TSA cyber mandates draw pushback

Officials representing key transportation sectors including rail and aviation on Thursday made clear that proposed cybersecurity reporting mandates and other federal cyber efforts aimed at beefing up security are not what is needed to defend against increasing attacks.

In the pipeline: Their concerns were voiced as the Transportation Security Administration (TSA) works to develop and roll out security directives for the rail and aviation sectors that would lay down timelines for required reporting of cyber incidents, among other security steps.

“There is not a problem with reporting and mandates for reporting, the problem becomes what are we reporting,” Michael Stephens, general counsel and executive vice president of Tampa International Airport, testified to the House Transportation and Infrastructure Committee on Thursday.

“Part of the TSA proposed guidance that we have been providing comments to is very, very broad-based in terms of what is being required to be reported, and information just for the sake of information is not necessarily a good thing, because it leads to information overload and white noise, and a lot of times it’s ignored,” Stephens said.

Aviation not alone: The Association of American Railroads (AAR), which represents companies including the National Railroad Passenger Corporation, or Amtrak, has been vocal about its concerns around the proposed TSA security directives since Homeland Security Secretary Alejandro Mayorkas announced they were in the works last month.

Thomas Farmer, assistant vice president of security at AAR, testified Thursday that he is worried that without a clear definition of what a security incident was, “noise” would be created by too much reporting.