WASHINGTON — In response to rising concerns about cyberattacks on the nation’s airports, pipelines and water systems, officials from federal transportation agencies discussed potential solutions Thursday before the House Transportation Committee, including mandatory cybersecurity audits and software oversight.
Just as personal email addresses and credit card information can be hacked, the nation’s transportation and energy infrastructure is at high risk for internet attacks that could reveal classified information, dismantle IT systems and shut down operations, according to a Government Accountability Office report released Thursday before the hearing. These attacks could come from malicious individuals, criminal organizations, other countries or foreign groups.
Nick Marinos, the GAO’s director of information technology and cybersecurity, told the committee that federal agencies have neglected to update cybersecurity policies and their software systems.
“We’re constantly operating behind the eight ball,” Marinos said. “The reality is that it just takes one successful cyberattack to take down an organization.”
This May, a criminal hacking group hacked the Colonial Pipeline’s computer management system, causing the pipeline to shut down from May 7 to May 12. The cyberattack had major repercussions: the pipeline provides diesel to the southeastern United States, and Rep. Carolyn Bourdeaux, D-Ga., told the committee that 43% of the gas stations in her state were out of service during the shutdown.
Federal agencies are susceptible to similar attacks. Kevin Dorsey, an inspector general for IT audits at the Department of Transportation, said the DOT has a long history of cybersecurity shortcomings. The DOT has failed to address 66 prior audit recommendations involving 10,000 identified vulnerabilities, Dorsey said.
He recommended the development of a department-wide cybersecurity strategy to address recurring weaknesses, protect sensitive information and coordinate with other agencies and industry partners. Dorsey said the DOT also lacks a department-wide cybersecurity coordinator to be responsible for fixing such shortcomings.
But Cordell Schachter, the DOT’s chief information officer, defended the agency’s cybersecurity as on par with, or even ahead of, other federal agencies.
“We have begun a series of cyber-sprints to complete tasks and make plans to meet our federal cybersecurity requirements and implement best practices,” Schachter said. He cited department-wide improvements in system access control, website security, and oversight coordination across DOT.
President Joe Biden’s infrastructure bill, which he signed into law Nov. 15, provides funding to improve the national highway system and other public transportation systems’ cybersecurity preparedness. The bill also allocates $21 million through September 2022 to the Office of the National Cyber Director, the president’s principal adviser on cybersecurity policy.