On Tuesday, November 19th, the House Homeland Security Committee’s Subcommittee on Transportation and Maritime Security held a hearing titled “Impacts of Emergency Authority Cybersecurity Regulations on the Transportation Sector.” The hearing focused on the Transportation Security Administration’s (TSA) use of emergency directives and on the notice of proposed rulemaking (NPRM) the agency issued earlier this month.
On November 6th, TSA posted an NPRM which would require pipelines and railroads to establish cyber risk management programs. The lengthy NPRM would cover a host of areas related to the establishment of cyber risk programs, and the agency is requesting comments specifically related to the following:
- Specific impacts of regulations and requirements and options for regulatory harmonization
- Whether proposed requirements should also include certain software requirements
- Information on existing low-cost options for cybersecurity coordinator training for TSA’s review
- Requirement for owner/operators to have a Cybersecurity Assessment Plan (CAP) to annually assess and audit the effectiveness of their TSA-approved Cybersecurity Operational Implementation Plan (COIP), and options for methodology within the CAP
- Comments from pipeline owner/operators on streamlining compliance and reducing redundancies in the regulatory process
- Various security and immigration background check potential requirements and their impacts
- Feedback on whether “security-sensitive employees” should be required to be vetted by TSA
- Information for various elements of costs and benefits and economic impact of regulatory requirements
All written testimonies can be found here.
The History
While many often solely associate TSA with aviation, the agency has the larger task of “protect[ing] the nation’s transportation system to ensure freedom of movement for people and commerce.” TSA was established following the terrorist attacks of September 11th, 2001, and the agency is responsible for overseeing security in commercial and general aviation, mass transit, freight and passenger rail, highways, pipelines, and ports.
TSA has a broad purview with expanding responsibilities given our increasingly digital world, which is reflected by recent budget and staff growth. Ranking member Thanedar noted in his opening comments that TSA had an $86 million budget and 86 dedicated positions in fiscal year 2021, which has since grown to $137 million and 167 positions for fiscal year 2024. The request for 2025 would further increase the budget by approximately $8 million and 41 dedicated positions.
As much of the world continues to further automate and digitize operations, one of the areas requiring the most significant attention from the agency is cybersecurity. In May of 2021, the Colonial Pipeline Company experienced a ransomware attack from a cybercriminal hacking group believed to be based in Russia (DarkSide). While Colonial Pipeline was able to disconnect portions of the pipeline system to prevent further impact, the event still forced a temporary shutdown of systems and, consequently, of the transport of energy products around the country.
Although brief, the pipeline incident led to fuel shortages, long queues at gas pumps, and a level of frenzy amongst the public. For TSA, the event caused a greater level of concern over the broader risks of malicious cyberattack incidents, and since this time, the agency has taken a more regulatory approach to cybersecurity. The agency maintains the statutory emergency authority to issue security directives, or mandatory measures, and began doing so in 2021. Since that time, TSA has issued, revised, and extended five directives related to freight rail, passenger rail, and pipeline modes.
The Hearing
The subcommittee invited testimony from five panelists, broken up into two panel groups of public vs. private entity participants, including the following individuals:
- Steve Lorincz, Deputy Executive Assistant Administrator for Security Operations, TSA
- Chad Gorman, Deputy Executive Assistant Administrator for Operations Support, TSA
- Tina Won Sherman, Director, Homeland Security and Justice, Government Accountability Office
- Ian Jefferies, President and Chief Executive Officer, Association of American Railroads
- Kimberly Denbow, Vice President of Security and Operations, American Gas Association
The hearing was short, with the government entity participants providing only brief remarks, and the back-and-forth with members was very limited.
The Positives
If you take nothing else away from this hearing overview, may it be this: everyone in the room wants an outcome-focused, performance-based model in a cybersecurity regulatory framework mandated by TSA. This outcome-focused model would allow owner/operators to adapt a cybersecurity plan based on their specific needs and technology without the limitations and rigidity of overly prescriptive requirements. This was harped on throughout the hearing and reiterated by the TSA witnesses. While various owner/operators may see some of the security directives as too inflexible and as stifling innovation, the panelists praised the outcome-focused approach. Overall, the panelists commended TSA for issuing an NPRM rather than continuing to rely on less formalized directives.
The Issues
While Dr. Sherman mentioned that TSA does still have one recommendation open from a 2019 GAO report on pipeline security (a need to update the 2010 pipeline security and incident recovery plan), as expected, most of the discussion on the NPRM and TSA requirements came from the second panel.
Between them, the two panelists flagged an array of issues related to how TSA might opt to roll out any regulations stemming from the NPRM. AAR’s Jefferies expressed concern over the NPRM’s requirement for reporting a cyber incident. The NPRM would require reporting of a cyber incident within 24 hours, which conflicts with the statutory requirement to report within 72 hours, and further conflicts with the Securities and Exchange Commission’s (SEC) requirement to report within four business days. Beyond creating confusion among reporting requirements, the 24-hour deadline can also pull critical staff and resources away from responding to an ongoing attack in order to meet a reporting obligation.
Additionally, Jefferies noted that for railroads specifically, the requirement for a cybersecurity coordinator to be a U.S. citizen is a significant challenge for the two Canadian Class I railroads. He commended TSA for the NPRM process but shared his reservations about overly prescriptive requirements that stifle innovation and may not have true security justification.
Closing out the final panel, Denbow primarily reiterated much of what was already said. She doubled down on the idea that no single law, standard, or regulation can be applied universally across all pipelines, and raised concerns about inapplicable security measures and unattainable compliance timelines. In her final statements, Denbow threw a slight curve and somewhat came down on TSA, and government more broadly, over its larger data practices. She pointed out that no system is completely secure, yet TSA continues collecting and aggregating the most sensitive security operations data related to critical infrastructure. She expressed a need to limit the vulnerabilities introduced by government’s “subpar” cybersecurity and to conduct audits in person without aggregating this information.
Overall, the hearing flowed smoothly with minimal disagreement between members and panelists. While this may have been related to the fact that the hearing was sparsely attended by Democratic representatives, there was a level of agreement among witnesses and members that one of the keys to protecting cybersecurity operations in the U.S. is to continue to allow businesses to adapt and innovate in a changing world without hindrance from overly prescriptive government regulation.