Best Practices for Physical & Cyber Systems
In the US, border and transportation security are intrinsically tied together. Transportation is a critical infrastructure system that is a high security priority because it provides access to the US as well as providing support for other critical systems. Within this framework, an analysis of border and transportation security reveals both a resilient and flawed security system.
The large size of the US creates a massive infrastructure of roadways and borders that connect Canada and Mexico directly with the country. Unlike other countries such as in Europe, transportation span thousands of miles as well as borders. This is both a strength and weakness to the security systems.
The large size of the US transportation system means that it is resilient. It would take a tremendous effort to cripple the US transportation system since there are multiple roads and methods of transportation which allow for access to different points within the US. However, size also creates a weakness in the system because there are too many points of access to the country to effectively guard them all. While a large infrastructure ensures that the country can operate if one system is taken offline such as air travel during 9/11, this also creates many soft targets both to physical assets and to cyber assets.
The US transportation system consists of a large number of interconnected roadways. This system is much larger than air transportation and railway transportation or boat. It is also the largest number of physical assets that are not easy to protect. An example of this issue can be seen in accidents that occur:
On Wednesday, November 19, 2014, the driver of a big-rig tractor-trailer fell asleep while driving southbound on a Berks County, Pennsylvania, highway, plowed into a line of cars stopped at a traffic light on the southbound side and then crossed into the opposite side of the roadway and crashed into two cars that were about to exit a parking lot. According to reports, several of the impacted vehicles in the 10-vehicle pile-up flipped over, and the two cars at the parking lot exit were smashed between the truck and a large Duncan Donut’s sign. A 34-year-old woman and a 23-year-old man were killed and nine others were injured in the accident (Killino, 2014).
Accidents such as this reflect the nature of transportation in which it is prone to accidents and to tremendous damage due to the vast number of soft targets available to terrorists. An accident such as the one mentioned could just as easily have been a terrorist driving a truck into a crowded building such as in the case of the Oklahoma City Bombing. The largest risk that one can see with physical assets is the infrastructure itself in transportation systems. Bridges and tunnels are major targets and there are many of these systems in use. Many of these systems have millions of users on a consistent monthly basis making it nearly impossible to verify and check every motorist. As a result of this problem, drugs, contraband, and illegals are often able to enter the country with very little effort. It is much more difficult to accomplish these illegal activities with air and other forms of transportation because the assets are highly controlled such as airports and shipyards. For example, the TSA is focused on mainly air transportation and hires screening officers in airports, armed Federal Air Marshals for planes (TSA, 2017). The agency also uses mobile teams of dogs for explosive detection. Much of the physical protection is focused on aviation due to 9/11. This focus on aviation is understandable but it leaves many physical systems of transportation exposed such as highways, borders, bridges, etc.
Transportation systems are some of the oldest critical systems. Similar to physical security, transportation cybersecurity has both strengths and weaknesses. One major advantage that the US has with transportation is that its systems are decentralized. This means that no one system can be hacked and affect all transportation systems. For example, if the Baltimore mass transit administration is hacked this will not affect other cities in Maryland. However, being decentralized, transit cybersecurity is also not uniform in its security practices. This means that one city’s cybersecurity system may be more or less secure than another city. This means that some cities are more prone to attack transportation systems than others (Clifford, 2004). As a result of these differences in security, transportation is prone to hacking and malware in some instances and this can threaten other critical infrastructure. For example, New York has been in the process of building a highly sophisticated cybersecurity system for transportation which includes surveillance on streets, subways, and the ability to track public transportation. The process of creating a unified cybersecurity system is embedded in the linking of government systems within New York:
New York State agencies have worked to establish e-government services since 1996 and used this system with great resourcefulness and flexibility after September 11th, 2001, to provide New Yorkers with the latest information available…Developing e-government systems is essential to information and intelligence sharing aspects of public administration…the use of information technology to support government operations, engage citizens and provide government services…This broad working definition encompasses the four key dimensions that reflect functions of government itself. The first is e-services, which is the electronic delivery of information and services. E-democracy uses electronic communications to increase citizen participation in the public decision-making process (Dawes, 2009 ).
This centralizing of security ensures that security policies and practices are uniform across the transportation systems. However, this centralized system makes the entire system vulnerable when security is breached. For this reason, there is controversy concerning whether security for transportation and borders should be centralized or decentralized.
Arguments for decentralized security for transportation and borders can be found in the Transportation Safety Administration (TSA). The TSA was formed under the Aviation and Transportation Security Act, in 2001 in the aftermath of 9/11 (TSA, 2017). The TSA is focused on strengthening and protecting transportation systems. The TSA works with other agencies such as Homeland Security and the FBI in order to detect threats and respond to security breaches. Collaboration is important to these agencies because transportation, especially aviation is a critical infrastructure that impacts other critical infrastructures by providing support for their ongoing operations. The TSA partners with state, local, and federal agencies and assists with other areas of transportation security including “highways, railroads, buses, mass transit systems, pipelines and ports” (TSA, 2017). Mostly, TSA ensures aviation security starting at the passenger level.
The TSA has been highly criticized because it appears overly focused on aviation while other agencies also deal with airline security such as the FBI. This has brought the need for this agency under fire especially because of many of its inefficiencies. The agency has been criticized because of its poorly trained staff as well as other issues. The need for this agency is questionable considering the fact that there are already multiple agencies dealing with airline and transportation protection.
The inefficiencies resulting from the TSA have been blamed on a variety of issues mainly the fact that the agency does not follow a clear set of practices (FEMA, 2008). This problem highlights the solution to protecting borders and transportation systems.
Protecting transportation and borders needs to be accomplished through a decentralized system that is reinforced through best practices and standards set by the government. Security structured in this manner already exists within the manufacturing of computers and devices that must be used for sensitive information. The Federal Risk and Authorization Management Program (FedRAMP) provides the model for this form of security management. FedRAMP was formed to provide standards for the security of cloud services and products used by the government. FedRAMP provides a common standardized security model for the Federal Government which allows for more effective cloud use and better access from agencies that need information systems.
1) providing recommendations on the application of NIST SP 800–37 Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, and 2) providing recommendations on the application of security controls selected from NIST SP 800–53. (National Institute of Standards and Technology, 2014).
FedRAMP should be applied to the existing cyber systems that control transportation and border security systems. This would ensure that all systems meet the minimum requirement for security. Similarly, DHS provides standard security planning that states should abide by when protecting critical assets (FEMA, 2008). This should be expanded for states to use in security planning for borders and physical assets. This would allow multiple state agencies to protect these critical assets.
Decentralized security provides many layers of protection. Using a standard security planning that is issued by the Federal Government, would ensure minimum standards are met. This would solve a variety of cost and inefficiency issues with having large agencies incapable of protecting all borders and transportation systems.
Clifford, M. (2004). Identifying and Exploring Security Essentials. New Jersey: Prentice-Hall.
Dawes, S. (2009 ). “Need to Know” to “Need to Share”: Tangled Problems, Information Boundaries, and the Building of Public Sector Knowledge Networks. Public Administration Review, 69(3), 392–402.
FEMA. (2008, January). Critical Infrastructure and Key Resources Support Annex. Retrieved from FEMA: http://www.fema.gov/pdf/emergency/nrf/nrf-support-cikr.pdf
Killino, J. (2014, Novemeber 24). Truck Driver Falls Asleep and Causes Horrific Crash, Leaving Two Dead. Retrieved from The Killino Firm P.C.: http://www.killinofirm.com/news/truck-driver-falls-asleep-and-causes-horrific-crash-leaving-two-dead
National Institute of Standards and Technology. (2014). Framework for Improving Critical Infrastructure Cybersecurity . Washington: National Institute of Standards and Technology.
TSA. (2017). About. Retrieved from Transportation Safety Agency: https://www.tsa.gov
Clifford, M. (2004). Identifying and Exploring Security Essentials. New Jersey: Prentice-Hall.