TSA not monitoring transportation sector efforts to stop ransomware, watchdog says

Efforts by the Transportation Security Administration (TSA) to address cybersecurity issues faced significant criticism this week from government watchdogs, members of Congress and regulated companies. 

A U.S. Government Accountability Office (GAO) report on Tuesday said four of the six cybersecurity recommendations made to TSA since 2018 have still not been addressed — including one centered around the agency’s efforts to protect companies from ransomware. 

“For example, in January 2024, GAO reported that ransomware was having increasingly devastating impacts in the sector and found that TSA’s security directives did not align with ransomware leading practices,” said Tina Won Sherman, director of Homeland Security and Justice at the GAO.

“GAO recommended that DHS determine the extent to which the transportation systems sector is adopting leading cybersecurity practices that help reduce the sector's risk of ransomware. As of November 2024, this recommendation was not yet implemented.”

Sherman noted that when GAO made the recommendations, TSA or the Department of Homeland Security concurred with all of them. 

Overall, just one of the recommendations has been addressed fully — developing a long-term and short-term strategy to expand its cybersecurity workforce. Another recommendation —  updating the TSA’s 2010 Pipeline Security and Incident Recovery Protocol Plan to include cybersecurity — was only partially dealt with.

TSA has not made progress on determining the extent to which the transportation systems sector is adopting leading cybersecurity practices that help reduce the sector’s risk of ransomware.

The GAO said TSA and other sector risk management agencies “had not fully assessed the effectiveness of their ransomware-related support.” 

“Therefore, we recommended that DHS develop and implement routine evaluation procedures that measure the effectiveness of federal support in helping reduce the risk of ransomware to the transportation systems sector,” Sherman explained. 

“In addition, we found that TSA’s security directives for freight and passenger rail, pipelines, and public transportation did not align with National Institute of Science and Technology’s ransomware leading practices.”

The GAO also said TSA needed to develop a sector-specific plan on securing internet-connected devices and needed to conduct sector-wide cybersecurity risk assessments specific to operational technology — neither of which has been done. 

The watchdog acknowledged that the five cybersecurity-focused directives issued by TSA since the Colonial Pipeline ransomware attack did address some of the problems previously raised, but said the agency has “not developed qualitative or quantitative metrics to measure the effectiveness of their efforts.” 

The report notes that TSA last week issued a notice of proposed rulemaking that would codify many of the cybersecurity requirements previously instituted through the directives for the freight rail, passenger rail and pipeline industries. 

Industry backlash

The GAO report came on the same day that Sherman, two TSA executives and industry leaders appeared before the House Homeland Security Subcommittee on Transportation and Maritime Security to discuss cybersecurity issues. 

TSA leaders Steve Lorincz and Chad Gorman defended the agency’s work, acknowledging that the mistakes made in the first cybersecurity directives issued after the Colonial Pipeline attack were rectified with deeper industry collaboration. 

The two added that they hope to incorporate industry feedback into the proposed cybersecurity rule and focus more on outcome-based guidelines for the transportation sector. 

But two industry leaders — the Association of American Railroads’ Ian Jefferies and American Gas Association’s Kimberly Denbow — did not hold back in their criticism of the TSA, blaming the agency for the confusion caused by the initial security directives and for replicating requirements many companies already have to follow for other regulators. 

Denbow also took issue with a key section of the proposed TSA rule that would force companies to hand over sensitive information about their security environment. 

Denbow told members of Congress that all cybersecurity regulations have to be "attainable, sustainable and auditable" — noting that the auditing of security efforts continues to be an area where they “bump heads” with the TSA.

“As written, the [rule] proposes to collect and aggregate security and operations-related sensitive information of critical infrastructure, storing it in a centralized location under TSA’s jurisdiction,” she said. “No system is perfectly secure, and aggregating so much vital information in one location would create a massive security vulnerability to the pipeline owners/operators with no corresponding benefit.”

She explained that TSA is asking companies to submit reports about “critical cyber systems, specific network architecture, baseline communications, detailed measures to protect our critical cyber systems, measures to address response to and recovery from a cyber incident.”

Denbow suggested TSA come to a company’s headquarters and view security plans there instead of forcing regulated entities to effectively hand over a copy of their most sensitive security documents. 

“If we're going to give all of this to TSA for them to hold on to, we might as well just give it to China or to Russia, because there is no storage system for data that is impenetrable from third party access or insider threats, which is my bigger concern. There is no reason for the government to have to have possession of this information,” she said. 

“I don't necessarily think it's just TSA. I think it is a federal government and state government belief that in order for them to protect us, they need to have our critical information. It's our job as the owner operator to protect us. It's TSA and the federal government's job to protect the community, the nation. We should be able to do that together without putting the owner/operators in a vulnerable position that they would otherwise not be in if they do not have to share that information.”

The TSA’s Lorincz addressed this concern in his testimony, explaining that this would force TSA to expand its inspection timeline from two days to possibly a week. 

“So that drives additional resources. Within the sector, we have about 60 employees that are allocated to handle about 155 entities,” he said, noting that TSA will need an increased budget to handle the kind of on-site reviews Denbow and others suggested. 

The TSA did not respond to requests for comment about the GAO report or industry testimony.