Press Briefing by Press Secretary Jen Psaki, Homeland Security Advisor and Deputy National Security Advisor Dr. Elizabeth Sherwood-Randall, and Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger, May 10, 2021
James S. Brady Press Briefing Room
12:38 P.M. EDT
MS. PSAKI: Hi everyone. Happy Monday. Today, we are joined by Homeland Security Advisor and Deputy National Security Advisor Dr. Liz Sherwood-Randall and Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger.
I know you all know who they are, so I’m going to skip the introductions so we have more time for questions. We have very limited time, but we will try to take as many as possible.
So, with that, I’ll turn it over to Liz.
DR. SHERWOOD-RANDALL: It’s great to be with you today. Thank you, Jen.
I have an update for you on the Colonial Pipeline and what the Biden administration is doing to provide assistance through a whole-of-government effort.
On Friday evening, May 7th, Colonial Pipeline reported that its pipeline system had been subject to a ransomware cyberattack. Colonial chose to shut down its pipeline operations as a precautionary measure and to ensure that the ransomware could not migrate from business computer systems to those that control and operate the pipeline. We’ve been in ongoing contact with Colonial, and the President continues to be regularly briefed on the incident and our work.
Colonial is currently working with its private cybersecurity consultants to assess potential damage and to determine when it is safe to bring the pipeline back online. Thus far, Colonial has told us that it has not suffered damage and can be brought back online relatively quickly, but that safety is a priority given that it has never before taken the entire pipeline down.
Beginning on Friday night, soon after we learned of the shutdown, the White House convened an interagency team that included the Department of Energy, which is the lead agency for incident response in this case; the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency — or “CISA”; the FBI; the Department of Transportation Pipeline Safety and Hazardous Materials Safety Administration; the Department of the Treasury; the Department of Defense; and other agencies.
To give you a sense of what we’ve been doing together since that first meeting, we have met throughout the weekend. The Department of Energy’s Information — Energy Information Agency — or “EIA” — is in contact with state and local agencies to assess current supply and impacts due to the shutdown.
DOE has also convened the oil and natural gas and electric sector utility partners to share details about the ransomware attack and discuss recommended measures to mitigate further incidents across the industry.
DHS’s CISA is preparing a release to go to the broader critical infrastructure community to ensure it has visibility into the ransomware attack and it’s taking appropriate measures to protect its networks.
Colonial is responsible for safely returning the pipeline to service.
And our role in the federal government is to take proactive steps to analyze the impacts of the shutdown on the delivery of gasoline, diesel, and aviation fuel in states that are dependent on the pipeline; and to identify federal options for alleviating supply shortfalls should they develop.
For example: To help address potential supply disruptions, the Department of Transportation issued an hours-of-service waiver yesterday, which provides greater flexibility to drivers transporting gasoline, diesel, jet fuel, and other refined petroleum products across 17 states, as well as the District of Columbia.
Right now, there is not a supply shortage. We are preparing for multiple possible contingencies — because that’s our job, especially on the Homeland Security team — and considering what additional steps may be useful to mitigate any potential disruptions to supply.
This weekend’s events put the spotlight on the fact that our nation’s critical infrastructure is largely owned and operated by private-sector companies. When those companies are attacked, they serve as the first line of defense, and we depend on the effectiveness of their defenses.
To improve the cybersecurity of our critical infrastructure, the Biden administration has already launched a high-priority initiative to collaborate with our private-sector partners to harden our defenses and to build our nation’s resilience.
And that is a perfect segue to my colleague, Anne Neuberger, our Deputy National Security Advisor for Cyber and Emerging Technologies.
MS. NEUBERGER: Thank you, Liz. Good morning everyone.
So, building on Liz’s comments: As you know, on Friday, Colonial shut, proactively, its pipeline operations as a precautionary measure to ensure ransomware would not spread to its sensitive operational networks.
In response, we’re taking a multi-pronged and whole-of-government response to this incident and to ransomware overall.
First, we’re actively engaged with the company and offered support as needed to restore their systems. Right now, they’ve not asked for cyber support from the federal government, but we remain available to meet their cybersecurity needs.
Second, we’re aggressively investigating the incident and its culprits. As part of their work today, FBI released a flash alert with indicators of compromise and mitigation measures once infected.
The FBI identified the ransomware as the DarkSide variant, which they’ve been investigating since October of last year. It’s a ransomware as a service variant, where criminal affiliates conduct attacks and then share the proceeds with the ransomware developers.
We recommend all critical infrastructure owners and operators use the indicators that came out in the FBI flash to protect themselves. And if other inc- — if other entities are infected, please notify the FBI.
Third, the government is convening stakeholders more broadly to ensure everybody has the information needed to protect themselves and to rapidly share information.
This morning, the Department of Energy convened calls with the electricity and oil and gas sectors to keep them informed. The Departments of Energy, Transportation, and DHS, and others will be sharing further indicators of compromise with the sector Information Sharing and Analysis Centers — or “ISACs.”
And the Department of Energy will be holding additional calls with critical infrastructure sector owners as well as state and local leaders to ensure everyone has the latest information about how to protect themselves.
Fourth, we’re taking the threats posed by ransomware seriously with several initiatives. First, we’ll focus on industrial control systems. Critical infrastructure, as Liz noted, in the United States is largely owned and operated by the private sector, which determines their cybersecurity protections are applied to their systems.
Under that context, in mid-April, the administration launched a new public-private initiative to enhance the security of critical infrastructure systems and improve visibility across their operational control systems — the systems on which all Americans depend.
The Department of Energy had the lead for the first 100-day sprint focused on the utility sector, and we will follow with follow-on sprints with natural gas pipelines, water, and other sectors.
The administration encourages all private-sector owners of critical infrastructure to focus on improving cybersecurity, and the government remains open and willing as a partner to support those efforts.
Second: In tackling ransomware, we’re working to disrupt ransomware infrastructure. The FBI recently worked with international partners to disrupt two particular strains of ransomware: the Emotet and NetWalker strains.
More recently, DOJ has established a ransomware taskforce to ensure it can better investigate and prosecute ransomware actors.
Third, CISA is leading a counter-ransomware sprint, which is focused on helping small- and medium-sized companies, who are often the targets of ransomware, better protect themselves.
Finally, we’re pursuing greater international cooperation — ransomware affects countries around the world — to address ransomware because transnational criminals are most often the perpetrators of these crimes and they often leverage global infrastructure and global money-laundering networks.
Indeed, to combat the exploitation of virtual currencies that are often used for payment in ransomware, the U.S. Treasury has also been leading international efforts, including driving development and adoption of virtual assets standards under the Financial Action Task Force.
With those updates, I welcome your questions, turning it over to Jen and Liz. Thank you for your time today.
MS. PSAKI: Okay. Aamer, kick us off.
Q Thanks. Just to clarify something: Has Colonial paid any ransom? And has there been any advice on that?
And then, secondly, is there any timeline for when Americans should be certain that this is going to be taken care of? People are getting ready — Memorial Day is not that far away, and we’re — everyone is concerned about their gas prices. What’s the timeline on when this thing is going to be under control?
MS. NEUBERGER: Absolutely. I’ll speak to the first, and then I’ll turn it to my colleague, Liz, for the second.
So, first, we recognize that victims of cyberattacks often face a very difficult situation. And they have to just balance off, in the cost-benefit, when they have no choice with regard to paying a ransom. Colonial is a private company, and we’ll defer information regarding their decision on paying a ransom to them.
Q Did you — would the administration offer any advice on whether or not to pay a ransom?
MS. NEUBERGER: So, typically, that is a private-sector decision, and the administration has not offered further advice at this time. Given the rise in ransomware, that is one area we’re definitely looking at now to say, “What should be the government’s approach to ransomware actors and to ransoms overall?”
DR. SHERWOOD-RANDALL: So, on the issue of gas prices: As I indicated, right now there are no supply disruptions. And the Department of Energy’s Information Agency — the “EIA” — is doing the analysis right now about potential supply disruptions and what price effects that could have. And we’re working with other agencies to consider how, if necessary, we can move supplies to a place where it might be needed if it turns out that there is a shortfall.
MS. PSAKI: Nandita.
Q Thank you, Jen. My question is just a follow-up on what Aamer was asking. Has the White House broadly considered advice for companies who are victimized by — you know, in such incidents going forward? Is there any advice that you’re considering when it comes to paying ransom in the future?
MS. NEUBERGER: So that’s a really good question. The first and most important advice is: Secure your systems. In this case, the ransomware that was used is a known variant. The FBI has investigated many cases of this in the past, as I noted, beginning in October. So the first and most important thing is to ensure that systems are patched and that cybersecurity is maintained at the level needed in a given network.
We want to see ransomware not be successful, and that begins with greater resilience, particularly in critical infrastructure networks.
Q And another question. You mentioned perpetrators are usually transnational criminals. Do you have any information on whether this particular incident has any ties to Russia or other Eastern European criminals?
MS. NEUBERGER: At this time, we assess that DarkSide is a criminal actor, but that’s certainly something that our intelligence community is looking into.
MS. PSAKI: Josh.
Q Can I ask a little bit more about DarkSide? What — what do you know about them? Is there any retaliatory measures that have been taken or are being considered by the U.S. in response to this or any investigation? You mentioned it dates back to October.
MS. NEUBERGER: Absolutely. So I mentioned that DarkSide is a ransomware, is a service variant. It’s a new and very troubling variant where it’s essentially provided as a service and the proceeds are split. So, in that way, it’s something that we’re particularly troubled by.
And I mentioned as well that the FBI has recently worked with international partners to take down and disrupt ransomware infrastructure. We expect that that will be a continued focus area to make it far more difficult for these actors to prey on their victims.
Q And even though you’re treating it as a criminal act, are you saying it’s state sanctioned? Or is there suspicion that it’s state sanctioned? Or do you just not — don’t know right now?
MS. NEUBERGER: As I mentioned a moment ago, currently we assess DarkSide as a criminal actor. But, of course, our intelligence community is looking for any ties to any nation-state actors. And if we find that further information, we’ll look into it further.
Q But you’re not blaming a particular country right now for (inaudible)?
MS. NEUBERGER: No, we are not.
MS. PSAKI: David.
Q Thanks very much, both of you, for doing this.
First, Anne, just to clarify what you said on ransomware: The FBI has, for years, advised people not to pay it. I didn’t quite hear you say that, so I wondered whether or not you’re reconsidering the advice the FBI has given across many administrations.
And both you and Liz both mentioned the concern that the ransomware may have revealed some kind of data that would then move over to the operational side or put malware in that could move to the operational side. We don’t have a lot of understanding about what that concern is.
Did you no- — did you see, in the early parts of the investigation, that there was malware in the IT side that could be moved to operational? Was it simply that they froze up their ability to bill and, you know, move the fuel, which has been one theory, or that they simply learned information that would allow the ransomware operators to later on be able to get access to the main operational site?
MS. NEUBERGER: Thank you, David. So I’ll begin and then, of course, turn it over to Liz if she’d like to add anything.
So, first, thank you for highlighting the FBI has provided advice in the past that paying a ransom would encourage further ransomware activity and is so troubling. We recognize, though, that companies are often in a difficult position if their data is encrypted and they do not have backups and cannot recover the data.
And that is why — given the rise in ransomware and given, frankly, the troubling trend we see of often targeting companies who have insurance and maybe richer targets — that we need to look thoughtfully at this area, including with our international partners, to determine what we do in addition to actively disrupting infrastructure and holding perpetrators accountable to ensure that we’re not encouraging the rise of ransomware.
And to your second point regarding the concerns on the connection between the information technology and the operational technology side of a network: The operational technology side of the network is the part that actually drives control of a pipeline, for example, and, as such, it is the more sensitive part. The — we are aware that it is the more significant part.
Colonial was very careful. And one of the reasons they proactively chose to shut down the pipeline was because of concerns to manage the incident and gate the ransomware as quickly as they could. So —
Q What I was asking was: Did you see evidence in the malware there was something that could move to the operational side?
MS. NEUBERGER: So the Colonial incident is the private-sector entity themselves.
That being said, speaking to the ransomware directly, the ransomware could, of course, infect technology — whether it is on the IT side or, for example, when there’s Windows-like technology on the OT side.
In this case, I won’t speak to details here because it’s subject to an investigation and those details are held within that investigation. But it certainly is a concern we have in the case of ransomware and why quickly and effectively gating the spread of the ransomware is always the first area of priority.
MS. PSAKI: We can do Kelly and Phil. They got to be quick though because we have — short timeline. Go ahead.
Q Can you explain to us if you believe that this — since it’s criminal, in your judgment now, that there’s a financial motive there — but do you believe that there was a desire to try to penetrate a kind of system that has such huge implications for the U.S. economy and so forth? And how does that create concern for other kinds of systems: the electric grid, whatever it might be, other energy companies? Or was Colonial just a rich target because they could financially pay, potentially? Do you see this as being about the infrastructure more than just the financial incentive?
MS. NEUBERGER: We don’t have further information about the intent of the perpetrators when conducting the ransomware hack against Colonial.
However, as you know, ransomware affects broad sectors. And clearly, criminals have learned that those sectors — one of the key sectors we saw during the COVID pandemic was the hospital sector that was affected by ransomware. Clearly, we know — we see that criminal actors have focused on the more vulnerable victims: state and local governments, schools, critical infrastructure.
And that is why coming up and addressing ransomware with great vigor is a key priority of the administration, because we’re very concerned about the growth in ransomware and the impact it has both on small and medium businesses, as well as the state and local governments in the United States and around the world.
Q Thank you, and just two quick ones. Do you guys consider this attack ongoing or has the malicious actor been removed?
And then, Anne, just to follow up on something: You said that they have not — Colonial has not yet asked for cyber support. Does that create a problem in terms of your ability to respond or the — just federal government’s ability writ large to get a grasp or handle on what’s happened?
MS. NEUBERGER: The details regarding the actual incident are being currently investigated by the FBI. Colonial has noted in their public statement that they’ve worked to control the spread of the ransomware and are actively working to bring back up their network, and they’re at the remediation phase.
So, we’re happy to see the important progress that they made there. And, I’m sorry, what was your second question?
Q You said that the company has not yet asked for cyber support. Does that create a problem for your — the U.S. government’s ability to respond or get a handle on what’s exactly happening when a private entity is not requesting support in that capacity?
MS. NEUBERGER: Our goal is ensuring that the support is available so that any private sector entity who is experiencing a cyber hack can turn to the government for remediation assistance and technical assistance. We judge that the company said that they have adequate support. And they noted, in their public remarks, that they’re using a third-party service, that they feel they’re making adequate progress with their own resources, and we know we’re standing by.
But that — that is — we’re happy that they are confident in their ability to remediate the incident and rapidly recover to meet the needs of their customers in this current environment.
MS. PSAKI: Thank you both so much. I’m sorry. They have to run to another meeting as they go run the world.
MS. NEUBERGER: Thank you.
DR. SHERWOOD-RANDALL: Thank you.
MS. PSAKI: Thank you both for coming.
DR. SHERWOOD-RANDALL: Thank you.
MS. PSAKI: Okay. I know we also have a hard stop because of the President’s remarks. Just keeping you busy on a Monday.