2021-10-07
But a leading railroad association insists it's already voluntarily following the practices that are now going to be required by the federal government.
Homeland Security Secretary Alejandro Mayorkas announced new regulations under the Transportation Security Administration (TSA) yesterday. Under the new rules, the country’s most important rail and transit systems would have to identify a cybersecurity point person, report incidents to the Cybersecurity and Infrastructure Security Agency and create an incident recovery plan. Rail entities deemed “lower risk” will get voluntary guidance that “encourages, rather than requires” those companies to take up the measures, Mayorkas said.
The new mandates on “higher-risk’’ railroad and rail transit systems represent an expansion of the government’s regulatory push beyond the country’s pipelines, as my colleague Ellen Nakashima reports.
Indignant industry
The regulations came as a shock to the rail and transit industry, with one leader saying the industry doesn't need the heavy hand of government in order to follow cybersecurity safeguards.
“We’re doing all of those [measures],” said Thomas Farmer, assistant vice president for security at the Association of American Railroads, an industry association. Farmer said the industry has a cybersecurity coordinating committee dating back to 1999. The committee has regularly shared information with the U.S. government since 2014, he said.
“So it is surprising to have mandates for these actions that we have been taking for a long time,” he said.
The group was given just three business days to comment on the planned regulations, Farmer said. That’s the same amount of time the TSA gave pipeline industry groups to comment on a draft of a July directive that was ultimately the subject of industry criticism.
Industry officials and cybersecurity experts criticized those pipeline rules for being overly prescriptive and potentially causing reliability problems.
The Association of American Railroads “assembled a lot of feedback” on the planned rules for the rail industry, Farmer said. He said he hopes “it will be seriously considered.”
Crucial sector
In his announcement, Mayorkas touted the importance of the transportation sector.
“Our freight rail system is essential not only to our economic well-being, but also to the ability of our military to move equipment from ‘fort to port’ when needed,” the secretary said at the virtual Billington Cybersecurity Summit, where he announced the intended new regulations.
There’s “no better example of how the cybersecurity threat can impact our lives than in the transportation sector and how people commute, see one another, engage with one another,” Mayorkas said.
The regulations, which have yet to be imposed by the TSA, will apply to passenger rail companies like Amtrak as well as large subway systems including those in New York and Washington, officials said. They'll initially be imposed through a security directive this year, but that directive will expire after a year. Mayorkas said the TSA will ultimately go through the rule-making process to craft permanent rules, a process that requires the agency to solicit public comments.
Since 2009, the TSA has required railroads to report significant security concerns, which the agency has interpreted to include information on railroad cyber disruptions. But there aren't many regulations beyond that.
“There have not previously been specific cybersecurity-related requirements for railroads or rail transit agencies via regulation or security directive,” AAR spokeswoman Jessica Kahanek told me.
Hackers have targeted transit operators around the country.
In fall 2020, ransomware hit the Southeastern Pennsylvania Transportation Authority, which operates Philadelphia’s transit network. And in April, a hacker group believed to be linked to the Chinese government breached the computers of the Metropolitan Transportation Authority (MTA), which operates New York City’s subway system — the country’s largest.
Those hackers didn’t access systems that control trains, but the breach raised concerns about repeat attempts.
“The MTA has multilayered cybersecurity systems, is constantly vigilant against this global threat, and will ensure compliance with any TSA regulations,” said Rafail Portnoy, MTA’s chief technology officer.
The keys
The Justice Department launches initiatives to tackle cryptocurrencies, contractor cybersecurity
The two initiatives aim to target cybercriminals who use digital currencies and government contractors who have lax cybersecurity, Deputy Attorney General Lisa Monaco said at the Aspen Cyber Summit. The Justice Department’s National Cryptocurrency Enforcement Team will aim to “strengthen” the ability of the Justice Department to go after digital markets that let cybercriminals “flourish,” Reuters’s Christopher Bing and Sarah N. Lynch report.
The Justice Department also plans to use the False Claims Act to pursue cybersecurity-related fraud claims against government contractors, it said. The Civil Cyber-Fraud Initiative will be led by the fraud section of the department’s commercial litigation branch, which is in its civil division.
Dubai’s ruler hacked a princess with Pegasus spyware, U.K. court rules
The U.K. high court ruled that Princess Haya and members of her inner circle were subjected to “unlawful surveillance” carried out by agents of her ex-husband, United Arab Emirates Prime Minister Sheikh Mohammed bin Rashid al-Maktoum, Drew Harwell reports. The ruling confirms key elements of the Pegasus Project, an investigation published by The Washington Post and 16 other news organizations.
The findings “represent a total abuse of trust, and indeed an abuse of power, to a significant extent,” Judge Andrew McFarlane, the president of the U.K. high court’s family division, said in the ruling. Sheikh Mohammed denied the allegations. Princess Haya’s attorney declined to comment.
NSO Group, which licenses Pegasus, “chooses ethical standards over revenues,” a company official said. “Whenever a suspicion of a misuse arises, NSO investigates, NSO alerts, NSO terminates,” the official said in a statement. NSO terminated its contract with Dubai after learning of the allegations, a person familiar with NSO operations said in July.
Hackers breached streaming platform Twitch
The company's data was exposed to the Internet after “an error in a Twitch server configuration change,” Twitch said. The company has had “no indication” that log-in information was exposed, it added. It has reset the unique keys that streamers use to connect their accounts to third-party software “out of an abundance of caution.”
The hack has prompted discussion about password safety, security issues and streamer payouts. But the accuracy of the leaked payout figures is still in question, as is how far back into 2019 they reach.
Daybook
- CISA Director Jen Easterly and Federal Chief Information Security Officer Chris DeRusha speak at the Billington Cybersecurity Summit today.
- Former CISA Director Chris Krebs and former Principal Deputy Director of National Intelligence Sue Gordon speak at the Mandiant Cyber Defense Summit today.
- European cybersecurity officials speak at Kaspersky’s EU Cyberpolicy Forum today at 5 a.m.
- The House Oversight and Reform Committee holds a hearing on the partisan election review in Maricopa County, Ariz., today at 10 a.m.
- Lawmakers and cybersecurity officials speak at a National Cyber Security Alliance event today at noon.
- Silicon Flatirons hosts an event on encryption today at noon.
