Jun 212021

Federal Government Interest in Cyber Continues: Congressional Hearings on the Colonial Pipeline Cyberattack

Lorrie M. Marcil, Tyler Wood, Alan Charles Raul and Stephen W. McInerney
, , ,

On May 7, 2021, Colonial Pipeline experienced a ransomware cyberattack on its corporate network. This attack, attributed to the DarkSide hacking group, led the company to temporarily halt the operation of its pipeline network—causing fuel shortages throughout the East Coast. Although highly publicized, the Colonial Pipeline cyberattack is not unique. In fact, the event was just one in a growing pattern of ransomware attacks against major U.S. companies and critical infrastructure. In light of these events, the issue of cyberattacks—particularly those involving ransomware—has become a key area of concern for federal lawmakers.

On June 8th and 9th, the Senate Committee on Homeland Security and Governmental Affairs and the House Homeland Security Committee heard testimony from Joseph Blount, President and CEO of Colonial Pipeline, about the company’s cybersecurity practices and its response to the DarkSide cyberattack. The House also questioned Charles Carmakal, Senior Vice President for Strategic Services and CTO of the cybersecurity firm FireEye, about the firm’s role in assisting Colonial Pipeline’s incident response.

Some key takeaways from these hearings include the fact that members of Congress expect companies will have plans in place anticipating possible ransomware attacks; companies should consult with the FBI on ransom payments; and companies should participate in government cybersecurity initiatives that are relevant to their business. These and other points are discussed below:

  • Lawmakers on both sides of the aisle are keenly aware of the growing risk of cyberattacks on critical infrastructure. In both the Senate and the House Committee hearings, committee members proposed a litany of legislative strategies to respond to this risk. Some legislators were inclined to directly regulate cybersecurity practices—particularly for critical infrastructure companies—while others were focused on greater disclosure requirements or mandatory participation in cybersecurity training.
  • At the forefront of many legislators’ minds was Colonial Pipeline’s decision to pay the ransom demanded by the cybercriminals. In both hearings, Republican and Democratic lawmakers alike were critical of Colonial Pipeline’s ransom payment, and the fact that the company did not consult the FBI about that decision. Moreover, multiple legislators inquired into the company’s emergency response plan, showing concern over the fact that the company did not have a specific strategy in place for responding to ransomware attacks.
  • On the point of ransom payments, many lawmakers voiced concerns about companies paying ransoms and stated that companies should not pay ransom to cybercriminals. Members cited two primary reasons for this position. First, paying ransom provides the financial incentive for future ransomware attacks. Second, there is no guarantee that a company that does pay ransom will in fact receive a working encryption key to reclaim control over the affected data. For the Colonial Pipeline attack, both witnesses stated that the encryption key was functional, though imperfect, and explained that the company was ultimately able to restore its systems using data backups.
  • Regardless of the specific policy objectives of the committee members, a key point of agreement between the legislators and the witnesses was the importance of communicating cybersecurity information between and among private entities and the federal government. In particular, members stressed the relationship between private companies and federal entities, such as the TSA (given its recent security directive in the pipeline industry – for more information, please see here), the Department of Energy, the Department of Homeland Security, and the Cybersecurity and Infrastructure Security Agency (“CISA”).
  • Finally, many lawmakers made a point to stress the national security issues raised by the recent uptick in cyberattacks. These legislators argued that the federal government must take strong action against foreign nations that engage in cyberattacks or shelter cybercriminals. They suggest a combination of diplomatic efforts, stronger enforcement measures, and greater offensive capacity to disrupt cybercriminal networks.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

Lorrie M. Marcil

Tyler Wood

Alan Charles Raul

Washington, D.C., New York

araul@sidley.com

Stephen W. McInerney

Chicago

smcinerney@sidley.com

You might also like
Top 10 Questions on the EU AI Act

The EU AI Act will be the first standalone piece of legislation worldwide regulating the use and provision of AI in the EU, and will form a key consideration in AI governance programs. The AI Act will have a significant impact on many organizations inside and outside the EU, with failure to comply potentially leading to fines of up to 7% of annual worldwide turnover.

EU Formally Adopts Cyber Law for Connected Products

On 12 March 2024, the European Parliament approved the EU Cyber Resilience Act (“CRA”) with a large majority of 517-12 votes in favor of the legislation (with 78 abstentions). The CRA aims to ensure that “products with digital elements” (“PDE”) i.e., connected products such as smart devices, and remote data processing solutions, are resilient against cyber threats and provide key information in relation to their security properties.

Regulatory Update: National Association of Insurance Commissioners Spring 2024 National Meeting

The National Association of Insurance Commissioners (NAIC) held its Spring 2024 National Meeting (Spring Meeting) March 15 through 18, 2024. This Sidley Update summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Spring Meeting. Highlights include proposed updates to the regulatory review process for affiliated investment management agreements, continued discussion of considerations related to private equity ownership of insurers, and continued development of accounting principles and investment limitations related to certain types of bonds and structured securities.