Sen. Cruz: Federal Government Has Lousy Track Record of Protecting Data From Cyberattacks

September 18, 2024

Washington, D.C. – In his opening statement at today’s Senate Commerce Committee hearing titled “Aviation Cybersecurity Threats,” Ranking Member Ted Cruz (R-Texas) highlighted the federal government’s inconsistent handling of its own cybersecurity and reporting requirements while holding the private sector to more burdensome and duplicative standards. Sen Cruz also raised concerns over the complexity and inefficiencies of the many agencies involved in cybersecurity, with overlapping regulations and insufficient expertise, particularly at the Transportation Security Administration (TSA).

In addition, Sen. Cruz outlined his concern with the Biden-Harris administration’s refusal to respond appropriately to his probe regarding the housing of illegal aliens on airport property.

Here are Sen. Cruz’s remarks as prepared for delivery:

“If cybercrime were measured as a country it would be the third largest economy in the world—costing about ten trillion dollars a year, up from three trillion dollars ten years ago. It is a threat the federal government must take seriously.

“The transportation sector is often targeted by cyber criminals—no mode is immune. A 2021 ransomware attack rendered inoperable the Colonial Pipeline, which carries about 45 percent of the East Coast’s fuel. Airlines, pilots unions, and airports globally have also all been hacked.

“While the Port of Seattle recovers from the August hack, it appears travelers were largely spared from widespread disruptions. I look forward to hearing from SeaTac Managing Director Lance Lyttle [little] on how the airport responded and any lessons learned. I will note Mr. Lyttle [little] spent five years working for the Houston Airport System before going to SeaTac, so I’d like to extend a special welcome to him.

“Airlines, airports, and avionics manufacturers invest heavily to fortify their technology systems and protect data. Cyber defenses are expensive and ever-evolving due to the nature of cyber threats. But we should be cautious about placing too much faith in more regulation and reporting requirements to protect us.

“I am concerned about the dozens of potentially duplicative cyber security reporting requirements that regulated entities must already comply with. There may be a better or more effective way to keep critical infrastructure secure than more box-checking compliance activities.

“Skepticism about new compliance burdens is well founded. The federal government itself has a lousy track record of protecting data from cyberattacks—millions of Americans’ data has been stolen in government hacks over the past ten years. And yet the law today gives the federal government more than double the amount of time a private entity has to report a cybersecurity incident.

“In many cases, federal agencies have little understanding of how regulated industries work. For example, when the Transportation Security Administration first issued security directives on cybersecurity requirements for pipelines, many of the mandates were impractical and had been designed without any private sector input.

“The TSA set unrealistic timelines for pipeline operators to effectively overhaul their cybersecurity practices and applied cybersecurity requirements typically required for computers, such as updating passwords, to things like sensors that monitor pipeline processes.

“TSA’s security directives created so much confusion the agency received an “unprecedented number—more than 380—of alternative measure requests” from operators. Had TSA used a regular rulemaking process with notice and comment, rather than issuing directives to industry without input, those mistakes might have been avoided.

“On the subject of TSA, I am pleased this committee is holding a hearing related to aviation security, but we should be looking more closely at TSA’s operations as well.

“For example, more than a year ago, I began an investigation into why three Mayors of radical left-wing sanctuary cities were using commercial airports to house thousands of illegal aliens. Not surprisingly, the Biden-Harris administration continues their delay tactics and has yet to provide all the information I have requested.

“The Department of Homeland Security (DHS), including TSA, has failed to produce documents and communications requested about the potential security threats illegal aliens pose to airports and airport facilities. Additionally, the FAA has failed to provide requested communications between it and other federal entities about the housing of illegal aliens at airports.

“Separately, I worked closely with Senators Merkley and Kennedy on an amendment to the FAA authorization on TSA’s use of facial recognition technologies at passenger checkpoints.

“The TSA begged members of Congress to allow for continued facial recognition with no guardrails. Chair Cantwell, I know you offered to Senator Merkley to hold a hearing on this and other topics. I think that is a great idea.

“The TSA and the DHS must be more collaborative in their work, and especially their rulemaking. I look forward to hearing from today’s witnesses on their experience working with the TSA on cyber issues and how we can keep the aviation sector safe.”

###