The Colonial Pipeline CEO Explains The Decision To Pay Hackers A $4.4 Million Ransom
NPR's Mary Louise Kelly speaks with Colonial Pipeline CEO Joe Blount on the ransomware attack on the pipeline's network and the decision to pay the hackers the $4.4 million ransom.
MARY LOUISE KELLY, HOST:
Panic fueling, long lines for gas, handwritten signs taped to pumps, empty - those were the headlines last month in the U.S., particularly the southeast, fallout from a cyberattack. Colonial Pipeline provides nearly half the East Coast's fuel supply. And when hackers hit its network and demanded ransom, the company shut the pipeline down for six days and ended up paying that ransom, more than $4 million. Joe Blount signed off on that payment. He is CEO of Colonial Pipeline, and he joins me now.
JOE BLOUNT: Thank you, Mary Louise, for having us today.
KELLY: Are your operations fully restored now? Any lasting damage?
BLOUNT: No, definitely not fully restored. And I think if you talk to anybody who's suffered from one of these criminal cyberattacks, they would tell you that it takes months and months and months to restore all your IT infrastructure. In our case, our focus initially was to get the pipeline back up and running safely and as soon as we possibly could. So we got the critical IT structure put back together, but we have lots and months and months of work ahead of us.
KELLY: Well, and help me understand this. The attack was on your computer system - right? - not on the actual pipeline. So why did you have to shut down the gas? Why not keep it flowing while you were dealing with the problem with the computers?
BLOUNT: Well, let me take you back to the early morning of May 7. We knew immediately that there was an issue. And, you know, we are programmed to only operate the pipeline if we feel that it's in safe operating condition and won't cause any harm to employees, the communities we serve or to the environment. So we have what we call stop work authority at Colonial. Any of our employees has the opportunity to use it. If they identify a risk, their job is to contain it immediately. In this case, a ransomware note came across the screen in our control room. It was immediately recognized, and the control room supervisor immediately decided to shut down the pipeline. It was the right decision to make because you don't know what you have at that point in time.
KELLY: Let's turn to the other decision you made, that you signed off on paying nearly $4 1/2 million ransom. This was in cryptocurrency. Doesn't that just encourage the next attack?
BLOUNT: You know, obviously probably the hardest decision I've ever made in my career. You know, I've been around this asset for a long time. I've been an employee of Colonial Pipeline for three and a half years, but I've been in the industry for almost 39 (ph) now. So once we identified the risk and contained the risk by shutting the pipeline system down and immediately called in cyber experts to help us with identifying further what had been done to our system, one of the things that came up ultimately was the ransom and whether to pay the ransom or not.
KELLY: Well, and take me inside that conversation because I'm thinking if I'm a hacker in Russia, my takeaway might well be, that worked great. Which big U.S. company should be hit next?
BLOUNT: The conversations went like this. Do you pay the ransom or not? And, of course, the initial thought is you don't want to pay the ransom. You don't want to encourage. You don't want to pay these contemptible criminals. But our job and our duty is to the American public. So when you know that you have 100 million gallons of gasoline and diesel fuels and jet fuels that are going to go across the southeastern and eastern seaboard of the United States, it's a very critical decision to make. And if only that, the encryption tool, gets you there quicker, then it's the decision that had to be made. And I did make that decision that day. It was the right decision to make for the country.
KELLY: You know, as I'm sure you know now - you would have learned it if you didn't know it before - the FBI policy is don't pay the ransom because it does encourage the next attack and the next one. What kind of advice, what kind of pressure were you getting from the government as you were weighing this?
BLOUNT: I don't know that there was any pressure from the government. I think the FBI has stated in the past that they don't encourage it. But at the end of the day, it's a decision that has to be made by the company.
KELLY: What role, in your view, should the government play when a private company like yours faces an attack like this, faces ransom? As this seems to be becoming a more frequent problem, is it too big for private companies to handle privately when so many Americans are ultimately affected?
BLOUNT: I think that obviously private industry has a responsibility here. Pipelines do invest in cyberware and security. It's a natural extension of what we've done historically, which is focus on the physical security of our asset. So it really pretty much needs to become a private-public partnership.
KELLY: So you're happy to share information with the government, but you would prefer to have a private contractor who's helping keep the system safe?
BLOUNT: I think once we complete our investigation into this event, partnering with the government and sharing those learnings with our peers in the infrastructure space and more broadly across other sectors is very important so that they can learn lessons from our event. And obviously we can share with them what they've learned perhaps from similar type events.
KELLY: Mr. Blount, thank you for your time.
BLOUNT: Thank you very much. Have a great day.
KELLY: And you as well. Joe Blount - he's the CEO of Colonial Pipeline. Transcript provided by NPR, Copyright NPR.
An earlier version of this story suggested that Colonial Pipeline waited 6 days to pay the ransom. In fact, it decided to pay the ransom on the same day it got the demand.