‘Added urgency’: Hill mulls legislation after pipeline attack

By Jeremy Dillon | 05/11/2021 06:55 AM EDT

The ransomware attack on the Colonial pipeline spurred bipartisan calls on Capitol Hill yesterday to pass legislation hardening energy infrastructure against cyberthreats.

Colonial Pipeline Co. facilities in New Jersey, photographed in 2016. Kris Tripplaar/Sipa USA/Newscom

"It’s been clear for years that our nation’s cybersecurity hasn’t kept pace with our ever-increasing reliance on digital systems and internet connectivity across all sectors," Senate Intelligence Chair Mark Warner (D-Va.) wrote on Twitter. "The result has left us vulnerable to foreign adversaries & cyber-criminals, alike."

A fellow committee member, Sen. Susan Collins (R-Maine), said in her own post that the incident had given "added urgency" to a cybersecurity bill she is currently drafting with Warner and Florida Sen. Marco Rubio, the top Republican on the committee. The bill would reportedly require companies to disclose cyberattacks.


"Our critical infrastructure is vulnerable to cyber attacks from transnational criminals, Russia, China, and other adversaries," she wrote. The U.S. has blamed the Russian government for last year’s massive SolarWinds cyberattack and officials have long warned of China’s malign efforts.

After announcing the discovery of a breach in its cybersecurity on Friday evening, Colonial Pipeline Co. shuttered more than 5,500 miles of its pipeline, which moves refined gasoline from the Gulf of Mexico to states along the Eastern Seaboard. It appears to be the most disruptive energy-sector hack in U.S. history (Energywire, May 10).

The White House said yesterday that DarkSide ransomware is responsible for the attack. Intelligence agencies are still looking into whether the attack has ties to state-backed adversaries, Deputy National Security Adviser for Cyber and Emerging Technologies Anne Neuberger said during a press briefing.

In the House, leaders of the Energy and Commerce Committee agreed with the need to shore up energy infrastructure.

E&C Chair Frank Pallone (D-N.J.) and ranking member Cathy McMorris Rodgers (R-Wash.) responded to the attack with calls for more attention to a series of bipartisan cyber bills that passed the House last Congress but stalled in the Senate.

"The last four Congresses, my Energy and Commerce Committee has put forth several bipartisan bills to strengthen our preparedness for cyberattacks on our energy sector, including pipelines," Pallone said in a Twitter post. "Some passed the House last year & now we must immediately pass the rest."

Among the bills pitched, Pallone pointed to a group of four cyber-focused bills moved by the House via voice vote in September 2020 (E&E Daily, Sept. 30, 2020).

One of those bills would codify a new DOE assistant secretary position for cybersecurity. Another would provide more funding for public-private cybersecurity partnerships.

"Agree, Congress must take action on these bipartisan [E&C] bills," McMorris Rodgers responded to Pallone’s tweet. "We should build on our work to protect our energy infrastructure, including pipelines, from cyberattacks."

Even before the incident, the Senate Homeland Security and Governmental Affairs Committee was set to hold a cybersecurity hearing today. The House Armed Services Committee has one Friday (E&E Daily, May 10).

Senate Republicans attack

Other lawmakers took the opportunity to criticize the Biden administration’s energy policies.

The Senate Energy and Natural Resources Committee’s top Republican, Sen. John Barrasso of Wyoming, cast the cyber intrusion as part of a bigger problem with the Biden administration’s energy policies.

"This cyberattack underscores just how important energy pipelines are to our economy and our national security," Barrasso said in a statement. "The Biden administration wants to kill oil and natural gas pipelines. We need more pipelines not fewer."

Sen. Ben Sasse (R-Neb.), a member of the Intelligence Committee, said, "If Congress is serious about an infrastructure package, at front and center should be the hardening of these critical sectors rather than progressive wishlists masquerading as infrastructure."

The top Republican on the Foreign Relations Committee, Sen. Jim Risch (R-Idaho), meanwhile criticized the administration for not choosing a nominee to fill the assistant secretary position that oversees the Department of Energy’s cyber response efforts.

"The Department of Energy is responsible for responding to this attack, yet the administration still has not even put forward a nominee" to lead the Office of Cybersecurity, Energy Security and Emergency Response, Risch said in a statement.

"We need to prioritize hardening our cyber defenses and creating a comprehensive U.S. cybersecurity strategy," he added. "That begins with stepping up and filling the vacant assistant secretary role at CESER without delay."

Risch joined with Sen. Angus King (I-Maine) in March to call on Energy Secretary Jennifer Granholm to put forward a new assistant secretary for the CESER office, amid fears that the new administration may opt to undo changes made by the Trump administration to elevate the role.

Granholm has downplayed those criticisms, saying CESER remains up and running with her support and that her ambition is to expand its capabilities.

‘We need to know more’

Colonial Pipeline has thus far offered scant details on the attack, such as whether it had paid a ransom, though yesterday the company said in a statement that it was aiming to return to normal operations as soon as the end of this week.

As of yesterday afternoon, the White House did not anticipate any threat to the nation’s gasoline supply, Deputy National Security Adviser Liz Sherwood-Randall said, citing U.S. Energy Information Administration analysis.

House Science, Space and Technology Chair Eddie Bernice Johnson (D-Texas) meanwhile urged the private sector to improve its "cyber hygiene" through wider adoption of recommended cyber practices and protections.

"This episode underscores yet again how critical it is for public and private sector agents who enable critical infrastructure to observe the most up-to-date cyber hygiene practices that are informed by federal experts at [the National Institute of Standards and Technology], the Department of Homeland Security, and the Department of Energy," Johnson said in a statement.

Last night, Senate Majority Whip Dick Durbin (D-Ill.) told reporters that he was taking a wait-and-see approach.

"We ought to get some information-gathering, and I’m sure we will, in short order," he said, adding: "I don’t want to presume what caused this, whether it was a bad actor or a bad nation or something else. We need to know more."

Reporter Geof Koss contributed.