Lawmakers split on next steps to secure transportation sectors against hackers

Lawmakers are split on the next steps that should be taking to secure key transportation avenues like air and rail against cyber threats.

Alarms about the risks to transportation have grown louder since the Colonial Pipeline hack, but lawmakers disagree over whether directives from the Transportation Security Administration (TSA) go too far or not far enough.

Lawmakers are focused on threats to pipelines, rail transit and aviation.

After the Colonial hike caused crippling gas shortages in multiple states in May, the TSA issued two directives to secure pipelines. 

Homeland Security Secretary Alejandro Mayorkas announced earlier this month that the TSA would soon issue security directives for rail and aviation, which will require higher-risk transit entities to report cybersecurity incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, among other measures. 

Multiple transportation-related organizations have been the victims of cyberattacks in recent years. The New York Times reported that computer systems for New York’s Metropolitan Transportation Authority were hacked by Chinese-linked hackers in April, while the Port of Houston was hit by a cyberattack this past summer. 

But while most officials agree on the need to prioritize cybersecurity after a year that has seen a concerning rise in ransomware and other cyberattacks against critical infrastructure, the speed and process around the directives being put out is worrying to some. 

A group of Senate Republicans led by Senate Commerce Committee ranking member Roger Wicker (R-Miss.) last week sent a letter to TSA Administrator David Pekoske noting their concerns around “prescriptive security requirements” imposed on various sectors. 

“We encourage you to reconsider whether using emergency authority is appropriate absent an immediate threat,” the senators wrote. “With the benefit of public notice and comment through the rulemaking process, TSA may avoid any unintended consequences that disrupt existing effective cybersecurity practices or transportation operations.”

Rep. Carlos Gimenez (R-Fla.), ranking member of the House Homeland Security transportation subcommittee, stressed during a hearing Tuesday the need to involve industry in the process. 

“The owners and operators know their systems the best and what is workable,” Gimenez said. “Having a strong public-private partnership as new cyber requirements are imposed in the transportation sector is key.”

Industry has also raised concerns around the way the directives are being put out and the need to consult with companies impacted. 

The Association of American Railroads, whose members include the National Railroad Passenger Corporation, or Amtrak, said in a statement earlier this month that they hoped the directives would “enhance, not hinder, coordinated cybersecurity efforts” and noted they were given only three days to review the changes. 

Scott Dickerson, the executive director of the Maritime Transportation System Information Sharing and Analysis Center Institute, testified Tuesday in favor of industry inclusion in the process of securing transportation sectors.

“It feels like industry is being threatened with additional regulation and security directives rather than being treated as the partners who own and operate the vast majority of critical infrastructure,” Dickerson noted in his prepared testimony to the House Homeland Security Committee’s cybersecurity subcommittee.

However, some lawmakers saw the proposed security directives as not only necessary, but don’t go far enough.

Rep. Bonnie Watson Coleman (D-N.J.), chairwoman of the House Homeland Security Committee’s transportation subcommittee, urged the TSA to issue directives for the maritime and automobile sectors to increase cybersecurity. 

“Secretary Mayorkas’s announcement of forthcoming requirements for rail transit and aviation are justified, necessary, and an important first step, but more action is needed,” Coleman testified Tuesday. “In the 21st century, physical security and cybersecurity are two sides of the same coin.”

Sen. Angus King (I-Maine), the co-chair of the Cyberspace Solarium Commission, stressed to The Hill on Tuesday that “industry should not be objecting, they should be helping, they are the ones who are at risk.”

The security directives for rail and aviation groups are not yet out, giving TSA potential time to consider feedback from those concerned with potential overlapping requirements for industry.

“I think I want to examine those and we can always evaluate them once they’re out, but we clearly need to take action,” Senate Homeland Security Committee Chairman Gary Peters (D-Mich.) told The Hill Tuesday. 

While divides remain on what is necessary and how to involve the industries impacted, with attacks continuing to increase, there is agreement around the urgency of the moment. 

“This is our moment to ensure that every transportation operator in America prepares themselves for 21st century threats,” Watson Coleman testified. “We can’t wait until a hacked plane falls from the sky or a breached railroad gridlocks our nation’s supply chain to take action.”