“Ever-Present Emergencies”: Grand Trunk Corp. v. TSA Confirms that Continuous Cyber-Threats Qualify as Emergencies under 49 U.S.C. § 114(l)(2)

“Ever-Present Emergencies”: Grand Trunk Corp. v. TSA Confirms that Continuous Cyber-Threats Qualify as Emergencies under 49 U.S.C. § 114(l)(2)

1 · Introduction

Grand Trunk Corporation and its subsidiary Illinois Central Railroad Company (together, “CN”) sought review of three Transportation Security Administration (TSA) rail-cybersecurity security directives issued between 2024 and 2025. The directives compel higher-risk rail carriers and Strategic Rail Corridor Network (STRACNET) freight railroads to implement costly cyber-defences (e.g., network segmentation, continuous monitoring, patch management) without the customary notice-and-comment period required by the Administrative Procedure Act (APA).

TSA justified bypassing ordinary rule-making under the “emergency procedures” clause of its enabling statute, 49 U.S.C. § 114(l)(2), pointing to “ongoing cybersecurity threats” from Russia, China and other adversaries. CN contended that a constant, long-term threat does not amount to an emergency, that TSA lacked statutory authority, should have performed a cost-benefit analysis, and acted arbitrarily and capriciously.

In Grand Trunk Corporation v. TSA, the Seventh Circuit (Judges Scudder, Kirsch, Lee; opinion by Judge Kirsch) denied all petitions, establishing a significant precedent that continuing cyber-risks can be treated as emergencies permitting the TSA to skip notice-and-comment and cost-benefit review.

2 · Summary of the Judgment

  • Emergency Definition Expanded – The Court held that § 114(l)(2) gives TSA significant discretion to determine when immediate action is necessary. An emergency need not be a sudden, short-lived event; threats that are “real, acute, and ever-present” satisfy the statute.
  • No Cost-Benefit Requirement for Directives – Section 114(l)(3) requires cost-benefit balancing only for regulations, not security directives. TSA therefore lawfully skipped it.
  • Statutory Authority Affirmed – TSA’s broad mandate over all modes of transportation (49 U.S.C. § 114(d) & (f)) supplies substantive power to issue rail cyber-directives.
  • Action Not Arbitrary or Capricious – The directives are narrowly tailored to higher-risk and STRACNET railroads, updated annually, and repeatedly ratified by the Transportation Security Oversight Board (TSOB). TSA reasonably explained its approach.
  • Petitions Denied – All challenges failed; directives remain effective.

3 · Analysis

3.1 Precedents Cited and Their Influence

  • Home Building & Loan Ass’n v. Blaisdell, 290 U.S. 398 (1934) – Referenced by CN for a “rare, sudden emergency” conception. The Court distinguished it, emphasizing statutory text over lay definitions.
  • National-Security Deference Trilogy
    • Haig v. Agee, 453 U.S. 280 (1981)
    • Trump v. Hawaii, 585 U.S. 667 (2018)
    • Dep’t of Navy v. Egan, 484 U.S. 518 (1988)
    These cases underscore judicial reluctance to second-guess Executive assessments of national-security risks. The Seventh Circuit leaned on this tradition to validate TSA’s judgement on cyber threats.
  • Curtiss-Wright Export Corp., 299 U.S. 304 (1936) – Cited for the Executive’s unique foreign-affairs and intelligence capabilities; bolsters deference.
  • Ziglar v. Abbasi, 582 U.S. 120 (2017) & Holder v. Humanitarian Law Project, 561 U.S. 1 (2010) – Warnings against talismanic invocations of security were acknowledged but deemed inapposite because Congress explicitly conferred emergency power.
  • Administrative-Law Cases
    • Perez v. Mortgage Bankers Ass’n, 575 U.S. 92 (2015) – Restates baseline APA rule-making duties; provides backdrop for the § 114(l)(2) exception.
    • Bonacci v. TSA, 909 F.3d 1155 (D.C. Cir. 2018) & Olivares v. TSA, 819 F.3d 454 (D.C. Cir. 2016) – Confirm substantial deference to TSA on transportation security.
    • FCC v. Prometheus Radio Project, 592 U.S. 414 (2021) – Sets modern arbitrary-and-capricious standard adopted by the panel.

3.2 Legal Reasoning

  1. Statutory Text Controls – The Court begins with § 114(l)(2)’s language: TSA may skip notice-and-comment when the Administrator determines that a directive must be issued immediately to protect transportation security. The text imposes no temporal limit on what counts as an emergency.
  2. Historical Practice of “Long Emergencies” – Using examples under the National Emergencies Act and IEEPA (Iran sanctions, post-9/11 emergency, COVID-19), the Court demonstrates Congress’s tolerance of years-long emergencies.
  3. Updated Intelligence as “Immediate” Cause – TSA’s iterative directives rely on fresh joint-cyber advisories, Annual Threat Assessments (ODNI 2023 & 2025) and other classified inputs (reviewed in camera). The evolving nature of the threat justified renewed immediacy.
  4. Structural and Institutional Deference
    • Congress placed TSA within DHS to leverage Executive intelligence-gathering.
    • TSOB’s annual ratifications (comprising DoD, DOJ, Treasury, ODNI, NSC, DOT) supply inter-agency validation.
  5. Cost-Benefit Statutory Carve-Out – By contrasting § 114(l)(2) (security directives) with § 114(l)(3) (regulations only), the Court applies the canon of negative implication (expressio unius est exclusio alterius).
  6. Arbitrary-and-Capricious Review – The panel finds adequate tailoring (only higher-risk/STRACNET carriers) and reasoned explanation; TSA’s omission of unavailable procedures (notice-and-comment, cost-benefit) could not be arbitrary.

3.3 Impact on Future Litigation and Regulatory Practice

  • Precedent on “Ongoing Emergencies” – First published circuit authority squarely holding that continuous cyber threats can constitute an emergency under § 114(l)(2) (and potentially analogous statutory schemes). Agencies may cite this to justify emergency directives in other infrastructure sectors (pipelines, aviation).
  • Cost-Benefit Litigation Narrowed – Regulated entities challenging security directives now face a textual wall: unless Congress amends § 114(l)(3) to cover directives, cost-benefit arguments are unlikely to prevail.
  • Encouragement of “Two-Track” Approach – TSA’s simultaneous informal rule-making (NPRM Nov. 2024) and recurring directives received judicial blessing. Other agencies may adopt a similar directive-now, rule-later model during protracted threats.
  • Deference Framework Fortified – The decision integrates traditional national-security deference with modern arbitrary-and-capricious review, signaling that Chevron’s future is less relevant where Congress expressly uses broad, discretionary language tied to security.
  • Rail Industry Compliance Strategy – With judicial affirmation, carriers will likely focus on shaping the forthcoming final rule rather than contesting directives. Investments in cyber-resilience can proceed with reduced litigation risk.

4 Complex Concepts Simplified

Notice-and-Comment Rule-Making
A formal process under the APA (§ 553) where an agency publishes a proposed rule, invites public comments, reviews them, and issues a final rule—often taking months or years.
Security Directive vs. Regulation
Security Directive – Immediate, binding orders issued by TSA in emergencies; valid up to 90 days unless ratified (then up to 1 year).
Regulation – Permanent rules issued after notice-and-comment; codified in the Code of Federal Regulations.
STRACNET
“Strategic Rail Corridor Network” – A Department of Defense–designated map of rail lines critical for moving military equipment from installations to ports during conflict.
Arbitrary and Capricious Standard
A reviewing court must invalidate agency action that lacks a rational connection between facts found and choice made, ignores important factors, or offers an explanation that runs counter to the evidence.
Transportation Security Oversight Board (TSOB)
High-level inter-agency board (DHS, DoT, DoD, DOJ, Treasury, ODNI, NSC) that reviews TSA’s emergency directives; can ratify, modify, or reject them.

5 Conclusion

Grand Trunk Corp. v. TSA cements a robust reading of TSA’s emergency power: perpetual, sophisticated cyber-threats qualify as “emergencies” warranting immediate directives without prior public participation or economic balancing. By grounding its decision in statutory text, historical practice, and national-security deference, the Seventh Circuit provides agencies a clear roadmap for emergency action while implicitly urging a transition to permanent rule-making as soon as practicable.

Key takeaways:

  • Section 114(l)(2) emergency authority is broad; its trigger is the Administrator’s reasoned determination of immediate need, not the suddenness of the threat.
  • Cost-benefit analysis is not required for emergency security directives.
  • TSA possesses ample statutory authority to regulate rail cybersecurity; challenges predicated on lack of power are unlikely to succeed.
  • Courts will generally defer to agency assessments of national-security threats, especially when inter-agency validation exists.

The decision thus aligns legal doctrine with the modern reality that cyberwarfare rarely announces itself in discrete events but rather persists as a continuous state of risk—a risk Congress empowered TSA to confront swiftly and decisively.

Case Details

Year: 2025
Court: Court of Appeals for the Seventh Circuit

Judge(s)

Kirsch

Comments