Senate Republicans raise concerns about TSA cyber directives for rail, aviation

Senate Republicans raise concerns about TSA cyber directives for rail, aviation
© Greg Nash

Republican leaders and members of the Senate Commerce Committee on Wednesday raised concerns about the timeline and lack of public input involved in recently announced cybersecurity directives for the rail and aviation sectors. 

The senators, led by committee ranking member Roger WickerRoger Frederick WickerHillicon Valley — Chinese disinformation accounts removed GOP resistance to Biden FCC nominee could endanger board's Democratic majority Bottom line MORE (R-Miss.), sent a letter to Transportation Security Administration (TSA) Administrator David Pekoske detailing potential issues with the upcoming security directives, which were announced earlier this month.

“We write to express concern about the recent announcement that the TSA intends to impose new prescriptive cybersecurity requirements on the rail, rail transit, and aviation industries through Security Directives,” the senators, who also included Sens. John ThuneJohn Randolph ThuneCongress averts shutdown after vaccine mandate fight House passes bipartisan bills to strengthen network security, cyber literacy Senate nearing deal on defense bill after setback MORE (R-S.D.), Deb FischerDebra (Deb) Strobel FischerOvernight Defense & National Security — A new plan to treat Marines 'like human beings' Republicans press Milley over perceived progressive military agenda Senate Republicans raise concerns about TSA cyber directives for rail, aviation MORE (R-Neb.), Todd YoungTodd Christopher YoungOvernight Defense & National Security — Presented by Boeing — Senators to take up defense bill Wednesday Schumer: Time is 'now' to repeal Iraq War resolution It's time to give Medicare beneficiaries the opportunity and choice of recovery in the home MORE (R-Ind.) and Cynthia LummisCynthia Marie LummisLobbyists turn to infrastructure law's implementation Republicans struggle to save funding for Trump's border wall Holiday season poses major test for Biden economy MORE (R-Wyo), wrote. 


Homeland Security Secretary Alejandro MayorkasAlejandro MayorkasHillicon Valley —TSA to strengthen rail sector cybersecurity TSA issues directives to rail sector to strengthen cybersecurity US to restart 'Remain in Mexico' program following court order MORE announced the upcoming directives in a speech earlier this month. He noted that the directive issued by TSA will cover “higher-risk rail and transit entities,” and require them to report cybersecurity incidents to DHS’s Cybersecurity and Infrastructure Security Agency (CISA), along with establishing cyber response plans. 

Mayorkas said that TSA would also issue a directive requiring critical U.S. aviation groups to report cyber incidents to CISA and designate a cybersecurity coordinator. He added that the administration was looking at expanding this cybersecurity initiative to other sectors.

TSA previously announced security directives to shore up pipeline cybersecurity following the attack on Colonial Pipeline in May.

The senators on Wednesday took issue with the process of announcing and rolling out the rail and aviation directives, stating that the measures were announced without allowance for a public comment process. 

“We encourage you to reconsider whether using emergency authority is appropriate absent an immediate threat,” the senators wrote. “With the benefit of public notice and comment through the rulemaking process, TSA may avoid any unintended consequences that disrupt existing effective cybersecurity practices or transportation operations.”

They also questioned whether issuing the rules under an emergency authority was necessary, and warned that more regulations could cause more delays at a time when supply chains are already in crisis. 

“We recognize that circumstances sometimes demand that TSA act quickly using emergency authority,” the senators wrote. “Nevertheless, the very importance of effective cybersecurity for critical infrastructure, such as the rail, rail transit, and aviation systems, counsels against acting rashly in the absence of a genuine emergency.”

“Prescriptive requirements may be out of step with current practices and limit the affected industries’ ability to respond to evolving threats, thereby lessening security,” they stressed. “A more deliberate approach will reduce the risks and increase the benefits.”

A spokesperson for TSA declined to comment on the letter. 

The Republican members of the Senate Commerce Committee are not the first to raise concerns about the new security directives. 

The Association of American Railroads (AAR), whose members include the National Railroad Passenger Corporation, or Amtrak, issued a statement the day Mayorkas announced the directives, saying that the rail sector was only given three days to review the changes, noting some requirements were unnecessary. 

"AAR hopes the substantive comments provided will be thoroughly considered in the decision on whether to proceed with the directive and to ensure any actions taken enhance, not hinder, coordinated cybersecurity efforts," a spokesperson for AAR said in a statement provided to The Hill at the time.