WASHINGTON – U.S. Sens. Roger Wicker, R-Miss., ranking member of the Senate Committee on Commerce, Science, and Transportation, John Thune, R-S.D., Deb Fischer, R-Neb., Todd Young, R-Ind., and Cynthia Lummis, R-Wyo., sent a letter to the Transportation Security Administration (TSA) raising concerns about the agency’s plans to issue additional cybersecurity mandates using its emergency authority for Security Directives, which will obviate important feedback from experts on the impacts of such mandates.
These directives will apply to the rail, rail transit, and aviation industries. The new requirements may undercut existing cybersecurity arrangements that are functioning well. The required reporting of cybersecurity incidents to the government may also prove unworkable. Rail and aviation stakeholders have expressed concerns that the definition of cybersecurity incident is so broad that the transportation sector may waste time and limited resources, reporting insignificant incidents without sufficient time to assess severity.
Read the full letter below.
Dear Administrator Pekoske:
We write to express concern about the recent announcement that the TSA intends to impose new prescriptive cybersecurity requirements on the rail, rail transit, and aviation industries through Security Directives. We encourage you to reconsider whether using emergency authority is appropriate absent an immediate threat. With the benefit of public notice and comment through the rulemaking process, TSA may avoid any unintended consequences that disrupt existing effective cybersecurity practices or transportation operations.
We recognize that circumstances sometimes demand that TSA act quickly using emergency authority. Nevertheless, the very importance of effective cybersecurity for critical infrastructure, such as the rail, rail transit, and aviation systems, counsels against acting rashly in the absence of a genuine emergency. Prescriptive requirements may be out of step with current practices and limit the affected industries’ ability to respond to evolving threats, thereby lessening security. Further, prescriptive requirements may have unintended consequences, such as imposing unnecessary operational delays at a time of unprecedented congestion in the nation’s supply chain. Additionally, allowing outside experts to comment will lead to more effective and sustainable cybersecurity actions and measures. A more deliberate approach will reduce the risks and increase the benefits.
The timeline of cybersecurity actions undertaken by the Biden Administration since May belies the notion that emergency action is necessary for the rail and aviation industries. The White House released the “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems” at the end of July, envisioning and urging a collaborative process between industry and government. Rather than engaging the experts in rail, rail transit, and aviation sectors, however, TSA is now embarking on a unilateral approach that excludes input under the confusing guise of an emergency threat to disparate modes of transportation, even though five months have elapsed since the Colonial Pipeline ransomware attack.
TSA should adopt a more collaborative approach that can reliably enhance cybersecurity in the rail, rail transit, and aviation industries. Rather than prescriptive requirements that may not enhance capabilities to address future threats, TSA should consider performance standards that set goals for cybersecurity while enabling businesses to meet those goals. If a determination is made to proceed with specific mandates, the notice and comment process would at least allow for thoughtful consideration of industry practices and concerns. Whatever the path forward, TSA must be responsive to inquiries and mindful of potential harms and adverse effects on practices that are working well.
We look forward to your response and to continuing to work with you to enhance the security of transportation.