December 02, 2021

Chair DeFazio Statement from Second Committee Hearing on Protecting the Nation’s Infrastructure Amid an Evolving Cybersecurity Landscape

Washington, D.C. The following are opening remarks, as prepared for delivery, from Chair of the House Committee on Transportation and Infrastructure Peter DeFazio (D-OR) during today’s hearing titled, “The Evolving Cybersecurity Landscape: Federal Perspectives on Securing the Nation's Infrastructure.”

More information on the hearing can be found here.

Chair DeFazio:

Last month, we heard from industry stakeholders and cybersecurity experts on the challenges they face in protecting our nation’s transportation systems and critical infrastructure from cyberattacks. The testimony was troubling. Witnesses discussed serious gaps such as shortages of cybersecurity personnel and a lack of basic cyber hygiene practices. Notably, there was a consensus among our witnesses that more—not less—federal action is needed to help the private sector, which owns and operates an estimated 85% of the nation’s critical infrastructure, defend itself from, respond to, and recover from cyberattacks.

Since our November hearing, Congress passed with bipartisan support and the president signed H.R. 3684, the Infrastructure Investment and Jobs Act. Along with other vital investments in our nation’s infrastructure, this bill takes significant steps toward improving the cybersecurity of our nation’s critical infrastructure. It provides funding at the local, state, and federal level to enhance the nation’s cyber resilience and response to cybersecurity incidents, it improves the national highway system and other public transportation systems’ cybersecurity preparedness capabilities, and it empowers the newly established Office of the National Cyber Director, the president’s principal advisor on cybersecurity policy and strategy, to identify cybersecurity incidents and coordinate a federal response. These steps are noteworthy, but there is much more to do.

Today, we will hear from the federal agencies who are responsible for transportation systems and other critical infrastructure sectors about their efforts to help private industry address these cybersecurity gaps, as well as the challenges these agencies face themselves in protecting the government’s own networks from cyberattacks.

In the cybersecurity realm, the federal government has largely permitted the private sector to take a “voluntary” approach to protecting their assets, choosing not to mandate cybersecurity standards, cyber audits, or cybersecurity exercises. In contrast, in other areas where private sector assets have the potential to cause significant harm, the government has established requirements to protect the public.

For example, nuclear power plants are subject to strict federal mandates on their operation. Commercial airlines must comply with federal reporting requirements regarding runway incursions and other safety-related mishaps. Drinking water utilities must report to the federal government if they detect spikes in lead or other dangerous chemicals that can harm the public. These requirements have not undermined these industries. In fact, they have made them stronger, safer, and more resilient.

Yet, when it comes to intrusions into the networks of a critical infrastructure entity, an intrusion that could damage critical components of an airplane, a train, an oil or gas pipeline, or a port facility, if that network belongs to a private company, up until now, the federal government has merely asked for “voluntary” cooperation. As we learned at our last hearing, an astounding 30 percent of public transit agencies failed to report known breaches to anyone. I expect the statistics in the private sector are far worse. In addition, the short-term financial implications of making a cyber breach public, possibly affecting a company’s economic bottom line or shrinking a CEO’s bonus, inhibit cybersecurity transparency, masking known vulnerabilities that should be quickly corrected.

Implementing basic cybersecurity standards, reporting requirements, and cybersecurity awareness training should not be voluntary—they should be required. The public’s safety and the nation’s security depend on these systems. While no single change can prevent every cyberattack, we need to raise the bar significantly and make cyberattacks on our systems much more difficult to accomplish.

The Biden administration has taken notable steps to address these issues holistically. They have issued orders and memoranda to encourage infrastructure owners and operators to increase their cybersecurity investments to minimize threats to all critical infrastructure sectors. In the wake of the Colonial Pipeline cyberattack, the Transportation Security Administration mandated specific cybersecurity protections for pipelines to defend against ransomware and other attacks, along with contingency and recovery plans. Last week, TSA issued basic cybersecurity enhancements for the aviation sector that will go into effect early next year and I understand TSA intends to issue a security directive for passenger rail, high-risk freight rail, and the transit sector as early as today. So, we appear to have scheduled this hearing quite well. In addition, last month, the Cybersecurity and Infrastructure Security Agency issued a binding directive that ordered federal agencies to fix known software and hardware vulnerabilities in their computer networks within six months. For those that care about the public’s safety and the nation’s economic and national security, these efforts—in both the public and private sectors—should not be controversial. They should be welcomed and supported.

Both the Government Accountability Office (GAO) and the Department of Transportation’s Office of Inspector General (DOT OIG)—whom we will hear from today—have made thousands—literally thousands—of recommendations related to cybersecurity weaknesses at federal agencies. Many of these recommendations remain unaddressed.

Some of GAO’s more alarming findings include DOT’s failure to implement a cybersecurity risk management strategy and weaknesses in FAA’s approach to cybersecurity for avionics systems in commercial aircraft.

Similarly, the DOT OIG has uncovered a range of cybersecurity deficiencies and deemed information security one of the department’s top management challenges. The OIG has found, among other things, evidence of inconsistent software updates, lax enforcement of federal cybersecurity requirements, and IT systems at DOT that are vulnerable to exploitation by hostile actors.

I look forward to hearing from our government witnesses today. I expect them to explain the steps they are taking to address the cybersecurity issues that have plagued them for far too long and update us on the status of their efforts to work with private industry to address the cybersecurity threats that endanger us all. As our transportation systems and critical infrastructure assets—both public and private—evolve, we become more efficient and connected than ever, but we also create new opportunities for cyber villains. To improve our resiliency to these threats, we must work together and address them in a holistic manner.

With that, I recognize Ranking Member Graves for his opening statement.