Republican Senate leaders slam TSA’s new cybersecurity regulations for rail and aviation
Republican leaders in the U.S. Senate have spoken out harshly against new cybersecurity regulations designed to protect U.S. rail and airport systems.
The new rules were made earlier this month by Homeland Security Secretary Alejandro Mayorkas and will be handled by the Transportation Security Administration (TSA). The regulation was prompted in part by an April attack on New York’s Metropolitan Transportation Authority – one of the world’s largest transportation systems – and a 2020 attack on the Southeastern Pennsylvania Transportation Authority.
But in a letter to David Pekoske, administrator of the Transportation Security Administration, five senior US senators criticized the new rules and the way they were implemented.
Senators Roger Wicker, John Thune, Cynthia Lummis, Todd Young and Deb Fischer – all members of the Trade, Science and Transport Committee – criticized the use of emergency authority to push the rules through, wondering whether they were “appropriate in the absence of an immediate threat.”
Senators urged Pekoske to “reconsider” the rules, arguing that “the sheer importance of effective cybersecurity for critical infrastructure, such as rail, transit and aviation systems, advises against acting recklessly in the absence of a real emergency.”
The letter says the “prescriptive requirements” deployed by the TSA “may be out of step with current practices” and may “limit the ability of affected industries to respond to evolving threats, thereby reducing security.” They also said the rules would impose “unnecessary operational delays at a time of unprecedented congestion in the country’s supply chain.”
Republican leaders have argued that the country is not in an emergency, as it has been five months since the ransomware attack that shut down Colonial Pipeline and left significant parts of the East Coast in a week-long scramble for gasoline.
They added that the TSA erred in forcing the rules on the industry and not taking a “more collaborative approach” with industry experts before releasing them.
“Rather than prescriptive requirements that might not improve capabilities to deal with future threats, the TSA should consider performance standards that set cybersecurity goals while allowing companies to meet those goals,” the Senators wrote.
“If it is decided to proceed with specific terms of reference, the notice and comment process would at least allow for a thoughtful examination of industry practices and concerns.”
Senators further asserted that current practices “are working well.”
Chinese state-backed hackers were implicated in the April attack on New York’s Metropolitan Transportation Authority, which alarmed city officials and federal authorities.
The attackers did not go far enough into the system to cause damage, though they easily could have, and withdrew on their own, according to sources who spoke to The New York Times at the time. City officials are still concerned that the hackers have left a number of backdoors in the system that would allow them to easily regain entry.
Those who support TSA regulations also noted a ransomware attack on ferry services to Cape Cod earlier this year.
Responses to the letter ranged from those who tacitly agreed that the new rules had been brutally pushed through to others who believed the country’s cybersecurity protections for critical industries continued to be dangerously lax.
U.S. Representative Jim Langevin – co-founder of the Congressional Cybersecurity Caucus and commissioner of the Congressional Cyberspace Solarium Commission – criticized the letter, particularly challenging the idea that the country’s repeated failings in cybersecurity do not pose an immediate threat.
“My fellow Republicans need to stick their heads out of the sand if they think ransomware and other cyber intrusions don’t pose an ‘immediate threat’,” Langevin told ZDNet.
“These new TSA regulations will force rail and airport operators to create incident response plans, which they should already be doing. The American people rely on these operators, so CISA needs to know when they have been affected by a cyber incident. These are the minimum regulations and are long overdue.”
Industry experts such as BreachQuest CTO Jake Williams have noted that every cybersecurity regulation comes with the potential to create operational problems, especially when written by people with no previous operational experience in the field.
“We don’t yet know what the guidelines will dictate, so it’s hard to criticize the guidelines themselves. However, the specific criticisms made by Sen. Wicker and others are very valid,” said Williams.
“The TSA is using emergency measures to promulgate new regulations while bypassing the normal feedback process. It is reasonably likely that without the feedback process being used, the TSA will inadvertently introduce operational problems with its new regulations.”