The Administration is preparing for cyberwar, but its plans are incomplete. Presidential Policy Directive 20 concerning U.S. cyber operations does not specifically address the important relationship between transportation safety and security. The transportation system is a critical infrastructure that has been physically attacked in the past and is susceptible to cyber attacks in the future. This glaring gap leads one to question the Administration’s understanding of the economic importance of transportation systems and the significant damage that can occur if a transportation system is successfully attacked by hackers.
Presidential policy directives outline new Presidential initiatives and establish the roles and responsibilities of the departments and agencies involved in implementing the new policies. Those with direct roles are listed in the “memorandum for” section on the first page. The Washington Post published a photo of the first page of PPD 20 on June 8. The Department of Transportation (DOT) was not referenced. Agencies and departments that are not included do not have defined roles and may have no role at all in implementing new policies.
The missing reference to DOT is surprising because a nation’s transportation system is the backbone of its economy. The food we eat and the clothes we wear are brought to us by one or more modes of transportation. If the transportation system is damaged, goods must be rerouted around the damaged areas. The Transportation Research Board and DOT commissioned a paper that highlighted the difficulties in rerouting and bringing transportation systems back to operational capacity after Hurricanes Katrina and Rita. Hundreds of millions of dollars were spent repairing roads, bridges, ports, and airports that were significantly damaged by the natural disasters.
The White House may have decided not to include the Department of Transportation in the PPD because the Department of Homeland Security, which is included in the PPD, is responsible for the security of our nation’s transportation systems. The Transportation Security Administration (TSA) is the lead DHS agency responsible for carrying out this mission. TSA’s responsibilities, however, do not include safety and the efficient movement of commerce; these are the responsibilities of DOT.
When a transportation system is threatened, the government’s response must include both safety and security measures. In 2006, the government discovered a plot to detonate liquid explosives on planes. TSA led the Administration’s security efforts to prevent the attack from occurring and coordinated efforts with the Federal Aviation Administration (an agency within DOT). This coordination was necessary to ensure that the security changes did not impact the safe and efficient transport of people and goods. Similar working relationships have been established between TSA and other DOT agencies that regulate rail, mass transit, and trucking.
The White House has recognized the close working relationship between the DHS and DOT on physical and cyber security threats in the past. Presidential Policy Directive 21 concerning Critical Infrastructure Security and Resiliency (signed on February 12, 2013) directs the two departments to work together to improve transportation security. Similarly, the two departments are directed by reference in the February 12, 2013 Executive Order Improving Critical Infrastructure Cybersecurity to develop guidance to address risks and threats to transportation-related cyber systems. This guidance will include measures to protect transportation systems from attacks like those allegedly outlined in PPD 20.
Sadly, this isn’t the first time DOT has been missing from an important Presidential policy document. On February 11, 2010, the President released a new Executive Order entitled National Export Initiative. The purpose of the new policy was to improve conditions that directly affected the private sector’s ability to export. There was no reference to DOT in the Executive Order. Goods are exported via trains, trucks, planes, and ships. More than one person questioned the viability of an initiative that didn’t include a major stakeholder at the decision table.
Transportation cannot be divided between safety and security. The transportation system must be viewed as a whole, and measures designed to protect this critical infrastructure must be developed by both DHS and DOT. This coordination will better protect the system from physical and cyber threats. The United States is not the only government developing cyber warfare plans, and we must be prepared to respond to the coming attacks.
Krepp served as Chief Counsel at the U.S. Maritime Administration and Special Counsel to the General Counsel at the U.S. Department of Transportation during the first Obama administration. She is currently a private consultant and professor at The George Washington University and Pennsylvania State University.