Five Republican senators are asking the Transportation Security Administration to hold off imposing new emergency cybersecurity regulations on the rail and aviation industries so they can engage with companies through the normal regulatory process.
In an Oct. 20 letter to TSA Administrator David Pekoske, the five lawmakers questioned whether the rules needed to be fast-tracked through an emergency security directive, saying the Biden administration has not demonstrated that these industries are facing an immediate threat.
“We recognize that circumstances sometimes demand that TSA act quickly using emergency authority. Nevertheless, the very importance of effective cybersecurity for critical infrastructure, such as the rail, rail transit, and aviation systems, counsels against acting rashly in the absence of a genuine emergency,” the senators wrote.
On Oct. 6, the Department of Homeland Security announced that the TSA would soon issue a new security directive that would require railroad and transit systems to report to the government when they’re hacked, designate a point person at their company to interact with the government on cybersecurity issues and develop proactive incident response plans. Mayorkas said that his department will be “coordinating and consulting” with industry as it develops the railway directive and will be issuing a separate set of voluntary standards for lower-risk surface transportation entities.
But the senators object to the use of an emergency directive and claim the moves are being rushed without sector-specific input in a way that could lead to “unintended consequences” on the operations of essential travel and transportation industries. They point out that a national security memorandum on critical infrastructure cybersecurity the administration put out in May urged companies to work collaboratively with the government, arguing “a more deliberate approach” through the normal regulatory process “will reduce the risks and increase the benefits.”
“Prescriptive requirements may be out of step with current practices and limit the affected industries’ ability to respond to evolving threats, thereby lessening security,” the senators wrote. “Further, prescriptive requirements may have unintended consequences, such as imposing unnecessary operational delays at a time of unprecedented congestion in the nation’s supply chain. Additionally, allowing outside experts to comment will lead to more effective and sustainable cybersecurity actions and measures.”
The letter was signed by Sens. Roger Wicker, R-Miss.; John Thune, R-S.D.; Deb Fischer, R-Neb.; Cynthia Lummis, R-Wy.; and Todd Young, R-Ind.