if it's work, work gets to see everything do you over the vpn if you pay for a personal vpn, your vpn provider is somebody you're trusting with that information. with this two hop system apple is using, nobody including apple, has access to the traffic that you're going through. these two hops that your safari browsing goes through, nobody keep as log. there is no reported of it it's -- it is total lip private. totally private. >> really interesting distinction. we weren't expecting a.r. developments yesterday apple versus a snap, developing a.r. in public with its cre creaters >> they gave one hint about a.r. yesterday. talking about -- didn't talk about a.r. specifically. talking about maps and apple maps they showed an example actually right in san francisco. i'm familiar with the area, but it's right off market street and there's diagonal streets it's hard to know what you mean by make a right, because some of the streets are -- and they showed preview using a.r. with street directions on a map where a 3d arrow showed you which street you wanted to go on for your walking direction

i did reference earlier that the vpn was a legacy vpn. we could not see and it did not show up in any pin testing. that's unfortunate. but again, the safety and security of the system is highly critical. we've neverdsds had our board d us any funds associated with safety and security, whether it's on the i.t. side or physical side of the pipe. if my cio wants funds, she gets them. >> and thiss is an issue that i think we're seeing across i the board on cyber. we h need to start imagining wh canco happen and respond accordingly as opposed to always be looking at what the last problem dwas. right? and really investing. and for critical infrastructure, it's absolutely important we haveve standards that really ma sure thatt companies are investing in thehe kind of infrastructure they need. i haveul another question i am running out of time so i'll submit it foror the record, but really wouldat like to get your thoughts about what kind of information public/private information sharing needs to happen between and among whom and atie what level

so even if you have a vpn, then you're breaking the law. i use that you're going to south. i mean, all of this is we have present issues. we have so many things that we're supposed to focus on as a nation. it just doesn't make sense that tweeter is what is what the resonance is focusing on. for many off information live will have the day tutored by deleted whitish suite. he had held a press conference. this man, we didn't know he could hold a press conference the same day. an event happens. because every time students i keep on going, students have never had a press conference on the same day. every time the bomb explosion, every time i'm killed, every time that people die, he never held a press conference the same day. people are complaining about the price of, of things like the price will feel the same way. and i'll never have a press conference that same day, but because i said, why do you sweet the love, how the dress girlfriends that same day. and we're just really upset because there are so many breast issues that we're fortunate. we like to focus on the nice place f

i referenced earlier that the vpn was a legacy vpn. we could not see it. that was unfortunate.he safety and security of the system is highly critical. we have never had our board tinnitus any funds associated with safety and security. if my cio gets funds, she gets them. sen. hassan: this is an issue i think we are seeing across the board. we need to start imagining what can happen and respond accordingly. really investing, and for critical infrastructure, i think it is important that we have standards that make sure that companies are investing in the kind of infrastructure they need. i have another question. i will submit it for the record, but i would like to get your thoughts about what kind of information, public or private information sharing needs to happen, between whom and at what level, because i think that is an important piece. thank you for being here this morning. sen. peters: thank you for your questions. the >> there is no ce have in america that wants to sit in the chair that you are now. a month past a major attack, there is a lot of work that you are doing. w

and the issue we have about the vpn. a lot of companies would have admitted to that, moved on, especially prior companies, but our work here is critical and we will be clear about what has happened to us so that it doesn't happen to someone else in the future. >> thank you, mr. -- thank you, mr. blount. i yelled back. >> thank you. the chairman recognizes the representative. >> thank you. my question is for mr. carmichael. you raised the cyber awareness of the pipeline sector. mr. carmichael: it is hard to make an assessment now, but i would say there are opportunities for improvement. >> you feel like that's a factor? >> i believe it is. >> do you advise your client to pay a ransom? >> [indiscernible] we don't have requirements to pay or not to pay but we encourage them to have a robust conversation about whether or not a payment should be made and we look at a number of criteria, such as does the threat actors still have access to the environment? could they escalate their attacks? have they stolen data? what is the im

china has strict control laws and while apple's private relay is not technically a vpn, it acts quiteri, apple or the user's network provider cannot see the data. what is significant is that china is one of the iphone maker �*s split was most important markets, and accounts for about 15% of its revenue and china's so—called great firewall effectively allows authorities to block websites from being accessed within china including google and facebook as well. the vpns are used to get around china's strict internet controls, and it is not the first time this has actually happened. in 2017 apple removed a number of its vpn services from the app store to comply with local regulations. is notjust china that has done this, this feature is blocked in a number of other countries as well, including belarus, colombia, egypt, kazakhstan, saudi arabia, south africa, even the philippines. again, it is being made not available because of local laws, and this feature has a number of privacy protections that apple has announced at a software developer conference, and it is part of an effort that had m

so even if you have a vpn, then you're breaking the law. i use that. you have to south naming all of this is we have present issues. we have so many things that we're still hosting for us on as a nation. it just doesn't make sense that tweeter is what is what the president is focusing on. for many saw people, mission lie more, have the day tutored by deleted, whitish suite. he had held a press conference. this man, we didn't know he could hold a press conference. the same day an event happened because every time students i kids, my own students, he had never held a press conference on the same day. every time the explosion, every time i'm killing every time that people died, he never held a press conference the same day. people are complaining about the price of, of paying like the price of fuel, the rest of everything went and he never had the risk on that same day. but because steve, i said, why do you sweet? the love, how the dress girlfriends that same day. and we're just really upset because there are so many breast issues, but unfortunately, they

an issue we had with vpn. a lot of companies would not admit to that. they would've just moved on especially private companies. our role is critical to the nation and were going to be very clear about what happened to us so that it doesn't happen to someone else in the future. >> thank you, mr. blount. mr. chairman, i yield back. thank you. >> thank thank you very muc. chair recognizes the vice chair of the full committee, gentleman from new york. >> thank you, mr. chairman. my first question directed to mr. carmakal at how would you rate the cybersecurity preparedness of the pipeline sector? >> congressman, again it's hard to make an assessment right now but i would say there's certainly opportunities for improvement. >> do you feel like it's satisfactory? >> i do believe that we can continue to improve the security of the sector. >> do you advise your clients to pay a ransom? >> congressman, we don't tell our clients to pay or not to pay but we do encourage them to have a very robust conversation about wheth

system through a vpn. how wide open were they, i think that's the question and i read somewhere there wasn't even a two-step authentication in place , is that correct? >> yes that's correct. unfortunately this is a widespread issue. people have this idea that, you know, vpn's are a security product. while they are, they product your data in transit but i've actually likened the vpn to the equivalent of a hypodermic needle that can inject into a company and bypass security products if you do not have things like two-factor or multi -factor authentication so unfortunately that simple step is what facilitated their ability to get these credentials on the dark web and then leverage them through and effectively get in without any really knowing they were there. ashley: so kareem let me follow-up with how many other companies out there, some with some perhaps critical exposure to our infrastructure, also has this wide open door to hackers who want to find it? >> unfortunately, due to the pandemic, it's probably

it's because the account and the vpn profile wasn't believed to actually be enabled. one person as far as we know. >> and is that person vetted in your prospective? >> it was an employee account. >> where else was it used? >> we do not know the exact source of the site that it was used, but presumably at least one other website because there are passwords that are readily available on the internet and we did find that it was one of the passwords that was stolen from another website but we don't know where it came from. >> wasn't listed on any of the company's documentation? >> not that i am aware of. >> dealing with cyber security vulnerability mediation act to hopefully go to the floor but the crux of this is part of it is a reporting feature that requires companies to indicate what the companies are engaged in. do you think if a company crosses into the domain and when i say that impact as you well know, massive energy streams that literally shut down the east coast and that the government should come in more quickly than it obviously did would that be appropriate i

firewalls and vpn was good for a while but it's no longer relevant and it has lived its useful life andues ransomware and the like. liz: well does that mean that this sort of new threat that's out there and we're thinking of the ransomware that came in, and of course, in that form, it's called a rat, the remote access trojan, which sneaks in and then hangs out for a while and then suddenly, just mutates and explodes throughout the entire system shutting it down. what is it that all of these companies don't get? because you talk about firewall, a lot of that is the hardware of it, right? do we need to shift to software protection? >> it's not the hardware or the software. it's the model. the old model said if you're inside the castle you're safe, if you're outside you're not safe and i use fire work technology at the moat and a door to keep you safe. the challenge is applications are no longer the castle. users are no longer in the castle they are out there, everywhere and that's where the model fails. what's really needed is this new architecture that's cabbies advocated by gartners of

but they are using vpn, so it's unclear how the prosecutions are really going to work.ent has said it's a temporary suspension and night an out right ban and it says twitter is using double standards by deleting the president's remarks but not a group that has led a lot of unrest in the southeast has clashes between the nigerian army and this group, and there's conflict there right now, and the government says twitter doesn't understand the political landscape by wading into this and deleting the president's tweets which is why they issued a temporary suspension on twitter. many people say in a week where young children have been kidnapped, at the youngest four and five, twitter should not be the main concern of the government. you know, it's an ongoing situation and, you know, there's a lot of shock and anger, robin. >> thank you. >>> now the black box has been recovered and handed over to authorities for the investigations, and the governorance says no oil or fuel leaks have been found so far, and the ship started to sink last week after it was gutted by fire. >>> you

the we definitely as the both the use of like vpn technology and the doc not playing a critical role. also, reason protests in russia. obviously both states heavily sense of the use of social media and they take away accreditation of journalists and so communicating through alternative means and circumventing these things. censorship tools has become really critical. i take freedom of speech seriously. journalists rely on the dark web to work and to be protected from state control. for this reason, lisa bit my from reporters without border assess that we shouldn't simply think of the dark rip as being just the dark side of the internet. the darkness definitely hasn't missed problem the term brain. but the aspect of a sudden technology in a way to say this is about illegal activity online. and it's not just that funded mentally. it's an anonymous ation tool. and that enables both legal activity and illegal activity. but it's really critical to general with the flow as around the world, and therefore we need to talk about the positive aspects much more prominently as well. i think the t

one that employees can access through vpn.quired only a user name and password, single factor. the company has shut that down. that is one change. we learned new details. colonial discovered at 5:00 a.m. on may 7 that it was hit with ransomware and shut down the pipeline remarkably quickly, within 15 minutes because the company didn't know whether the hackers only got into the data system or into the computer system that controls the pipeline. they contacted fbi and were in touch with several other federal agencies. with the uncertainty of what was hit, the ceo said he decided to pay the ransom the next day because of the need to get the pipeline back up as soon as possible. he said the fbi did not try to talk him out of paying the ransom although he knew well they felt ransoms shouldn't be paid. they got in through a single factor vpn, they said it proves you are only as strong as your weakest link. >> there is no requirement they notify the government. there are a lot of loose parts. it is a good thing they told the governme

cybersecurity hygiene item that companies should have in place >> in the case of this particular legacy vpn, it did only have single factor authentication it was a complicated password so i want to be clear on that it was not a colonial 123 type password >> now, blount also defended the company's spending on cybersecurity when pressed by senator josh hawley. >> our owners have never denied us any opportunity to spend what we need to spend in order to keep the pipeline safe and secure. >> which is about what a year? >> take the average. over $200 million in the last five years >> now, that $200 million is for i.t. spending overall, not just on cybersecurity it's not clear exactly how much the company is spendsing on cyber. the company told me today it won't disclose that number blount testified colonial has 100 people dedicated to i.t. and he said the company realized it might have to relearn how to do some things manually without computers in this age of ransomware because almost everyone who knows how to do that is gone >> a lot of those people that did operate colonial pipeline and other

. >> in the case of this particular legacy vpn, it did only have single factor authentication. it was a complicated password so i want to be clear on that. it was a colonial 123 type password. >> the president's first top stop is in england where he will meet with prime minister boris johnson and queen elizabeth. mona. >> faith, thank you. >>> the biden administration is urging companies to protect themselves from ransomware attacks like the one that crippled the colonial pipeline. during an exclusive interview with abc's pierre thomas, homeland security secretary alejandro mayorkas warned about the growing threat facing the power grid, the food supply and other critical infrastructure. >> we're not talking about people with conscience. we're talking about criminals who want to make money illegally or who want to do harm independent of a profit motive. >> mayorkas is urging businesses to create fire walls and backup computer systems and train workers to avoid scam emails. >>> a new warning for teenagers about a highly infectious variant of the coronavirus. the delta variant fue

it denies the same rights internally, forcing its own population to use virtual public network -- vpnsual private networks, or other circumvention technologies? let's not forget that denying the ability of the u.s. to maine -- u.s. domain name service provider to host and rainy and website is a far cry from the censorship that iran has with at least 15 journalists in jail, the murder of a journalist, the assassination of -- by the state. overt, rampant censorship. we also need to be careful about false equivalency here. anchor: scott, i would like to ask you another question with regard to the timing of this move by the u.s. this comes days after braemar ec -- ebrahim raisi has been elected president. should this be construed as a message to him and his incoming administration? guest: as the professor pointed out, we do not know. we do not know if the two tracks i pointed to earlier arlington anyway. i would be surprised if they are meant to be a message from for a couple of reasons. first of all, raisi is there is a spokesperson for the supreme leader. his manufactured election was be

mobile phone networks. 0n wi—fi, you could still access the website and the hashtag "thank god for vpnmany users have managed to find a way to use the website by using virtual private networks. the nigerian government had announced on friday that it had planned to suspend all of twitter�*s activities in the country. at the time it was unclear what they meant by that. it seems they have now decided to block access to the website. telecoms companies that operate in nigeria released a statement saying that they had received a directive from the government to suspend twitter and that they had complied, but they did say that they followed the united nations provisions on freedom of communication and that they agreed with those. twitter users in nigeria have been very angry. they say this is undemocratic. nigeria is africa's largest democracy and many see this as a step backwards for the country. many also pointing out to the fact that president buhari was a military dictator in this country in the �*80s and they see this latest move as a continuation of that legacy. twitter has issued a sta

although the investigation is still ongoing, and we believe the attacker exported the legacy vpn profile that was not intended to be in use. i made the decision to pay and i made the decision to keep the information about the payment is confidential as possible. it was the hardest decision i made in my 39 years in the energy industry. and i know how critical our pipeline is to the country. we are further hardening our cyber defenses. we have rebuilt and restored or critical i t systems and are continuing to enhance our safeguards. but we are not where i want us to be. and the rest where attackers had gained access to colonial computer networks in april using a compromised password. blunt confirmed, it was not protected through multi factor authentication. now, meanwhile, officials from the department of justice and outs monday, they were able to recover a majority of the $4400000.00 encrypted currency ransom paid to the dark side. hackers. today we announced the seizure.

messages while it denies the same rights internally forcing its own population to use virtual public vpn virtual private networks, or other anti, you know, other circumvention technologies. and meanwhile, like let's not forget that, denying the ability of a us domain names service provider to host moran in website is a far cry from the censorship that iran house, with at least 15 journalists in jail. the murder of a journalist, the assassination by the state and you know, overt ramp and censorship. so i think we also need to be careful about kind of false equivalency here. scott, if i might, i'd like to ask you another question with regard to the timing of this move by the us. because this comes just days after abraham racy was elected president in iran, he's the incoming president. the u. s. is accused him of human rights abuses. they've been post sanctions on him in the past. should this in any way be construed as a message to him and his incoming administration? i think is, doctor ross pointed out where we don't know what other the 2 tracks are from earlier are linked in any way. i'd

looking for that we was the other which but the thing is, but like i said, i do think we're using a vpn to actually i still says that the media, i will continue to do that, will continue to speak up and continue to show our rights in the demo. chris is protect that we ask that a group of and i do that are we are not knock off, make the trip up late. i see you, so if a great to talk to you. thank you for your time. we appreciate it. thank you so much for having me. you're welcome. right, i don't often get to say this on television, but we're going to talk about safe. not an outbreak of alki tend to see of mama in turkey, which is really alarming scientists. the slime has grown so much that it is threatening wildlife, local businesses and the environment as a whole. the hunting has more slime sludge. cease not. these are just some of the ways this form of pollution is being described. the thick brown bubbly foam is officially called marine usage, and it's killing wildlife. a long turkey southern coast. i saw 20 to 30 shrimps on top of the seas, not all deed that had jumped up and got stuc

without all of my niger finally, it feels quite lonely that all people working around that using a vpn, which is the typical go to tools when as authorities, whenever a country says ok, twitter is now there is a work around you see that i'm seeing a little bit of that we've had time or which is what twitter treated out on saturday to support nigerian rally around. please bring back to my cherry. well, on the day i love vps trying to use the search, but then it was after that that they made progress and corporations that no tv or your station is allowed me to believe you have a tv and you're not allowed. and there i'm at one of the physician has said that, given an order that now you need to eat, i will be criminalized. so even if you will be in, then you're breaking the law. i use you going to south. i mean, all of this is we have present issues. we have so many things that we're supposed to focus on as a nation. it just doesn't make sense that tweeter is what is what the resume is focusing on. many saw for mission live will have the day tutored by me. deleted. whitish suite he had hel

although the investigation is still ongoing, and we believe the attacker explored the legacy vpn profile that was not intended to be in use. i made the decision to pay and i made the decision to keep the information about the payment is confidential as possible. it was the hardest decision i made in my 39 years in the energy industry. and i know how critical our pipeline is to the country. we are further hardening our cyber defenses. we have rebuilt and restored our critical i t systems and are continuing to enhance our safeguards. but we are not where i want us to be. and the rest where attackers had gained access to colonial computer networks in april using a compromised password. blunt confirmed, it was not protected through multi factor authentication. now, meanwhile, officials from the department of justice and outs monday, they were able to recover a majority of the $4400000.00, encrypt currency ransom, paid to the dark side hackers. today we announced the seizure of millions of dollars in big point, paid by an innocent victim in ransom in a bid to regain control of computer system

. >> the ceo of colonial said they had a single vpn authentication. are these companies prepared? >> a big part of this, particularly with the large corporations or infrastructure, they have a lot of legacy systems. they are always upgrading systems. every one of those updates creates a complex overlapping layer that all of your inpoints are protected. it sounds like in this case it was an old access point that didn't have two factor authentication. sometimes we forget the scale of these organizations, sometimes millions and millions, that's tough to check. >> for sure. thank you both very much. as always, appreciate your insights. >>> coming up next, president biden is expected to make major announcement on donating vaccines to the places in the world that need it most. e place world that need it most. my parents worked long hours and i helped raise my younger brother. when college felt out of reach, the kpmg future leaders program was there for me. it was more than a scholarship. it was four years of mentorship and support. today, i'm an investment banking analyst and i'm just g

. >> in the case of this particular legacy vpn, it did only hav

solve the problem but of course they're not putting devices that have been on other networks into the vpns or you bring threats and really these are difficult questions and i think a really important question that the caller asked about theproblem we need to get ahead or that you brought from the washington journal . the problem we need to get ahead of his hybrid environments if there with us to stay we need to get it. >> a virtual private network l so you might have a situation where your own worker is talking your corporate network through an encrypted double so all the data is going back and forth. it's well protected but it's a device that creates operating on your home network and then you bring us this encrypted safe space. it's like it's almost like bringing the coronavirus into the a safe space with you. you might bring bonds in inadvertently. >> host: barbara, independent. you're on. >> caller: i have 2 questions. first is if they could see this crypto currency, why can't they determine who was going to be the recipient of the dough currency and the second is do people or do gover

blount, right, that a vpn account that was legacy, single factor authentication, these are things we have to take into consideration. we talk about multi-factor authentication now for months, certainly highlighted even more during the pandemic last year, but, you know, having passwords that are stronger, making sure that you change your passwords. no matter how strong your password, if it's compromised -- these everyday things that us as consumers can do certainly get in the way of being that weakest link. that's what these attackers want to do. they want to attack the weakest link. the goal is not to be the weakest link, and then that will help us be able to defend these type of attacks and be safer as a society. >> is there a safe place to store your passwords for those of us who try to change them regularly? >> that's the beauty of multi-factor authentication, it's a new password every single time. it's not something that is a static password that we use and reuse again and that's the password that can be compromised. perhaps published on the dark web and being reused. outside of

you are putting devices that were not on the vpn into the vpn and bringing threats in, these are difficultuestions. a really important question that our caller has asked about and we need to get working on and get ahead of is this new hybrid environment. we have to defend it. host: forgive my ignorance, vpn? guest: virtual personal network. your worker could be talking through an encrypted tunnel so all the data going back and forth is fairly well protected. if the device was operating on your home network and was unprotected, you are bringing it into a safe space. it is almost like bringing the coronavirus into a space with you. host: barbara in fairhope, alabama, independent. you are on with jamil jaffer. caller: two questions. first, if they could see this cryptocurrency, why can't they determine who was going to be the recipient of the cryptocurrency? the second question is, do governments in russia and north korea and china, do they also get hacked and do they have to pay for this kind of operation? guest: it's a great question from barbara. one of the things to think about in cybersp

but those hackers are getting better and better and better and with the vpn services and the redirectionnd. think the best the biden administration could hope for on an international scale is to make it such that whenever country has the beach on which those dudes are sitting are taking it as seriously as we do and trying to make it an inhospitable place. and on june 2nd the memo said to everybody in the private sector, you have to do more because we're all going to be affected, ally. >> thank you. feel bad getting you up early in the morning but better for ow viewers. jake ward, coming to us from the dark west coast right now. president biden's infrastructure bill is now a proposed $1.7 trillion plan. down from the original $2.3 trillion price tag. what is a few hundred billion between friends. apparently it is a deadlock. the president has rejected latest republican offer. what that all means for our economy is next. ca. thousands of smarter towers, with the 5g coverage you need. broader spectrum for faster 5g speeds. next-generation servers with superior network reliability. because t

darkside used an unused vpn account that had a single password, not the two-factor authentication thatur nbc accounts from home. he said it was a complicated password, not a "colonial 123" type password. but he said the company did not have a ransom plan despite spending an average of $40 million a year on cybersecurity. he says his company now complies with the latest cybersecurity standards ordered last month by the transportation department. he recounted how colonial shut down its pipeline 15 minutes after it learned it had been breached because the company didn't know whether it was only the corporate i.t. systems or whether it was the pipeline operating systems that had already been compromised. then he described, u.s. heard there, making the decision to pay the ransom the next day, which he said was the hardest decision he ever had to make although he thought it was in the best interests of the american people. we should note it was a decision he made without a complete understanding of how deeply the ransomware had penetrated his company's systems. the hacking group darkside the

they added interesting privacy features, including vpns, which pro protect you where you're browsingnd google maps in general, so that's kind of cool. just trying to have you be part of the apple ecosystem even more, so you again -- everything you do on apple is something you want to keep doing on apple. they'll probably run into some regulatory issues around the facetime stuff, although they had facetime before zoom so we will see they're definitely moving into other people's area iz and that will attract government regulation and scrutiny for sure. >> if only the android techs would stop coming through green, i think that would literally change my life. >> would that? i can call someone. >> thank you. >> i want to ask you about the apple wallet update. i will be able to flash the wallet to get on a plane what do you make of that update? >> you could always do that before with your ticket. >> not without my driver's license. >> exactly so it's just the inevitable march of everything on your phone. the same thing with cryptocurrency everything is going to be on these phones and event