House Republicans and representatives from the rail and pipeline industries criticized what they say are overly onerous security regulations during a Tuesday hearing that could be a preview of how cyber rules are handled in the Trump administration.

The House Homeland Security Subcommittee on Transportation and Maritime Security hearing focused on the business impact of Transportation Security Administration emergency directives issued weeks after a ransomware hack forced Colonial Pipeline to take offline nearly half of the gasoline and jet fuel on the East Coast. Republican lawmakers largely voiced concerns that those directives and the agency’s recently issued notice of proposed rulemaking on the subject were far too burdensome. 

While TSA’s summer 2021 security directives to the pipeline industry were an early indication of just how big of an issue mandates around critical infrastructure would be for President Joe Biden’s administration, Tuesday’s hearing could highlight just how pared back cyber mandates might be starting Jan. 20 when Donald Trump is inaugurated again.

Kimberly Denbow, vice president of security and operations at the American Gas Association, said during her opening remarks that while TSA has worked with industry on the initial security directives that she said were too prescriptive, Congress should still “place guardrails on this regulatory mechanism to reduce its potential for future abuse or misuse.”

While the AGA recognizes that emergency “security directives serve a logical purpose” when there are imminent threats, TSA’s updates and subsequent rulemaking process is costly for owners and operators, Denbow added.

The TSA is currently asking for comment on a proposed rule that would harmonize most of the cyber regulations for pipeline, train, and other surface transportation industries under their authority. The rulemaking will replace the security mandates that have to be updated yearly under emergency authorities.

However, witnesses at Tuesday’s hearing noted that some conflicts with the proposed rule remain. Denbow said that one industry issue they have with TSA — and other government agencies — is requiring critical infrastructure owners and operators to submit information that could potentially help adversaries if that data was leaked. 

Additionally, there are still inconsistencies with reporting cyber incidents for some owners and operators, who have to consider TSA’s proposed rules, Securities and Exchange Commission requirements, and the Cybersecurity and Infrastructure Security Agency’s incoming cyber reporting mandate. 

Rep. Clay Higgins, R-La., said several times during the hearing that cybersecurity regulations from the government can be overburdensome for organizations and take up time and money from businesses.

Higgins later told Ian Jefferies, president and chief executive officer of the Association of American Railroads, that he could reassure the trade group’s “partners across the country that we are watching that.” Jefferies advocated for an “outcome-based approach and not an input-based approach”

Higgins last week introduced a bill that aims to streamline cybersecurity regulations in the federal sector. A companion bill headed for a full vote on the Senate floor would create a committee to harmonize cybersecurity regulations that are deemed “overly burdensome, inconsistent, or contradictory.” 

Earlier in the hearing, lawmakers heard from TSA officials who said that they are hoping that additional allocations for the office as spotlighted in Biden’s fiscal year 2025 budget request will be fulfilled.

Steve Lorincz, deputy executive assistant administrator for security operations at TSA, said the office has just 32 employees allocated for 168 entities and additional resources would “help tremendously.”

Christian Vasquez

Written by Christian Vasquez

Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&E News at POLITICO covering cybersecurity in the energy sector. Reach out:  christian.vasquez at cyberscoop dot com



Plus de détails sur l’article original.