Senators Seek Clarity on DHS, DOT Cybersecurity EffortsLawmakers Request Cyber Details from Alejandro Mayorkas, Pete Buttigieg
Ten U.S. senators this week wrote to the secretaries of both the Department of Homeland Security and the Department of Transportation inquiring about specific measures they plan to pursue to prevent and respond to cyberattacks on the nation's critical infrastructure.
Addressed to DHS Secretary Alejandro Mayorkas and DOT Secretary Pete Buttigieg, the bipartisan group of senators - six Republicans and four Democrats - cite increasingly sophisticated attack attempts.
As co-sector risk management agencies, or co-SRMAs, for transportation, the senators say, "DHS and DOT must have the capabilities and resources to prevent and address these threats." Transportation is one of 16 critical infrastructure sectors designated in a presidential policy circa the Obama administration - and recently reemphasized in a summit between current president, Joe Biden, and Russian leader Vladimir Putin (see: Analysis: The Cyber Impact of Biden/Putin Summit Meeting).
The senators are requesting information about the respective agencies' security-related processes. In the letter, dated Jan. 3, the lawmakers say: "Cyberattacks on American transportation infrastructure are escalating in frequency and severity, as evidenced by the ransomware attack … on Colonial Pipeline … which led to the shutdown of a network that carries nearly half the gasoline, diesel, and jet fuel for the East Coast."
They continue: "At the same time, many state and local transit agencies are not fully equipped to implement more than basic cybersecurity protections."
The lawmakers then cite a study by the Mineta Transportation Institute, which found that only 60% of transit agencies had a cybersecurity plan in place last year. Nevertheless, they contend, some entities across aviation, highways, motor carriers, maritime transportation, railroads, rail transit, and pipelines, have been implementing comprehensive security strategies. Federal efforts to enhance security, then, will require a "delicate balance" of critical assistance for some, and recognition for others, the senators contend.
They also request information about how the departments are "meeting their responsibilities" as co-SMRAs. These include assessing risk, facilitating information sharing, supporting incident management and contributing to emergency preparedness efforts.
They also request an update on how the departments "collaborate to avoid both gaps and redundancies," and a breakdown of respective roles and law enforcement responsibilities.
The group of senators also requests details on potential updates to the seven-year-old Transportation Systems Sector-Specific Plan, to adapt to new and emerging threats. For instance, they say ransomware attacks on the transportation industry increased by 186% between June 2020 and June 2021.
Senators who signed the letter include: Jacky Rosen, D-Nev.; Roger Wicker, R-Miss.; Rob Portman, R-Ohio; Shelly Moore Capito, R-W.Va.; Raphael Warnock, D-Ga.; Todd Young, R-Ind.; Dan Sullivan, R-Alaska; James Lankford, R-Okla.; Amy Klobuchar, D-Minn.; and Maggie Hassan, D-N.H.
'Will Do Little to Change the Reality'
"[These] letters act as unofficial mechanisms of accountability, in lieu of legitimate binding reform, policy, and legislation," says Frank Downs, a former offensive analyst for the National Security Agency. "While legislation was proposed and put forward in multiple instances last year, following the Colonial Pipeline attack, little progress has been made in codifying legal requirements to enhance the security of the transportation sector."
Downs, who is currently the director of proactive services for the security firm BlueVoyant, adds, "It would appear that lawmakers are grasping at whatever tools are available to them to push positive change within the DHS and DOT to secure the national infrastructure."
Downs says it is "encouraging" that the senators "care about the security of U.S. infrastructure," but that "letter-writing campaigns can do little to change the reality of our weak infrastructure."
Other security experts agree. Ron Brash, vice president of technical research and integrations at the firm aDolus, says outstanding work "extends down" to those supplying tools to railroads, airlines, and other transportation entities.
"The risk that that these senators truly want addressed is something more than lip service," Brash says. "Protection and prevention involves proactive intervention, improved vendor responses to creating better technology or fixing current deployments, ensuring more secure products by default in consumer and industrial spaces, addressing crucial workforce and education gaps, and ultimately, the management of supply chain cyber risks."
Brash adds, "If we wish to protect critical infrastructure, we need to shift farther away from just the asset owners, [and] onto the companies who make the products they own, and towards their major suppliers."
Last month, the U.S. Transportation Security Administration, which sits within DHS, issued two new security directives for higher-risk freight railroads, passenger rail, and rail transit that it said will strengthen cybersecurity across the transportation sector (see: TSA Issues New Cybersecurity Requirements for Rail Sector).
The directives require eligible railway owners and operators to designate a cybersecurity coordinator; report cyber incidents to CISA within 24 hours; develop and implement an incident response plan within 180 days; and complete a vulnerability assessment to identify potential gaps or vulnerabilities.
TSA also released guidance recommending that lower-risk surface transportation owners and operators voluntarily implement the same measures.
This follows two security directives issued for pipeline providers in 2021. In May, TSA required pipelines to report confirmed and potential cybersecurity incidents to CISA within 12 hours, designate a cybersecurity coordinator, and review current practices and identify gaps and remediation measures. A follow-up in July required pipelines to implement certain mitigation controls, develop a recovery plan and conduct an architecture design review (see: TSA Issues Cybersecurity Requirements for Pipelines).
GOP lawmakers were critical of TSA's directives, with Portman and other Republican colleagues calling the requirements "too inflexible".