Republican Senate leaders slam new TSA cybersecurity regulations for rail and aviation industry

Despite recent attacks, the Senators questioned whether the emergency passage of the rules was "appropriate absent an immediate threat."

must read

Cyberwar: A guide to the frightening future of online conflict

Every device had become a battleground. Here's everything you need to know.

Read More

Republican leaders in the US Senate have come out harshly against new cybersecurity regulations designed to protect US railroad and airport systems. 

The new rules were handed down earlier this month by Homeland Security Secretary Alejandro Mayorkas and will be managed by the Transportation Security Administration (TSA). The regulations were prompted in part by an April attack on New York City's Metropolitan Transportation Authority -- one of the largest transportation systems in the world -- and a 2020 attack on the Southeastern Pennsylvania Transportation Authority. 

But in a letter to David Pekoske, administrator of the Transportation Security Administration, five senior US Senators criticized the new rules and how they were rolled out.

Senators Roger Wicker, John Thune, Cynthia Lummis, Todd Young, Deb Fischer -- all part of the Committee on Commerce, Science and Transportation -- slammed the use of emergency authority to push the rules out, questioning whether they were "appropriate absent an immediate threat."

The senators urged Pekoske to "reconsider" the rules, arguing that "the very importance of effective cybersecurity for critical infrastructures, such as the rail, rail transit, and aviation systems, counsels against acting rashly in the absence of a genuine emergency."

The letter says the "prescriptive requirements" rolled out by TSA "may be out of step with current practices" and may "limit affected industries' ability to respond to evolving threats, thereby lessening security." They also claimed the rules will impose "unnecessary operation delays at a time of unprecedented congestion in the nation's supply chain."

The Republican leaders argued that the country is not in an emergency situation because it has been five months since the ransomware attack that shut down Colonial Pipeline and left significant parts of the East Coast in a week-long scramble for gasoline. 

They added that the TSA erred in forcing the rules onto the industry and not adopting "a more collaborative approach" with industry experts before issuing them. 

"Rather than prescriptive requirements that may not enhance capabilities to address future threats, TSA should consider performance standards that set goals for cybersecurity while enabling businesses to meet those goals," the senators wrote. 

"If a determination is made to proceed with specific mandates, the notice and comment process would at least allow for thoughtful consideration of industry practices and concerns."

The senators additionally claimed that current practices are "working well."

Chinese state-backed hackers were implicated in the April attack on New York City's Metropolitan Transportation Authority, which alarmed city officials and federal authorities. 

According to sources who spoke to The New York Times at the time, the attackers did not get far enough into the system to cause damage but easily could have, effectively pulling out on their own accord. City officials are still concerned that the hackers may have left any number of backdoors in the system that would allow them to regain entry easily. 

Those backing the TSA regulations also noted a ransomware attack on ferry services to Cape Cod earlier this year.

Responses to the letter ranged from those who tacitly agreed that the new rules were pushed out in a heavy-handed way to others who thought the country's cybersecurity protections for critical industries continue to be dangerously lax. 

US Rep. Jim Langevin -- co-founder of the Congressional Cybersecurity Caucus and a commissioner of Congress' Cyberspace Solarium Commission -- slammed the letter, taking particular issue with the idea that the country's repeated cybersecurity failings are not an immediate threat.

"My Republican colleagues need to get their heads out of the sand if they think ransomware and other cyber-intrusions do not represent an 'immediate threat,'" Langevin told ZDNet

"These new TSA regulations will require rail and airport operators to create incident response plans, which they already should be doing. The American people rely on these operators, so CISA needs to know when they've been hit by a cyber-incident. These are the bare minimum regulations and are long overdue."

Industry experts like BreachQuest CTO Jake Williams noted that every cybersecurity regulation carries with it the possibility of creating operational issues, particularly when drafted by those without experience in the operational domain. 

"We don't know what the guidance will dictate yet, so it's hard to critique the guidance itself. However, the specific criticism levied by Sen Wicker and others is very valid," Williams said. 

"The TSA is using emergency measures to enact new regulations while bypassing the normal feedback process. It is reasonably likely that without the feedback process in use that TSA will inadvertently introduce operational issues with their new regulations."