Washington, D.C., transit cybersecurity comes under Senate scrutiny

After San Francisco transit was temporarily crippled by a ransomware attack in late 2016, Sen. Mark Warner is worried that Washington, D.C.'s transit authority is a high-value target whose defenses have to be kept up to date.
A Metro station in D.C. (Michael Hicks / Flickr)

Just over a month after San Francisco’s Municipal Transportation Agency fell victim to a ransomware attack, the cybersecurity of the Washington Metropolitan Area Transit Authority is under examination in a new letter from Sen. Mark Warner, a co-founder of the Senate Cybersecurity Caucus.

“I am acutely concerned about what this kind of attack may mean for transportation systems like WMATA,” Warner, D-Va., wrote in a letter to WMATA General Manager Paul Wiedefeld. “While early reports indicate that the attack on SFMTA may have been opportunistic rather than targeted, I am concerned that WMATA may represent a particularly enticing target for more advanced threats, given its importance to the region and the number of federal agencies that rely on the system to transport their workforces each day.”

The specific questions Warner posed to the transit agency:

  1. SFMTA was apparently a victim of a random attack that looked for antiquated, vulnerable computer systems. When was the last complete overhaul of WMATA’s IT systems? Has WMATA identified any end-of-life legacy components, and if so has WMATA taken steps to replace and/or isolate them? Does WMATA have backup systems in place that would allow for some level of continuity of operations in the case of a complete computer system outage?
  2. Does WMATA employ network segmentation, including between consumer-facing or internet-connected systems and mission-critical, operational systems to protect against lateral movement of attackers? Does WMATA have a procedure in place to notify overseers, regulators, and the public in the case of a cyberattack?
  3. Does WMATA have a comprehensive plan in place to deal with ransomware attacks? If so, was the plan developed in coordination with local and regional partners, including any entities or jurisdictions that may share or have access to internet-connected systems?

Ransomware is a billion-dollar criminal business that shows no sign of slowing in 2017. Ransomware attacks per day quadrupled in 2016, according to the Justice Department. Targets vary, but out-of-date systems, the kind that government tends to rely on more than any other sector, are especially vulnerable.

The SFMTA attack, which is still under investigation, ended with no payment from the SFMTA to the attacker despite a ransom demand of over $70,000. However, passengers were allowed to ride for free for much of Thanksgiving weekend after 900 office computers were affected.

“Should a cyberattack cripple WMATA’s ability to collect fares for days at a time, or have the effect of deterring alarmed riders, the financial implications would only exacerbate WMATA’s serious and mounting fiscal problems,” Warner wrote. “A cyberattack could potentially threaten these vital networks as well, putting riders at risk if an accident or emergency were to occur during a cyberattack.”


Warner also asked WMATA for updates on the expansion of wireless communications and testing of radio networks throughout the system. Radio issues hampered Washington, D.C., fire and rescue personnel’s communications during a smoke emergency near the L’Enfant Plaza station in 2015.
