
Hill Republicans to Biden: Pump brakes on emergency rail, aviation cybersecurity regs

A United Airlines 787 Dreamliner lands at San Francisco International Airport on October 19, 2021 in San Francisco, California. Five Republican Senators are asking the Biden administration to hold off on an emergency cybersecurity directive for rail and aviation companies and engage more with industry to avoid “unintended consequences.”...

Five Republican senators are asking the Transportation Security Administration to hold off imposing new emergency cybersecurity regulations on the rail and aviation industries so they can engage with companies through the normal regulatory process.

In an Oct. 20 letter to TSA Administrator David Pekoske, the five lawmakers questioned whether the rules needed to be fast tracked through an emergency security directive, saying the Biden administration has not demonstrated that these industries are facing an immediate threat.

“We recognize that circumstances sometimes demand that TSA act quickly using emergency authority. Nevertheless, the very importance of effective cybersecurity for critical infrastructure, such as the rail, rail transit, and aviation systems, counsels against acting rashly in the absence of a genuine emergency,” the senators wrote.

On Oct. 6, the Department of Homeland Security announced that the TSA would soon issue a new security directive that would require railroad and transit systems to report to the government when they’re hacked, designate a point person at their company to interact with the government on cybersecurity issues and develop proactive incident response plans. Homeland Security Secretary Alejandro Mayorkas said that his department will be “coordinating and consulting” with industry as it develops the railway directive and will be issuing a separate set of voluntary standards for lower-risk surface transportation entities.

But the senators object to the use of an emergency directive and claim the moves are being rushed without sector-specific input in a way that could lead to “unintended consequences” for the operations of essential travel and transportation industries. They point out that a national security memorandum on critical infrastructure cybersecurity the administration put out in May urged companies to work collaboratively with the government, arguing “a more deliberate approach” through the normal regulatory process “will reduce the risks and increase the benefits.”

“Prescriptive requirements may be out of step with current practices and limit the affected industries’ ability to respond to evolving threats, thereby lessening security,” the senators wrote. “Further, prescriptive requirements may have unintended consequences, such as imposing unnecessary operational delays at a time of unprecedented congestion in the nation’s supply chain. Additionally, allowing outside experts to comment will lead to more effective and sustainable cybersecurity actions and measures.”

The letter was signed by Sens. Roger Wicker, R-Miss.; John Thune, R-S.D.; Deb Fischer, R-Neb.; Cynthia Lummis, R-Wyo.; and Todd Young, R-Ind.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
