China’s state-owned rail-car manufacturer has shown increased interest in building Metro’s next-generation rail cars, a development that could put the transit agency at odds with Congress over concerns about the cybersecurity risks and economic conflicts of such a deal.
China Railway Rolling Stock Corp. (CCRC) made a Metro-sponsored site visit last month for companies interested in bidding for the rail-car contract, which could exceed $1 billion for its next-generation 8000-series cars. Eleven CRRC employees showed up to the event at Metro’s Greenbelt rail yard, according to meeting documents.
That visit, along with CRRC’s aggressive push for rail-car contracts in other U.S. markets, including New York, suggests the company is likely to make a bid on the Metro deal. The possibility concerns some Metro board members, experts and others who say China could potentially use the vehicles to conduct electronic spying on the nation’s capital. Those concerns, experts say, are heightened given political tensions between Beijing and the West and accusations that it has previously used connected technology for malicious purposes.
In December, the United States and four of its allies blamed China for a 12-year campaign of cyberattacks affecting 12 countries, and two Chinese hackers were indicted by the Justice Department, which said they had acted “in association with” the Chinese Ministry of State Security.
“When we hear from security professionals both within the agency and the federal government, that’s something that is worthy of consideration and discussion,” said Metro board member Steve McMillin, who represents the federal government. “To the extent we can address that through the procurement process, we absolutely should.”
Since 2014, CRRC has won four out of five major U.S. contracts for new rail cars, including ones for transit systems in Chicago, Boston and Los Angeles. Critics contend the company has been able to secure the deals by dramatically underbidding competitors due to subsidies from Beijing. In addition to Metro, the company is making a play for part of a more than $4 billion contract with the New York Metropolitan Transportation Authority for rail cars for that city’s subway. A story in O’Dwyer’s, a public relations publication, reported that the U.S. division of CRRC is paying a public affairs firm $25,000 a month in its bid to land a contract to build some of the more than 1,000 cars MTA needs.
The situation is complicated because there are no U.S. transit rail-car manufacturers and there is concern about the economic precedent of allowing a state-subsidized manufacturer into the U.S. market.
Other rail-car makers who attended last month’s Metro event included Hyundai Rotem, of South Korea, and France-based Alstom, according to meeting documents. CRRC has bested Hyundai in the past, however.
Kawasaki Rail Car, the Japanese maker of Metro’s 7000-series rail car, which is built in Nebraska, has not made site visits for the 8000-series project, which calls for up to 800 new rail cars. Observers say that’s probably because the company is consumed with a contract to build an initial batch of new rail cars for the New York subway.
CRRC was initially believed to be on the verge of securing that $3.2 billion contract — which would have been the company’s largest U.S. deal — but lost out in a joint bid with Canada’s Bombardier Transportation, according to media reports. A China-based rail expert said the decision reflected “political considerations,” among other factors, according to a summary of his comments in the Beijing-aligned Global Times. A spokesman for MTA did not immediately respond to a request for comment on whether the agency has heeded cybersecurity and economic concerns about CRRC.
Kawasaki, which had delivered about three-fourths of Metro’s 7000-series cars by the end of last year, is expected to have delivered all 748 by the end of this year, according to Metro projections.
Neither Kawasaki nor CRRC returned requests to multiple employees for comment.
The Southeastern Pennsylvania Transportation Authority awarded CRRC a $137 million contract in 2017 for the construction of 45 regional rail coaches, to be built in Massachusetts. SEPTA said CRRC beat out two other bidders based on two factors: technical rating and pricing.
“SEPTA determined the CRRC proposal was the best value and most advantageous for the Authority,” agency spokesman Andrew Busch said in a statement. SEPTA said the next lowest bid was from Bombardier, for nearly $172 million, followed by Hyundai Rotem at nearly $185 million.
After cybersecurity concerns were raised, Metro updated its bid solicitation to address some of the issues. It also extended the deadline for bids to April from January.
Last week, the transit agency outlined several new procurement requirements for the contract, such as requiring the manufacturer disclose the country of origin of all rail-car components, assert that any software-related “back doors” have been disabled and remove any communications ports that wouldn’t otherwise be needed for operations.
But some members of Congress are concerned any safeguards would not go far enough and want the transit agency to secure approval from the Departments of Defense, Homeland Security and Transportation before cutting any such deal. Meanwhile, they are considering whether federal legislation would be an appropriate next step.
“The broader challenges posed by China’s ambitions demand the attention of policymakers, and I’ve been engaging with my colleagues on how to appropriately respond to China’s cyber incursions and other malign actions,” Sen. Mark R. Warner (D-Va.) said in a statement Sunday. Metro “needs to share a sense of urgency that I haven’t seen from their response so far, and I have requested that they hold a more detailed briefing for my office this week on their handling of this issue.”
Warner said the issue is “bigger than just this single procurement.”
Metro declined to say if it would seek DHS, DOD or DOT approval before awarding a contract, saying it could not disclose “specific arrangements” it has with the agencies for security reasons. It also said it was up to Congress to adopt legislation if it wanted to prohibit a foreign adversary from entering the rail-car market.
Metro General Manager Paul J. Wiedefeld has written to senators twice in an effort to reassure them the transit agency was taking appropriate safeguards.
“We are confident that these approaches will impose appropriate controls that limit any malicious actor’s ability to embed malware and for [Metro] to monitor and enforce security requirements,” Wiedefeld wrote in response to concerns raised by Sens. Mike Crapo (R-Idaho) and Sherrod Brown (D-Ohio), who serve as chairman and ranking minority-party member of the Senate Committee on Banking, Housing and Urban Affairs, which has mass transit as part of its oversight jurisdiction.
Metro noted, however, that it was ill-equipped to address one of the key issues the senators raised: Why not buy American, or otherwise protect against bids from foreign government controlled entities?
“We would welcome the opportunity for an American-owned company to participate in [Metro’s] railcar procurements, but unfortunately, there are currently no American-owned railcar manufacturers,” Wiedefeld wrote. “Given the congressional concerns about Chinese manufactured railcars operating in U.S. transit systems, we recommend that Congress consider leading an effort to protect critical infrastructure and U.S. railcar manufacturing using a more holistic approach, such as passing or amending federal law, rules or agreements to adequately address these concerns.”
Metro said it plans to maintain a free and fair procurement process, adding that any actions to protect against foreign interference in the process should take place without “unduly restricting competition.”
Transit agencies in cities where CRRC has been awarded contracts tout the value and economic opportunities that come with the deals — some of which include dozens or hundreds of new jobs and rail-car assembly on-site.
But senators, including Brown and Crapo, expressed “deep concerns” regarding CRRC’s efforts “to displace rail manufacturers in the United States.” Others contend the risk of cyberespionage is greater in the nation’s capital than elsewhere.
Metro said hardware and software components would be tested by a Defense Department-certified firm for cybersecurity vulnerabilities. The rail-car procurement, Metro said, will be subject to a National Institute of Standards and Technology cybersecurity protocol and verified for compliance.
“I want to assure you that [Metro] takes your concerns about the national security of our 8000-series railcar procurement request for proposals very seriously,” Wiedefeld wrote.
Experts also fear security-sensitive equipment such as surveillance cameras and electronic or train-signaling equipment could be vulnerable to hacking.
Andrew Grotto, a former senior director for cybersecurity policy on the National Security Council, said Metro deserved praise for prioritizing cybersecurity as an “explicit factor” in its contract decision.
“I hope this sets a precedent nationwide, not just for commuter rail, but for all infrastructure investments,” he said. It “is an impressive list of requirements that, if implemented, would certainly make it much harder for China or any other adversary to attack Metro.”
Still, he said, no compliance check would totally eliminate vulnerabilities posed by potential cybersecurity risks.
If “China were determined to attack Metro, I would still put my money on them succeeding, no matter who supplies the cars in the end,” he said. “That is one of the hard truths about the risks of digitizing our infrastructure.”