Joining us is NBC security correspondent Ken Dilanian. Good evening, Ayman. DarkSide used an unused VPN account that had a single password, not the two-factor authentication that we need to access our NBC accounts from home. He said it was a complicated password, not a "Colonial123"-type password. But he said the company did not have a ransom plan despite spending an average of $40 million a year on cybersecurity. He says his company now complies with the latest cybersecurity standards ordered last month by the Transportation Department. He recounted how Colonial shut down its pipeline 15 minutes after it learned it had been breached, because the company didn't know whether it was only the corporate I.T. systems or whether it was the pipeline operating systems that had already been compromised. Then he described, as you heard there, making the decision to pay the ransom the next day,
Last year I worked on legislation that became law to tighten up on illegal cash payments, the use of dummy corporations. America was, frankly, not even at international standards. We need more transparency. Right, what's happening around ransomware: not only are the companies not reporting they're attacked, but they're not reporting ransomware payments. I want to get to the ransomware payment in a second. You want to make it basically illegal to not report a ransomware attack if you're a company based in the United States. What about a step further, where you mandate a minimum level of security? If you want to be a defense contractor, you have to prove your ability to handle classified information. You know this very well. That's how Colonial has to be treated, JBS, anybody who essentially sells goods and services in the United States. Chuck, here is the challenge. We need higher cybersecurity standards.
later. But right now, in terms of the domestic response to this, the U.S. has no cybersecurity requirements for companies that basically aren't related to electricity, nuclear, banking. There has been proposed legislation that would have set cybersecurity standards for many industries, but that was blocked in 2012 by Republicans. Business groups as well lobbied hard to defeat the legislation. Why are they so dead set against regulation? Even if it is expensive to go through all of this, you'd think it would be in their long-term interest. It actually would be in their long-term interest. But I think you hit the nail on the head: in the short term, it's going to cost them a lot of money to come up to compliance, to be compliant with what the government is going to recommend that they have to implement. And they don't want to do that, unfortunately. We see that time and time again in these instances, whether it's ransomware or something else, where there were securit
When you think about it, specifically when we talk about ransomware in the case of Colonial Pipeline, right now there are hundreds of threat actors that are trying to gain access to vulnerable systems. And they have such a wide variety of attack vectors they can go after that it's very difficult to basically protect against all of them, which is why you really need a defense-in-depth strategy. But you also need cooperation amongst governments to try and make it more expensive for threat actors to carry out ransomware attacks. I want to get to the international component a bit later.
infrastructure here in the United States. While they are trying to get these companies to lock down their networks, some are saying they should go further than that. Senate Intelligence Committee Chairman Mark Warner saying there should be some level of liability for companies that don't completely lock down their networks and live up to certain cybersecurity standards. Take a listen. We need higher cybersecurity standards. Many of us remember when Equifax lost information to the Chinese. There does need to be some level of liability for companies that don't hit the standards. The truth is, when you have a tier-one adversary in terms of their spy services, it's tough to be 100% perfect all the time. That's why if we have an incident reporting requirement,