Steady leadership prepares TSA to face evolving cyber threats

New presidents bring new policies. But amid rapidly expanding cyber threats, steady leadership at the federal agencies charged with securing critical infrastructure is, well, critical.

David Pekoske, a retired U.S. Coast Guard vice admiral and administrator of the Transportation Security Administration, is uniquely positioned to provide that leadership. Congress showed foresight in 2018 by creating five-year terms for TSA administrators, ensuring stability for the agency’s long-term planning. With dozens of government cyber leaders departing as President-elect Donald Trump appoints his new team, Pekoske’s steadfast commitment to remain in his role until 2027 provides continuity to secure America’s transportation sector against national security threats.

Before his initial nomination by Trump to lead TSA in 2017, transportation cybersecurity lacked the prominence and urgency it holds today. Digital technologies had already begun transforming transportation systems, increasing efficiency but also creating new vulnerabilities. The integration of energy supply chains with surface transportation adds to TSA’s responsibility as the federal lead on pipeline cybersecurity. But Pekoske brought sharp focus to cybersecurity following the Colonial Pipeline ransomware attack in May 2021. His leadership has earned bipartisan trust, making him a key figure in addressing these critical challenges. Before his reappointment by President Joe Biden in 2022, Pekoske also served as one of the Trump-appointed commissioners on the landmark Cyberspace Solarium Commission, shaping national cybersecurity policy.

Since 2021, TSA reshaped its approach to critical infrastructure protection, turning voluntary cooperation into requirements for companies with outsized impacts on national security. Working closely with the Cybersecurity and Infrastructure Security Agency, TSA rolled out security directives to bolster cybersecurity resilience in pipelines, railroads, and aviation systems. These directives mandated operators to adopt stronger measures for incident response, vulnerability assessments, and advanced threat detection. Cybersecurity is now a central pillar of TSA’s mission, extending beyond the airport security most Americans associate with TSA.

The security directives were not without their challenges. Industry groups criticized them for being overly rigid across transportation modes and neglecting to incorporate industry feedback during their development. Stakeholders also raised concerns over inflexibility of regulatory requirements and overlaps with existing ones.

Under Pekoske’s leadership, TSA learned to do better, vastly increasing collaboration with industry. Over the past three years, TSA has held more than 300 meetings with stakeholders to gather feedback and has hosted numerous classified briefings for c-suite leadership. In November, TSA officials testified before Congress, admitting their initial security directives were “too prescriptive,” shifting instead to an “outcome-focused, performance-based model.” At that same hearing, the American Gas Association praised TSA’s willingness to listen and learn from operators, resulting in a “major course correction” toward a more effective, risk-based approach.

While security directives respond to evolving threats, the formal rulemaking process offers greater opportunities for industry input. Earlier this month, Pekoske announced a notice of proposed rulemaking to formalize these requirements by building on existing collaboration. TSA recognized other shortcomings, responding to the Government Accountability Office’s criticism that directives did not align with the National Institute of Standards and Technology’s ransomware practices, widely considered the gold standard. TSA is now affirming that its proposed rule is “grounded” not only in these standards, but also in CISA’s cybersecurity performance goals.

The proposed rule, expected to impact about 37% of public transportation agencies, 12% of freight railroads, and 115 pipeline facilities and systems, will enhance security of critical infrastructure that underpins U.S. military mobility. With the proposed rule remaining open for public comment until February 2025, TSA is urging stakeholders to help the agency understand the impact of its own regulations and those of other federal, state, and local entities, so that TSA can harmonize regulations and avoid duplication.

Pekoske’s next task is to address the resource constraints that limit TSA’s ability to provide robust support across the sector. TSA’s budget request includes funding for 41 additional cybersecurity experts. Based on aviation industry feedback, TSA now conducts on-site inspections where companies discuss and provide sensitive security information directly rather than submitting it electronically. While more time-intensive, this alternative better addresses concerns about securely handling data. TSA needs additional experts to implement this approach to surface transportation as well.

The Colonial Pipeline attack painted a stark picture of the consequences of under-preparedness, disrupting not just a single business, but prompting a state of emergency across the East Coast. Without TSA’s engagement, the nation would have remained dangerously vulnerable, threatening public confidence in critical infrastructure resilience. 

Instead, David Pekoske has transformed TSA into a proactive force in addressing cybersecurity risks. Doubling down on the selection of him in 2017 as TSA’s administrator and relying on his stewardship would serve the incoming Trump administration well.

Rear Adm. (Ret.) Mark Montgomery is the Center on Cyber and Technology Innovation’s senior director and also directs CSC 2.0, which works to implement the recommendations of the Cyberspace Solarium Commission, where he previously served as executive director. Jiwon Ma is senior policy analyst at CCTI at the Foundation for Defense of Democracies.

The post Steady leadership prepares TSA to face evolving cyber threats appeared first on CyberScoop.