Securing surface transportation modes during disasters, including cyberattacks and pandemics, remains a major focus among federal, state, and local governments as well as among industry stakeholders.
[Above photo by the NYC Transit Police]
According to the Transportation Research Board – which is holding a Conference on Transformative Times in Transportation Security in November – while one size does not fit all in terms of addressing surface transportation security needs, there are “common themes” in all effective security preparedness approaches.
“There are two aspects to keep in mind when preparing for safety or security risks,” explained Patricia Bye, security consultant and coauthor of the Transit Security Preparedness report, in a TRB blog post.
“One is knowing how to protect people,” she said. “The other is to understand the employee and public perceptions about the safety of the system. It is important to make what steps you are taking known and, if possible, very visible. Perception is a really big deal.”
Hazards and threats continue to evolve and there are high expectations for system performance and reliability as well as a lower tolerance for delays, TRB noted.
The group added that the National Cooperative Highway Research Program’s A Guide to Emergency Management at State Transportation Agencies explains why successful emergency plans are “increasingly multimodal” and require “routine testing” through training, drills, and exercises.
Along those lines, the House of Representatives Homeland Security Committee recently released a bill that would establish a Cyber Incident Review Office within the Cybersecurity and Infrastructure Security Agency, which is part of the U.S. Department of Homeland Security.
Known as the “Cyber Incident Reporting for Critical Infrastructure Act of 2021,” the bill would build on recent Executive Orders and directives aimed at improving the security of critical U.S. infrastructure, such as pipelines, and require critical infrastructure owners and operators to report cybersecurity incidents.
The House’s bill mirrors legislation proposed in the Senate this July that would require federal government agencies, federal contractors, and critical infrastructure operators to notify the DHS when a cybersecurity breach occurs; granting limited immunity to companies that come forward to report a breach.
“We believe that if an incident reporting regime is crafted carefully, it can be a helpful tool to improve federal agencies’ situational awareness into cybersecurity incidents as well as to drive improvements in operational collaboration [with] industry,” noted John Miller, senior vice president of policy and general counsel for the Information Technology Industry Council.
In written testimony before a House Committee on Homeland Security hearing September 1, Miller added that cybersecurity is “rightly a priority issue” for governments and industry, which share the “common goals” of improving cybersecurity, protecting the privacy of individuals’ data, and maintaining strong intellectual property protections.
“We have seen policymakers increasingly consider incident reporting as a potentially appropriate tool to improve government’s ability to leverage its resources towards not only helping victim organizations recover from incidents, but ideally to help protect others from similar threats or vulnerabilities,” he added.
“If narrowly scoped and carefully crafted, we believe that an incident reporting regime can help improve the nation’s digital resilience and security,” Miller pointed out.