WASHINGTON – Companies too often prioritize cost over protection when it comes to cybersecurity, the chairman of the House Transportation and Infrastructure Committee said at a hearing Thursday, but critical infrastructure industry officials said Biden administration security directives are not needed.
Around 85% of the nation’s critical infrastructure, like pipelines and railroads, is in private hands, “and too often, leaders whose organizations are at risk from cyberattacks weigh the risks of attack against the cost of increasing cybersecurity protections,” said Committee Chair Rep. Peter DeFazio, D-Ore.
“Common sense” steps, like mandating strong passwords, multi factor authentication and cybersecurity training go a long way in strengthening cyber defense measures and mitigating the likelihood of successful attacks, DeFazio said. But most companies don’t have these basic and affordable systems in place.
Recent mandates and regulations to protect critical infrastructure industries from cyberattacks were met with opposition from some GOP members of the committee and transportation company leaders.
After a ransomware attack forced the Colonial Pipeline to shut down its pipeline for six days in May, the Biden administration issued an executive order on improving the nation’s cybersecurity. The order urged infrastructure companies to partner with the federal government to develop a more secure cyberspace.
Two months later, the Department of Homeland Security’s Transportation Security Administration issued mandatory security directives for pipeline owners and operators to adopt specific ransomware defense measures, develop and implement contingency and recovery plans, and evaluate their internal cybersecurity systems.
However, those security directives also were met with concern from some committee members and industry officials who said the emergency laws were too rushed.
Rep. Rick Crawford, R-Ark., said he was “concerned that the TSA’s recent security directives are overly prescriptive, rushed and failed to take into account holistic feedback from diverse stakeholders.”
Homeland Security Secretary Alejandro Myorkas announced in October that the TSA is also preparing similar directives for rail and aviation transit companies.
“These mandates are not only unnecessary, but also could prove counterproductive, disrupting well-established and proven practices,” Thomas L. Farmer, assistant vice president of security at the Association of American Railroads.
“We must avoid command and control approaches and still build upon an impressive track record of collaboration,” he added.
The industry experts pointed to a need for a more comprehensive system and information-sharing among the transportation sectors and the government when regulating them.
“Sometimes moving too quickly to get something out significantly creates more obstacles and more bureaucratic red tape and impairs the cybersecurity preparedness of certain agencies,” said Michael Stephens, vice president of the Tampa International Airport.