Administration to manage the situation. The Transportation Security Administration is responsible for the cybersecurity of oil pipelines, the Energy Department is considered the sector specific agency and is leading the government's response.

The Energy Department has "also convened oil and natural gas and electric utility partners to share details about the ransomware attack and discuss recommended measures to mitigate further incidents across the industry," Sherwood-Randall said.

Eric Goldstein, CISA's executive assistant director of the cybersecurity division, said in an emailed statement that the attack "underscores the threat that ransomware poses to organizations regardless of size or sector."

As the administration confronts a rise in ransomware activities, cybersecurity experts and lawmakers continue to debate the pros and cons to paying ransoms. In general, the FBI has long discouraged the private sector from paying out of fear it will encourage future attacks.

Neuberger said that companies are often left in a "difficult position" if they have no other method of recovering stolen data.

"That is why given the rise in ransomware and given frankly the troubling trend we see of often targeting companies who have insurance and may be richer targets, that we need to look thoughtfully at this area … to determine what we do in addition to actively disrupting infrastructure and holding perpetrators accountable, to ensure that we're not encouraging the rise of ransomware," she said.

Rep. John Katko (R-N.Y.), who has previously introduced legislation to expand CISA's role in responding to cybersecurity breaches into industrial control systems, told FCW on Monday that, "You can expect substantial congressional oversight on this incident in the near future."

Speaking at the White House shortly after the press briefing, President Joe Biden said the intelligence community does not have evidence that "Russia is involved although there is evidence that the actor's ransomware is in Russia. They have some responsibility to deal with this."