TSA set to mandate railroads and rail systems report cyber incidents to government
A similar directive was issued for the pipeline industry in May.
The Transportation Security Administration will issue a new directive for railroad and rail transit system operators to implement more stringent cybersecurity measures, Homeland Security Secretary Alejandro Mayorkas said Wednesday.
The new directive will mandate those companies report incidents to the Cybersecurity and Infrastructure Security Agency (CISA) and hire a cybersecurity point person.
In addition to railways, the TSA is also requiring U.S. airport operators, passenger aircraft operators and all cargo aircraft operators to designate a cybersecurity coordinator and report all incidents to CISA by next spring, Mayorkas said at the Billington Cybersecurity Forum.
"TSA will expand the covered entities gradually to other relevant entities that can consider additional measures," he said.
In the wake of the Colonial Pipeline hack in May, TSA directed pipeline operators to report any cyber incidents to CISA. TSA is the agency responsible for pipeline security.
The agency has just 34 staff positions, including headquarters personnel, policy planners and field inspectors, to perform its pipeline and cybersecurity mission, according to a TSA official. Of those, only eight have attended any specialized cybersecurity training.
Both the secretary and the head of the Department’s cybersecurity division also tackled the scourge of ransomware that has been a growing problem in the U.S. and across the world.
"It really is an epidemic," Cybersecurity and Infrastructure Security Agency Director Jen Easterly said at the Mandiant cyber conference on Wednesday. "Some of this is because we all went to work from home in a less secure environment. And some of it is these actors have become much more capable over the past couple of years, empowered by the democratization of these tools and the weaponization of all the data that's out there."
Easterly said it is an "international effort" to combat ransomware attacks across the world.
"If a highly dedicated, sophisticated state actor wants to own you they will, but there are things that people can do to keep themselves safe," she explained.
The CISA director said over 90% of successful cyber attacks occur because of a phishing email and urged companies to prepare for a disruption.
The announcement comes as the Department of Justice said Wednesday it will seek to use civil enforcement tools to extract "hefty fines" from companies and contractors who receive federal funds and fail to follow necessary cybersecurity standards.
"When those who are entrusted with government dollars who are trusted to work on sensitive government systems fail to follow required cybersecurity standards, we're going to go after that behavior and extract very hefty -- very hefty fines," Deputy Attorney General Lisa Monaco said Wednesday in an appearance at the Aspen Cyber Summit.
Monaco said DOJ's new 'Civil Cyber Fraud Initiative' is in part a response to companies that receive government dollars but decline to report breaches to the FBI or CISA when they are victims of cyberattacks.
ABC News' Jack Date and Alexander Mallin contributed to this report.