This past Tuesday, the House Homeland Security Committee convened a hearing to discuss cybersecurity mandates on nationally significant infrastructure sectors such as aviation, rail, and pipelines. This hearing, titled “Transportation Cybersecurity: Protecting Planes, Trains, and Pipeline from Cyber Threats,” was a dual hearing of their Infrastructure Protection, & Innovation and the Transportation & Maritime Security subcommittees.

In light of the catastrophic Colonial Pipeline ransomware attack in May 2021, the Homeland Security Committee has met to discuss next steps for better cybersecurity, particularly for infrastructures of national significance.

Much of the hearing discussed mandates for reporting cybersecurity incidents. Most participants agreed that there is need for increased mandates while reducing redundant reporting. All also agreed on the need to harmonize reporting processes between the many agencies that deal with cybersecurity incidents (DHS, DOT, FBI, TSA, FAA), and recommended using PPPs to take over for capacity-strapped agencies like CISA (Cybersecurity and Infrastructure Security Agency). Witnesses also recommended CISA act as centralized repository for incident reporting.

Witnesses included:

• Hon. Suzanne Spaulding, Senior Adviser, Homeland Security International Security Program, Center for Strategic and International Studies, Former Under Secretary, National Protection and Programs Directorate
• Ms. Patricia F.S. Cogswell, Strategic Advisor, Guidehouse, Former Deputy Administrator, Transportation Security Administration
• Mr. Jeffrey L. Troy, President & CEO, Aviation Information Sharing and Analysis Center, Former Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation
• Mr. Scott Dickerson, Executive Director, Maritime Transportation System Information Sharing and Analysis Center

All witnesses agreed that we no longer can rely solely on voluntary measures for cybersecurity protections. Instead, we must turn to mandates. Currently, Spaulding said, almost no companies report cybersecurity incidents, and many put off safety measures until it is too late – she noted that Colonial Pipeline was due for a cybersecurity update, but they had put it off. Cogswell noted the value of TSA’s Security Directives, which immediately mitigate a threat and sending message to hackers. DHS enacted one following the Colonial hack, mandating critical pipelines take immediate cybersecurity measures.

Nevertheless, while enacting these mandates, Troy recommended consulting and working with the industry, citing the DOD’s successful model of working with defense contractors on cybersecurity requirement. He also recommended using a phased approach to regulation so the industry can get requirements squarely in place.

However, the problem with some reporting mandates come when a facility is intermodal, such as ports. Some ports own, in addition to their maritime infrastructure, the last mile of rail lines or pipelines. Dickerson pointed out that having mandates specific to each type of mode can lead to ports spending much money on redundant reporting to satisfy mode-specific requirements.

Many witnesses mentioned the concept of “harmonizing” the cybersecurity reporting system. The redundancies mentioned above show why harmonizing the reporting process is so essential: if there is an incident and a facility must report it, staff do not have to use their time and resources to craft reports specific to local, state, and federal or mode-specific reporting requirements instead of dealing with the issue itself. Dickerson recommends standardizing incident reports to ease the burdens on facilities.

In addition, it is often unclear who to submit the report to. There are often overlapping jurisdictions within DHS, TSA, FBI, FAA, DOD, and DOT, and an incident report could be submitted to multiple agencies. Spaulding also noted that the need for better inter-agency cooperation so all are kept up to date, particularly as agency jurisdictions overlap.

In line with the harmonization theme, Troy recommended that Congress streamline the federal and state reporting process, so resources are not wasted on customizing reports for multiple agencies. This is why Dickerson and Spaulding both recommended that CISA act as the standard depository for all cybersecurity incident reports. Troy also recommended that CISA should distribute timely information on cyberattacks. When autonomized incident reports are shared widely and quickly, the industry is better informed against potential threats. One place where the reporting-sharing exist, told Dickerson, is within the maritime sector. Many security advisories are being distributed, mostly because of the anonymization of identities, which reinforces trust within maritime community.

Cogswell and Spauling were both advocates for using public-private partnerships that include reputable third parties. For example, there is precedent for P3s as TSA’s canine program contracts out to a third-party to train the animals. This way, TSA can regulate both the entity that is providing the service and entity that is using it. With this model, agencies can expand services without worrying about a lack of resources. CISA’s resources are stretched, and P3s are a good way to expand capacity.

In addition, even when some in the industry give the government information on cyber-attacks, they do not hear back. Dickerson confirmed that sometimes it can be months before the Coast Guard give anything back to the industry. They are working to lessen the wait time and get information reports back to industry in a timely manner.

While improving cybersecurity was at the top of each of these participants’ minds, there was some disagreement on classification. Spauling stumbled while answering Rep. Ritchie Torres’ (D-NY) question on whether the Colonial Pipeline should be classified as a “significant incident” (hint: it was not). If that incident, which led to skyrocketing gas prices and gas shortages on the East Coast is not a significant incident, then what is? Torres also pressed Spaulding on why there are no universal cybersecurity measures, such as multiple factor authentication, software updates, password updates, and contingency planning. If these are the most basic best practices in all sectors, he wondered why we don’t mandate. Spaulding, nor others, had a good answer.