TSA Considers Rulemaking Process for Cybersecurity in Transportation Sector


The announcement from a White House official follows pressure from industry and GOP lawmakers questioning the administration’s use of security directives to improve the sector’s cybersecurity.

The Transportation Security Administration is exploring use of the rulemaking process to create a more enduring approach to its cybersecurity objectives, according to a leading National Security Council official. 

The effort is distinct from the new security directives that Department of Homeland Security Secretary Alejandro Mayorkas announced on Oct. 6 would be coming later this year to companies related to freight and transit rails as well as airports and others in the aviation industry. The administration expects to start issuing those directives early this month, according to Jeffrey Greene, chief of cyber response and policy at the NSC’s cybersecurity directorate.

“The TSA is also going to study a separate rulemaking process to develop a longer term regime to strengthen cybersecurity” in the transportation sector, he said. A timeline for that process is still undetermined.

Greene was addressing the president’s National Security Telecommunications Advisory Committee, which met Tuesday and approved a report with recommendations on software security assurance. He mentioned the attack on Colonial Pipeline as one of a string of massive hacks that created a sense of urgency to act. While the directives only relate to one sector, their fate will have implications for the administration’s broader approach to securing critical infrastructure owned and operated by the private sector.

After the ransomware attack on Colonial Pipeline—which spurred multiple state-of-emergency declarations along the East Coast—in May, TSA also issued a pair of security directives for critical pipeline operators.

The industry pushed back. And responding to the announcement of the new security directives aimed at rail and aviation, Republicans on the Senate Committee on Commerce, Science and Transportation sent a letter dated Oct. 19 to TSA Administrator David Pekoske expressing concern about unilateral action and a lack of collaboration with industry. The senators said a longer rulemaking process would be better. 

“We encourage you to reconsider whether using emergency authority is appropriate absent an immediate threat,” the senators wrote. “With the benefit of public notice and comment through the rulemaking process, TSA may avoid any unintended consequences that disrupt existing effective cybersecurity practices or transportation operations.”   

Though the senators disputed the existence of an emergency, threats to the sector at large are ongoing, as seen with the Toronto Transit Commission reporting a ransomware attack just this Friday. The New York Times also reported the Metropolitan Transit Authority coming under cyberattack in June, and in September, a port in Houston revealed it was also targeted by potential nation-state actors.

On Thursday, Sen. Rob Portman, R-Ohio, ranking member of the Homeland Security and Governmental Affairs Committee, asked DHS Inspector General Joseph V. Cuffari to investigate TSA’s motive and process for issuing the directives, including the extent of their collaboration with industry and why they didn’t share the directives with Congress ahead of time.

“Unfortunately, we have received reports that TSA and [the Cybersecurity and Infrastructure Security Agency] failed to give adequate consideration to feedback from stakeholders and subject matter experts who work in these fields and that the requirements are too inflexible,” the senators wrote.

Industry representatives will share more of their perspective on the issue during a hearing with the House Transportation and Infrastructure Committee on Thursday.