A regulatory gap analysis in transportation cybersecurity and data privacy

Although the need for regulatory and enforcement measures is dire, there is no all‐encompassing federal law or regulatory framework that governs cybersecurity or data privacy in the US transportation industry. The objective of this paper is to analyze the gaps that exist in US cybersecurity regulatory schematic as applied to transportation law and policy. As opposed to a theoretical approach, this study relies on a systematic gap analysis methodology to canvas a broad topic and distill specific insights that can be used as a foundation for establishing legislative and policy goals. Specifically, this paper attempts to answer: (i) what federal and/or state agencies are responsible for governing cybersecurity practices in the United States, including risk assessment, preventative measures, detection of breaches, and remedial enforcement; and (ii) how do industry experts assess the greatest risks/threats to ensuring cybersecurity in the transportation sector? The scope of selected legislative analysis is purposefully all‐encompassing of the transportation industry to highlight the scant nature of existing US law on the subject. Several states have enacted their own cybersecurity legislation, creating an unsynchronized approach nationwide that implicates jurisdictional issues, preemption problems, and inconsistent compliance requirements for national stakeholders. This paper next considers states' perspectives of transportation cybersecurity as assessed through a national survey of US state transportation agencies. Specific areas of concern identified as being important to the transportation industry but largely overlooked in the legislative spectrum include issues related to third‐party vendor liability, identifying cybersecurity tools, and supply chain risk management. Legislation covering workforce, ransomware, and cybersecurity‐related privacy issues saw more success, but low passage rates were still reflected with respect to the number of bills proposed. On the other hand, funding, insurance, and penalization issues appeared to be frequently prioritized. This paper presents the results of a gap analysis research approach identifying discrepancies between “what is” and “what should be” in transportation cybersecurity legislation.