At a glance.
- US Senators ask Departments of Homeland Security and Transportation about cybersecurity policies and practices.
- USCG on cybersecurity for the maritime domain.
- The Cyberspace Solarium Commission moves on.
US senators query DHS and DOT on cybersecurity measures.
A bipartisan group of ten US senators kicked off the new year by penning a letter to the Department of Homeland Security (DHS) and the Department of Transportation (DOT) asking for details on their plans to defend the country’s critical infrastructure against cyberattacks. GovInfoSecurity explains that the two departments are co-sector risk management agencies (co-SRMAs) for the transportation sector, identified as one of sixteen critical infrastructure sectors. The senators state that, although some transportation entities have responded to the recent surge in critical infrastructure attacks by adopting tighter cybersecurity measures (like the Transportation Security Administration, which issued two new directives last month focused on incident reporting), “many state and local transit agencies are not fully equipped to implement more than basic cybersecurity protections.” (The letter cites a report from the Mineta Transportation Institute that revealed only 60% of transit agencies had a cybersecurity plan in place last year.) The senators asked for details on how the departments intend to "collaborate to avoid both gaps and redundancies" and update the seven-year-old Transportation Systems Sector-Specific Plan.
Some officials see the letter as merely a half-measure. As Frank Downs, a former offensive analyst for the National Security Agency, argues, "[These] letters act as unofficial mechanisms of accountability, in lieu of legitimate binding reform, policy, and legislation." Ron Brash, vice president of technical research and integrations at the firm aDolus, agreed, "The risk that these senators truly want addressed is something more than lip service…Protection and prevention involves proactive intervention, improved vendor responses to creating better technology or fixing current deployments, ensuring more secure products by default in consumer and industrial spaces, addressing crucial workforce and education gaps, and ultimately, the management of supply chain cyber risks."
Coast Guard discusses maritime cybersecurity.
Rear Admiral John Mauger, the US Coast Guard Assistant Commandant for Prevention Policy, addressed the House Transportation and Infrastructure Committee at a cybersecurity hearing in December. During his speech, he acknowledged that the community should expect attacks on the marine transportation system (MTS), which is responsible for 25% of the country’s GDP and one out of every seven US jobs. Homeland Security Today reports that Mauger reassured Representatives that the Coast Guard is preparing by making cybersecurity “part of our prevention and response framework to make sure that we’re getting after this threat at the speed and pace at which it demands.”
One measure of this is the establishment of the Coast Guard Cyber Command, with cyber forces that “are manned, trained, and equipped in accordance with joint DoD standards, but have a broad range of authorities to address complex issues, spanning national defense and homeland security, including protecting the MTS.”
A new day for the Cyberspace Solarium Commission.
The Cyberspace Solarium Commission, established in 2019 to tackle US cybersecurity legislation challenges, is shutting down this month, having completed its designated tenure and succeeded in submitting nearly one hundred policy recommendations. However, Nextgov.com reports, the commission has announced that it will be living on as a non-profit (affectionately called Solarium 2.0) in order to continue work on legislation that proved to be just out of reach. The panel boasts several major accomplishments, like the establishment of the national cyber director, the release of cybersecurity-focused executive orders, and broadening the reach of the Cybersecurity and Infrastructure Security Agency. Much of the commission’s legislation was carried through in the National Defense Authorization Act, but some of the more challenging efforts, like a seventy-two-hour cyber incident reporting requirement for critical infrastructure companies, were left on the cutting room floor. Commission co-chair Representative Mike Gallagher stated, “All the low hanging fruit has been picked. So only the very difficult issues remain.” Mark Montgomery, the executive director of the commission, feels boosting cybersecurity talent is key, while Laura Brent, a senior fellow at the Center for a New American Security, says the commission needs to focus on establishing assessment metrics. “Even if there’s success of implementation, we still need to see if there’s success of impact,” Brent stated.