In 2016, hackers hit the San Francisco transit system with a ransomware attack demanding $70,000. The following year, Sacramento Regional Transit faced a similar strike. In 2018, the Colorado Department of Transportation shut down 2,000 computers after falling victim to two ransomware attacks in two weeks.
Faced with these kinds of new cyberthreats, a number of security officials and experts have focused attention on one potential source: China. Chinese hackers have not been accused of the transit ransomware attacks, but they have been blamed for hacking other U.S. government agencies and businesses in an effort to gain intelligence and trade secrets. The growing political tensions between the U.S. and China have culminated in a series of tariffs on Chinese goods.
Meanwhile, a state-owned Chinese company is building rail cars for some of America's biggest cities, prompting cybersecurity concerns. The increasing role of the China Railway Rolling Stock Corp. (CRRC) has prompted a bipartisan group of U.S. senators to introduce legislation that would prevent transit agencies from using federal funding for rail-car contracts with companies that are owned, controlled or subsidized by China.
By significantly underbidding other companies, CRRC has won rail-car contracts in Boston, Chicago, Los Angeles and Philadelphia. In 2017, the Chinese company reportedly lost out on a bid with the New York City subway to the Japanese company Kawasaki Heavy. Now, CRRC has eyes on a contract with the New York Metropolitan Transportation Authority again and may soon bid to design and build rail cars for Washington, D.C.’s metro system.
The potential D.C. deal has sparked a clash between local transportation officials and federal lawmakers.
In a January letter to the Washington Metro Area Transit Authority (WMATA), U.S. senators from Maryland and Virginia raised concerns “in regards to the procurement process that WMATA is currently undertaking to acquire new rail cars.” The letter does not name China or CRRC directly but says state and local procurements become a problem if they “involve foreign governments that have explicitly sought to undermine our country’s economic competitiveness and national security.”
"U.S. national security should be of the utmost importance as WMATA considers bids," the senators wrote.
Usually, public entities pick the cheapest bid. If Congress wants D.C. to use a more expensive manufacturer, Washington City Councilmember and WMATA Board Chairman Jack Evans told The Washington Post that the federal government would "need to subsidize the difference."
Economic and National Security Concerns
The concerns over CRRC’s growth in the U.S. center on economic and national security, says Erik Olson, vice president of the Rail Security Alliance, which advocates for a ban on contracts with Chinese state-owned companies.
From an economic standpoint, Olson says CRRC’s U.S.-based manufacturing plant provides fewer local jobs than other popular foreign rail-car manufacturers, such as German-owned Siemens. Also, by underbidding competitors by millions, CRRC enables some local governments and transit agencies to fully fund rail-car projects on their own rather than seeking federal funding. When this happens, CRRC could bypass federal “Buy America” requirements, according to Olson. The 1982 regulations require that 60 percent of the cost for components used in transit projects go to American sources; that number will increase to 70 percent in October.
Regarding cybersecurity, opponents of the CRRC contracts worry the company will install surveillance devices on the rail cars that it builds. Such a possibility could be especially unsettling in Washington, D.C., the nation's capital.
“We’re not saying they are going to blow up the subway system,” Olson says. “There’s a lot of technology used on these cars. … We’re talking about [China] gathering intelligence.”
To Ban or Not to Ban?
Last week, a bipartisan group of U.S. senators introduced the Transit Infrastructure Vehicle Security Act, which would "prevent federal funds from being used by transit agencies to purchase rail cars or buses manufactured by Chinese government-owned, controlled or subsidized companies," according to a press release.
The ban, however, wouldn't affect projects that don't receive federal aid, such as the Boston transit agencies' CRRC contract and the D.C. procurement.
Congressional lawmakers introduced similar regulations last year as part of the appropriations process. The House and Senate both passed bills including the foreign contract ban, but it was removed from the final legislation.
While groups like the Rail Security Alliance support the ban, other security experts say that level of concern may be unwarranted.
Timothy Heath, a senior international defense research analyst for the RAND Corporation, says he is “not totally persuaded” that CRRC presents a real security threat at this point. CRRC’s U.S. rail contracts don't include developing software or computer components for the cars. The separation between hardware and software manufacturing makes any desired hacking much more difficult, Heath says.
Transit Officials on the Defense
In defense of their CRRC contracts, local transit officials say cybersecurity concerns extend beyond China. As technology becomes more sophisticated, they say it's best to be prepared.
“[We’ve] had talks since they started the preliminary designs to make sure cybersecurity is considered from the very beginning,” says David Collins, a senior project leader for Philadelphia's transit system. “It’s not something that we’re just adding on at the end.”
Los Angeles Metro spokesman Dave Sotero touted his agency’s ability to take appropriate precautions.
“Metro has the means and expertise to assure that any threats to security are identified and mitigated,” says Sotero. “Metro oversees all elements of vehicle design and system integration, and has the ability and intention to validate software and hardware integrity.”
As for Washington, D.C., WMATA is still in talks with other companies, but has added "enhanced" cybersecurity safeguards to procurements.
This article was originally published by Governing, a sister publication to Government Technology.