The House Homeland Security Committee is urging the Transportation Security Administration (TSA) – a component of the Department of Homeland Security – to develop an “adaptive” cybersecurity posture to combat evolving threats.
In a March 6 letter to TSA’s acting administrator Adam Stahl, Homeland Security Committee Chairman Mark Green, R-Tenn., and a coalition of Republican committee members voiced concerns over recent cybersecurity incidents within the TSA and asked a dozen questions for the agency to report back on regarding its cybersecurity efforts.
“Recent cyber incidents and information technology (IT) disruptions have exposed systemic vulnerabilities within critical transportation systems and networks, reinforcing the urgency of enhanced security and resilience measures,” the letter reads.
The letter references a July 19, 2024, global IT outage following a faulty software update from CrowdStrike at the TSA. The letter said the outage disabled 8.5 million Windows systems and caused financial losses exceeding $10 billion due to its disruption of travel services.
According to the letter, a separate cybersecurity incident occurred at the Seattle-Tacoma International Airport in August 2024.
In response to these incidents and growing foreign cybersecurity threats, TSA established a proposed rule that would formalize its cybersecurity directives and incorporate them into a national cybersecurity framework developed by the National Institute of Standards and Technology (NIST) as well as directives from the Cybersecurity and Infrastructure Security Agency (CISA).
Lawmakers said they want to ensure that TSA’s regulatory framework balances security and operational realities. The letter criticized the Biden administration for “imposing more requirements on entities that already face a complex cyber regulatory landscape.”
“A rigid or overly burdensome approach could impose operational challenges, while insufficient oversight may leave critical vulnerabilities unaddressed,” the letter reads.
“TSA must ensure that its cybersecurity framework is not only effective but agile enough to respond to multiple simultaneous cyber incidents that impact different nodes of the transportation sector without compromising operational continuity,” the letter reads.
The lawmakers are giving TSA until March 27 to respond to its questions, which include queries on cybersecurity personnel quotas and training, public-private partnerships, foreign threat response, and goal revisions.
The letter was also joined by chair of the Subcommittee on Transportation and Maritime Security Carlos Gimenez, R-Fla., Chair of the Subcommittee on Cybersecurity and Infrastructure Protection Andrew Garbarino, R-NY., and Rep. Sheri Biggs, R-SC.
“Striking the right balance will require continuous engagement with industry partners, regular assessments of existing directives, and the flexibility to refine policies in response to emerging threats and technological advancements,” the letter reads.
