Industry pushes back on federal, congressional cybersecurity mandate efforts

Officials representing key transportation sectors including rail and aviation on Thursday made clear that proposed cybersecurity reporting mandates and other federal cyber efforts aimed at beefing up security are not what is needed to defend against increasing attacks.

Their concerns were voiced as the Transportation Security Administration (TSA) is working to develop and roll out security directives for the rail and aviation sectors that would lay down timelines for required reporting of cyber incidents, among other security steps. 

“There is not a problem with reporting and mandates for reporting, the problem becomes what are we reporting,” Michael Stephens, general counsel and executive vice president of Tampa International Airport, testified to the House Transportation and Infrastructure Committee on Thursday. 

“Part of the TSA proposed guidance that we have been providing comments to is very, very broad-based in terms of what is being required to be reported, and information just for the sake of information is not necessarily a good thing, because it leads to information overload and white noise, and a lot of times it’s ignored,” Stephens said.

The Association of American Railroads (AAR), which represents companies including the National Railroad Passenger Corporation, or Amtrak, has been vocal about its concerns around the proposed TSA security directives since Homeland Security Secretary Alejandro Mayorkas announced they were in the works last month.

Thomas Farmer, the assistant vice president of security at AAR, testified Thursday that he is worried that without a clear definition of what a security incident was, “noise” would be created by too much reporting.

“We have not been apprised of any imminent or elevated threat to railroads or rail transit agencies as a justification for this emergency action, nor are our railroads seeing the sort of activity that would be indicative of an elevated, specific, persistent threat,” Farmer testified.

He also raised concerns around other elements of the directive, including the quick turnaround on for reporting incidents.

“Many cybersecurity experts will tell you that it’s very difficult in that first 24 hour period to have insight into whether what’s taking place is actually significant from a cybersecurity perspective,” Farmer said.

Their concerns were voiced as Congress is scrambling to respond to a rash of attacks this year against critical infrastructure companies, most notably the ransomware attack against Colonial Pipeline in May. The incident crippled the company, leading to temporary gas shortages in multiple states and to the TSA issuing a security directive mandating that pipeline groups report cybersecurity incidents. 

Ransomware attacks have become common occurrences for schools, government agencies and hospitals during the COVID-19 pandemic. Major incidents such as the attacks on meat producer JBS USA and IT company Kaseya over the summer have put added pressure on Congress to take action.

This has led to a bipartisan effort to put in place some form of mandatory reporting standards to give the federal government more oversight of threats facing critical infrastructure groups, often in the private sector, with the Senate and the House advancing legislation on this. 

“With the public’s safety and the national and economic security of the United States at stake, it may be time for voluntary steps by the private sector to give way to mandatory federal reporting requirements,” House Transportation Committee Chairman Peter DeFazio (D-Ore.) said Thursday. 

While there is bipartisan support around the idea of reporting, Republicans have largely pushed back against the proposed TSA directives following industry concerns. 

“I find this hearing somewhat terrifying. It’s based on the premise that federal involvement in ensuring cybersecurity of the private sector is either necessary or insufficient — it’s not either of those things,” Rep. Thomas Massie (R-Ky.) said at the hearing. “I am worried that asking this committee to come up with standards for platforms in cybersecurity is a little bit like asking my cattle to write a term paper on Shakespeare’s works, we are just not qualified to do it.”

Not all sectors disagree with the need for more regulations. The transit sector has been hit by a wave of attacks that have included an attack on New York’s Metropolitan Transportation Authority earlier this year. 

Scott Belcher, a research associate at San Jose State University’s Mineta Transportation Institute, suggested mandating that transit agencies certify they have cybersecurity plans in place before receiving federal funding. 

“The transit industry has almost 3,000 public transit operators that range in size and sophistication, and my experience with them is that they are desperate for regulation, and they are desperate to be told what to do,” Belcher testified. 

While disagreements around what avenue the federal government should take to combat threats remains, hackers continue to target critical infrastructure at a frightening rate, with Stephens saying that Tampa International Airport defends against 3 million “cyber attempts” every year. 

“We are not strangers to mandatory information sharing, again as I stressed before, it’s the nature and the quality of what we share that is really going to make the difference,” Stephens said.