Is DC's Subway Ready for a Cyberattack?

It would be an exercise in futility to list the headaches experienced by riders of the Washington Metropolitan Area Transit Authority in recent years.

Following the death of a 61-year-old woman in a smoke-filled Metro tunnel in January 2015, SafeTrack—a year-long series of planned repair jobs to WMATA’s 117 miles of track—routinely causes delays. Only five days into 2017, Metro experienced its first meltdown of the year as a computer glitch left its control center unable to communicate with tracks for about 10 minutes. Yet, the small disruption added 90 minutes to some riders’ commutes, who predictably responded with language unsuitable for small children to WMATA’s Twitter handle.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The glitch, too, seems to have prompted concern in Congress over Metro’s cybersecurity operations, wireless communication and first-responder communication systems.

Sen. Mark Warner, D-Va., wrote a letter Monday to WMATA General Manager Paul Wiedefeld, referencing both the glitch and a November cyberattack on the San Francisco Municipal Transportation Agency’s computer systems. In that incident, attackers took over 900 computers and demanded a ransom to unlock them.

“As a co-founder of the Senate Cybersecurity Caucus and a staunch supporter of WMATA, I am acutely concerned about what this kind of attack may mean for transportation systems like WMATA,” Warner wrote. “While early reports indicate that the attack on SFMTA may have been opportunistic rather than targeted, I am concerned that WMATA may represent a particularly enticing target for more advanced threats, given its importance to the region and the number of federal agencies that rely on the system to transport their workforces each day.”

Warner’s letter references a growing increase of so-called ransomware attacks, whereby outdated IT systems are targeted by hackers and held hostage. The federal government itself has an incredibly complex legacy IT problem, with numerous systems several decades old. Old systems can lead to very real problems.

For example, outdated systems were at least partially to blame for the Office of Personnel Management hack that exposed the personal information of 20 million federal employees and contractors. Similar attacks could devastate Metro, warned Warner, who requested information from WMATA when its last IT overhaul occurred. Daily delays and unscheduled track work are temporary annoyances for riders, to be sure, but Warner said a cybersecurity failure could have long-lasting effects on both riders and Metro systems.

“Should a cyberattack cripple WMATA’s ability to collect fares for days at a time, or have the effect of deterring alarmed riders, the financial implications would only exacerbate WMATA’s serious and mounting fiscal problems,” Warner said. “A cyberattack could potentially threaten these vital networks as well, putting riders at risk if an accident or emergency were to occur during a cyberattack.”

Responding to Nextgov, a Metro spokesperson said, “Metro has received the senator’s letter and will provide a timely response.”

The spokesperson declined to answer questions regarding its cybersecurity defenses but noted it does have systems in place to defend IT systems.

“Due to the sensitive nature of cybersecurity, we do not comment on specific security details,” the spokesperson said. “Metro has various security protocols and safeguards in place to protect our systems and data.”

In the letter, Warner also pushed WMATA to release an “updated plan and timeline for the build-out” of its cellular communication network, noting Metro has “missed several internal and congressionally mandated deadlines.”

Warner also seeks updates on Metro’s emergency response training, its plan to introduce Wi-Fi coverage within stations and whether interoperability of public safety communications systems has improved. An investigation into the January 2015 Metro incident, which left one person dead and dozens injured, revealed the emergency response team faced radio communication problems during the accident.

Warner wants answers from Metro by Feb. 15.