Media Kit » Try RailPrime™ Today! »
Progressive Railroading
Newsletter Sign Up
Stay updated on news, articles and information for the rail industry

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

View Current Digital Issue »


Rail News Home Federal Legislation & Regulation


Rail News: Federal Legislation & Regulation

AAR, other trade groups oppose provision in cybersecurity bill


The Association of American Railroads (AAR) is among 46 business and trade organizations that have asked congressional leaders to remove a Senate cybersecurity bill provision that would allow the Department of Homeland Security (DHS) to regulate the cyber practices of "critical infrastructure" entities.

In a Nov. 12 letter to Senate and House committee leadership, the organizations said they "strongly oppose" Section 407 of the Cybersecurity Information Sharing Act (CISA), which passed the Senate in late October. S. 754 would provide legal immunity to companies that voluntarily share cyber-threat information with the federal government. The bill has to be reconciled with similar bills passed in the House.

Authored by U.S. Sen. Susan Collins (R-Maine), Section 407 would require DHS, relevant sector specific agencies (SSAs) and regulatory agencies to single out certain critical infrastructure entities and report to Congress the extent of their cybersecurity incident reporting, the letter stated.

The section would run counter to the voluntary nature of CISA and the House-passed bills; presumes the entities are deficient in cyber threat reporting; and would burden those entities with additional regulations, the organizations wrote.

"We support and already engage in a strong voluntary partnership of information sharing with the U.S. government that will grow stronger with the passage of CISA and the House bills," they said.

The organizations also noted that members of their associations "are spending billions of dollars to counter cyber attacks from nation-state adversaries, criminal organizations and other malicious actors."

But Section 407 would give DHS, the SSAs and other federal regulators "free rein to assess certain business cybersecurity gaps and develop unilateral mitigation strategies for each critical infrastructure entity without input from industry," the letter stated.

In addition to AAR, the letter was signed by the U.S. Chamber of Commerce and groups representing the financial services industry, telecommunications, transportation and other industries.