2 Bills Introduced in Wake of Colonial Pipeline AttackRansomware Incident Prompts Critical Infrastructure Measures
The ransomware attack that targeted Colonial Pipeline Co. earlier this month, which continued to cause gas shortages in several states Monday, has prompted lawmakers in both parties to introduce measures designed to address cybersecurity shortcomings in the nation's critical infrastructure - especially gas and oil pipelines.
For example, the bipartisan Pipeline Security Act in the House would codify into law the roles the Transportation Security Administration and the Cybersecurity and Infrastructure Security Agency play in securing gas and oil pipelines.
Another bipartisan proposal in the House, the CISA Cyber Exercise Act, would require CISA to create a "national cyber exercise program" in which the government and companies would test their IT infrastructures against cyberthreats, including ransomware.
Meanwhile, some members of Congress are again calling for consideration of a federal law mandating breach notifications. Others have asked CISA and other federal agencies to take on additional responsibility to secure the nation's critical infrastructure (see: Colonial Pipeline Attack Leads to Calls for Cyber Regs).
Plus, President Joe Biden signed an executive order Wednesday mandating a number of cybersecurity improvements at federal agencies (see: Biden's Cybersecurity Executive Order: 4 Key Takeaways).
Despite the legislative push, some lawmakers have expressed their frustration with Colonial Pipeline and how forthcoming that company has been about the attack and whether the company paid the gang that attacked it. On Monday, Rep. Carolyn Maloney, D-N.Y., the chairwoman of the Committee on Oversight and Reform, and Rep. Bennie Thompson D-Miss., the chairman of the Homeland Security Committee blasted Colonial Pipeline following a closed-door briefing.
"It is deeply troubling that cybercriminals were able to use a ransomware attack to disrupt gas supply on the East Coast and reportedly extort millions of dollars," Maloney and Thompson noted. "We’re disappointed that the company refused to share any specific information regarding the reported payment of ransom during today’s briefing. In order for Congress to legislate effectively on ransomware, we need this information."
The Pipeline Security Act, sponsored by Rep. Emanuel Cleaver, D-Mo., is backed by 13 other House members from both parties. It failed to advance in 2019 when it was originally introduced.
"The recent ransomware attack on the Colonial Pipeline, which caused the shutdown of thousands of miles of gas pipeline along the East Coast, was just the latest example of why Congress must act swiftly to harden our critical infrastructure and bolster our cybersecurity capabilities," Cleaver said.
In addition to codifying the role federal agencies play in securing pipeline, the bill would require the TSA to update pipeline security guidelines within a year and expand congressional oversight over the agency's role, especially when it comes to cybersecurity.
While the TSA, which is part of the Department of Homeland Security, has jurisdiction over interstate pipelines, the agency has come under criticism for its cybersecurity practices and a lack of oversight of companies that control pipelines.
"Right now, we need to focus on building existing capabilities and resources while ensuring federal roles and responsibilities are clear," said John Katko, R-N.Y., who is co-sponsoring the measure. "DHS and the [Department of Transportation] are co-sector risk management agencies for transportation systems, including pipelines, and should continue to run point, with TSA, CISA and the U.S. Coast Guard continuing to play important roles."
The other bill, the CISA Cyber Exercise Act, would - in addition to creating the national cyber exercise program - require CISA to help state and local agencies evaluate the safety and cybersecurity resilience of critical infrastructure within their jurisdictions.
"This week’s events have clearly shown that cybersecurity is no longer just a 'tech' issue - it's at the very heart of protecting the systems that power our daily lives as Americans," said Rep. Elissa Slotkin, D-Mich., who introduced the bill Friday. "We have to make sure the federal government is working hand in glove with state and local authorities and private industry to deter these attacks and minimize their impact."
Meanwhile, the ransomware attack against Colonial Pipeline Co. remains under investigation. The Biden administration has blamed the attack on a Russian-speaking group that used the DarkSide ransomware variant to target the company on May 7, which led the company to temporarily shut down the 5,500-mile pipeline serving much of the East Coast. President Biden, however, says the Russian government was not involved.
On Saturday, Colonial Pipeline announced that it had returned to normal operations.
The DarkSide ransomware gang on Friday claimed that it had closed down its ransomware-as-a-service operation, saying it has lost access to certain parts of its infrastructure.
Research firm Elliptic claims it confirmed Colonial Pipeline paid a $5 million ransom by identifying the bitcoin wallet the DarkSide criminal group used. But the company has not commented on whether it paid its attackers (see: Paying a Ransom: Does It Really Encourage More Attacks?).
Editor's Note: This article was updated with a statement from Reps. Carolyn Maloney and Bennie Thompson.