- Freight rail recognizes that cyber resiliency is a must, as is maintaining the public’s trust as a critical infrastructure organization.
- The changing threat environment demands that private and public entities’ response capabilities remain nimble and effective without concerns for liability or punishment.
Freight rail logistics are a 24/7 operation, and protection of its cyber networks is no different. For more than 20 years, freight rail has continuously shared cyber threats, incidents, and indicators of concern with government agencies like the Department of Homeland Security, Transportation Security Administration, and National Security Administration. By tapping into this robust range of private and public capabilities, freight rail is prepared to respond effectively to hostile acts — which is why policymakers should build upon this collaborative approach when developing cybersecurity policy. As Congress considers cybersecurity legislation, freight rail recommends the following:
1. Include the reasonable protections provided in the Cybersecurity Information Sharing Act of 2015 (CISA 2015) in all future cyber legislation.
A key component of CISA 2015’s success was the proper protections it provided to private entities reporting on cybersecurity. Together, these provisions give reporting entities the protections and confidence needed for the free flow of cybersecurity information between reporting entities and the federal government. Including these protections in all future cyber legislation will build upon the successful legacy and partnerships CISA 2015 has formed. The protections include:
- Antitrust exemptions and civil liability protections (Division N—CISA 2015; Sec. 104(e)).
- Disclosure law exemptions, such as Freedom of Information laws, open meetings laws, or similar laws requiring the disclosure of information or records at the state, local, and tribal levels (Division N—CISA 2015; Sec. 104(d)(4)(B)(ii)).
- Certain regulatory use exemptions, which prevent any state, local, or tribal government from bringing an enforcement action based on the sharing, but not the development or implementation, of a regulation (Division N—CISA 2015; Sec. 104(d)(4)(C)(ii)).
- No waiver of privilege when privileged material is shared (Division N—CISA 2015; Sec. 105(d)(1)).
- If designated commercial, financial, and proprietary by the sharing entity, the privileges and protections of such information will be afforded to that shared information (Division N—CISA 2015; Sec. 105(d)(2)).
- Shared information shall be exempt from disclosure under FOIA (Division N—CISA 2015; Sec. 105(d)(3)).
- Shared information is strictly limited in its disclosure, retention, and use (Division N—CISA 2015; Sec. 105(d)(5)).
2. Expand the analytical capabilities of the Cybersecurity and Infrastructure Security Agency’s (CISA) workforce before requiring more reporting.
CISA must be allowed to increase the technical acumen of its workforce before requiring more cybersecurity reporting. Private entities recognize the federal government’s ability to see and respond to threats not just across its own sectors, but across other government agencies as well; that is why private entities already report cyber incidents at a far greater pace and frequency than is currently required.
In addition, private entities note a lack of effective action by CISA on submitted reports. CISA, as currently staffed, is not equipped with the resources to perform the analysis and response that private entities need in order to be most effective at cybersecurity incident prevention and response. Further increasing mandatory reporting, without a simultaneous increase in threat assessment feedback, will not improve our nation’s cybersecurity, but rather overload an already-struggling CISA system.
3. Direct CISA to regularly update a cyber threat profile based on analyses of attacks, failed attempts, and successful disruptions.
To build an understanding of how cyber threats arise and which measures are most effective in preventing or mitigating their effects, it is important to recognize two critical truths of cybersecurity: (1) what happens around the world affects us here at home, so we should be willing to learn from all attacks; and (2) when it comes to the creation of standard operating procedures, less is more. The creation of a clear and concise cyber threat profile by CISA should be no different.
For example, the Australian Cyber Emergency Response Team has successfully proven that the key components of cyber risk factor mitigation have an 85% higher success rate when the following four protective measures comprise the cyber threat profile:
- Tactics most commonly used to perpetrate breaches;
- Vulnerabilities most frequently targeted and exploited;
- Indicators of developing threats that are often missed or misunderstood; and
- Inadequately implemented protective measures that could have prevented incidents.
Given Australia’s success with the model above, CISA should closely review it and provide guidance on measures and procedures for reporting entities that is equally clear, concise, and effective.
4. Direct CISA and Sector Risk Management Agencies (SRMAs) to work with private entities to establish early notification networks.
After every cyber-attack, a traceable event occurs that is known as an indicator of compromise. Quickly and efficiently identifying these indicators is critical to stopping future attacks that exhibit the same indicator, as well as to locating previously undetected attacks across a system. Early notification networks are the conduit by which these indicators of compromise reach federal government security operations centers, and the means by which patterns are recognized and timely responses to developing threats are created.
Early notification networks have been recognized by private entities as a necessity for streamlined reporting. Currently, however, the federal government is without an early notification network as robust as those of private entities, and, while steps are being taken to close this gap by adopting comparable technology, much work remains and should be encouraged.
5. Define and publicize procedures for stakeholders to submit requests for information (RFIs) and requests for assistance (RFAs) to enhance cooperative cybersecurity efforts.
The federal government has the impressive ability to access and compile data across a swath of public and private entities; however, its ability to analyze that data properly and efficiently is lacking. That is where RFIs and RFAs come in. Private entities across multiple sectors continuously use RFAs and RFIs to gain insight into both cyber preparedness and post-attack damage control; to do so, private entities need to be able to learn of relevant events happening across the world. Similar benefits would follow if the federal government provided comparable products.
If an attack on critical infrastructure happens in Israel, for example, an established standard operating procedure for RFIs and RFAs will in turn increase the capabilities of domestic private entities. The federal response to these requests must be both timely and attainable. Unfortunately, the federal government lacks consistency in the execution of this submission, review, and consideration process. For this reason, future cyber legislation should direct CISA and SRMAs to work with private entities so that they can execute actions that continue to present innovative initiatives and solutions that enhance capabilities and cooperative efforts in cybersecurity.