Colonial Pipeline CEO on Capitol Hill after ransomware attack crippled East Coast fuel pipeline

An out of service bag covers a pump handle at a gas station May 12, 2021 in Fayetteville, North Carolina. (Photo by Sean Rayford/Getty Images)

(CNN) — Colonial Pipeline CEO Joseph Blount will testify on Capitol Hill Tuesday, a month after the company was hit with a debilitating ransomware attack that led to a halt in operations at one of America’s most important fuel pipelines.

Blount will face lawmakers for the first time since a six-day shutdown of the pipeline in May led to panic-buying and widespread gas station outages in the Southeast.

The Colonial incident, followed several weeks later by a cyberattack on a major U.S. meat producer, highlighted the grave risk that ransomware poses to businesses and vital services throughout the U.S., as criminals have increasingly had success targeting large enterprises.

Blount’s public testimony comes a day after the Justice Department announced that U.S. investigators recovered millions of dollars in cryptocurrency paid in ransom to hackers.

Ransomware attacks have grown in both scope and sophistication in the last year, Deputy Attorney General Lisa Monaco said Monday, calling it an “epidemic.”

Blount admitted last month that he authorized a ransom payment of $4.4 million, calling it a “highly controversial decision,” in an interview at the time.

“I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this,” he told The Wall Street Journal.

The FBI and Department of Homeland Security recommend against paying ransom because of the potential to encourage additional attacks. Payment also does not guarantee that a victim’s files will be recovered.

In the case of Colonial, it appears the company’s notification to the FBI helped investigators track down and seize approximately $2.3 million in Bitcoins that had been paid to the criminal group — a rare outcome for a company that has fallen victim to ransomware.

U.S. authorities previously attributed the pipeline attack to DarkSide, a hacking group linked to Russia that emerged last summer offering ransomware as a service to so-called affiliates.

Blount is scheduled to address lawmakers twice this week and will likely be questioned about the payment decision, as well as the cybersecurity standards the pipeline had in place prior to the attack.

He testifies first before the Senate Homeland Security and Governmental Affairs Committee on Tuesday, and again before the House Homeland Security Committee Wednesday.

Over the weekend, Energy Secretary Jennifer Granholm said she would be open to a law that bans the payment of ransom, but she said it’s unclear if Congress or President Joe Biden agree.

“I think that we need to send this strong message that paying a ransomware only exacerbates and accelerates this problem,” she told NBC’s “Meet the Press.”

The hearing also follows Colonial’s revelation that ransomware attackers gained access to the company’s computer networks in April using a compromised password.

The password had been linked to a disused virtual private networking account used for remote access, and the account was not guarded by an extra layer of security known as multi-factor authentication, the cybersecurity firm hired by Colonial confirmed to CNN.

Bloomberg first reported the password vulnerability following interviews with Blount and Charles Carmakal, senior vice president at Mandiant — the forensic division of the cybersecurity firm FireEye.

It is still unclear how the attackers obtained the compromised credential.

U.S. authorities later said that while the attack compromised Colonial’s IT systems, there was no evidence that its operational systems had been affected.

As part of the Biden administration’s effort to grapple with the threat from ransomware, the Transportation Security Administration issued a security directive last month mandating that critical pipeline operators comply with several cybersecurity measures, including reporting cybersecurity incidents to the department within 12 hours and designating a “24/7, always available” cybersecurity coordinator.

The cyberattack on Colonial exposed how ransomware, which is primarily a criminal, profit-driven enterprise, “can rise to the level of posing a national security risk and disrupt national critical functions,” a DHS official said when the directive was announced.

The top lawmakers on the Senate Homeland Committee, Sens. Gary Peters, a Michigan Democrat, and Rob Portman, an Ohio Republican, introduced legislation in April that would establish a cyber response and recovery fund to help companies recover from significant cyberattacks.

“Our nation is increasingly vulnerable to cyberattacks every day, as the Colonial Pipeline ransomware attack showed. Cyberattacks are getting worse and more frequent while the government and critical infrastructure are more dependent on information technology,” Portman said in a statement last month.