The Department of Homeland Security is putting the collective force of its component agencies behind its latest 60-day cyber sprint focused on transportation security.
DHS Secretary Alejandro Mayorkas, speaking Wednesday at the Billington Cybersecurity Summit, said the Transportation Security Administration, as part of its fourth sprint, will require critical infrastructure partners to elevate their cybersecurity practices.
TSA will issue a security directive later this year requiring railroad and rail transit entities to name a cybersecurity point person, report cyber incidents to the Cybersecurity and Infrastructure Security Agency, and complete contingency and recovery plans.
“Taken together, these elements — a dedicated point of contact, cyber incident reporting, and contingency planning — represent the bare minimum of today’s cybersecurity best practices,” Mayorkas said.
By the end of this sprint, TSA also will require critical U.S. airport operators, passenger aircraft operators, and all-cargo aircraft operators to designate a cybersecurity coordinator and report cyber incidents to the Cybersecurity and Infrastructure Security Agency.
Meanwhile, Coast Guard this summer updated its Cyber Strategic Outlook for the first time since 2015. As part of that strategy, the Coast Guard is now integrating cyber risk management into vessel and facility safety, as well as security planning and operations.
Starting this month, Mayorkas said more than 2,300 maritime entities must submit a cyber plan to the Coast Guard that addresses any cybersecurity vulnerabilities identified in their facility security assessments; and outline the owner or operator’s cybersecurity mitigation measures.
The Coast Guard has also deployed cyber specialists to major U.S. ports to oversee assessments and preparedness.
Mayorkas said the Federal Emergency Management Agency will also make cybersecurity a top priority in the next cycle of its transportation-related grant programs. He said a new working group with CISA, FEMA, TSA, and the Coast Guard is leading this effort
The agency has already shown some signs of progress. Mayorkas said FEMA increased the required minimum spent on cybersecurity through its grant awards by more than 7%.
Mayorkas also promoted CISA’s CyberSentry program, a voluntary partnership between government and business that helps CISA spot sophisticated threats early and share critical threat information.
“The Department of Homeland Security is fundamentally a department of partnerships. Our ability to execute our critical mission relies on the strength of our partnerships. We need your expertise, perspective, and strategic guidance. We need your partnership,” he said.
Mayorkas also highlighted a bill the Senate Homeland Security and Governmental Affairs Committee passed Wednesday as a tool that would help agencies respond to address a surge of cyber threats.
The Cyber Incident Reporting Act would require companies behind critical infrastructure to report cyberattacks and ransom payments.
“Candidly, I worry a little bit about timeframes being legislated, given how dynamic the cybersecurity landscape is, and whether legislation could match that dynamism as things evolve, but I think we will appreciate and understand the imperative of mandatory reporting, given what we’re seeing in the country and around the world today,” Mayorkas said.
Beyond DHS, other top cyber officials outlined their short-term priorities for bringing cohesion to the federal cyber response.
National Cyber Coordinator Chris Inglis stressed the need for cybersecurity shared services to protect the federal government from emerging threats.
That work is already taking shape at CISA’s Quality Services Management Office and has begun rolling out mobile security products for agencies to take advantage of through its shared services marketplace.
“There are some agencies that are quite capable in building, defending their digital infrastructure — so much so that they provide material assistance to other agencies. It’s not that they have excess capacity, but they’ve got an expertise that lends itself to operating broadly across the federal landscape,” Inglis said. “There are some agencies that aren’t so blessed, have a tougher time trying to figure out what their security architecture should be, or mustering the resources necessary to defend that. For them, we need to have a shared services option – and that’s not true simply in the response to a give incident, but in the day-to-day kind of bump and grind that is our work life.”
Rob Joyce, director of the National Security Agency’s National Cybersecurity Directorate, said agencies need to focus on protecting small and medium-sized vendors in an effort to protect the defense industrial base.
“We’ve seen the adversary change over the last several years. They’ve recognized that the big companies are doing security well, and so now they’re going after their supply chain. They’re going after the smaller companies, because what they’ve found is that same information that’s protected at a big company is not so well-protected at some of these smaller companies. So for us, it’s figuring out common services that can be provided to put the smaller entities under the same rigor of cybersecurity help,” Joyce said.
Joyce said securing the defense industrial base is not just a matter of preventing intrusions, but also taking steps to mitigate intrusions when they happen.
“In that world, especially the defense industrial base, we’ve got to assume there’s going to be compromises. So it’s not only how you protect yourself, it’s also the case of, are we really configured and instrumented to find those intrusions fast, and then deal with them quickly before they get to move to the places where sensitive information is, or get to dig in to the point that we’ll really have a hard time getting them out,” he said.