Cyber Brief: Transportation Security

Published: Jul 11, 2018

Edited by Michael Martelle

The cyber threat to critical infrastructure (communication, transportation, energy, finance, and vital services) receives considerable attention from researchers and policy analysts. This Cyber Brief looks at transportation security in isolation, beginning with President Clinton’s Executive Order 13010 and continuing through recent Federal reports on emerging challenges and technologies.

The White House, "Executive Order 13010: Critical Infrastructure Protection," July 15, 1996. Unclassified.

This Executive Order signed by President Clinton established the President's Commission on Critical Infrastructure Protection. Threats to critical infrastructure are categorized as either physical or cyber, and the Commission is directed to pursue public-private cooperation to protect infrastructure owned and operated by the private sector.

President's Commission on Critical Infrastructure Protection, "Critical Foundations: Protecting America's Infrastructures," October 1997. Unclassified.

This presidential commission report focused on the protection of critical infrastructures - including energy, banking and finance, transportation, and telecommunications - in the context of the "rapid proliferation and integration of telecommunications and computer systems" which "have connected infrastructures to one another in a complex network of interdependence." Its two parts focus on "the case for action" and "a strategy for action."

General Accounting Office, GAO/AIMD-98-155, Air Traffic Control: Weak Computer Security Practices Jeopardize Flight Safety, May 1998. Unclassified.

This report concerned the Federal Aviation Administration's Air Traffic Control computer systems that provide information to air traffic controllers and flight crews. The GAO found that the "FAA is ineffective in all critical areas included in our computer security review."

William J. Clinton, Presidential Decision Directive/NSC-63, Subject: Critical Infrastructure Protection, May 22, 1998. For Official Use Only/Unclassified.

The introduction to this directive notes that the military and economy of the United States are "increasingly reliant upon certain critical infrastructures and upon cyber-based information systems." The remainder of the 18-page directive specifies the President's intent "to assure the continuity and validity of critical infrastructures" in the face of physical or cyber threats, states a national goal, delineates a public-private partnership to reduce vulnerability, states guidelines, specifies structure and organization, discusses protection of Federal government critical infrastructures, orders an NSC subgroup to produce a schedule for the completion of a variety of tasks, and directs that an annual implementation report be produced.

Federal Bureau of Investigation, "Questions for the Record, June 2000," July 2000. Unclassified.

These FBI responses to questions for the record from various Senators concern the activities and capabilities of the (now-disestablished) FBI National Infrastructure Protection Center, interagency cooperation, specific cyber cases, and legal issues.

Michael A. Vatis, Director, National Infrastructure Protection Center, FBI, Statement for the Record before the Senate Armed Services Committee Subcommittee on Emerging Threats and Capabilities, March 1, 2000. Unclassified.

This testimony from the director of the FBI unit established in 1998 by President Clinton's Presidential Decision Directive 63 (subsequently transferred to the Department of Homeland Security, and later disestablished) provides a year 2000 overview of the organization, a description of the source of cyber threats, an account of interagency cooperation, a review of several incidents and investigations, and the challenges in combating computer intrusions.

General Accounting Office, GAO-01-323, Critical Infrastructure Protection: Significant Challenges in Developing National Capabilities. April 2001. Unclassified.

This report, produced at Congressional request, evaluates the progress of the FBI's National Infrastructure Protection Center - which was established as a result of Presidential Decision Directive 63. It examines three areas of NIPC operations, including capabilities for responding to cyber attacks.

The President's Critical Infrastructure Protection Program, National Strategy for Critical Infrastructure and Cyberspace Security, May 2002. Unclassified.

This report, written in response to Presidential Decision Directive 63, identifies vulnerabilities within the information and communications sector and examines industry and government roles in securing the sector.

Department of Homeland Security, CYBER STORM: Exercise Report. September 12, 2006. Unclassified.

This report describes the purpose and objectives of the first CYBER STORM exercise (which tested the response to simulated cyber attacks on the energy, information technology, transportation, and telecommunications sectors), its key achievements, and its major findings.

National Infrastructure Advisory Council, The Insider Threat to Critical Infrastructures, April 8, 2008. Unclassified.

Among the topics discussed in this study are the nature and psychology of insider threat perpetrators, the consequences of the escalation of technology and network risks combined with growing globalization of supply chains and service providers, and obstacles to addressing the insider threat. In addition, it discusses employee screening and contains recommendations with regard to information sharing, technology and several additional topics.

Department of Homeland Security, CYBER STORM II Final Report. July 2009. Unclassified.

The CYBER STORM II exercise simulated cyber attacks on critical infrastructure in the information technology, communications, chemical, and transportation sectors. The report consolidates findings, observations, and inputs from participants - which included U.S. and foreign participating organizations from the United Kingdom, Australia, Canada, and New Zealand.

U.S. Coast Guard, United States Coast Guard Cyber Strategy, June 2015. Unclassified.

This document identifies the three key elements of the Coast Guard cyber strategy - defending cyberspace, enabling Coast Guard operations (including intelligence and law enforcement operations), and protecting infrastructure (including critical maritime infrastructure and the Maritime Transportation System).

Government Accountability Office, Vehicle Cybersecurity: DOT and Industry Have Efforts Under Way, but DOT Needs to Define Its Role in Responding to a Real-world Attack, March 2016. Unclassified.

Among the topics addressed in this report are the available information about key cybersecurity vulnerabilities in modern vehicles that could impact passenger safety, key practices and technologies that might mitigate cybersecurity vulnerabilities and the impact of attacks, the views of selected stakeholders on challenges, and Department of Transportation efforts to address vehicle cybersecurity.

Office of Inspector General, Department of Transportation, FI-2017-001, DOT Cybersecurity Incident Handling and Reporting is Ineffective and Incomplete, October 13, 2016. Unclassified/For Official Use Only.

This audit details the results of an Inspector General's investigation of the Transportation Department's procedures for (1) monitoring, detecting, and eradicating cyber incidents, and (2) reporting incidents and their resolution to appropriate authorities.

Office of Inspector General, Department of Homeland Security, OIG-17-14, Summary Report on Audits of Security Controls for TSA Information Technology Systems at Airports (Redacted), December 30, 2016. Unclassified.

This report summarizes previous reports concerning deficiencies with regard to security controls for the Transportation Security Administration's information technology systems at airports and analyzes the effects of TSA efforts to improve security at the sites.

United States Department of Homeland Security, Future Environment Net Assessment: Autonomous Vehicles, June 2017. Unclassified.

This assessment examines future safety and security concerns related to autonomous vehicles, including cyber vulnerabilities in autonomous control systems.

Department of Transportation Office of Inspector General, DOT's Fiscal Year 2018 Top Management Challenges. November 15, 2017. Unclassified.

This review of challenges includes the need to improve the cybersecurity posture of the DOT to reflect evolving threats to transportation and infrastructure.