Homeland Panel Examines Cyber Threats to Surface Transportation

March 01, 2019  | Jeff Davis

On February 26, the House Homeland Security Committee held a joint hearing to look at ways to secure the U.S. surface transportation system from cyber attacks, including potential threats posed by Chinese manufacture of rail cars.

The hearing was held jointly by two subcommittees: the Transportation and Maritime Security Subcommittee (Lou Correa (D-CA), chair, and Debbie Lesko (R-AZ), ranking) and the Cybersecurity, Infrastructure Protection and Innovation Subcommittee (Cedric Richmond (D-LA), chair, and John Katko (R-NY), ranking).

The hearing had two panels – one from the federal government, and one from outside groups. Links to their prepared testimony are below.

Panel 1:

  • Sonya Proctor, Director for the Surface Division, Office of Security Policy and Industry Engagement, Transportation Security Administration, Department of Homeland Security
  • Bob Kolasky, Director of National Risk Management Center, Cybersecurity and Infrastructure Security Agency, Department of Homeland Security

Panel 2:

  • James Lewis, Senior Vice President and Director, Technology Policy Program, Center for Strategic & International Studies
  • Rebecca Gagliostro, Director of Security, Reliability and Resilience, Interstate Natural Gas Association of America
  • Erik Robert Olson, Vice President, Rail Security Alliance
  • John Hultquist, Director of Intelligence Analysis, FireEye

The discussion with the first panel had two main foci. The first was proper roles. It became clear that the TSA surface transportation division has no cyber security specialists of its own. Rather, it (like other DHS subunits) now relies on the new CISA (Cybersecurity and Infrastructure Security Agency) within DHS to provide advice and expertise as needed.

The other was pipeline security, in the wake of a negative GAO audit two months ago that had a list of ten recommendations for TSA and DHS to improve their pipeline security oversight. The GAO report also got a little into the overlap of responsibility between the Energy Department, which has cybersecurity responsibility for the energy sector, versus DHS, which has cybersecurity responsibility for transportation generally. (Are petroleum and natural gas pipelines more about energy, or more about transportation? You be the judge.)

Full committee chairman Bennie Thompson (D-MS) and the other members present expressed concern about DHS’s status in implementing the audit’s recommendations, and urged more attention to pipelines, but also hewed to a close line and did not recommend that pipeline security responsibilities be given to the Energy Department (because if DHS loses the jurisdiction, then the Homeland Committee loses the jurisdiction as well).

During the first panel, Rep. Kathleen Rice (D-NY) was the first to mention a topic that many on the second panel would also address – potential cybersecurity threats caused by purchases by U.S. mass transit agencies from manufacturers owned by the Chinese government. Rice noted that CRRC, the state-owned Chinese rail manufacturing company, has recently won several major mass transit railcar procurements by being by far the lowest bidder (low bids made possible by government subsidies) and said that some of the same cybersecurity concerns about the purchase of Huawei products might also apply to buying CRRC cars.

Kolasky from DHS responded that the problem was less about CRRC specifically but more about getting practices in place to ensure that risk is not added to the system. This should include the addition of tough cybersecurity requirements to all government procurements, and only then looking at which bid is the lowest. He said that DHS is still in the process of working with transit authorities to put better cyber standards in their procurement processes.

The rail car discussion continued on the second panel, which included Erik Olson, head of the Rail Security Alliance, which has been the principal advocacy group pushing a ban on U.S. procurements of passenger rail cars from CRRC. In his prepared testimony, Olson drew a moral line (it’s wrong to use taxpayer dollars to subsidize the state-owned entities (SOEs) of other countries) and also worried that CRRC’s “aggressive, anticompetitive underbidding” would someday decimate the U.S. freight rail manufacturing sector. (Unlike mass transit rail, where there are no U.S. manufacturers, the freight rail car industry is very domestic.)

In response to questioning from Rice, Olson reminded the panel that both the House and Senate had passed different versions of a one-year ban on procurement of CRRC rail cars using federal mass transit funds in 2018, but the final conference agreement last month dropped that provision because, as Olson said, some members of Congress now have jobs created in their districts by assembling CRRC rail car parts shipped from China. Olson mentioned that in the instance of Boston, CRRC’s bid was so much lower than anyone else’s that MBTA was able to waive the use of federal dollars so that no Buy America requirements applied to the purchase. Olson said that unless there is an outright federal ban on such purchases, he assumed that state and local agencies would continue to buy from CRRC because of price. James Lewis from CSIS echoed that in his statement, saying that with China, American consumers have to choose between buying cheap versus buying secure (and more expensive).

Rep. Emanuel Cleaver (D-MO) raised the stakes, pointing out that when he was mayor of Kansas City, he had major concerns about radioactive waste being sent via freight rail through Kansas City on the way to Yucca Mountain, Nevada. Cleaver found a sympathetic ear in Olson, who said that China’s possible entry into the freight rail sector could give them a view on how national security items are moved in the U.S.

Chairman Richmond asked Olson what DHS could be doing better in this regard, and Olson asked Richmond to make sure that DHS finishes, on time, the study of the national security risks posed by CRRC’s entry into the U.S. rail car market required by section 1719(c) of the 2018 defense authorization law (it is due by August 13, 2019).

Overall, Lewis from CSIS was probably the best witness of the day, because he kept coming back to a few clear points:

  1. The governments of Russia, China, Iran and North Korea already have the ability to make devastating cyberattacks on U.S. infrastructure.
  2. The main thing stopping those state actors from taking action is the threat of U.S. cyber retaliation, so the best defense is a good offense.
  3. Any device or component that is (a) connected to the Internet and (b) has to periodically link back to its manufacturer to give telemetry, receive updates, etc. cannot be secured.

A video of the recording can be viewed here.

Reminder: in September 2018, the Eno Center released a report, The Implications of the Federal Ban on Chinese Railcars.
