Senate committee raises concerns about rushed TSA cybersecurity rules

U.S. Sens. Roger Wicker (R-MS), John Thune (R-SD), Deb Fischer (R-NE), Todd Young (R-IN), and Cynthia Lummis (R-WY) raised concerns about the Transportation Security Administration’s (TSA) plans to issue additional cybersecurity mandates in a letter Wednesday.

The TSA’s plan to issue the additional cybersecurity mandates using its emergency authority for Security Directives would obviate important feedback from experts on the impacts of those kinds of mandates, the senators wrote. The new requirements, which would apply to the rail, rail transit, and aviation industries, could undercut existing cybersecurity arrangements and may be unworkable, the senators wrote.

“We recognize that circumstances sometimes demand that TSA act quickly using emergency authority,” the senators, led by Wicker, the ranking member of the Senate Committee on Commerce, Science, and Transportation, wrote. “Nevertheless, the very importance of effective cybersecurity for critical infrastructure, such as the rail, rail transit, and aviation systems, counsels against acting rashly in the absence of a genuine emergency. Prescriptive requirements may be out of step with current practices and limit the affected industries’ ability to respond to evolving threats, thereby lessening security. Further, prescriptive requirements may have unintended consequences, such as imposing unnecessary operational delays at a time of unprecedented congestion in the nation’s supply chain.”

The senators also said that rail and aviation stakeholders have expressed concerns to them that the definition of a cybersecurity incident is so broad that the transportation sector could end up wasting limited time and resources reporting insignificant incidents due to insufficient time to assess the severity of the event.

“TSA should adopt a more collaborative approach that can reliably enhance cybersecurity in the rail, rail transit, and aviation industries,” the senators wrote. “Rather than prescriptive requirements that may not enhance capabilities to address future threats, TSA should consider performance standards that set goals for cybersecurity while enabling businesses to meet those goals. If a determination is made to proceed with specific mandates, the notice and comment process would at least allow for thoughtful consideration of industry practices and concerns. Whatever the path forward, TSA must be responsive to inquiries and mindful of potential harms and adverse effects on practices that are working well.”