The cybersecurity of the critical air, rail, and maritime infrastructure that underpins U.S. military mobility is insufficient. Washington must identify and resource solutions now.
Executive Summary
A direct military engagement between the United States and a near-peer adversary would require the swift mobilization and deployment of a sizable U.S. military force. Moving troops and equipment efficiently over land, sea, and air is essential to America’s ability to project power, support partners and allies, and sustain forces to fight and win wars. Alongside the U.S. military’s own assets, commercially owned and operated critical infrastructure enables this military mobility. While U.S. Transportation Command (TRANSCOM) conducts logistical operations to facilitate the mobility of U.S. forces, civilian-owned rail networks, commercial ports, and airport authorities will handle transportation of the majority of servicemembers and materiel during a significant, rapid mobilization.
U.S. adversaries know that compromising this critical infrastructure through cyber and physical attacks would impede America’s ability to deploy, supply, and sustain large forces. As the U.S. intelligence community’s 2024 annual threat assessment warned, China would “consider aggressive cyber operations against U.S. critical infrastructure and military assets” in the event of an imminent conflict with the United States. Beijing would seek to use these operations not only as a deterrent against further U.S. military action but also specifically to “interfere with the deployment of U.S. forces.”
Over the past year, the intelligence community has revealed how deeply Chinese hackers known as Volt Typhoon penetrated U.S. transportation, energy, and water systems. Volt Typhoon demonstrated China’s capability to gain and maintain persistent access to closed systems and pre-position malicious payloads to cause disruption and destruction. Meanwhile, other Chinese Communist Party (CCP) malicious cyber operations, including Flax Typhoon, hijacked cameras and routers, and Salt Typhoon burrowed deep into U.S. telecommunications networks. In addition to enabling potential disruption, compromising critical infrastructure allows Beijing to amass information about the movement of goods, surreptitiously watching as the United States moves its military equipment across the country. Given these threats, the U.S. military has a vested interest in the security of the nation’s critical transportation infrastructure.
The cybersecurity of the critical air, rail, and maritime infrastructure that underpins U.S. military mobility is insufficient. To improve resilience, the United States needs significant investment by the government and private sector as well as improved public-private collaboration. The nation can no longer afford to waste time debating the immediacy of the threat. Washington must identify and resource solutions now.
Recommendations for All Transportation Systems
Rec 1: Congress, the executive branch, and independent federal and state regulators should work together to harmonize cybersecurity regulations.
Rec 2: Congress should authorize and appropriate funding for cybersecurity grant programs across all transportation critical infrastructure subsectors vital to military mobility.
- 2a – Grant for the maritime industry: Congress should direct the Coast Guard to create a grant program to provide port authorities, particularly strategic sealift ports, with funds to improve cybersecurity.
- 2b – Grant for the aviation industry: Congress should fund a cybersecurity grant program through the FAA to support airport authorities, with priority given to commercial hubs and DoD-partnered airports critical to military operations.
- 2c – Grant for the freight rail industry: Congress should direct TSA to launch a cybersecurity grant program for short-line and non-Class I freight railroads, prioritizing those vital to STRACNET and focused on securing trackside technologies and sensors.
Rec 3: DoD should review interagency coordination and its own implementation of responsibilities for defense critical infrastructure protection.
- 3a – Review of interagency coordination: GAO should review how DoD and sector risk management agencies coordinate to protect defense critical infrastructure in the transportation sector, identifying communication gaps, intelligence sharing issues, and duplicative efforts.
- 3b – Review of DoD policy implementation: DoD should assess whether it is effectively implementing its defense critical infrastructure protection responsibilities, including reviewing mission assurance cybersecurity priorities.
Rec 4: DoD should conduct national and local exercises with private-sector partners simulating the mobilization of military forces while critical infrastructure sustains cyberattacks.
Rec 5: The White House should revise the GPS governance strategy and accelerate the transition to the GPS III architecture and the less vulnerable L5 frequency while also exploring the feasibility of terrestrial PNT.
Recommendations for Maritime Transportation Systems
Rec 6: The GAO should conduct an audit of U.S. Coast Guard requirements to effectively exercise its SRMA responsibilities.
Rec 7: Congress should provide additional appropriations to support cyber initiatives conducted by U.S. Coast Guard captains of the port.
Rec 8: The U.S. Coast Guard and CISA should provide guidance on trusted vendors for maritime operational technology.
Recommendations for National Airspace Systems
Rec 9: Congress should provide oversight and appropriations to ensure that the FAA and TSA collaboration with the private sector is fully resourced.
Rec 10: The FAA should produce a cybersecurity road map report to be delivered to Congress alongside the FAA NextGen Annual Report.
- 10a – FAA cybersecurity roadmap: Congress should direct the FAA to deliver a cybersecurity roadmap as part of its NextGen report, outlining how it will integrate newer technologies with legacy air traffic control systems while prioritizing infrastructure security and continuous operations.
- 10b – FAA annual cybersecurity report: Congress should request an annual FAA report on cybersecurity improvements in air traffic control, developed with input from the aviation cybersecurity rulemaking committee and delivered alongside the NextGen report.
Recommendations for the U.S. Freight Rail Industry
Rec 11: TSA should continue investing in building collaboration and trust with rail operators.
Rec 12: The White House should direct an interagency supply chain risk assessment for the U.S. freight rail industry.
- 12a – Freight rail supply chain risk assessment: The White House—or Congress, if necessary—should task Department of Commerce with conducting a supply chain risk assessment to identify critical freight rail components sourced from China and evaluate the national security risks of foreign-made railcars already in stock.
- 12b – Rail manufacturing capabilities assessment: The Department of Commerce should evaluate domestic and allied capacity to produce all rail components without inputs from countries of concern and recommend incentives if production is not commercially viable.
Rec 13: DoD should produce an annex on cybersecurity and resiliency alongside its five-year STRACNET assessments.