Executive Summary
A direct military engagement between the United States and a near-peer adversary would require the swift mobilization and deployment of a sizable U.S. military force. Moving troops and equipment efficiently over land, sea, and air is essential to America’s ability to project power, support partners and allies, and sustain forces to fight and win wars. Alongside the U.S. military’s own assets, commercially owned and operated critical infrastructure enables this military mobility. While U.S. Transportation Command (TRANSCOM) conducts logistical operations to facilitate the mobility of U.S. forces, civilian-owned rail networks, commercial ports, and airport authorities will handle transportation of the majority of servicemembers and materiel during a significant, rapid mobilization.
U.S. adversaries know that compromising this critical infrastructure through cyber and physical attacks would impede America’s ability to deploy, supply, and sustain large forces. As the U.S. intelligence community’s 2024 annual threat assessment warned, China would “consider aggressive cyber operations against U.S. critical infrastructure and military assets” in the event of an imminent conflict with the United States. Beijing would seek to use these operations not only as a deterrent against further U.S. military action but also specifically to “interfere with the deployment of U.S. forces.”
Over the past year, the intelligence community has revealed how deeply Chinese hackers known as Volt Typhoon penetrated U.S. transportation, energy, and water systems. Volt Typhoon demonstrated China’s capability to gain and maintain persistent access to closed systems and preposition malicious payloads to cause disruption and destruction. Meanwhile, in other Chinese Communist Party (CCP) malicious cyber operations, Flax Typhoon hijacked cameras and routers, and Salt Typhoon burrowed deep into U.S. telecommunications networks. In addition to enabling potential disruption, compromising critical infrastructure allows Beijing to amass information about the movement of goods, surreptitiously watching as the United States moves its military equipment across the country. Given these threats, the U.S. military has a vested interest in the security of the nation’s critical transportation infrastructure.
The cybersecurity of the critical air, rail, and maritime infrastructure that underpins U.S. military mobility is insufficient. To improve resilience, the United States needs significant investment by the government and private sector as well as improved public-private collaboration. The nation can no longer afford to waste time debating the immediacy of the threat. Washington must identify and resource solutions now.
Recommendations
For All Transportation Systems:
Congress, the executive branch, and independent federal and state regulators should work together to harmonize cybersecurity regulations.
Congress should authorize and appropriate funding for cybersecurity grant programs across all transportation critical infrastructure subsectors vital to military mobility.
DoD should review interagency coordination and its own implementation of responsibilities for defense critical infrastructure protection.
DoD should conduct national and local exercises with private-sector partners simulating the mobilization of military forces while critical infrastructure sustains cyberattacks.
The White House should revise the GPS governance strategy and accelerate the transition to the GPS III architecture and the less vulnerable L5 frequency while also exploring the feasibility of terrestrial PNT.
For Maritime Transportation Systems:
The Government Accountability Office should conduct an audit of U.S. Coast Guard requirements to effectively exercise its SRMA responsibilities.
Congress should provide additional appropriations to support cyber initiatives conducted by U.S. Coast Guard captains of the port.
The U.S. Coast Guard and CISA should provide guidance on trusted vendors for maritime operational technology.
For the National Airspace System:
Congress should provide oversight and appropriations to ensure that the FAA and TSA collaboration with the private sector is fully resourced.
The FAA should produce a cybersecurity roadmap report to be delivered to Congress alongside the FAA NextGen Annual Report.
For the U.S. Freight Rail Industry:
TSA should continue investing in building collaboration and trust with rail operators.
The White House should direct an interagency supply chain risk assessment for the U.S. freight rail industry.
DoD should produce an annex on cybersecurity and resiliency alongside its five-year STRACNET assessments.