On November 4th, 2021, the House Committee on Transportation and Infrastructure held the first hearing of a two-part series on “The Evolving Cybersecurity Landscape: Industry Perspectives on Securing the Nation’s Infrastructure.” IWP alumnus Thomas L. Farmer appeared as a witness, testifying on behalf of the Association of American Railroads (AAR), where he serves as the Assistant Vice President of Security.
During the hearing, Mr. Farmer discussed the railroad industry’s commitment to safety and its unified, cooperative effort on cybersecurity. He highlighted the “Proven and long-standing commitment to collaboration – within our industry, across sectors, and with the government – to protect against cyber-attacks.” Throughout, he emphasized the underlying premise of the railroad industry’s security program: that “Prevention is attainable,” that “with the right structures, supporting the right people, armed with timely and actionable cyber threat intelligence and security information, we can prevent attacks and mitigate their effects should they occur.”
The vital component is information sharing – focused on cyberattack tactics employed, vulnerabilities exploited, related indicators of compromise or concern, and protective measures that can make the difference.
In this vein, Mr. Farmer’s opening statement concluded with two main points. First, he noted, Congress has already acted upon the issue at hand through the Cybersecurity Information Sharing Act of 2015. This underutilized legislation expressly authorizes information sharing within industries, across sectors, and between government agencies and private sector entities. At the same time, the statute specifies protections that remove impediments to timely and effective sharing of threat and security information. His second point cited the gap that persists due to the lack of analysis of significant cybersecurity threats, incidents, and concerns already reported by railroads and other private sector entities to the federal government. He expressed the hope that Congress will look to build upon the already existing and successful collaborative approach by industry with the government in addressing cybersecurity – an approach urged by the President in the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, issued on July 28, 2021.