March 27, 2025
A new report from the current iteration of the Cyberspace Solarium Commission dives into the security of the transportation sector and the intersection with the Defense Department, offering recommendations for policy proposals to bolster cybersecurity for maritime, railroad and aviation stakeholders.
"The cybersecurity of the critical air, rail, and maritime infrastructure that underpins U.S. military mobility is insufficient. To improve resilience, the United States needs significant investment by the government and private sector as well as improved public-private collaboration," the March 27 report says.
It continues, "The nation can no longer afford to waste time debating the immediacy of the threat. Washington must identify and resource solutions now."
The report was released by the Foundation for Defense of Democracies on behalf of the Cyberspace Solarium Commission 2.0, which is housed at the think tank. It was written by Annie Fixler, director of FDD's Center for Cyber and Technology Innovation; retired Rear Adm. Mark Montgomery, who directs CSC 2.0; and FDD's Rory Lane.
The commission describes the current organization of critical infrastructure and defense critical infrastructure in the maritime, aviation and railroad sectors. It also goes into securing GPS, detailing how the DOD space asset is vulnerable and more investment is needed to address jamming and spoofing.
Across all transportation systems, the report recommends harmonizing cyber regulations as a partnership between Congress, the executive branch and independent federal and state regulators.
The report says, "Regulatory harmonization should remain a priority for both Congress and the executive branch so that maritime, aviation, and rail operators -- and all critical infrastructure owners and operators -- can focus on improving their security and resilience rather than proving their compliance with multiple, redundant regulations."
"During the Biden administration, the Office of the National Cyber Director undertook regulatory harmonization efforts to address these and other concerns by encouraging reciprocity between different regulatory and compliance regimes. In other words, if a company demonstrates to one set of regulators that it complies with cybersecurity requirements, it should not need to demonstrate the same facts again to a second regulatory body," according to the report.
"This effort should continue under the Trump administration," the commission argues. "Members of Congress from both parties, meanwhile, are also on record supporting legislation and other efforts to harmonize regulations, particularly as it relates to cyber incident reporting requirements."
CSC 2.0 also encourages Congress to "authorize and appropriate funding for cybersecurity grant programs across all transportation critical infrastructure subsectors vital to military mobility." The report proposes grant programs for three sectors:
a. For the maritime industry: Congress should direct the Coast Guard to create a grant program in conjunction with the DOT's Maritime Administration to provide port authorities with funds to improve cybersecurity. Working with DoD, the grant-making agency should prioritize strategic sealift ports. Among other cybersecurity investments, port operators should use grants to offset the costs of purchasing new ship-to-shore cranes from non-adversarial countries.
b. For the aviation industry: Congress should provide funds for the establishment of a cybersecurity grant program for airport authorities. In addition to prioritizing commercial hubs, the FAA should also work closely with DoD to prioritize grants for major hubs for CRAF carriers and the designated airports with which DoD has arrangements to support military operations.
c. For the freight rail industry: Congress should direct TSA to create a cybersecurity grant program for short-line freight railroads to improve their cybersecurity protections. In administering the program, TSA should work with DoD to prioritize grants for smaller railroads that are an essential part of STRACNET, those serving as connectors to Class I freight lines, and all other non-Class I freight railroads covered by TSA's proposed cybersecurity rule. Among other priorities, funding should support the proper implementation of sensors and securing other trackside operational technologies.
When it comes to DOD, CSC 2.0 says the department should be responsible for reviewing "interagency coordination and its own implementation of responsibilities for defense critical infrastructure protection."
The report says, "DoD is best positioned to identify the critical infrastructure most essential for supporting military mobility, but mitigating these threats requires cooperation with the sector risk management agencies that uniquely understand this infrastructure."
"To ensure effective coordination between DoD and SRMAs, the GAO should conduct a review of interagency coordination efforts to secure defense critical infrastructure in the transportation sector. Such a report should identify gaps in general communication, threat intelligence sharing, and mitigation efforts as well as any overlapping, duplicative efforts," according to the report.
Tabletop exercises can also be an important mechanism to bring government and private-sector partners together to simulate the "mobilization of military forces while critical infrastructure sustains cyberattacks," according to the report.
At the White House level, the report encourages the administration to revise the "GPS governance strategy and accelerate the transition to the GPS III architecture and the less vulnerable L5 frequency while also exploring the feasibility of terrestrial" positioning, navigation and timing.
Current policies
Montgomery and Fixler reflected on efforts under the Biden administration to address maritime and aviation security on a March 26 call with reporters to discuss the report.
Former President Biden issued an executive order in February 2024 to strengthen maritime security with a focus on addressing concerns over Chinese-made cranes operating in U.S. ports.
Montgomery said the Biden effort focused on replacing the cranes, but it's not realistic with 90 percent of cranes operating in the U.S. made in China. Instead, Montgomery said the focus should be on replacing the software in the cranes and their cellular modems.
As part of the EO, the Coast Guard issued a final rule on Jan. 17 to establish minimum cyber requirements for the maritime transportation sector.
The Coast Guard also issued a Maritime Security Directive when the EO was released to establish "cyber risk management actions for ship-to-shore cranes manufactured by the People's Republic of China located at U.S. Commercial Strategic Seaports," according to the White House fact sheet.
The directive is similar to actions taken by the Transportation Security Administration for the pipeline, railroad and aviation sectors.
Montgomery called the Biden EO great, while criticizing the Coast Guard's abilities to carry out its activities due to a lack of funding.
"The Coast Guard doesn't have two nickels to rub together," Montgomery said, adding that if they are asked to prioritize their resources the focus is usually on rescuing people out of the sea versus cybersecurity.
Fixler highlighted a requirement in the 2021 Bipartisan Infrastructure Law directing the Federal Railroad Administration to block China from infiltrating U.S. freight rail. A final rule to establish new requirements from the FRA went into effect on Jan. 21.
Under the final rule, the CSC 2.0 report says "no railcars manufactured after December 2025 [will] include components or sensitive technology from countries of concern. The regulation, however, does not remove existing Chinese-built stock, nor does it address aftermarket maintenance." -- Sara Friedman ([email protected])
Copyright Inside Washington Publishers Apr 1, 2025