Official: White House to Meet with Rail Industry Before Issuing Cybersecurity Rules


The meeting comes as the Office of the National Cyber Director prepares a more comprehensive approach to securing privately owned and operated critical infrastructure.

The White House plans to consult with leaders of the rail industry next month on a new cybersecurity directive, according to Deputy National Security Advisor for Cyber and Emerging Tech Anne Neuberger.  

Speaking at the Aspen Security Forum Wednesday, Neuberger said security directives the administration issued for the pipeline sector last year—in response to a ransomware attack that led to a run on fuel supplies along the East Coast—were “a major change which we then rolled on to additional sectors.”

“We will be inviting all the rail CEOs in the country to come in the beginning of August to the White House also for a classified briefing as we, again, pursue a similar directive there,” she said, adding, “We're working sector by sector to put that in place, because we know that a disruption or degradation would impact millions of Americans.”

But, after the industry complained about the pipeline directive being too rigid, the Department of Homeland Security’s Transportation Security Administration is relaxing its enforcement of requirements for the sector, and White House officials have asserted a lack of authority for mandating similar rules for other providers of critical infrastructure. 

During the rollout in January of a voluntary initiative to secure industrial control systems in the water sector, for example, senior administration officials said the Environmental Protection Agency has limited authority to impose basic cybersecurity requirements on operators and that the White House is working with the agency to propose legislation that would give it powers similar to TSA's.

Not everyone agrees with that assessment. During an event the R Street Institute recently hosted on water-sector cybersecurity, Mark Montgomery, who served as executive director of the congressionally mandated Cyberspace Solarium Commission, said “EPA has tons of regulatory authority” it could use for cybersecurity.

Montgomery, who is now a senior fellow at the Foundation for Defense of Democracies and director of its center on cyber and technology innovation, said the issue is one of insufficient resources, adding it wasn’t too long ago that TSA was in a similar situation with only a handful of employees working on pipeline cybersecurity.  

In a report FDD published on the issue last fall, Montgomery recommended a temporary solution as EPA builds up its cybersecurity bench. 

He—and water sector leaders—support mirroring the self-regulatory model used by the Federal Energy Regulatory Commission, which regulates electric utilities via the industry-comprised North American Electric Reliability Corporation. The utilities themselves agree on a cybersecurity standard they will meet, which FERC then approves. Violations of the standard can result in fines, as they did in the case of Duke Energy, but NERC is responsible for administering them.

“It's initially self-regulated,” he said of the recommendation, adding, “If EPA gets stronger and more effective, then EPA can take a stronger oversight role. That's their responsibility as a federal agency. I mean, it’s very frustrating that they’re not doing it.”

In an interview with Nextgov, Montgomery noted the role of National Cyber Director Chris Inglis, who is expected to produce a comprehensive cybersecurity plan and who recently said cybersecurity mandates are coming, particularly for commercial information and communications technology.

“Chris is also being pretty coy about how” that will happen, Montgomery said. “You can’t pin him down [on a model].”

Inglis’ office is reportedly writing the national strategy document this fall.