U.S. House of Representatives Committee on Homeland Security

11/19/2024 | Press release | Distributed by Public on 11/19/2024 11:29

Chairman Gimenez Delivers Opening Statement in Subcommittee Hearing on TSA Cybersecurity Regulations

WASHINGTON, D.C. - Today, House Homeland Security Subcommittee on Transportation and Maritime Security Chairman Carlos Gimenez (R-FL) delivered the following opening statement in a hearing to examine how the Transportation Security Administration (TSA) manages cybersecurity risks within the transportation sector, particularly following the recent release of a Notice of Proposed Rulemaking affecting cybersecurity practices in rail, pipeline, and bus transportation.

As prepared for delivery:

Today, this Subcommittee is examining how the Transportation Security Administration utilizes Security Directives and Public Rules to manage cybersecurity risks within the transportation sector.

In today's interconnected world, cybersecurity is more than just an IT issue - it's a critical component of our national security.

Cyber threats have become pervasive, and their potential impact on critical infrastructure has profound implications for the safety and stability of our society and the resilience of our economy.

Nowhere is this more evident than in our transportation systems, which serve as the backbone of the American economy. These systems connect our communities, support commerce, and facilitate the movement of goods and services across the country and around the world.

Our transportation networks, spanning aviation, rail, public transit, highways, pipelines, and maritime ports, are increasingly reliant on complex digital systems for operation and coordination. This reliance makes them especially vulnerable to cyberattacks by criminal groups and nation-state actors.

Moreover, as emerging technologies like autonomous vehicles, connected infrastructure, and artificial intelligence become more integrated into our transportation systems, the cybersecurity landscape grows more complex.

These advances, while offering new efficiencies and capabilities, also create additional access points that cyber criminals and nation-state adversaries could exploit.

A cyberattack on any of these systems could disrupt travel, halt commerce, threaten public safety, and create cascading effects across our economy and national security landscape.

Whether through ransomware attacks, data breaches, or other malicious cyber activities, such threats have the potential to cause extensive harm, demonstrating the urgent need for targeted cybersecurity regulations within the transportation sector.

Safeguarding our transportation infrastructure is not only about securing physical assets - it is also about protecting the digital networks that power and control them, ensuring resilience in the face of evolving threats.

The Transportation Security Administration (TSA), established to protect our nation's transportation systems, has an essential and increasingly complex role in defending these critical networks against cyber threats.

With its mandate to secure the nation's vast transportation infrastructure - covering everything from aviation and rail to maritime and public transit - TSA is tasked not only with physical security, but also with developing and enforcing cybersecurity regulations across the industry.

I have concerns about the TSA's current approach. In recent years, TSA has issued numerous Security Directives aimed at addressing cyber risks. However, these directives often seem reactive, hastily implemented, and lacking the necessary consultation with stakeholders.

Industry feedback indicates that these directives can be overly prescriptive rather than performance-based, limiting operators' ability to tailor cybersecurity practices to their specific operational needs.

A Security Directive that lacks clarity and flexibility may do more harm than good. Instead of fostering robust security measures, it can lead to confusion, inefficiency, and a checkbox mentality, where compliance is valued over actual risk reduction.

Moreover, the lack of collaboration with industry experts - the people who understand these systems best - raises concerns about whether these directives are even capable of addressing the most pressing vulnerabilities.

On November 6th, less than two weeks ago, TSA issued a Notice of Proposed Rulemaking that aims to establish mandatory cyber risk management and reporting requirements for certain surface transportation owners and operators.

The sheer complexity of these regulations - spanning over 300 pages - is overwhelming, especially considering smaller operators who are already operating with limited resources.

These proposed rules raise an important question: will they effectively fulfill their intended purpose by reducing cybersecurity risks within the transportation sector, or will they simply place an undue burden on operators?

TSA should empower operators with the flexibility to develop and implement tailored cybersecurity strategies that best address their unique risks and operational needs.

When I was Mayor of Miami-Dade County, I focused on reducing overhead and streamlining regulations to enable business innovation and improve government efficiency. I believe this same approach is essential as we work to effectively protect our nation's transportation systems from cybersecurity risks.

By balancing regulatory standards with operational adaptability, we can promote robust cybersecurity practices that both protect critical infrastructure and foster innovation and efficiency within the industry.

Thank you to our witnesses from both panels for appearing before the Subcommittee. I look forward to your testimony.

###