Lawmakers examine TSA's growing role in cyber

Cybersecurity experts and former federal officials called for streamlined reporting requirements and enhanced information-sharing between the public and private sectors around cyber threats for planes, trains and pipelines during a congressional hearing on Tuesday.

The hearing was held to discuss current and emerging threats to domestic transportation infrastructure and potential new regulatory measures after the Department of Homeland Security (DHS) announced upcoming cybersecurity directives for the aviation and transit industries earlier this month that will strengthen the Transportation Security Administration's authority over cybersecurity.

Democrats on the House Homeland Security committee expressed support for the upcoming DHS directive at the hearing, but also said additional regulations were necessary after a series of recent cyberattacks targeting major railroads and airports, as well as the Colonial Pipeline ransomware attack and others targeting oil and gas pipelines.

"Inaction isn't an option," said Rep. Bonnie Watson Coleman (D-NJ), chairwoman of the Transportation and Maritime Security subcommittee. "When gas stops flowing due to a cyberattack, it doesn't just impact the pipeline's owner. It means Americans struggle to fill up their tanks."

Republicans on the panel noted that there were bipartisan efforts underway to create mandatory cyber incident reporting legislation, but cautioned that industry needs to have a voice in the creation of new rules of the road, including a plan to identify owners of systemically important critical infrastructure.

"It is…incumbent on Congress to ensure such a program includes the appropriate guardrails, guidance and built-in mechanisms for industry collaboration," Rep. Andrew Garbarino (R-N.Y.), ranking member of the Subcommittee on Cybersecurity, Infrastructure Protection and Innovation said in an opening statement.

The upcoming directive for the rail and aviation industries focus on protecting critical airport operators and "higher-risk" railroad and transit assets, according to DHS Secretary Alejandro Mayorkas.

Suzanne Spaulding, senior adviser of the Center for Strategic and International Studies and a former undersecretary at DHS, said in her testimony that the directive has so far been described as prescribing a "relatively basic level of cybersecurity measures and plans for incident response."

"The details will be important but, as described, these directives seem like a step in the right direction," Spaulding said. "Moving forward, [the TSA] will need to operate collaboratively with these sectors to ensure that the requirements and timelines drive toward actual improvements in security and resilience."

She added: "No directives or regulations will achieve perfect security."

Other witnesses also called for new regulatory measures that could potentially help increase trust between the public and private sectors around bi-directional information sharing. Jeff Troy, president and CEO of the Aviation Information Sharing and Analysis Center and former deputy assistant director of the cyber division at the FBI, also suggested expanded liability protections were critical to ensure the private sector can comply with any new reporting requirements.

The hearing followed a set of directives issued by the TSA earlier this year requiring fuel pipeline operation to institute new cybersecurity measures aimed at safeguarding their systems from ransomware attacks. Those directives, issued in May and July, feature mandatory reporting requirements for "confirmed and potential" cybersecurity incidents, and require certain pipeline operators to establish mitigation measures and recovery plans around cyberattacks targeting IT and operational technology systems.