A federal government left ‘completely blind’ on cyberattacks looks to force reporting


The Colonial Pipeline cyberattack, which led to hoarding and fuel shortages across the East Coast, is spurring new efforts in Congress to require critical companies to tell the government when they’ve been hacked.

Even leading Republicans are expressing support for regulations after this week’s chaos — a sharp change from past high-profile efforts that failed due to GOP opposition.

The swift reaction from lawmakers reflects the disruptive impact of the ransomware attack on Colonial, which prompted the company to shut down its 5,500-mile-long gasoline, diesel and jet fuel pipeline on May 7. The next five days of increasing chaos at the pump laid bare a major gap in Washington’s ability to respond: The vast majority of private companies don’t have to report cyberattacks to any government entity — not even those, like Colonial, whose disruptions can wreak havoc on U.S. economic and national security. And often, they choose to keep quiet.

That information gap leaves the rest of the country in the dark about how frequently such attacks occur and how they’re perpetrated. It also leaves federal authorities without crucial information that could help protect other companies from similar attacks.

A gasoline station that ran out of gas for sale displays an out of service sign on the pump on Tuesday, May 11, 2021, in Atlanta. (AP Photo/Ben Margot)

Without reporting from companies, “the United States government is completely blind to what is happening,” Brandon Wales, the acting director of DHS’ Cybersecurity and Infrastructure Security Agency, told reporters on Thursday. “That just weakens our overall cyber posture across our entire country.” Wales said the solution was for Congress to require companies to report cyber incidents.

Lawmakers of both parties told POLITICO they are crafting legislation to mandate cyberattack reporting by critical infrastructure operators such as Colonial, along with major IT service providers and any other companies that do business with the government.

The planned legislation predates the pipeline attack — lawmakers began drafting it soon after learning about last year’s massive SolarWinds espionage campaign, in which suspected Russian hackers infiltrated nine federal agencies and roughly 100 companies. But the Colonial strike has added urgency to the effort. The group expects to introduce the legislation within weeks, a Senate aide said.

“You couldn’t have a better reason” for such a mandate than seeing the economic impact of Colonial and SolarWinds, said Senate Intelligence Chair Mark Warner (D-Va.), one of the leaders of the legislation along with Republican Sen. Marco Rubio of Florida.

Warner said the intent is to provide a “public-private forum where, with appropriate immunity and confidentiality, you can — mid-incident — report, so we can make sure that it doesn’t spread worse.”

Establishing a reporting mandate for companies like Colonial is the “tip of the iceberg of what we need to do,” said Rubio, the Intelligence Committee’s top Republican.

Senate Intelligence Committee Chair Sen. Mark Warner speaks during a hearing.

In the case of Colonial, CISA’s Wales said the company did not provide the administration with technical information about the breach until Wednesday night — five days after it was reported — and even then the data was not comprehensive. After Bloomberg reported Thursday that Colonial had paid the hackers a roughly $5 million ransom, Wales told reporters that he had no information about any payment.

Colonial also did not request any assistance from DHS in assessing or responding to the attack, top National Security Council cyber official Anne Neuberger told reporters this week. Instead, it hired FireEye, a cyber firm that has previously responded to breaches at the Democratic National Committee and other high-profile targets.

A spokesperson for Colonial, a privately held Georgia-based company whose owners include Koch Industries and Royal Dutch Shell, said Saturday that the company “called the FBI as soon as we learned we were facing an attack” and then worked with the bureau to begin “alerting other relevant federal agencies.”

“We continue to cooperate and assist the federal government with their own investigation as we learn more about the scope of the incident,” said spokesperson Meredith Griffanti. “As we move forward, we will continue to share information — as we have been doing — to support our industry.”

Companies typically choose not to voluntarily share data with the government for legal and reputational reasons. They fear that the notoriously leak-prone government won’t protect their information, leading to embarrassing and potentially actionable revelations.

Suzanne Lemieux, the head of operations security and emergency response for the American Petroleum Institute, said that “any discussion of regulation is premature until we have a full understanding of the details surrounding the Colonial attack.”

No federal law or regulation requires pipeline operators to report any cybersecurity incidents to the government. Instead, suggested guidance from the Transportation Security Administration — the federal agency that oversees pipeline cybersecurity — recommends that they tell local and federal officials about significant breaches.

That’s vastly different from the requirements facing companies that operate key parts of the electric grid, such as generators, substations and large transmission lines, which fall under the jurisdiction of the Federal Energy Regulatory Commission. FERC regulations require those operators to report cyberattacks that compromise or disrupt key equipment, along with any failed compromise attempts. Failure to comply can lead to fines of up to $1.3 million per day per violation.

Colonial may actually have to record any ransom payment in its regular financial reports to FERC, though it likely wouldn’t have to separate it out as its own line item, said Jeff Dennis, a former FERC attorney and general counsel for the clean energy group Advanced Energy Economy. The commission requires quarterly and annual filings from liquid pipelines.

The White House did not respond when asked if it supports requiring some types of companies to report cyber incidents, but Biden told reporters Thursday that the government might need to play a bigger role in improving the private sector’s cybersecurity.

“It’s becoming clear to everyone that we have to do more than is being done now,” Biden said.

The administration is already requiring federal contractors to meet some of the requirements the proposed legislation would extend to private companies. In an executive order issued Wednesday, Biden directed agencies to draft rules requiring contractors to report breaches and maintain important security data.

The gaps in the government’s knowledge were apparent in the week’s press briefings by top Biden aides, who repeatedly stressed that Colonial is a private business and that federal authorities did not have complete insight into how the company was responding.

Asked whether Colonial’s reticence was hampering the government’s ability to respond to the attack, Neuberger told reporters: “We’re happy that they are confident in their ability to remediate the incident.”

The bills lawmakers are working on would centralize currently scattered data collection about hackers’ latest tradecraft and clarify how ransomware victims could get help repairing their networks, Rubio said.

“It’s not a punitive measure,” Rubio stressed. Republicans Susan Collins of Maine and John Cornyn of Texas are also involved in the legislation.

Critical infrastructure companies are also far from the only sector officials are worried about. Information technology companies such as Microsoft and Apple, which provide products and services that power some of the government’s most important activities, likewise do not have to report being hacked. Those are already included in the planned bill, and the lawmakers said the requirement could later be expanded to cover a broader range of companies.

The incident reporting situation has become untenable, many cybersecurity experts say. Nation-state hackers are using vulnerable companies as springboards into their customers and partners, and criminal groups are attacking hospitals, schools and energy companies in ways that, if reported, could be tracked and prevented elsewhere.

DarkSide, the Russian criminal ransomware gang that developed the malware used in the Colonial hack, is not believed to be working on behalf of Moscow, but other groups have been known to act in concert with foreign adversaries. On Thursday, Biden called on the Russian government to take some responsibility for dealing with DarkSide.

Lawmakers have tried before to impose cybersecurity rules on critical U.S. companies. In 2012, Collins co-sponsored such a bill with former Sen. Joe Lieberman (I-Conn.). But the U.S. Chamber of Commerce opposed the bill, calling it overly burdensome on the private sector, and Republicans lined up against it, sinking its chances.

Congress passed a modest law in 2015 that encouraged voluntary reporting in exchange for limited immunity. However, lawmakers of both parties now concede the measure hasn’t worked as intended and didn’t go far enough.

Collins said increased congressional and public awareness about cyber threats and the panic of the past week could be what is needed to get it done this time.

The pipeline attack, with its quick impact on gas supplies and prices, “really brings it home to the American people,” she said in an interview.

Congress is running out of time to prepare the nation for a truly catastrophic cyberattack, according to Wales.

“My sense,” he said, “is that the likelihood is increasing almost every day.”

Eric Wolff contributed to this report.