Beijing cornering market for U.S. subway cars
Chinese dominance raising concerns about security
WASHINGTON – The warnings sound like the plot of a Hollywood spy thriller: The Chinese hide malware in a subway rail car’s security camera system that allows surveillance of Pentagon or White House officials as they ride – sending images back to Beijing.
Or sensors on the train secretly record the officials’ conversations. Or a flaw in the software that controls the train – inserted during the manufacturing process – allows it to be hacked by foreign agents or terrorists to cause a crash.
Congress, the Pentagon and industry experts have taken the warnings seriously, and now the Washington, D.C.-area subway system, known as Metro, will do the same. The transit agency recently decided to add cybersecurity safeguards to specifications for a contract it will award later this year for its next-generation rail cars following warnings that China’s state-owned rail car manufacturer could win the deal by undercutting other bidders.
Metro’s move to modify its bid specifications after they had been issued comes amid China’s push to dominate the multibillion-dollar U.S. transit rail car market. The state-owned China Railway Rolling Stock Corp., or CRRC, has used bargain prices to win four of five large U.S. transit rail car contracts awarded since 2014. The company is expected to be a strong contender for a Metro contract likely to exceed $1 billion for between 256 and 800 of the agency’s newest series of rail cars.
CRRC’s success has raised concerns about national security and China’s growing footprint in the U.S. industrial supply chain and infrastructure.
“This is part of a larger conversation about this country and China, and domination of industries,” said Robert Puentes, president of the Eno Center for Transportation. “We don’t want to get trapped into a xenophobic conversation . . . but we also don’t want to be naive.”
No U.S. company makes subway cars, so China competes in that market against companies from Asia, Europe and Canada. But U.S. companies build freight rail cars, such as boxcars and tank cars, and they fear China will target them next.
That could cost U.S. manufacturing jobs. It also could increase the risk of a cyberattack that cripples domestic rail transportation in a military confrontation or other national emergency.
“China’s attack on our rail system is insidious and ingenious,” retired Army Brig. Gen. John Adams wrote in an October report distributed by the Rail Security Alliance, a U.S. industry group. “We must retain the know-how and technology to ... safeguard against disruption of this strategically vital sector of our economy.”
China makes no secret of its desire to dominate the global rail car industry. Its “Made in China 2025” economic strategy proposes to seek competitive advantage in that sector, among others.
Both the U.S. Senate and House have sought to block further Chinese penetration of the transit vehicle market. Each chamber has inserted language in annual transportation appropriations bills to impose a one-year ban on new purchases of mass transit rail cars or buses from Chinese-owned companies if the procurement uses federal funding. The ban is not yet law, as final action has been put off until this year.
Sen. John Cornyn, R-Texas, sponsored the Senate ban. His spokeswoman said it reflected his “concern over China’s market distorting practices and their whole government effort . . . to dominate industries sensitive to our national security.” Texas is home to Trinity Industries, a leading U.S. rail car company.
A ban on purchases from China could penalize financially pressed transit systems such as Metro, which may want to take advantage of CRRC’s low prices. Critics have said the company is able to underbid competitors because of state subsidies. CRRC did not respond to emails requesting comment.
Rep. Gerald Connolly, D-Va., said the subway system should be willing to pay extra if necessary.
“Saving a buck isn’t worth compromising security in the nation’s capital,” Connolly said. “If there are valid security concerns about sourcing rail cars from a Chinese state-owned company, then find another option.”
In picking the winner of the contract, Metro is legally required to follow guidelines it set in a lengthy request for proposals, or RFP, which it issued in September and will now revise to include the cybersecurity safeguards. The changes are expected to require the winning bidder get its hardware and software certified as safe by a third-party vendor cleared by the federal government.
“We are working on amended language right now that will require certain security assurances,” said Kyle Malo, Metro’s chief information security officer. He declined to single out China as a threat but noted, “There are countries that are far more aggressive with cyberattacks than others.”
Bids for the subway contract are due April 4. The original deadline, in late January, was extended because Metro received more than 300 questions from potential bidders.
Metro decided to revise the RFP after questions were raised by board member David Horner, who represents the federal government and is a former U.S. deputy assistant secretary of transportation.
“My concern is that state-sponsored enterprises can serve as platforms for conducting cyberespionage against the United States,” Horner said. “These risks are today not widely understood, but their significance is becoming apparent very quickly.”
Horner’s concerns were reinforced in a Nov. 16 blog post by Andrew Grotto, a former senior director for cybersecurity policy on the National Security Council. It warned that the subway system’s RFP did not allow the transit agency to reject a bid because of cybersecurity worries.
“The risk of espionage is uniquely high in our nation’s capital,” Grotto, now a fellow at Stanford University’s Center for International Security and Cooperation, said in an email. “Malware could divert data collected from the high definition security cameras. An adversary with that data could then use facial recognition algorithms to track riders, potentially right down to the commuting patterns of individual riders.”
The Pentagon also is concerned China could use infrastructure such as rail cars for spying. It pointed to recent U.S. charges of the massive, Beijing-backed hacking of business secrets as evidence of the country’s bad practices.
“As illustrated by the Dec. 20 Department of Justice indictment against the Chinese Ministry of State Security, the Chinese Communist Party’s use of predatory economic practices like illegal state-sponsored cybertheft reinforces concerns about Chinese companies playing a role in critical infrastructure - whether it be rail cars or 5G telecommunications networks,” said Air Force Lt. Col. Mike Andrews, a Defense Department spokesman.
China has previously been accused of embedding spying technology in its products. In May, the Pentagon directed service members on military bases to stop using phones made by the Chinese companies ZTE and Huawei because of security risks.