Persistent Cyber-Security Threats as “Emergencies” under 49 U.S.C. §114(l)(2):
Commentary on Grand Trunk Corporation & Illinois Central Railroad Co. v. TSA, 7th Cir. (2025)

1. Introduction

The Seventh Circuit’s decision in Grand Trunk Corporation v. Transportation Security Administration (Nos. 24-2109, 24-2156 & 25-2084, decided 21 Aug 2025) squarely addresses how the Transportation Security Administration (TSA) may respond to evolving cyber-security threats against the national rail system. Petitioners, collectively known as CN, challenged three successive TSA Security Directives (SD 1580/82-2022-01B, –01C & –01D) that imposed costly cyber-risk mitigation obligations on “higher-risk” and STRACNET railroads. CN argued principally that the Directives were invalid because TSA:

• bypassed the Administrative Procedure Act’s notice-and-comment requirements,
• skipped a cost-benefit analysis,
• exceeded its statutory authority, and
• acted arbitrarily and capriciously.

The Seventh Circuit rejected every argument, holding that (1) an ongoing and evolving cyber-security threat may itself constitute an “emergency” within the meaning of 49 U.S.C. §114(l)(2), thereby authorising the TSA to dispense with notice-and-comment rule-making, and (2) the cost-benefit mandate in §114(l)(3) applies only to regulations, not security directives. The ruling cements broad agency discretion to react swiftly to persistent national-security risks in the surface transportation sector.

2. Summary of the Judgment

Writing for a unanimous panel (Scudder, Kirsch, and Lee, JJ.), Judge Kirsch denied all three consolidated petitions. The court:

1. Interpreted §114(l)(2)’s “emergency procedures” to encompass long-term, persistent, and evolving threats, not only sudden discrete events.
2. Deferred to TSA’s threat assessments, emphasising:
   • Recent intelligence reports from CISA, the Department of Defense, and ODNI documenting Russian and Chinese capabilities.
   • The Transportation Security Oversight Board’s repeated ratifications of the Directives.
3. Found no statutory requirement to perform a cost-benefit analysis before issuing a security directive.
4. Confirmed TSA’s substantive authority—rooted in §§114(d), (f), (l) & (m)—to regulate rail security and to issue binding directives beyond merely internal TSA conduct.
5. Held that the Directives were not arbitrary or capricious because they were narrowly tailored to the railroads of greatest strategic significance and were repeatedly updated as intelligence evolved.

3. Analysis

3.1 Precedents Cited and Their Influence

• Haig v. Agee, 453 U.S. 280 (1981) & Trump v. Hawaii, 585 U.S. 667 (2018)
  – Invoked to justify judicial deference in national-security contexts.
• Department of Navy v. Egan, 484 U.S. 518 (1988)
  – Supports executive primacy in security-clearance/national-security determinations, analogised to TSA security directives.
• Perez v. Mortgage Bankers Association, 575 U.S. 92 (2015)
  – Cited for the general APA notice-and-comment obligation, which the court distinguished via the statutory emergency exemption.
• Bonacci v. TSA, 909 F.3d 1155 (D.C. Cir. 2018) and Olivares v. TSA, 819 F.3d 454 (D.C. Cir. 2016)
  – Provide templates for affording “substantial deference” to TSA in aviation screening; the Seventh Circuit extends the same logic to surface transportation.
• Historical Emergency Declarations
  – E.g., COVID-19 national emergency (2020-2023) and the 1979 Iran sanctions. These examples demonstrate that, historically, an “emergency” need not be fleeting.

3.2 The Court’s Legal Reasoning

1. Textual Analysis of §114(l)(2)
     • Key statutory phrases: “if the Administrator determines” and “must be issued immediately.” The court regarded this language as conferring broad discretion.
     • No temporal qualifier on “emergency” exists in the text. Therefore, the inquiry is whether immediate action is required, not how long the risk has been present.
2. Historical Practice
   Multi-year emergency declarations under the National Emergencies Act and IEEPA serve as persuasive evidence that Congress tolerates prolonged emergency states.
3. Structural Considerations & Executive Expertise
   National security decisions require specialised, often classified information. Courts, lacking that expertise, traditionally defer unless Congress expressly curtails executive authority.
4. Interpretation of §114(l)(3)
   Omission of “security directive” from §114(l)(3) is deliberate, triggering the expressio unius canon; cost-benefit analyses therefore apply only to regulations.
5. Statutory Authority under §114(d) & (f)
   Section 114 assigns TSA responsibility for “security in all modes of transportation” and obligates it to “ensure the adequacy of security measures.” The court viewed these provisions as a broad mandate, not merely a grant of TSA-internal housekeeping power.
6. Arbitrary-and-Capricious Review
   • The Directives target only high-risk and STRACNET railroads.
   • TSA updated each Directive based on “recent and evolving intelligence,” signaling reasoned, iterative decision-making.

3.3 Potential Impact of the Judgment

The ruling’s doctrinal and practical consequences are substantial:

• Administrative Law: Establishes Seventh Circuit precedent that a persistent threat can satisfy an “emergency” exception to notice-and-comment, potentially influencing other circuits interpreting statutory emergency clauses (e.g., in the FAA, FCC, or HHS contexts).
• Transportation & Critical-Infrastructure Security: Validates rapid-deployment cyber standards in rail and may encourage similar directives in pipelines, maritime, and highway sectors.
• Cost-Benefit Jurisprudence: Clarifies that statutory cost-benefit clauses must be read with textual precision; “regulation” does not automatically encompass “directive” or “order.”
• Industry Compliance Posture: Freight carriers can expect heightened, recurring cyber obligations, with limited procedural avenues to delay implementation through litigation.
• Executive-Congressional Dynamics: The decision may prompt legislative re-examination of §114 if Congress wishes to cabin TSA’s emergency powers or to impose cost-benefit requirements on directives.

4. Complex Concepts Simplified

Notice-and-Comment Rulemaking

A formal APA process requiring agencies to publish proposed rules, solicit public input, and respond to comments before issuing a final regulation.

Security Directive

A binding order issued by TSA to address specific transportation threats quickly, bypassing the slower rule-making route.

STRACNET

The Strategic Rail Corridor Network—rail lines designated by the Department of Defense as essential for moving military supplies.

Arbitrary and Capricious

A standard under the Administrative Procedure Act allowing courts to set aside agency actions that lack a reasonable basis or adequate explanation.

Cost-Benefit Analysis

Systematic comparison of the expected costs of a regulation to its anticipated security or societal benefits.

IEEPA & National Emergencies Act

Federal statutes permitting the President to declare national emergencies and impose economic sanctions or other measures.

5. Conclusion

Grand Trunk v. TSA is a watershed ruling in administrative and transportation law. By holding that continuous, state-sponsored cyber threats meet the statutory definition of an “emergency”, the Seventh Circuit has fortified TSA’s authority to act swiftly, even when protective measures impose heavy compliance costs. Moreover, the court’s meticulous textual approach to §114 delineates clear boundaries: cost-benefit requirements attach to regulations, but not to security directives. The decision thus empowers agencies to confront cyber adversaries in real time while signalling that long-term policy should eventually migrate to ordinary rule-making. Going forward, litigants challenging emergency directives will need to marshal compelling evidence that the threat is neither immediate nor security-related—an uphill battle in the shadow of this precedent.