Portman, Lankford, Rounds Request DHS OIG Review of TSA’s Security Directives on Cybersecurity

WASHINGTON, DC – Today, U.S. Senators Rob Portman (R-OH), Ranking Member of the Senate Homeland Security and Governmental Affairs Committee, James Lankford (R-OK) and Mike Rounds (R-SD) sent a letter to the Department of Homeland Security (DHS) Office of the Inspector General (OIG) requesting a review of the Transportation Security Administration’s (TSA) two recently released pipeline-focused security directives on cybersecurity—“SD-01” and “SD-02”, and forthcoming security directives applicable to rail and air operators. The senators noted industry experts have expressed concern that the TSA’s directives are overbroad and issued with minimal stakeholder or subject matter expert consultation. 

“We write to request you review the process by which the Transportation Security Administration (TSA) has developed and issued several emergency security directives this year, including recently issued and announced cybersecurity directives developed in consultation with the Cybersecurity and Infrastructure Security Agency (CISA)… securing critical infrastructure requires a collaborative approach with the experts in these industries—the people who operate this critical infrastructure and who are charged with implementing these directives,” wrote the senators.  “Unfortunately, we have received reports that TSA and CISA failed to give adequate consideration to feedback from stakeholders and subject matter experts who work in these fields and that the requirements are too inflexible. We are also troubled that TSA and the DHS Office of Legislative Affairs (DHS OLA) refused to provide copies of the draft directives to Congress, including the Chairs and Ranking Members of its congressional oversight committees, despite having shared copies with the pipeline industry… We agree that critical infrastructure must be protected against cyber-attacks, particularly in the wake of the Colonial Pipeline ransomware attack, but the process by which TSA has issued these directives raises concerns.” 

The letter can be found below and here. 

Dear Mr. Cuffari: 

We write to request you review the process by which the Transportation Security Administration (TSA) has developed and issued several emergency security directives this year, including recently issued and announced cybersecurity directives developed in consultation with the Cybersecurity and Infrastructure Security Agency (CISA).  

Our critical infrastructure must be secured and protected against cyberattacks.  However, securing critical infrastructure requires a collaborative approach with the experts in these industries—the people who operate this critical infrastructure and who are charged with implementing these directives.  We believe that care must be taken to avoid unnecessarily burdensome requirements that shift resources away from responding to cyberattacks to regulatory compliance.  Unfortunately, we have received reports that TSA and CISA failed to give adequate consideration to feedback from stakeholders and subject matter experts who work in these fields and that the requirements are too inflexible.  We are also troubled that TSA and the DHS Office of Legislative Affairs (DHS OLA) refused to provide copies of the draft directives to Congress, including the Chairs and Ranking Members of its congressional oversight committees, despite having shared copies with the pipeline industry. 

The TSA Administrator has the statutory authority to issue security regulations in the transportation sector.  Under a related authority, which had never before been exercised with the pipeline sector, the Administrator may issue emergency security regulations or directives without notice and comment if the Administrator determines that it “must be issued immediately in order to protect transportation security.”[1]  At least until earlier this year, TSA had worked in close coordination with industry stakeholders to develop practical security guidelines and policies.[2]  

We are concerned that the recently issued security directives appear to depart from TSA’s historically collaborative relationship with industry experts.  On May 27, 2021, in response to the Colonial Pipeline ransomware attack, TSA Administrator David Pekoske exercised the emergency security directive authority and issued TSA’s first ever pipeline-focused security directive (SD-01).[3]  On July 20th, TSA issued a second security directive to the pipeline industry entitled, “Security Directive Pipeline-2021-02: Pipeline Cybersecurity Mitigation Actions, Contingency Planning, and Testing” (SD-02).[4]  In response, on August 24, 2021, associations representing more than 2,700 companies in the oil and natural gas subsector sent a letter to TSA Administrator Pekoske warning of inadequate consultation and that the resulting security directives could have “operational safety and reliability” impacts.[5] 

On October 6th, Secretary Mayorkas announced TSA would issue additional security directives requiring railroad and airport operators to improve their cybersecurity practices.[6]  Public reports again indicate that TSA provided very little time for industry feedback.[7]

Another area of concern is that TSA and the DHS OLA also refused to provide copies of the draft directives to Congress, including the Chairs and Ranking Members of its congressional oversight committees, despite having shared copies of the drafts with the pipeline industry.  In a briefing with Senate staff on July 15, 2021, TSA officials explained they would not be providing a draft of SD-02 to Senate staff because it was pre-decisional and therefore deliberative.[8]  This argument appears to misapprehend the function and limits of the deliberative process privilege, which is not a bar to disclosure, especially not to Congress, and in any event is generally considered waived once an agency has “officially acknowledged” the record by prior disclosure outside the Government, as here.[9] 

We agree that critical infrastructure must be protected against cyber-attacks, particularly in the wake of the Colonial Pipeline ransomware attack, but the process by which TSA has issued these directives raises concerns.  To address these concerns, we request that you review TSA’s development and issuance of emergency security directives this year.  Specifically, we request that you examine the following with regard to each emergency security directive or emergency amendment related to cybersecurity issued this year: 

  1. The basis for the directive or amendment and, in each case, the basis for employing the emergency authority under section 114(l)(2) of title 49, United States Code, to issue those directives without full notice and comment, including:
    1. Any consultation with the Office of the Secretary of Homeland Security or the Executive Office of the President;
    2. TSA’s identification of additional threats to pipeline critical infrastructure, rail transit systems, and the aviation sector; and
    3. The timing of the directives and announcements of the directives including those announced on October 6;
  2. The consultation process with stakeholders in each case, including industry, other agencies, and Congress, which should examine:
    1. The timeline for affected industries to provide feedback;
    2. The extent to which TSA modified draft security directives to address industry comments or concerns; and
    3. The Federal agencies who contributed to the development of these security directives and their involvement;
  3. The basis for designating all or parts of the draft and final security directives and related documents as Sensitive Security Information (SSI) and the non-designation of the final SD-01 as SSI including:
    1. Whether the SSI designation was used to restrict access for any reason other than those reasons authorized by law;
    2. The basis for designating information as SSI in a draft but not a final security directive; and
    3. The specific information designated as SSI in each draft or final security directive and why such a designation was made; and
  4. The basis for withholding the draft directives from Congress.

We request that you review this matter and submit a report to us within 120 days.  In the interim, we request that you provide us with monthly updates.  Thank you for your prompt attention to this important request.                                                                  

Sincerely, 

###



[1] 49 U.S.C. § 114(l)(2)(A).

[2] Transp. Sec. Admin, U.S. Dep’t of Homeland Sec., Pipeline Security Guidelines (2018), available at https://www.tsa.gov/sites/default/files/pipeline_security_guidelines.pdf.

[3] Ratification of Security Directive, 86 Fed. Reg. 38209 (Jul. 20, 2021); Press Release, U.S. Dep’t of Homeland Sec., DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators (May 27, 2021), https://www.dhs.gov/news/2021/05/27/dhs-announces-new-cybersecurity-requirements-critical-pipeline-owners-and-operators.

[4] Press Release, U.S. Dep’t of Homeland Sec., DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators (Jul. 20, 2021), https://www.dhs.gov/news/2021/07/20/dhs-announces-new-cybersecurity-requirements-critical-pipeline-owners-and-operators.         

[5] Letter from Pipeline Trade Associations to TSA Administrator David P. Pekoske (Aug. 24, 2021) (enclosed).

[6] Press Release, U.S. Dep’t of Homeland Sec., Secretary Mayorkas Delivers Remarks at the 12th Annual Billington CyberSecurity Summit (Oct. 6, 2021), https://www.dhs.gov/news/2021/10/06/secretary-mayorkas-delivers-remarks-12th-annual-billington-cybersecurity-summit.

[7] E.g., Oriana Pawlyk, Freight rail blasts TSA cybersecurity proposal as redundant, Politico (Oct. 6, 2021), https://subscriber.politicopro.com/article/2021/10/freight-rail-blasts-tsa-cybersecurity-proposal-as-redundant-3991607.

[8] Briefing with HSGAC Staff (Jul. 15, 2021) (notes on file with Committee).

[9] See, e.g., Fitzgibbon v. CIA, 911 F.2d 755, 765 (1990).