Senate Republicans raise concerns about TSA cyber directives for rail, aviation

Republican leaders and members of the Senate Commerce Committee on Wednesday raised concerns about the timeline and lack of public input involved in recently announced cybersecurity directives for the rail and aviation sectors. 

The senators, led by committee ranking member Roger Wicker (R-Miss.), sent a letter to Transportation Security Administration (TSA) Administrator David Pekoske detailing potential issues with the upcoming security directives, which were announced earlier this month.

“We write to express concern about the recent announcement that the TSA intends to impose new prescriptive cybersecurity requirements on the rail, rail transit, and aviation industries through Security Directives,” the senators, who also included Sens. John Thune (R-S.D.), Deb Fischer (R-Neb.), Todd Young (R-Ind.) and Cynthia Lummis (R-Wyo), wrote. 

Homeland Security Secretary Alejandro Mayorkas announced the upcoming directives in a speech earlier this month. He noted that the directive issued by TSA will cover “higher-risk rail and transit entities,” and require them to report cybersecurity incidents to DHS’s Cybersecurity and Infrastructure Security Agency (CISA), along with establishing cyber response plans. 

Mayorkas said that TSA would also issue a directive requiring critical U.S. aviation groups to report cyber incidents to CISA and designate a cybersecurity coordinator. He added that the administration was looking at expanding this cybersecurity initiative to other sectors.

TSA previously announced security directives to shore up pipeline cybersecurity following the attack on Colonial Pipeline in May.

The senators on Wednesday took issue with the process of announcing and rolling out the rail and aviation directives, stating that the measures were announced without allowance for a public comment process. 

“We encourage you to reconsider whether using emergency authority is appropriate absent an immediate threat,” the senators wrote. “With the benefit of public notice and comment through the rulemaking process, TSA may avoid any unintended consequences that disrupt existing effective cybersecurity practices or transportation operations.”

They also questioned whether issuing the rules under an emergency authority was necessary, and warned that more regulations could cause more delays at a time when supply chains are already in crisis. 

“We recognize that circumstances sometimes demand that TSA act quickly using emergency authority,” the senators wrote. “Nevertheless, the very importance of effective cybersecurity for critical infrastructure, such as the rail, rail transit, and aviation systems, counsels against acting rashly in the absence of a genuine emergency.”

“Prescriptive requirements may be out of step with current practices and limit the affected industries’ ability to respond to evolving threats, thereby lessening security,” they stressed. “A more deliberate approach will reduce the risks and increase the benefits.”

A spokesperson for TSA declined to comment on the letter. 

The Republican members of the Senate Commerce Committee are not the first to raise concerns about the new security directives. 

The Association of American Railroads (AAR), whose members include the National Railroad Passenger Corporation, or Amtrak, issued a statement the day Mayorkas announced the directives, saying that the rail sector was only given three days to review the changes, noting some requirements were unnecessary. 

“AAR hopes the substantive comments provided will be thoroughly considered in the decision on whether to proceed with the directive and to ensure any actions taken enhance, not hinder, coordinated cybersecurity efforts,” a spokesperson for AAR said in a statement provided to The Hill at the time.