Cyber Officials Outline Critical Infrastructure Protections
Leaders from US DOT, TSA, FAA Outline Progress; Auditors Stress Urgency
Several cybersecurity officials charged with safeguarding U.S. critical infrastructure on Thursday outlined both current progress and the complexity of today's network defense. Oversight officials also testifying before the House discussed top-line items that remain outstanding among major agencies, including the Department of Transportation.
In the hearing, entitled Federal Perspectives on Securing the Nation's Infrastructure, officials from the DOT, the Federal Aviation Administration, the Transportation Security Administration, the U.S. Coast Guard, the Office of the Inspector General for the DOT, and the Government Accountability Office said cybersecurity concerns are a critical, evolving risk with clear ties to Americans' daily lives.
The session was the second of two full committee hearings on cybersecurity around the nation's infrastructure - the first of which included testimony from industry stakeholders and cybersecurity experts. In Tuesday's hearing, Victoria Newhouse, deputy assistant administrator for policy, plans and engagement at the TSA, defended the agency's development and rollout of multiple security directives around pipelines in the wake of the Colonial Pipeline Co. ransomware hit in May, and its collaboration with industry on subsequent regulations, including those for railways expected this week (see: TSA Issues Cybersecurity Requirements for Pipelines).
DOT, FAA's Cyber Controls
Asked to outline the DOT's latest cybersecurity initiatives, Cordell Schachter, the department's CIO, said, "We've begun a series of cyber sprints to [both] complete tasks and make plans to meet our federal cybersecurity requirements and implement best practices, including those from President Biden's executive order." He said the cyber sprint prioritizes system access control, website security, and improved governance, oversight and coordination across the DOT.
"The DOT is actively working to meet its responsibilities to securely improve the department's IT infrastructure while implementing our portions of the bipartisan infrastructure law," Schachter said.
Larry Grossman, CISO for the FAA, which regulates civil aviation, confirmed that there is "ongoing concern" around the increasing reliance on highly integrated, interdependent computers and networks, prompting vigilance at all levels of the aviation industry, and especially at the FAA.
"Safety is a journey, not a destination. The same is true of cybersecurity," Grossman said. "What we do today will not be good enough for tomorrow or the day after. We are always striving to improve."
Grossman said the FAA's cybersecurity mission continues to involve enhancing its risk management capabilities, building and maintaining workforce capabilities and engaging with external partners.
Update from TSA, US Coast Guard
TSA's Newhouse told the House committee that the agency continues to work collaboratively with public and private stakeholders to drive the implementation of "intelligence-driven, risk-based policies and programs."
She also outlined TSA's security directives issued in the wake of the Colonial Pipeline Co. attack, including requiring pipeline operators to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency, designate a cybersecurity coordinator available around the clock and implement specific mitigation measures.
"We're working with our rail, higher-risk freight rail, passenger rail and rail transit operators and aviation on four [similar and] critical actions," Newhouse said.
Rear Adm. John W. Mauger, assistant commandant for prevention policy for the U.S. Coast Guard, outlined the military branch's distinct actions to protect the maritime transportation system, or MTS.
"Any substantial disruption to marine transportation can cause cascading effects to our economy and to our national security," Mauger said. "Cyberattacks are a significant threat to the maritime critical infrastructure. And while we must continue to work to prevent attacks, we must also be clear-eyed that attacks will occur, and we must ensure that the MTS is resilient."
Mauger told lawmakers that the Coast Guard this summer released a "cyber strategic outlook" to guide future work and recognizes that cybersecurity is an operational imperative. He also highlighted the establishment of the Coast Guard Cyber Command, with "cyber forces trained and equipped to address complex issues spanning national defense and homeland security."
Mauger told committee members that the Coast Guard also leverages its authorities in the nation's ports to set standards and conduct thorough risk management exercises to prepare and, if necessary, respond to an attack.
He said the Coast Guard also stood up a maritime cyber-readiness branch within its Cyber Command "as a focal point for maritime threat monitoring, information sharing and response coordination," and he called on Congress for continued support for Cyber Command operations.
Auditors Outline Deficiencies
Despite cited progress by agency officials, those with oversight and audit jurisdiction told House lawmakers that more work needs to be done to solidify the nation's cybersecurity posture.
Kevin Dorsey, assistant inspector general for information technology audits at the OIG DOT, said the agency now relies on more than 400 IT systems for the U.S. transportation system. "Malicious cyberattacks and other compromises to these systems and the OT network may put public safety, sensitive information or taxpayer dollars at risk," he said. "Our office has long identified cybersecurity as one of the department's top management problems."
Dorsey told lawmakers that the DOT has established formal policies and procedures for cybersecurity, but it faces challenges implementing them. As a result, he said, the agency faces the risk that its mission-critical systems could be compromised.
"Many of these weaknesses can be attributed to DOT's lack of progress in addressing 66 of our prior audit recommendations," Dorsey said. He noted that through joint vulnerability assessments and penetration testing at multiple operating administrations, his office was able to gain unauthorized access to "millions of sensitive records including personally identifiable information."
"DOT must effectively partner with other federal agencies and the private sector on efforts such as securing cloud-based services and meeting the president's recently issued executive order on improving cybersecurity," Dorsey said.
Nick Marinos, director of information technology and cybersecurity for the GAO, told lawmakers Wednesday that the federal government as a whole must address major cybersecurity challenges, including the need to develop and execute a comprehensive national cyber strategy, and strengthen the federal role in critical infrastructure.
Marinos said that since 2010, the GAO has made more than 3,700 recommendations on cyber-related topics, and more than 900 of them have not yet been addressed. Fifty of the recommendations relate to critical infrastructure, he noted.
"Our federal government needs to do a better job of implementing strategy, oversight and coordination among agencies and with the owners and operators that are on the frontlines of this digital battle," Marinos said.